This is the Way. To minimize attack surface, the senders of authentic messages should straight-up avoid putting links to "do the thing" in the message. Just tell the user to update their credentials via the website.

That's what the Australian Tax Office does. Just a plaintext message that's effectively "you've got a new message. Go to the website to read it."

All my medical places I use do that, with the note that you can also use their app. Good system.

Unfortunately, my doctor's office texts me their bank account number saying "please pay $75 to this account". It told them that's putting people at risk of phishing but they didn't care.

Personally, I'd rather they put the HIPAA message content straight into the email, and let Gmail sort out the priority. About 90% "you have received a message" notifications are not actionable: "you made an appointment" or "take this survey nobody cares about."

My doctor's office does the same thing. So do some financial services companies.

For most users, that'll just result in them going to Google, searching for the name of your business, and then clicking the first link blindly. At that point you're trusting that there's no malicious actors squatting on your business name's keyword -- and if you're at all an interesting target, there's definitely malvertising targeting you.

The only real solution is to have domain-bound identities like passkeys.

That's what I always do. Never click these kinds of links in e-mail.

Always manually open the website.

This week Oracle Cloud started enforcing 2FA. And surely I didn't click their e-mail link to do that.

But won’t someone think of the friction? /s

My theory is that if that companies start using that workflow in the future, it’ll become even _easier_ for users to click a random link, because they’d go “wow! That’s so convenient now!”