But phishing links are of a specific kind. They are links to commercial sites which invite you to enter your password. (Right? Are there other kinds I'm overlooking?) People just need to learn that receiving an email with a link in it is not, in general, a reason to believe that you are talking to the legitimate site. It's just like meeting someone on the street and him saying, I'm a bank officer, please give me your money and I'll go deposit in the bank for you. No one would fall for that, we've all learned better. In the same way, we will learn better not to believe similar claims in email.

Claiming that this won't happen and that people will continue to click on phishing links, giving away their account numbers and passwords, is tantamount to claiming that people can't learn from unpleasant experiences.

Second part: "people can't learn from unpleasant experiences." That's exactly what I'm claiming, in 4. above.

First part: well, right! It's just like that. It's also just like a bank discovering a security breach and emailing all its users and asking them to check their accounts in case there is a problem. Or, it's like a bank notifying that there is now a new site that offers new services. One of which happens to be a fantastic new prize giveaway that requires you to login.

In banking, there is a well known way in which banks make their presence felt: they rent or build a big fat impressive building in the centre of town, and they tell everyone that's where they are. Those pillars that you see in front of a bank had a purpose; they were there to impress on the users that only a bona fide bank would have the money to waste on such luxury, and it's a real bank inside.

Once we get onto the net, all that changes. Your claim that "we will learn better not to believe similar claims in email" is tantamount to banks not being able to use email. Well. That's not very satisfactory, is it? Just how is the bank going to notify the user when it has real problems? Real offers? Real anything?

Good article, I mostly agree with you. I'd append
7.: because of 4. (unclear who's responsible), Microsoft has no need to build more secure systems. Therefor, secure by default will not be done a long time... There is no profit in it.

That leads me to the question, what _can_ we as the IT-experts do so far?
Some ideas:
- Let the users run into the wall until he learns it, e.g. by using "fake" phishing mails that points to a trap: a site with explanations, counter and a gift for the first user that clicked on it? As an add-on force winupdate ("browser-kidnapping" until the update is done)
- Force the use of Knoppix to do online banking?

You know why user eductation is useless? Most people do not have any (cognitive or intuitive) frame of reference available they can use to understand the subtleties in identity and identification, naming, references, authenticity and authentication and representation in a bit medium. You can't blame them, there is no established de facto standard way of representing or naming on the internet. And it is doubtfull if there ever will be one used for everything. Besides even people in the industry make serious errors here.

Our hope lies in limiting the "circle of friends". The key signing party concept of PGP was the first attempt at this; linking the social/physical world into bit representation requires first hand knowledge about this relationship. And by necessity this circle of friends needs to be rather small. Say the size of an average tribe or extended family ;)