I last got one of these in 2010 and assumed it must have died by now, but no, otherwise sensible organisations are still training their customers to fall victim to phishing attacks by asking them to open dodgy email attachments.
The product in question is Cisco Registered Envelope and it deals with the lack of security in email by sending you an encrypted HTML file. Opening this file sends you off to register on some website and then runs a Java app to decrypt the message. This is insane. The HTML attachment in insane and the Java applet is insane.
The latest email I got in this format was an appointment reminder from UCSF. I'm sure there is some HIPPA requirement that they can't just send medical information in a plain text email. But they could send an email that lets you know you should login to your account to see the appointment. It's not like the securedoc.html method is magic, you still have to create an account on a website to use it so it buys you literally nothing.
UCSF, shame on you. Look after your patients digital health as well as their physical health. Out of self interest if nothing else, nobody can pay you if their bank accounts have been emptied after falling victim to a real phishing attack.
Cisco, shame on you. This product is so wrong headed it's impossible to believe that you're doing anything right.
You Might Also Like
- The color of yesterday
- Autumnal Equinox 2013
- OpenAGI, or why we shouldn't trust Open AI to protect us from the Singularity
(Published to the Fediverse as: Is it safe to open securedoc.html (Cisco Registered Envelope)? #etc #securedoc #cisco #phishing #ucsf #hippa Securedoc.html looks like a phishing/malware attack but isn't. Here's why it's dangerous anyway. )
I have been trying to open the important encrypted document. It has been 6-hrs. CST. I have not been able to unmask the contents of that document. My goal was first to install the appt that I was suppose to. That being said when clicked to install the first step said follow these instructions carefully to uninstall the appt. Never did match any steps and picture steps to install the appt or to open the encrypted message. I'm frustrated, very tired and disappointed. Consumers should not have to put in a days work to hassle with poor quality products invented by people who cannot relate properly/adequately to the broad array of the population
Thanks for this post, I thought this was for sure phishing and did a backup before opening just to be careful. Nope, just United Healthcare continuing to underwhelm with their technology mastery.
So frustrated. I got one of these yesterday with information in it I have been waiting for since June, 2021. It would not open, I called my daughter in law to come try to open it. We tried everything, even forwarded it to her email, mobile device, etc in attempts to open. Unbelievable! No clue what to even do. We responded to that email siting problems opening. Doubtful we will hear another word from them. :(
Still happening, and I had the same reaction. I lost some respect for Cisco today. Thanks for your thoughtful post.
I got one of these 'securedoc' emails.
No, I won't open it. I hate flashy emails but if you notice, scammers often try to copy it but most often not getting it 'really' right. But it is a small chance you have.
But this email looks way too unserious. Get serious!!
I just received one of these today. It seem legitimate, as it came from United Health Care (UHC), with whom I had just completed a telephone conversation. The email had an attachment securedoc_xxxx.html which I was supposed to save locally and open with a browser. I saved it locally and opened it with a text editor (BBEdit). Yikes, it is a long and complicated executable program. My reaction was exactly the same as documented here - why would any reputable organization send executable programs as attachments to customers and expect the customer to run the program on their local system? This is seriously wrong!!!
Thanks for the very sane commentary on an insane practice. Yes, the Registered Envelopes are still around. I received one today. It was apparently in response to an unfavorable review I left of a large insurance company's website after I encountered a number of glitches with it, including their somehow managing to lose an electronic fund transfer I attempted to make. The company already has my phone number and snail mail address, and I also have a login account on their website that is supposed to be secure. They could have easily instructed me to log in to their site directly and display whatever message they had for me there. My email program flagged the message as possibly coming from a forged address, although, according to whois, it appears legitimate. Nevertheless, I do not open unknown email attachments, and I have no intention of jumping through hoops so they can try to get me to retract my comments about their flaky site, if that is what this secure message is about. The email looks so much like a phishing attempt, with a vague subject line, and even contains a form where I am supposed to enter my password to send back to them. It is hard to imagine that anyone in their right mind would consider this a good idea.