This is the Way. To minimize attack surface, the senders of authentic messages should straight-up avoid putting links to "do the thing" in the message. Just tell the user to update their credentials via the website.

▲

viraptor 4 days ago | parent | next [-]

That's what the Australian Tax Office does. Just a plaintext message that's effectively "you've got a new message. Go to the website to read it."

▲

duxup 4 days ago | parent | next [-]

All my medical places I use do that, with the note that you can also use their app. Good system.

	▲	foxglacier 3 days ago \| parent \| next [-]
		Unfortunately, my doctor's office texts me their bank account number saying "please pay $75 to this account". It told them that's putting people at risk of phishing but they didn't care.
	▲	darthwalsh 2 days ago \| parent \| prev [-]
		Personally, I'd rather they put the HIPAA message content straight into the email, and let Gmail sort out the priority. About 90% "you have received a message" notifications are not actionable: "you made an appointment" or "take this survey nobody cares about."

▲

amysox 4 days ago | parent | prev [-]

My doctor's office does the same thing. So do some financial services companies.

▲

Roguelazer 3 days ago | parent | prev [-]

For most users, that'll just result in them going to Google, searching for the name of your business, and then clicking the first link blindly. At that point you're trusting that there's no malicious actors squatting on your business name's keyword -- and if you're at all an interesting target, there's definitely malvertising targeting you.

The only real solution is to have domain-bound identities like passkeys.