Michael Sinatra over at seclists.org had the following to say:
This should be a lesson to all of us, since EDUCAUSE is definitely not
alone here: We all do regular, legitimate business in ways that is
sometimes indistinguishable from phishing, at least to regular users.
That needs to stop. Email marketers and analytics junkies will not like
to hear this, but we need to put an end to embedded email links that are
redirected through other systems. IMO, we should put an end to *all*
legitimate links in emails; instead have a business portal with all of
the links to surveys, training sites, etc., and have notification emails
for when new things appear on the portal. In addition, we could modify
our SSO sites so that they alert users when they need to take care of
something that we would normally use email for which to notify the user.
Once that's done, we can assure users that we will NEVER ask them to
click on a link in an email, just like we currently remind them that we
never ask them for passwords.
If that is "too hard" and/or the analytics stuff is "too valuable" then
we need to simply accept the risk that our users will get caught in
phishing attacks. The bad guys have figured out that it is very easy to
mimic our business practices, and they have gotten very good at doing
it. Unless we change those practices, they will find us to be easy
pickings.