when simplicity endangers users

yesterday i had someone try to hack my animal jam account again. if you don't know, there is this phishing scam going around targeting animal jam players that is presumably using data from the 2020 breach.

what they do is try to reset your password, which causes the official animal jam hq email to send a legitimate password change request email. the scammer then sends their own email pretending to be animal jam hq that says it is an automated support ticket and that you should reply with screenshots of any suspicious password change requests.

i already knew this was a scam because they had tried to do this to me several times before (plus it was automatically detected as junk mail anyway). the thing that scared me was something about the email client i was using.

for the sake of simplicity, many email clients only show the sender's display name unless you click on something extra. people who are less internet-savvy and (rightfully) panick when they see a phishing email may not think about clicking that extra thing. specifically, the app that i was using (the default samsung email app) makes you click on the sender's display name to see their email address.

out of curiosity, i looked at all the email clients i use to see what you have to do in them to see a sender's email address if they use a display name.

gmail on desktop displays the sender's name as "name <email>", but only once you have opened the email. plus it may be partially or completely hidden if you use split view and the reading pane is too small.

gmail on mobile makes you click an arrow after you open the email.

roundcube, which is the software that cock.li (yes, there is an email service named that) uses, won't even show the sender's email if you click on the details button. you have to hover over their name.

outlook was the best one. you can hover over display names to see their email on both the website and the windows app. names are always displayed in "name <email>" format once you open the email which is really good. the spam inbox does this too, but not the other inboxes.

this got me thinking about how windows now hides file extensions by default. this was done because it can complicate things for tech-illiterate users. it makes renaming files a bit harder (which windows pretty much solved since it doesn't highlight the file extension when you rename a file, although it could be improved upon) and you could accidentally change the file extension (which windows also pretty much solved since it shows a warning, but some people don't read apparently).

the problem is that this makes people, especially tech-illiterate people, more susceptible to malware. it's easy to confuse "movie.mp4.exe" or even just "movie.exe" with a real video file when the icon makes it look like it's a video.

but microsoft seems quite fond of sacrificing security for user experience nowadays with things like copilot recall. someone has already made a tool for extracting data from it before it has even been officially released.