I read all of my email using either mutt or Thunderbird depending on which computer I’m using at the time. When I install either of those on a new computer, the first thing I do is to configure it so that it won’t display HTML email. I have many good reasons for doing this, but mostly I just prefer reading email as plain text.
Most email these days seems to be sent with both HTML and plain text versions so I just get to see the text version, people who are more trusting than me about HTML email get to see the HTML version and everyone is happy. If someone sends me email with no plain text version then I don’t get to see it. This is rarely a problem as these mails tend to come from people who I don’t want to read email from anyway.
But recently I noticed another advantage to my policy. It’s helping to protect me from phishing attacks. The whole point of a phishing attack is to persude you to click on a link which doesn’t go where you think it goes. So you think that you are verifying your account information with Paypal whereas you’re actually giving your username and password to someone who you really don’t want to have it. The best way for them to do that is to send an HTML email where they can disguise the links. The text in the link makes you think that you’re going to a legitimate site, but actually the link goes to somewhere completely different. You can’t disguise that in plain text.
So phishing attacks generally only have a HTML version. A plain text version would give the game way too easily. But all of the legitimate businesses who the phishing attacks pretend to be (Ebay, Paypal, my bank) always send both plain text and HTML versions as they have nothing to hide. So if I get an email from Ebay and there is no plain text version, then I can instantly see that it’s a phishing attack and can be deleted.
Just one more reason to say no to HTML email.