Improve security of payment emails with some form of vendor authentication
I've recently had to pay two large invoices by clicking a link sent from the contractor for the project that they're doing for me. It is a HORRIBLE security practice to allow ANY vendor to request and receive payments this way. The only "authentication" I could perform on the payment email was to check that the amount requested was exactly what I expected. But if a hacker had previously intercepted any communications between me and the vendor, they could have generated a spoofing email with a look-alike button for that exact amount. I checked and confirmed that the payment URL was "https://connect.intuit.com/" and that it passed a VirusTotal check, but how could I have verified that this was taking me to the correct vendor account in QuickBooks? And what if an unsuspecting consumer doesn't know to check the URL? As a rule, I NEVER make payments or do anything to enter or expose sensitive information (like bank account and routing numbers, in this case) by clicking a link in an email. Instead, I ALWAYS go to the site requesting payment or sensitive information independently, using a known good link that I've stored in my password manager. But there was no way for me to do that in this case. Since phishing remains a primary vector of cyber attack, responsible companies like Intuit must provide a better and more secure means by which consumers can authenticate invoice links before they click to pay!