How to lose security-conscious customers.

I use ETrade to handle some of my monies. Sorry, "used."

I got a suspicious email from "E*TRADE SECURITIES LLC" <id@proxyvote.com> (one of these things is not like the other), talking about STREETTRACKS FUND Shareholder Reports (lots of caps never a good sign) which isn't a name I immediately recognized. It linked to a PDF file (because there haven't been any zero-day Acrobat vulnerabilities recently or anything, right?) at an entirely different third domain (ww3.ics.adp.com). No identifying information or "proof we know you" or "proof we're actually ETrade" offered at all, and to boot it leaked (a tiny bit of) personal information in cleartext. If you want people to be able to recognize spam and identity theft, stop making legitimate emails look fake. This is not how you use email.

The Right Way to do this, of course, is how Chase does it. You get an email saying that there's Important Information waiting for you and you have to log in to read it. It proves Chase is Chase, that I'm Me, doesn't leak anything to anyone, doesn't encourage clicking on third-party links and doesn't encourage trusting valid-looking emails. Now I don't know if I'll bother to encourage the half-dozen other people whose ETrade accounts I helped set up to move brokerages, but they've lost my account and further recommendations.
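
The mismatches described above (display name vs. sender domain, link host vs. sender domain, direct PDF link) can be checked mechanically. This is an added example, not part of the original post; the BRAND_DOMAINS map, the URL path and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: hand-kept map of brand keywords to domains that brand sends from.
BRAND_DOMAINS = {"etrade": {"etrade.com"}, "chase": {"chase.com"}}

def registrable(host):
    """Crude last-two-labels domain; a real tool would use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def audit(raw):
    """Return a list of findings that make a message look like phishing."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender = registrable(addr.rpartition("@")[2])
    # "E*TRADE SECURITIES LLC" -> "etradesecuritiesllc" so punctuation can't hide a brand
    brand_key = re.sub(r"[^a-z]", "", display.lower())
    findings = []
    for brand, domains in BRAND_DOMAINS.items():
        if brand in brand_key and sender not in domains:
            findings.append(f"display name claims {brand} but sender is {sender}")
    # Plain-text bodies only; multipart messages would need a walk over the parts.
    body = "" if msg.is_multipart() else msg.get_payload()
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        parsed = urlparse(url)
        host = registrable(parsed.hostname or "")
        if host != sender:
            findings.append(f"link host {host} differs from sender {sender}")
        if parsed.path.lower().endswith(".pdf"):
            findings.append(f"direct PDF link on {host}")
    return findings

# Constructed sample: From header and link host are from the post, the path is a placeholder.
SAMPLE = (
    'From: "E*TRADE SECURITIES LLC" <id@proxyvote.com>\n'
    "Subject: STREETTRACKS FUND Shareholder Reports\n"
    "\n"
    "Your report: https://ww3.ics.adp.com/placeholder/report.pdf\n"
)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```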