Hikvision Declares 'Never Click On Links In Emails'

By IPVM Team, Published Jan 09, 2018, 10:18am EST

Hikvision is stepping up its cybersecurity efforts with a clear recommendation - to never click on links in emails:

It is a surprising change since Hikvision has relied on links in their 'Special Bulletin' emails in responding to their own numerous cybersecurity vulnerabilities, such as:



** **** ** *********** to *** *** ********* communicates **** ****** *** that **** **** ******** links *** *********** ** ****** to ** ********.

Tradeoff ******* *** ********

** ******** ** *********'* previous ********, ***** ** emails *** *********** **********. ***** is * **** ** share *********** ****** **** can ** ***** ** copied *** ****** **** an *****. ***** ***** people *** ************* ** concisely ***** **** ***********.

The ****

*** **** ** ******** links ** ****** ** that *** **** *** not ** **** ** purports ** **. *** example, **** ** * link **** ******* ** be ** * **** to ****** ******** *** what **** ** ****** you *******, ** ** unsubscribe:

*******, *** **** ******** goes ** * ***** site ********** ** **** a **** ****, **** the ****** **** ***** to **** **** * TMZ ********* ****** ****:

** ********, *** **** contains **** **** **** the ****** ***** *** clicked **, ***** ***** verify **** *** ***** address *** ***** (*** potentially **** *** ********* does *** ******** *********** in ******** ******* *****):

Some ******** ***** ** ******* **** *****

**** ***** ******* **** options ** ****** ******* headers ** *** ********** data ** *** ******, or *****-** *******. ***** this ** *** * perfect ********* **** *** message ** **********, ********** emails ***** **** *****-** addresses **** **** ****** invalid (*** ** *********, or *** ** **** to **** ** ******* a ***** ****** ******** to *** ******). ** the ***** ******* ***** we *** *** **** this ***** ** ***** has ********** *********** *** Hikvision ** *** ****: and *****-**: ******. 

****** ******** * **** in ** *****, ***** over ** ** ****** the **** **** ** the ****. **** **** you *** ***** ********* if ** **** ** * domain *** ***** ******, such ** *** ******* below **** * ******* Alpha *****:

*********, **** **** ***** very ********** *** ******** to ** ********** **** "Canada ***** ******":

****, ****** **** ****** clicking ***** ** ******, copy ****, *** **** open **** ** * "private" ******* ****** ** tab (*.*.: ********* **** in ******, ******* **** in ******). **** **** prevent ** ******** *** ability *** ********** ***** to *** ****** ** other ******* ****, ** to *** ********** *******.

Vote / ****


Comments (24)

I check the sender address before I click on links. Just because it says "PayPal" in the email header doesn't mean it's from PayPal. When you see the full email address you can tell pretty quickly if the email links are safe or not. I also don't click on links from automated emails or mass emails, not because I'm afraid of spam I just don't want to get on a retargeting list. 

Additionally, you can check the email headers (in Outlook) by opening up the email in a new window and clicking the little arrow in the bottom right of Tags.

This will provide you with a lot more information on where the email has come from 

If a legit looking email comes in (from your bank or whatnot) then looking at the headers will quickly tell you if the email is bogus or not.

Uh, I clicked on a link in an email to get to this story...is that bad?

Uh, I clicked on a link in an email to get to this story...is that bad?

No, but we have noticed some recent suspicious activity on your account, so we need you to verify just the last 9 digits of your SS#:__________  ;)


Your survey is missing an option, "It depends".  Links provide vital references where it is applicable. Its true you should not click on links you do not feel certain about.  It does not mean you cannot click on a link.  Just be wary of seeing the URL before you click to assess whether it is going to the place you think it is going to.  Just to add. Hikvisions' list of do's/dont's seems correct I expect they have some sort of detailed training behind each and every point that articulates what that means.

I agree with you, generally, that clicking on links in emails depends on conditions / analysis of the email itself.

However, Hikvision's quote/statement is "Never click on links in emails". It would be logically contradictory to reply to a 'never' statement with 'it depends' because never is an absolute, i.e., not ever.

Bigger picture, Hikvision would do better answering real, direct, harder questions about their own cyberecurity, e.g., Dear Hikvision's Chuck Davis, What Is The ONVIF Security Problem?

It is unfortunate that Chuck Davis is showing more concern about generic cybersecurity practices (with blog posts over and over and over again) but little about Hikvision's own cybersecurity.

Blanket statement.  ya, that makes total sense.  How about just check the link and be smarter about your decisions to click it or not.  They are not that hard to figure out.  If it looks sketchy, don't click it.......easy as that. 

There was a Krebs article where he suggests pretty much what Hikvision is stating here. He warns against clicking on any links in emails, regardless of if you know the sender or not. I was recently sent an email from "Paypal" stating my account had some unauthorized activity, and I needed to verify my identity through a click-through link in the email. In all honesty, it looked 100% legit - even showing the lock symbol for a secured and certified webpage. But I chose to instead go to Paypal's main site through a different browser window, and logged in that way. Needless to say, the email I got was phishing scam. That was the first time I've come across something that well-made, including an SSL certification. I have no doubt it has fooled many before me, and will continue to fool many more. Hikvision's approach may be a little heavy-handed here, and is probably not necessary for most on this site, but as general announcement for some of their customers (the default name and password, port-forwarding, etc crowd) it may be something they should be thinking about.  

This just in... Hikvision’s Chuck Davis announces a crackdown on Nigerian 419 Scammers.

An excerpt from Davis’ announcement read, “If you get an email from a Nigerian prince asking you for your banking information, don’t do it, it’s probably a scam.”

Nigerian Prince Adegbite Adewunmi Sijuade could not be reached for comment, but an official from his office stated “I mean, his highness already has enough trouble getting people to respond to his emails in the first place, we really don’t need the Chinese government making matters worse.”

"Never" is a strong word. If you asked for something from a family member and received the requested link is different than Paypal requesting you to log in.

Awareness and common sense based on articles like this (and from Chuck Davis) will get you to "close".  To get to "never" will make you extremely slow .... like saying if you never  want to get hit by a car ... don't go outside.


How will you reset your password in Dropbox, Facebook, Google, Salesforce.com, or almost any other website/application in the world? 

Image result for car house accident



Still better than Knightscope

Image result for knightscope fail

We are getting off topic here a bit ;) Part of the reason our industry is accused of being old and behind the time (not entirely without justification) is that we are often a bit quick to dismiss innovation. Knightscope has had a tough run and I am certainly not ready to rent one however I am a cheerleader for any and all attempts to innovate. There are a few others coming on line .. each building off the other. We fell way behind on the IT evolution ... let's not repeat on the robot evolution :)


Why not right click and copy the link, then paste it into a text editor (notepad, etc) and look at the raw URL? That way, you can tell the difference between:




A very simple trick to be aware of is URL masking, where a seemingly legit link is posted "in the clear" like these (hover over each to see what's hidden):




That's why I said right click and "copy address", then past it in a text editor.

Jon, it is often the case that you are too smart and practical for the discussion.

Well, the hover function doesn't seem to work ... they're both actually good links. My point is that you can make a link look good upon a cursory glance when its really not.

I think they meant to say never to click on links in any of their emails, since they're investing all of their money in damage control rather than fixing the problems with their security. Good advice, but I never click on Hik messages anyway...

It took a security lab to figure this out? 

I don't think this is a "cybersecurity attack". More like trolling for the sick and elderly.  

Read this IPVM report for free.

This article is part of IPVM's 6,728 reports, 907 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Already a member? Login here | Join now
Loading Related Reports