(no title)

The very unfortunate reality is that many (most?) users evaluate phishing attempts with the null hypothesis that "this is trustworthy". They are looking for evidence that something is wrong and assuming all is well if they don't find it. To that sort of user, the thinking goes something like:

* Some trustworthy sites use .com.

* My municipality is trustworthy.

* My municipality uses .com.

If you draw out the venn diagram, there's a clear gap in that line of thinking. That doesn't matter to someone's Great Aunt Linda though. She just knows that .com is what goes after Amazon and Google, so it must be good.

With that in mind, could using .gov help to protect those folks? To a certain extent. I can see the argument for keeping the more discerning few from getting scammed. For the broader group though, it won't change anything.

Offhand, the alternative solution that I'd offer would be providing clear communication standards to the public. Specifically, defining when, how, and from whom municipal notifications go out. Think of it like the IRS only sending physical letters; archaic as it seems, it makes it pretty obvious that an email "from them" is bogus. The clearer someone's understanding of where to find us is, the more optimistic I am that they'll get where they need to be.