Thanks for your comments, Bill. As you suggest, I do not click on URLs in emails for secure stuff like bank accounts or other critical sites. Interesting observation that 80% of bad stuff comes in through email. I obviously misrepresented my observation of even 'simple' encryption. I had not meant adding 1 to the Vault data as in 'concatenation'. I had meant adding 1 to the hex code of each digit in the code. Easy to do, yet ZA would fail to spot it.
As for my PIN numbers. These are for my credit cards. 4 digits - no way these can ever be 'strong' passwords, but that's what the industry has settled on. You could well ask why store PINs at all, as they are not transmitted over the Internet; perhaps I shall remove them. However, we may need to transmit the 3-digit security code on the back of credit cards in the future. My concern was that ZA trapped these short codes when they were not in the text of the message. Hence my conclusion that they were in the formatting and control data. ZA needs to be able to select out this. Otherwise it will regularly report false positives on short Vault data.
As you say it is an additional layer of protection. Just so long as its limitations are recognised and it is not relied on.
I still think the alert message needs to be improved to make it ergonomic (i.e. understandable in the context of the user).
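
An added illustration of the two limitations raised in the post above; it is not part of the original post and not ZA's actual matching logic, which the post does not describe. It assumes a filter that does literal substring matching of Vault entries, and the PIN, addresses and message are constructed sample values.

```python
from email import message_from_string

VAULT = ["4821"]  # constructed sample PIN, not a real value

# Constructed outgoing message: the PIN digits occur only in header and MIME framing data.
RAW_MESSAGE = (
    "From: user@example.com\r\n"
    "To: friend@example.com\r\n"
    "Message-ID: <20060314.148210.7@example.com>\r\n"
    "Subject: lunch\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/alternative; boundary="=_part_48213"\r\n'
    "\r\n"
    "--=_part_48213\r\n"
    "Content-Type: text/plain; charset=us-ascii\r\n"
    "\r\n"
    "See you at noon.\r\n"
    "--=_part_48213--\r\n"
)

def scan_raw(raw, vault):
    """Assumed naive filter: literal match over everything that leaves the machine."""
    return [v for v in vault if v in raw]

def scan_text_parts(raw, vault):
    """Literal match over decoded text bodies only, skipping headers and MIME framing."""
    msg = message_from_string(raw)
    text = ""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True)
            text += payload.decode(part.get_content_charset() or "utf-8", "replace")
    return [v for v in vault if v in text]

def shift_digits(s):
    """The transformation from the post: add 1 to the character code of each digit."""
    return "".join(chr(ord(c) + 1) if c.isdigit() else c for c in s)

if __name__ == "__main__":
    print("raw scan:      ", scan_raw(RAW_MESSAGE, VAULT))         # false positive
    print("text-part scan:", scan_text_parts(RAW_MESSAGE, VAULT))  # no alert
    print("shifted PIN:   ", shift_digits(VAULT[0]))               # missed by both scans
```

Restricting the scan to text parts removes the false positive on short entries, but neither scan matches the shifted digits, so the filter remains one layer of protection rather than something to rely on.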