Phishing: The Hidden E-Mail Deliverability Threat
Six steps to avoid being labeled a phisher.
Whenever I talk about issues that affect deliverability, I usually cover spam complaints, broken code in messages, blacklisting, and poor relationships with ISPs. Phishing doesn’t come up often as it affects a relatively select group of senders. Nevertheless, it can do more damage than several thousand erroneous “this is spam” reports.
Phishing is the effort to steal sensitive identity or financial data through fraudulent e-mail seemingly sent from banks, investment houses, government agencies, e-commerce divisions of major retail brands, or online auction and payment-transfer services. The e-mail redirects users to authentic-looking but bogus sites that collect the data and use it for identity theft and other crimes.
ISPs now block or tag about four phishing e-mail messages for every message that’s delivered, according to a 2006 report by the Messaging Anti-Abuse Working Group, a coalition of technology, e-mail, and ISP groups.
As a sender, you needn’t have your company name or brand identity hijacked to be a phishing victim. Now that ISPs are cracking down on fraudulent e-mail just as they have on spammers, your e-mail practices could get you wrongly blocked as a potential phisher.
Also, many e-mail clients are being updated to sniff out phishing attempts. To determine whether an e-mail could be a phishing scam, the client looks for a link in your HTML message where the display text is a URL. If the displayed link is different from the actual URL, the client alerts the user.
That’s the bad news. The good news is you can take steps to either avoid being wrongly blocked as a phisher, or restore your reputation as a safe, trusted sender.
How to Avoid the Phish Tag
Keep a close eye on your delivery reports, ISP feedback loops, and blacklist tracking for a sudden spike in blocking or complaints. If you haven’t made substantial changes to how you acquire subscribers or create and send e-mail messages, you still could have run afoul of an ISP’s phishing patrol.
These strategies can help you head off any misperceptions by your subscribers or receiving ISPs:
- If you suspect your identity has been hijacked by phishers, post a notice immediately on your Web site reporting the outbreak and what you’re doing to minimize the damage.
- Send a standalone e-mail to your subscriber or customer base reminding them you don’t ask for personal or sensitive information, nor do you direct users to update their account information via e-mail. Direct them to your privacy policy, which should include this statement.
Add this information to your next several mailings, or make it a permanent addition if your business is particularly vulnerable to identity forging. Also, add it to your site’s e-mail signup or preference page and link to your privacy policy. E-retailers and others who rely on transactional e-mail to confirm details should include this statement on all transactional e-mail.
- Revise your privacy policy to make clear what information you do collect and how it will be used.
- Check all the mailboxes associated with your e-mail program for phishing e-mail involving your brand or company. Include seed addresses on mailing lists to help track delivery problems. If you find evidence that you’ve been targeted, retain those e-mail messages and give copies to any ISP that’s blocking or filtering you and to blacklists that have tagged you as a phishers.
- Begin using authentication practices, if you aren’t now. Consider a third-party reputation audit to see whether you’ve acquired a bad name and to clear up bad reports.
- Revise how you handle message text, especially if you use tracking technology that encodes the URL. All e-mail service providers (ESPs) do this as a customer service; many in-house systems do, too. However, ISPS now look for mismatched URLs and will block or filter any they find.
Don’t put your domain name in the display text of an HREF e-mail tag, which is what your readers see in the message: http://www.yoursite.com. Tracking technology could encode it so that it looks like this, creating a mismatch: http://www.yoursite.com.
Instead, use a descriptive term or describe the action you want readers to take: Visit us here. Readers will still see a clickable link, but any encoding for tracking will not create a mismatch.
Conclusion
Your chances of having your brand or company identity hijacked for phishing attempts are relatively small, but they’re much greater that you’ll suffer collateral damage to your deliverability by being falsely identified as a phisher.
You’ve armed yourself with best practices in the war on spam. Now it’s time to fight your way out of the phish net.
And as always, keep on deliverin’.
Want more e-mail marketing information? ClickZ E-Mail Reference is an archive of all our e-mail columns, organized by topic.
