Phishing: The Hidden E-Mail Deliverability Threat
Six steps to avoid being labeled a phisher.
Whenever I talk about issues that affect deliverability, I usually cover spam complaints, broken code in messages, blacklisting, and poor relationships with ISPs. Phishing doesn’t come up often as it affects a relatively select group of senders. Nevertheless, it can do more damage than several thousand erroneous “this is spam” reports.
Phishing is the effort to steal sensitive identity or financial data through fraudulent e-mail seemingly sent from banks, investment houses, government agencies, e-commerce divisions of major retail brands, or online auction and payment-transfer services. The e-mail redirects users to authentic-looking but bogus sites that collect the data and use it for identity theft and other crimes.
ISPs now block or tag about four phishing e-mail messages for every message that’s delivered, according to a 2006 report by the Messaging Anti-Abuse Working Group, a coalition of technology, e-mail, and ISP groups.
As a sender, you needn’t have your company name or brand identity hijacked to be a phishing victim. Now that ISPs are cracking down on fraudulent e-mail just as they have on spammers, your e-mail practices could get you wrongly blocked as a potential phisher.
Also, many e-mail clients are being updated to sniff out phishing attempts. To determine whether an e-mail could be a phishing scam, the client looks for a link in your HTML message where the display text is a URL. If the displayed link is different from the actual URL, the client alerts the user.
That’s the bad news. The good news is you can take steps to either avoid being wrongly blocked as a phisher, or restore your reputation as a safe, trusted sender.
How to Avoid the Phish Tag
Keep a close eye on your delivery reports, ISP feedback loops, and blacklist tracking for a sudden spike in blocking or complaints. If you haven’t made substantial changes to how you acquire subscribers or create and send e-mail messages, you still could have run afoul of an ISP’s phishing patrol.
These strategies can help you head off any misperceptions by your subscribers or receiving ISPs:
Add this information to your next several mailings, or make it a permanent addition if your business is particularly vulnerable to identity forging. Also, add it to your site’s e-mail signup or preference page and link to your privacy policy. E-retailers and others who rely on transactional e-mail to confirm details should include this statement on all transactional e-mail.
Don’t put your domain name in the display text of an HREF e-mail tag, which is what your readers see in the message: http://www.yoursite.com. Tracking technology could encode it so that it looks like this, creating a mismatch: http://www.yoursite.com.
Instead, use a descriptive term or describe the action you want readers to take: Visit us here. Readers will still see a clickable link, but any encoding for tracking will not create a mismatch.
Conclusion
Your chances of having your brand or company identity hijacked for phishing attempts are relatively small. The chances that you'll suffer collateral damage to your deliverability by being falsely identified as a phisher are much greater.
You’ve armed yourself with best practices in the war on spam. Now it’s time to fight your way out of the phish net.
And as always, keep on deliverin’.
Want more e-mail marketing information? ClickZ E-Mail Reference is an archive of all our e-mail columns, organized by topic.