Phishing emails are used by criminals to trick people into handing over sensitive information such as usernames, passwords, PIN numbers and credit card details. If the fraudulent emails are successful, recipients can become victims of identity theft or may find their credit card maxed out or their bank account emptied.
This means the major ISPs, and other mailbox providers, are on high alert for any incoming mail that looks like it could be a phishing attempt. Anything that does is going straight to the junk folder or will be deleted on arrival.
Follow the advice on this page to help prevent your email campaigns being mistaken for phishing attempts:
Avoid mismatched URLs
An example of a common phishing technique is an email reporting fraudulent activity on your account and asking you to click a link to verify your information. A bad link can be hidden behind a legitimate-looking link, such as https://yourbank.com/verify_account, to trick people into downloading malware or accessing unsafe sites.
To determine if an email may be a phishing scam, the email client looks for a link in your HTML campaign where the display text is a URL. If the displayed link is different from the actual URL, the user is alerted.
Phishing scams are designed to work in a variety of ways, one of which is hiding bad links behind seemingly legitimate links as mentioned in the example above. To combat this, software used to detect fraudulent emails will scan your HTML for mismatched links.
A mismatched link means that the URL a recipient is directed to does not match the URL text used in your campaign content, which is exactly what happens if you include clickable URL addresses in HTML campaigns.
To generate campaign reports that tell you which links were clicked and how often, we replace every URL in your HTML with tracking redirect links. So before sending a campaign, for example, your source code may look like this:
<p>Visit my website: <a href="http://www.abcwidgets.com">abcwidgets.com</a></p>
Then, as soon as it's sent from our system, it would be changed to something like this:
<p>Visit my website: <a href="http://yourcompany.cmailx.com/l/m-t-nughil-h-t">abcwidgets.com</a></p>
Email services that scan incoming mail for suspicious content will sometimes see this as deceptive linking. As a result your email may go to the recipient's junk folder, or it could go missing altogether.
A simple solution
Avoid using URLs as the display text for links in your HTML emails. Instead, try to use a word or phrase which describes the link, for example:
<p><a href="http://abcwidgets.com">Visit my website</a></p>
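As an added example (not part of the original article or the sending system it describes), this Python script applies the mismatched-link check described above to a constructed snippet of campaign HTML: anchors whose visible text reads as a web address but whose host differs from the href host are reported, while descriptive link text passes.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample campaign HTML (not taken from any real campaign): the first
# anchor shows a URL as display text after tracking rewrote the href, the second
# uses descriptive text, the third displays the same host it links to.
SAMPLE_HTML = """
<p>Visit my website: <a href="http://yourcompany.cmailx.com/l/m-t-nughil-h-t">abcwidgets.com</a></p>
<p><a href="http://abcwidgets.com">Visit my website</a></p>
<p><a href="http://www.abcwidgets.com">www.abcwidgets.com</a></p>
"""

def _looks_like_url(text):
    """Heuristic: display text a reader would take for a web address."""
    t = text.strip().lower()
    if t.startswith(("http://", "https://", "www.")):
        return True
    # bare domain such as "abcwidgets.com": no spaces, contains a dot, no trailing period
    return " " not in t and "." in t and not t.endswith(".")

def _host(url_or_text):
    """Normalise a URL or bare domain to its host, dropping a leading www."""
    s = url_or_text.strip().lower()
    if "://" not in s:
        s = "http://" + s
    host = urlparse(s).hostname or ""
    return host[4:] if host.startswith("www.") else host

class _AnchorCollector(HTMLParser):
    """Collect (href, display text) for every <a> element in the HTML."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text)))
            self._href = None

def find_mismatched_links(html):
    """Return (href, display_text) pairs where the visible text is a URL whose
    host differs from the href host, the pattern that phishing filters flag."""
    p = _AnchorCollector()
    p.feed(html)
    return [(href, text) for href, text in p.anchors
            if _looks_like_url(text) and _host(text) != _host(href)]

if __name__ == "__main__":
    for href, text in find_mismatched_links(SAMPLE_HTML):
        print(f"mismatch: displays {text!r} but links to {href}")
```

Run against the sample, only the tracking-rewritten anchor with a URL as its display text is reported; the anchor whose text and href share a host is not.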
Authenticate your emails
Phishing emails typically use spoofing to mislead recipients about where the email was sent from. A "spoofed" email is a message with a forged sender address, making it look like it's sent from a trusted source. Unfortunately this is pretty easy to do because email (the actual process of transmitting email messages between mail servers) was not designed with security in mind.
This is where authentication technology comes into play. Authenticating your emails validates your identity as the sender and the identity of the Email Service Provider (ESP), which is us, sending on your behalf.
Set up a custom domain
Instead of using the default subdomain generated for your account, you can override it with a custom domain. For example: email.abcwidgets.com.
Custom domains are referenced in every campaign you send, meaning they will be used in the URLs for web version links, Twitter or Facebook social sharing links, and all campaign tracking links. ISPs look at the domains referenced in your campaigns, so if they match your DNS records it's further validation that you are the sender you're claiming to be. Also, spoofed emails sent by phishers don't contain that kind of custom personalization.
Request personal information the right way
Sometimes you have to request specific personal information or ask account holders to update their information for entirely legitimate reasons. For example, a data security breach where you need to advise customers to reset their passwords.
The issue with this kind of email is that it can sound suspiciously similar to the hoax messages sent by phishers. A good sender reputation and email authentication are your best chance at inbox delivery, but if you have to contact people under difficult circumstances it's important to make the email content look trustworthy.
- Provide a detailed explanation — Clearly explain the situation that has caused your company to send this urgent or important message. Actual phishing emails are generally pretty vague. For example: "We need your details for a security and maintenance upgrade", or "We need you to verify your account to protect you from a fraud threat".
- Choose your words carefully — Anything along the lines of "your account has been compromised" or "urgent action required" will raise flags with ISPs when your message is scanned for suspicious content.
- Use personalization — Phishers don't personalise their emails with recipients' names or things like customer IDs because they typically don't have this information. If you do, use it.
- Reference your trusted website — If you need recipients to proceed to a website, make sure it's the one they know and trust.
- Don't ask people to click a link — To get people to visit your website or log into their account it's best to provide the web address as text only and advise them to type it in.
- Show you are security conscious — Include information about the security precautions in place. For example, remind recipients that your website is SSL encrypted so they should always check the address bar for https:// not http:// when passing sensitive information.
- Include a permission reminder — It's always a good idea to include a permission reminder but especially so under these circumstances.
- Clearly identify who you are — Authentication aside, your "From" name and email address should accurately identify who is sending the email.
- Write a meaningful subject line — Keep it short and be specific about the point of the email. Also, try to arrange the keywords in order of importance to grab people's attention.
- Check your final draft twice — Spelling errors and poor grammar should be avoided in all campaigns but it's especially important in this case because phishing scams commonly contain grammatical errors and misspellings.
- Don't forget your address — Including a physical postal address is necessary to comply with our terms of use, and it's typically not something phishers do.