Andy Thorpe

Have you gone phishing without realising?

17 Feb 2011

In recent years email marketing, and the marketers behind the campaigns, have become more and more savvy when it comes to creative. As a result there has been a marked increase in phishing accusations.  No marketer wants this to happen to them so, in this blog, I thought I’d illustrate how phishing can come about in a normal legit marketing email – without you even realising it. 

What is phishing?


“Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.” Wikipedia

If you look in your junk folder you may see emails from various banks telling you that you have to update your security information. These emails are trying to convince you that they come from the bank and that you need to take action: click through and enter your details, which they then steal to rob you blind.

In an email a link could read www.hsbc.co.uk, but if you hover over it in your inbox (and the email client has not removed the destination) you will see it actually goes somewhere else entirely, like www.robbing-u-blind.com. They put the bank's website in the text of the link, e.g. www.HSBC.co.uk, but the actual link destination is their phishing site, which is built to look exactly like the company they are pretending to be so that people will enter their details and lose their money.

How is it possible to get accused of this when all the links go back to the right place?


When building emails you normally use words like “click here” or “buy now” or, if you are more creative, you will be linking more descriptive words and phrases. 

However, on occasion you might want to put in your website address like this:

http://www.pure360.com

When you send yourself the email from your client or an ESP’s test facility, your email client will want to make the address clickable but will see that it is already a link. It will then check whether the link destination is the same as the link text, and since it is, all is fine...

BUT

When you send it as a tracked campaign through your ESP, they will swap the link destinations with tracked links that actually go back to your account, report on the click and seamlessly redirect your recipient to your intended destination. Therefore http://www.pure360.com would look like it was going to http://www.pure360.com but would actually go to something like http://emails.pure3260.co.uk/tracking.php?d6gh456h65hb56nedthhmj5kkk

Here the domain is where the software is hosted or masked, and the rest is the encrypted tracking information that lets the ESP know who sent the email, which message, list, campaign and recipient it relates to, and where to redirect to – I know it’s genius!

So even though the person clicking will actually end up where the link text says, what the email client sees is link text of http://www.pure360.com with a destination of something like http://emails.pure3260.co.uk/tracking.php?d6gh456h65hb56nedthhmj5kkk, and so it accuses you of phishing!

In my experience the most common instance of this is in emails from LinkedIn. They add their own tracking and if someone pastes a URL into a discussion comment it always gives me a phishing warning.

How do I avoid this? I need to put my website in my emails


Being accused of phishing is very easily avoided: don’t put www or http:// in the text that you want to make into links.

Email clients identify links by looking for http://, www. or http://www. at the start, so all you have to do is leave that prefix off the link text and you’re fine!

Make sure you still leave the http:// and www. in the link destination though!

For example http://www.pure360.com would become pure360.com
Both links are still linked back to http://www.pure360.com but the first would be a phishing offence and the second would not. 
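
To catch this before a send, the check an email client is described as making above can be run over the final, tracked HTML. The sketch below is an added example, not Pure360 code: the `audit` and `host_of` names, the `emails.example.test` tracking domain and the sample markup are constructed for illustration, `https://` is treated like `http://`, and real email clients' heuristics vary.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Link text an email client treats as a URL (the prefixes named above, plus https://).
URL_LIKE = re.compile(r"^(https?://|www\.)", re.IGNORECASE)

def host_of(url):
    """Lower-cased host of a URL, ignoring a leading 'www.'."""
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

class LinkAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.href, self.text, self.findings = None, [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            text = "".join(self.text).strip()
            # Only URL-looking text is compared; "click here" or "pure360.com" is skipped.
            if URL_LIKE.match(text) and host_of(text.split()[0]) != host_of(self.href):
                self.findings.append((text, self.href))
            self.href = None

def audit(html):
    """Return (link text, href) pairs whose visible URL names a different host."""
    auditor = LinkAuditor()
    auditor.feed(html)
    return auditor.findings

# Constructed sample: a message body after the ESP has swapped in tracked links.
TRACKED = "http://emails.example.test/tracking.php?CONSTRUCTED-TOKEN"
SAMPLE = (
    f'<a href="{TRACKED}">http://www.pure360.com</a> '
    f'<a href="{TRACKED}">pure360.com</a> '
    '<a href="http://www.pure360.com">www.pure360.com</a>'
)
if __name__ == "__main__":
    print(audit(SAMPLE))
```

Only the first sample link is reported: the second has the prefix left off its text, and the third is an untracked link whose text and destination agree.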

Tah-dah.


 
