How not to tell your customers how much you care about their security


We’ve written several times before about “what not to do” when sending important emails to your customers.

For example, after the recent Heartbleed data leakage revelations, there was widespread fear that most websites you’d visited in the past two years might, just might, have yielded up your password to the cybercriminal underworld or to one or more intelligence services.

In fact, your password very probably wasn’t seen by anybody (except perhaps after the Heartbleed hype hit home and every Tom, Richard and Harriet went a-looking for what they could find in server memory), but “very probably” isn’t really good enough.

As a result, lots of websites understandably asked you to reset your password, and one or two couldn’t resist making it really easy by including quick-and-easy links to their login pages.

So, we asked you as nicely as we knew how, “Please don’t do that.”

We’ve also advised you to steer clear of pleasantries about just how much you value our security, how seriously you take our privacy in theory, and so forth, especially if you are writing to give us bad news about how little you actually did to protect our personal data in practice.

After all, when we share our personal data with you, it’s a privilege for you that we have chosen to do so.

It shouldn’t be a privilege for us that you might treat our data with the respect we already think it deserves.

And we’ve written a detailed article entitled Phish or legit – Can you tell the difference? to give a real-world explanation of how easy it is to send a genuine email that nevertheless has a piscatological whiff about it.

Sending genuine emails that sail too close to phishing territory does you harm in two ways:

  • Phish-looking marketing emails will be rejected by savvy customers, and may tarnish your brand amongst the sort of users who care about security. In our “post-Snowden” world, security evangelists are becoming ever more influential, so you may as well start winning them over now.
  • Phish-looking marketing emails soften up your less cautious customers, making it more likely that they will click dubious links in future. Far better to leave the dodgy look to the crooks, so that when your users see something suspicious, they can reject it immediately, instead of wondering if it might just be real.

With all of this in mind, we thought we’d share with you an antipodean example of a real marketing mail that you can use as an example of what not to do.

This sample was sent in by an Australian reader, with the electronic equivalent of an audible sigh:

(What you can’t see in the image above is that when you hover over the URLs in the message, they actually turn into links that redirect via, the server used to deliver the message, with tracking codes added; these links then redirect back to

We probably don’t need to analyse what’s phishy about this message, but we’ll summarise the key points anyway:

  1. Don’t bother with self-praise like “your personal information is our … absolute priority” when all you are really writing to tell us is that you intend to comply with the law.
  2. If you’re going to use links that look like URLs, keep it simple: don’t sneakily redirect those URLs somewhere else.
  3. Don’t put links to login pages into email correspondence: leave that sort of behaviour to the crooks, so only crooks ever do it.
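As an added illustration (this is not code from the original article), here is a small Python check that applies the second and third points to an HTML email body before it goes out: it flags anchors whose visible text looks like a URL but whose href actually points at a different host (the tracking-redirect pattern described above), and it flags links that lead to a login page, either directly or via a URL carried in a redirect parameter. The sample message, the hostnames and the list of login-page keywords are constructed for the example.

```python
"""Flag phish-like link patterns in an outgoing HTML email.

Added example, not code from the original article. Two checks:
  1. display_host_mismatch: anchor text looks like a URL, but the href's
     host differs (e.g. a tracking redirect standing in for the real site).
  2. login_link: the href, or a URL embedded in its query string, leads to
     a login page.
Sample email and hostnames below are constructed placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Path fragments we treat as "this is a login page" (assumed keyword list).
LOGIN_HINTS = ("login", "signin", "sign-in", "logon", "account")

# Constructed sample: one tracking-redirect link back to a login page, one
# honest link where the visible text and the href agree.
SAMPLE_EMAIL = """
<p>Your personal information is our absolute priority.</p>
<p>Visit <a href="http://track.example-mailer.invalid/c?u=https%3A%2F%2Fwww.example.com.au%2Flogin&amp;id=abc123">www.example.com.au</a>
to update your details.</p>
<p>Read our policy at
<a href="https://www.example.com.au/privacy">https://www.example.com.au/privacy</a>.</p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _split(url):
    """urlsplit that tolerates scheme-less text such as 'www.example.com.au'."""
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url)


def looks_like_url(text):
    """True if the anchor's visible text reads as a URL or bare hostname."""
    return re.match(
        r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?$", text.strip(), re.I
    ) is not None


def _is_login_path(path):
    return any(hint in path.lower() for hint in LOGIN_HINTS)


def audit_links(html):
    """Return a list of (kind, visible_text, href) findings for the email body."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if not href:
            continue
        parts = _split(href)
        # Check 1: visible URL text vs. real destination host.
        if looks_like_url(text) and _split(text).hostname != parts.hostname:
            findings.append(("display_host_mismatch", text, href))
        # Check 2: login page reached directly, or via a URL in the query string
        # (the "redirect back to the login page" pattern).
        candidates = [parts.path]
        for values in parse_qs(parts.query).values():
            candidates.extend(urlsplit(v).path for v in values)
        if any(_is_login_path(p) for p in candidates):
            findings.append(("login_link", text, href))
    return findings


if __name__ == "__main__":
    for kind, text, href in audit_links(SAMPLE_EMAIL):
        print(f"{kind}: text={text!r} href={href!r}")
```

Run against the sample, the tracking link produces both findings (its visible text names www.example.com.au while the href goes to the mailer's tracking host, and the `u=` parameter carries a /login URL), while the privacy-policy link passes cleanly. The keyword list is deliberately crude; a real pre-send check would match against your own site's actual login paths.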

That third point is the most important.

If you never, ever put login links in your emails, then any email that contains a login link will stand out immediately to your customers.

They’ll thank you for that in the end.