How not to tell your customers how much you care about their security

Filed Under: Featured, Phishing

We've written several times before about "what not to do" when sending important emails to your customers.

For example, after the recent Heartbleed data leakage revelations, there was widespread fear that most websites you'd visited in the past two year might, just might, have yielded up your password to the cybercriminal underworld or to one or more intelligence services.

In fact, your password very probably wasn't seen by anybody (except perhaps after the Heartbleed hype hit home and every Tom, Richard and Harriet went a-looking for what they could find in server memory), but "very probably" isn't really good enough.

As a result, lots of websites understandably asked you to reset your password, and one or two couldn't resist making it really easy by including quick-and-easy links to their login pages.

So, we asked you as nicely as we knew how, "Please don't do that."

We've also advised you to steer clear of pleasantries about just how much you value our security, how seriously you take our privacy in theory, and so forth, especially if you are writing to give us bad news about how little you actually did to protect our personal data in practice.

After all, when we share our personal data with you, it's a privilege for you that we have chosen to do so.

It shouldn't be a privilege for us that you might treat our data with the respect we already think it deserves.

And we've written a detailed article entitled Phish or legit - Can you tell the difference? to give a real-world explanation of how easy it is to send a genuine email that nevertheless has a piscatological whiff about it.

Sending genuine emails that sail too close to phishing territory represent a double negative:

  • Phish-looking marketing emails will be rejected by savvy customers, and may tarnish your brand amongst the sort of users who care about security. In our "post-Snowden" world, security evangelists are becoming ever more influential, so you may as well start winning them over now.
  • Phish-looking marketing emails soften up your less cautious customers, making it more likely that they will click dubious links in future. Far better to leave the dodgy look to the crooks, so that when your users see something suspicious, they can reject it immediately, instead of wondering if it might just be real.

With all of this in mind, we thought we'd share with you an antipodeal example of a real marketing mail that you can use an an example of what not to do.

This sample was sent in by a Australian reader, with the electronic equivalent of an audible sigh:

(What you can't see in the image above is that when you hover over the URLs in the message, they actually turn into links that redirect via, the server used to deliver the message, with tracking codes added; these links then redirect back to

We probably don't need to analyse what's phishy about this message, but we'll summarise the key points anyway:

  1. Don't bother with self-praise like "your personal information is our ... absolute priority" when all you are really writing to tell us is that you intend to comply with the law.
  2. If you're going to use links that look like URLs, keep it simple: don't sneakily redirect those URLs somewhere else
  3. Don't put links to login pages into email correspondence: leave that sort of behaviour to the crooks, so only crooks ever do it.

That third point is the most important.

If you never, ever put login links in your emails, then any email that contains a login link will stand out immediately to your customers.

They'll thank you for that in the end.

, ,

You might like

12 Responses to How not to tell your customers how much you care about their security

  1. Citi or Chase did that to me once. It looked very phishy, something about needing to log on within the next 30 days to their new website blah blah when I had JUST DONE SO like the day before. And it included links. Yet when I emailed them all suspicious-like, they told me it was legit. Poor.

  2. David Fraiser · 457 days ago

    I disagree with you about never putting login links in an email. Clearly you've never run a hosting company or dealt with users who can barely send email. By spreading STUPID advice disguised as security, you actually make the Internet LESS safe. Way to go.... smh....

    • Paul Ducklin · 457 days ago

      I don't think I've ever met anyone who genuinely couldn't be shown how to send an email or to type in a web address, assuming that they were functionally literate and had an even slightly competent teacher.

      If your opinion of your customers' intelligence is so low, perhaps you oughtn't to be selling them hosting services in the first place?

    • Alan · 457 days ago

      What the...?!? Surely if somebody is able to purchase hosting they're able to go to the relevant website to manage their account without following "STUPID" links (your capitalisation, not mine) in an e-mail. Yes, not everyone is an IT expert, but I'm sure the majority of people can cope with typing your company name into Google, even if they don't know the URL.

      It's this lazy and patronising approach that's causing the problem. Surely helping your less tech-savy customers with a sentence asking them to visit your website without providing clickable links instead of telling them they're idiots would be more useful?

  3. George Pajari · 457 days ago

    Paul -- what is your opinion about putting in non-clickable URLs in the email and asking your customer to copy and paste into a browser?

    • Paul Ducklin · 457 days ago

      You may want to do this...many email clients make the links clickable for you, of course, so it's a rather imperfect solution.

      I think my preferred solution, for something that is really important from a security point of view, is to do what an increasing number of websites are doing, namely adding an obvious banner or notification to your main web page.

      Then you only need to persuade your customers to visit the website in your email...and any user who visits your website anyway gets the warning anyway, for a sort of "win win" result.

  4. VL-S · 457 days ago

    I enjoy hardening my defences against internet intruders with your sage advice and at the same time improving my vocabulary. "Piscatological" hmmm... doesn't come up in a first page Goggle search. However "piscatological whiff" does, even as the the first entry, citing nakedsecurity as it's source. I think it's a good word and will quote you as the author.

    • Jim · 455 days ago

      Look up piscatology instead. It's the study of fishing (from Latin "pisca", to fish).

      • Jim · 455 days ago

        But, now that I think about it, perhaps Paul should have used "phishcatlogical". That really WOULD have been a new word. :)

  5. Patrick · 457 days ago

    I ran into this some time back with PayPal. I received a phish looking email that was caught in my filter. The domain was not a usual PayPal one so I sent it to their fraud department. Later I received a message stating it was legit. My advice is to stick with your known domain when sending to your customers.

  6. TonyG · 457 days ago

    HMRC do this with their emails - the links in them go off to a US based tracking site before being redirected into the right place in HMRC.

    I have very vocally made them aware that their emails cannot be distinguished from phishing emails by all but the most savvy, and they break the only guidelines you can give to ordinary mortals that if you hover over a link and it goes to a different place to the name of the link, DON'T CLICK.

    After fighting to find someone to contact, they "are aware of my concerns".

    Unlike Natwest, who have continually ignored all my protestations that their emails look more bogus than the bogus emails.

    I have even offered suggestions to these people as to how they could provide emails that give us a little more confidence in them, but alas, it seems that they know better and insist on keep churning them out regardless.

    It seems to me that they will wait until there is some great disaster, throw their hands up in horror, and then blame everyone but themselves for failing to take trust and security seriously.

  7. cdoggyd · 457 days ago

    Many email marketing services will automatically insert redirect/tracking codes into emails.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog