Wolf in sheep's clothing

The sophistication of email scams and phishing attacks reached new levels in 2016. With that trend set to continue in 2017, what can you do as a sender to improve the odds for your customers?

There is a local bank here in Singapore which has enjoyed my (albeit negligible) business for the past few years. During this time they have sent me some of the poorest-quality emails I have ever had the privilege to witness from the finance sector.

They also seem to have suffered more than their fair-share of successful email phishing attacks, hitting both customers and employees alike.

Coincidence? I think not..

Filtering Mechanics 101

What happens when you send poor-quality email?


1. A spam-filtering system is designed to route legitimate emails to the inbox, and scam/phishing emails to the spam box (so the user is never exposed to them). Lovely.

Filtering Mechanics 2

2. When an email from a legitimate company is of poor-quality, the filter wants to do its job and place it in spam. However, the user, encouraged to add it to their 'safe-senders' list, overrides this decision, rescuing it from spam. Commercial whitelisting services can also contribute by attempting to artificially override this decision too.

Filtering Mechanics 3

3. The real problem comes when a scam/phishing email comes along pretending to be from the aforementioned company. The filtering system may well smell a rat (there are always markers), however it has been 'trained' by the previous decision-override that this kind of quality is actually okay. The email is diverted to the inbox, the user is exposed.

But what do we mean by 'quality'?

When a sending server wants to send an email to a receiving server, they 'shake-hands' and the sender tries to prove to the receiver that he is who he says he is. If the receiver believes him, the sender passes the email to the receiver to give to the user.

The receiver's spam-filtering system then scans it to make sure it's not something the user wouldn't want. If it passes that scan, it's given to the user.

Email Delivery In this image you could say the courier is the sending server trying to prove he's legit, the receptionist is the receiving server examining his credentials and the package itself, the package is the email, and the final addressee is the user.

Although this has been massively simplified, the 'quality' of an email can be said to be how legitimate it looks under the scrutiny of this entire process.

This is very closely related to an email's Deliverability, except that here we are deliberately not considering the effect of user-engagement history, as frequent engagement with poor-quality emails is exactly what can cause these issues.

So how to improve things?

As a legitimate sender, there are a number of measures available to ensure your emails are displaying squeaky-clean profiles.

Sending Infrastructure

A flawless sending infrastructure will help prove the authenticity of the sending server during the first step (the server hand-shake). Luckily, this is not too difficult to achieve.

Most modern ESPs can provide a quality sending-infrastructure setup with minimal user-configuration, handling most of it for you.

At the very least have the most common authentication protocols set correctly. SPF is easy to implement, even if you are not using an ESP. DKIM is slightly more technical, but most ESPs make it very easy. DMARC is also relatively accessible even without an ESP, and its influence is steadily increasing. So no excuses there.

It goes without saying that the reputation of the sending-server should be free from blacklisting and show a high level of whitelisting where possible (not commercial, earned e.g. dnswl.org). Shared-IPs can sometimes be rather hit-and-miss in terms of reputation/blacklisting, but many ESPs also provide the option to cultivate your own dedicated IP.

There are of course other things to consider infrastructure-wise, but these are the basics and it's still a surprise to see many companies falling at this first hurdle.

Now while it's true that scammers can take advantage of many of these measures (by hijacking a legitimate machine to do the sending, for example), the important differentiator is what they cannot do without.

A Classic PhishA classic attempt to dupe PayPal customers (early 2016).

They have to link to some mechanism to steal your information (fake sites, malware downloads etc.), and this can be detected. It would be irresponsible to assume that filters would be able to detect the slight differences in every sophisticated attack, but the key thing is to help improve their chances by making the differences clearer.

Content Markers

So onto the second-step: scanning the email's content. A perfect infrastructure will continue to help the profile here, but the content itself should strive to be as issue-free as possible.

This can be harder to keep a hold on since copy, links, CTAs, even the template code itself may change frequently. Add this to events in the fluctuating global spam/scam environment, and you have a set of constantly moving goalposts.

If this seems daunting, the advice is simply to do the best you can. Every improvement mitigates the effect of other issues. There will be some things you wont be able to change due to the nature of the business, but for those you can ..do!

Given that nefarious links are usually the path to the actual compromise, these need greatest scrutiny. Check that you are not including links to third-parties that are blacklisted, and always try to make sure you're only using secure (https) links, especially when linking to data-collecting forms.

There are also many less-obvious spam-markers that take time, experience, and/or analysis-tools (#insert shameless plug here#) to understand and reduce. Some of them may seem benign in the course of normal business email, but their impact should not be overlooked.

Some common content-based spam/scam-markers to avoid:

  • Sensationalised language
  • Spelling/grammar mistakes
  • Immediacy/urgency of requests
  • 'Unusual' requests for information - PIN codes, ID numbers etc.
  • Broken HTML/CSS elements/tags
  • Certain types of attachments
  • Multiple layers of link redirection
  • Mismatching HTML/Text MIME portions
  • ..and the list goes on

While there is a lot to consider on the content side, note again that simply starting with a good sending-infrastructure puts you way ahead of the pack to begin with.

Give The Filters A Chance

To summarise, the message here is that filters would work far better if they weren't being confused all the time. In fact, if everyone sent high-quality email, it would be much harder for email scammers to operate at all.

Filtering Mechanics 4

In an ideal world, even the slightest whiff of ne'er-do-well in an otherwise high-quality email would have a chance of detection. But until we get there, you can still make a difference for your own customers and help protect the reputation of you own company.

And just remember, improving the quality of your emails in the eyes of filtering systems has a very welcome side-effect: increased deliverability and engagement from your users.

I'm off to talk to my bank..