Gone Phishing

Amanda DeLuke

Just a few weeks ago, I had the pleasure of going to see Phish, the band, perform at Saratoga Performing Arts Center (a local outdoor venue right here in Saratoga Springs, NY). I like to describe Phish’s music as jam-based with some story-telling and jazz fusion mixed in. They are a lot of fun to watch live because the audience gets to participate by throwing glow sticks and beach balls during certain parts of their songs (there is quite the phollowing… they are known as “phans”). Every time I come across something related to a “phishing” attempt, I always have a good chuckle (too phunny, right?).

Well, in the digital marketing world, “phishing” refers to a type of spam that is often used to obtain sensitive information in order to commit identity theft or other malicious scams (don’t be phooled!). You may have seen or heard subscribers mention that your emails are being misclassified as a phishing attempt. Below are some important items to consider:

  • Authenticate your sending domain(s). The most important thing you can do to protect your sender identity is to complete your sender authentication (SPF and DKIM). This helps prove to ISPs and mailbox providers that your mail is not a phishing attempt and allows them to determine whether the sender has been forged.
  • Be sure to double and triple check your grammar and spelling in your mailings before sending. Malicious senders are not known for following (phollowing?) proper language rules, so make sure to re-read your mailing before hitting that “send” button.
  • Make sure any URLs that are included in your mailings are not exposed and that those domains are not currently blacklisted. Also, avoid using 3rd party link shortening tools.
  • Include your organization’s physical address in the footer of the email to provide further authenticity.
  • Personalize your emails as much as possible. Phishers do not personalize their emails as they typically do not have the names or subscriber IDs for the recipients they are targeting.
  • Be careful of the words you choose. Phrases like “urgent action required” or “click here now” may raise some red flags.

Do keep in mind that:

  • Many receiving mail servers will disable or turn off images and/or hyperlinks for all messages received if the identity of the sender cannot be verified. In addition, attachments may also be disabled.
  • It is highly recommended that you send from domains that your organization owns. If you use a “from” or “reply to” address at a domain that you do not own, then mail could potentially be rejected (especially if that domain has a DMARC policy in place, e.g. Yahoo! or AOL).
  • To protect your own domain from being used in a phishing attempt, it is recommended to set up a DMARC policy to specify how receivers should treat unauthenticated mail that claims to come from your domain.
  • Some receivers are placing additional filtering rules on mail coming from a bank or credit union, so be aware that if you fall into that category, your mailings are more likely to be misclassified as a phishing attempt.

Keep in mind that email filters look at everything, so it’s important to take as many steps as possible to protect your sender identity and phollow the rules! Remember, don’t be a fan of phishing, but be a phan of Phish!


About the Author
Amanda DeLuke

As a Deliverability Specialist, Amanda helps with client sender reputation, abuse management, and internal deliverability process. When she is not busy at work, she enjoys playing the alto sax, mountain biking, and chasing after her identical twin boys.