Email security is an ever-growing concern these days. Well-known people and even some top government officials have been the victims of identity theft as the result of "phishing" scams. Email systems and email programs are constantly being updated to detect these scams and protect us from the bad guys. A side effect of the enhanced security is that your emails may be inadvertently flagged for phishing.
How phishing works
Identity theft sometimes begins with what appears to be a harmless email from a trusted institution like a bank or credit union. The message may say that your account has been disabled, you have won a cash prize, or some other attention-grabbing gimmick. The problem is that the email wasn't sent by your bank at all. It was sent by a criminal who is trying to learn confidential information about you.
The email may contain links that appear to be legitimate, but instead will redirect you to a website where you will be asked compromising questions or malware will be installed on your computer. These types of emails are called "phishing" because for the scheme to work you have to "take the bait" and click on one of the fraudulent links.
The text for links embedded in the email may appear to have the correct URL, such as http://www.goodomain.com, but the actual link will point to http://www.baddomain.com. These links are easy for you to detect. If you hover your mouse pointer over the link, the actual link will appear in your browser's status bar or in a small pop-up tooltip. You can then compare the text to the actual link.
The phishing filters in email systems are designed to detect even minute differences in link text. Some programs are more sensitive than others. They may flag your link as "phishing" when, in fact, it is not. Some programs will flag your URLs as bad even if they go to the same website. For example, if your text says "www.mydomain.com" and the link is "http://www.mydomain.com", the email will be flagged for phishing. I saw this just this morning on a Windows Vista machine running Windows Mail.
We can complain about how stupid an email client can be, but the fact is that you have no way of knowing what email systems your readers are using. By following a few simple rules you can ensure that your emails will be delivered intact by all email systems and clients.
Rule Number One:
Simple text links that do not contain any text that looks like a URL are never flagged for phishing. An example is the link text "Click Here" with the link URL "http://www.mydomain.com". Because the link text does not resemble a full or partial URL, the link will not be flagged as bad.
Rule Number Two:
Don't use partial links in your text. If you want to link to your website, don't display the text in an abbreviated format as "www.mydomain.com". Instead, display it as "http://www.mydomain.com". The actual link will always include the protocol of the link. The protocol may appear as http://, https://, or ftp://, but it will always be present.
Rule Number Three:
Ensure that your link text matches the link exactly. Watch out for variations in the protocol or subdomain like "http://www.mydomain.com" and "https://www.mydomain.com". Another common error is to have a mismatch of "http://mydomain.com" and "http://www.mydomain.com".
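The three rules can be checked automatically before a message goes out. The following pre-send check is an added example, not code from this article; the `URL_LIKE` heuristic, the rule labels and the sample HTML are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Heuristic (assumption): link text "looks like a URL" if it starts with a
# scheme or "www.", or contains a .com/.net/.org host name.
URL_LIKE = re.compile(r"^(?:[a-z][a-z0-9+.-]*://|www\.)|\.(?:com|net|org)\b", re.I)

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:          # only record text inside a link
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def lint_links(html):
    """Return (rule, link text, href) for each link a phishing filter may flag."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        if not URL_LIKE.search(text):
            continue                        # Rule One: plain wording is safe
        if "://" not in text:               # Rule Two: protocol is missing
            findings.append(("rule2-partial-url", text, href))
        elif text != href:                  # Rule Three: must match exactly
            findings.append(("rule3-mismatch", text, href))
    return findings

# Constructed sample message body, using the article's example domain.
SAMPLE = """<a href="http://www.mydomain.com">Click Here</a>
<a href="http://www.mydomain.com">www.mydomain.com</a>
<a href="https://www.mydomain.com">http://www.mydomain.com</a>
<a href="http://www.mydomain.com">http://mydomain.com</a>
<a href="http://www.mydomain.com">http://www.mydomain.com</a>"""
if __name__ == "__main__":
    print(*lint_links(SAMPLE), sep="\n")
```

Only the second, third and fourth links in the sample are reported; the "Click Here" link and the exact match pass.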
If you pay attention to your links and follow these simple rules, it will help to keep your emails out of your audience's junk mail folder or trash can.