Phishing and Spam in Times of Corona
Julia Janssen-Holldiek, Director of the CSA, clarifies what companies now have to consider when communicating by email with their customers.
Shops have closed, restaurants too, hotels are empty – the Corona pandemic has brought many regions to a virtual standstill in recent weeks, and many small and medium-sized businesses into a dangerously precarious situation. But as we all know, necessity is the mother of invention, and so many entrepreneurs have moved their business to the Internet, where there are no – at least for the human body – dangerous viruses. And customers are shifting their purchases to the World Wide Web while the shop doors are closed.
This has consequences: The mail providers WEB.DE and GMX, part of the 1&1 Group, have seen an increase by a whopping 40 percent in email use since the beginning of the Corona crisis, with shopping emails increasing by more than 30 percent.
This development is in principle not a problem, but resourceful cyber criminals are taking advantage of the current situation by abusing the trust of the recipients. A Google search for the terms “email” and “Corona” results almost exclusively in hits that deal with phishing. Governments around the world, for example, have been warning against phishing emails coming purportedly from trusted companies like the government itself or the recipient’s bank. Customers are enticed to provide personal data via a link in the email, and this data immediately lands in the hands of the fraudsters.
A second problem is spam.Phishers are taking advantage of the fact that, in response to the COVID-19 lockdown, companies are increasingly maintaining customer relationships via email; and that the recipients, in turn, recognizing the need for this, perhaps do not exercise the level of caution necessary when opening an email. This is not only an annoyance for the recipients of such emails: in the worst case, it really can cost them money.
But there is also a flow-on effect: The high volume of such emails can also have consequences for quite reputable senders of emails – if, for example, such phishing mails are sent in your name, or the name of your business, as in the case mentioned above. Emails with dubious offers of breathing masks or disinfectants exploit the recipients’ fears as a form of enticement. Spam mails have even appeared in the name of the World Health Organization (WHO). Mailbox providers are aware of this and are implementing their spam rules even more rigorously. Particularly importantly for legitimate email senders: Once your emails have landed in the spam folder of a recipient, they will not make it into that recipient’s inbox in the future either. In this context, it is therefore especially important for senders to adhere strictly to certain rules to ensure that their mails are delivered.
Especially small and medium-sized companies, having moved their business activities to the Internet in the face of the crisis and now increasingly sending emails, often have little idea either of how to protect themselves from being abused through phishing attacks, or of the impact of losing their good reputation by being labelled as supposed spammers. The Certified Senders Alliance (CSA), a white-listing project of eco – Association of the Internet Industry in cooperation with the German Dialog Marketing Association (DDV), has made it its declared goal to increase the quality of commercial emails and through this to improve deliverability and protect the reputation of the senders. The CSA’s email experts recommend that companies adhere to the following five basics to protect their identity on the Internet and ensure that their emails end up in the recipient's inbox now and in the future.
Use only high-quality addresses
Include in your mailing list only addresses you have legally obtained, of people who you know you want to receive your information, and whose consent you can always prove. This not only gives you legal security, but also protects your reputation and establishes trust with your customers. A small mailing list with high-quality addresses is better than a large mailing list with addresses from more dubious sources. In any event, you should use the Double Opt-In procedure. If push comes to shove, you must be able to clearly prove, at any time, that you have the consent of every person to whom you have sent an email. And with Double-Opt-In (DOI), you are on the safe side.
Make sure you create a professional impression
Pay attention to quality in the choice of images and words in your emails. Pixilated images or buttons, or a meaningless subject line leave a negative overall impression. Make absolutely sure that all links in your email function, and follow the “rules of the game”: Each link should reflect the information being advertised. Make sure that your overall image is trustworthy, rather than merely covering the legal requirements.
Express yourself clearly
Be honest, even when it comes to attracting new subscribers to your newsletter. Say what you want in clear and understandable words, and do not attempt to camouflage your request for consent for advertising. The addressee will notice it at the latest when he or she receives a newsletter that he or she has not consciously requested, and will then angrily cancel it again or – even worse – mark it as spam in their inbox.
Create a context for the recipient so that they know why and on what basis you are communicating with them. Set a clear expectation in the recipient's mind by choosing a subject that also reflects the content of the email. And if possible, address the recipient personally.
Do not be a phisher
Through authentication, protect yourself and your brand from being abused for phishing. Use the Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) standards when sending your emails. With the help of DMARC (SPF and DKIM) you have the possibility to make your emails clearly recognizable for a mailbox provider and at the same time determine how emails that are purportedly from you should be handled. This allows phishing emails to be reliably detected and filtered before they reach the recipient and cause possible damage to your customer.
Look for a partner
You have never heard terms like SPF, DKIM, and DMARC? You have only sent individual emails so far, but would like to expand your email communication in the current situation? Sending on a large scale requires compliance with extensive standards for transactional emails (e.g. invoices, order confirmations, etc.) and newsletters. The CSA has brought together the required technical and legal standards in the CSA criteria. Are you thinking about having your email sent via an email service provider? CSA-certified senders have committed to adhering to the CSA criteria and thus to ensuring a very high standard in emailing. You can find certified senders here.
If your Email Service Provider (ESP) offers the option, use a feedback loop. Your provider will then provide you with feedback about recipients who classify your mail as spam or junk. This also helps you with list hygiene, as long as you remove the relevant addresses from your list immediately. The CSA library also contains other informative articles on current challenges.
Julia Janssen-Holldiek became part of the CSA team in 2014 and Director in 2017, and is passionate about creating and enabling quality standards for commercial emailing. Prior to the CSA, she worked for several years in Marketing and Sales at Dell. Julia studied business administration at the University of Cologne and the Universidad Torcuato di Tella, Buenos Aires.