Friday, 21 November 2014

Gone phishing!

I fear it's a fact of life that if you receive email you will receive junk mail of various types, ranging from the harmless but irritating to the downright dangerous: click at your peril!

Such things are very worrying for email users, because it can be very difficult to tell some of them from genuine emails. A sad but typical example has been documented by the BBC's Rory Cellan-Jones, who managed to avoid falling victim to a PayPal payment scam while he was auctioning in aid of the Children in Need charity.

As a recipient you should be able to detect such things by carefully checking any links in the email. (Ideally you shouldn't click on links in emails but, hey, this is the real world.) Hovering your pointer over a link will usually reveal the actual address it points to, which need not be what the visible link text says. If you are more adept you can explore what are called the long headers of a mail to see where it really came from and how it got to you. But some emails are sent legitimately from web servers or other addresses that may not have what is called a mail exchange (MX) record.

I am not a fan of HTML emails but they are here to stay with all the potential for trouble from hidden links and tracking images. I feel it's rather like insisting that telephone calls are sung, not spoken, just because it's nicer. With a text email, it's up to the mail client whether any link text is turned into a real clickable link ... usually triggered by an 'http://'.
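The two checks described above, comparing what a link says with where it really goes and spotting hidden tracking images, can be automated for an HTML body. The following is an added example, not code from the original post; the HTML it feeds in is constructed and every domain in it is a placeholder.

```python
"""Inspect an HTML email body the way a careful reader would by hovering:
compare the domain named in the visible link text with the host the href
actually points to, and list tiny images that are typically tracking pixels.

Added example, not code from the original post.  SAMPLE_HTML is constructed
and its domains are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample: one link whose text names a bank while the href goes
# elsewhere, one harmless link, and a 1x1 tracking image.
SAMPLE_HTML = """
<html><body>
<p>Dear customer, please confirm your account:</p>
<a href="http://login.example-attacker.test/verify">https://www.example-bank.test/account</a>
<p>Our newsletter: <a href="https://news.example-bank.test/latest">read more</a></p>
<img src="http://track.example-mailer.test/pixel.gif?id=123" width="1" height="1">
</body></html>
"""

# A domain-looking token in link text, with or without a scheme.
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for anchors and (src, width, height) for images."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.images = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href = a["href"]
            self._text = []
        elif tag == "img":
            self.images.append((a.get("src", ""), a.get("width"), a.get("height")))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude 'last two labels' approximation of the registrable domain.
    Real code would consult the Public Suffix List (co.uk etc.)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def suspicious_links(html):
    """Return (href, text) pairs where the text names a domain but the href's
    host belongs to a different registrable domain."""
    parser = LinkExtractor()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        match = DOMAIN_RE.search(text)
        if not match:
            continue  # text such as "read more" makes no claim about a domain
        claimed = registrable(match.group(1))
        actual = registrable(urlparse(href).hostname or "")
        if claimed != actual:
            flagged.append((href, text))
    return flagged


def tracking_pixels(html):
    """Return the src of every image declared as 1x1, the classic tracking image."""
    parser = LinkExtractor()
    parser.feed(html)
    return [src for src, w, h in parser.images if w == "1" and h == "1"]


if __name__ == "__main__":
    for href, text in suspicious_links(SAMPLE_HTML):
        print(f"link text says {text!r} but goes to {href}")
    for src in tracking_pixels(SAMPLE_HTML):
        print(f"tracking image: {src}")
```

A link whose text is plain words ("read more") is deliberately not flagged: it makes no claim about where it goes, so only hovering tells you, and that is the case the post warns about.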

Why is this relevant to us as developers and producers of interactive media? I think we need to think carefully about how our clients communicate when using emails to contact their customers, especially if they are asking for information. Our clients are not all banks (or PayPal) so the chances of a scammer sending out emails purporting to be from our clients are slim ... but do their emails always seem to be clearly from them?

Let me give an example. You may use a third party to manage a mailing list for a newsletter. Have you checked to see how those emails actually arrive? The 'Reply-To' header may show your domain but the real sender address will be the third-party company's. The unsubscribe links may be to the third-party company. All this is completely above board and I only mention it because there are genuine instances where some of the basic sanity checks on scam emails will fail with the genuine article. To ameliorate this you could be up front about it and say that your mailing list is handled by another company, which will explain the different email domain.
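The header sanity check the post describes, and the way a genuine third-party list service trips it, looks like this when written down. This is an added example, not code from the original post; both messages are constructed and their domains are placeholders.

```python
"""Compare the From: domain of a message with the other sender-related headers
(Return-Path, Reply-To, List-Unsubscribe) and report where they differ.

Added example, not code from the original post.  Both messages below are
constructed; every domain is a placeholder.  A mismatch is a prompt to look
closer, not proof of fraud: the NEWSLETTER message is the legitimate
third-party mailing-list case the post describes.
"""
import email
from email.utils import parseaddr
from urllib.parse import urlparse
import re

# Constructed: a newsletter sent on the client's behalf by a list service.
NEWSLETTER = """\
Return-Path: <bounce-42@mailer.example-listservice.test>
From: Example Shop <news@example-shop.test>
Reply-To: news@example-shop.test
List-Unsubscribe: <https://unsub.example-listservice.test/u/42>
Subject: Our November newsletter

Hello...
"""

# Constructed: a message where every sender header agrees with From:.
DIRECT = """\
Return-Path: <support@example-shop.test>
From: Example Shop <support@example-shop.test>
Reply-To: support@example-shop.test
Subject: Your order

Hello...
"""


def domain_of_address(value):
    """Domain part of an address such as 'Name <user@host>' or 'user@host'."""
    addr = parseaddr(value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None


def domains_in_list_unsubscribe(value):
    """List-Unsubscribe carries one or more <mailto:...> or <https://...> URIs."""
    found = set()
    for uri in re.findall(r"<([^>]+)>", value or ""):
        if uri.startswith("mailto:"):
            d = domain_of_address(uri[len("mailto:"):].split("?")[0])
        else:
            d = (urlparse(uri).hostname or "").lower() or None
        if d:
            found.add(d)
    return found


def header_mismatches(raw):
    """Return (from_domain, findings) where findings maps each header whose
    domain differs from the From: domain to that differing domain."""
    msg = email.message_from_string(raw)
    from_domain = domain_of_address(msg.get("From"))
    findings = {}
    for header in ("Return-Path", "Reply-To"):
        d = domain_of_address(msg.get(header))
        if d and d != from_domain:
            findings[header] = d
    others = {d for d in domains_in_list_unsubscribe(msg.get("List-Unsubscribe"))
              if d != from_domain}
    if others:
        findings["List-Unsubscribe"] = sorted(others)
    return from_domain, findings


if __name__ == "__main__":
    for name, raw in (("newsletter", NEWSLETTER), ("direct", DIRECT)):
        from_domain, findings = header_mismatches(raw)
        print(f"{name}: From domain {from_domain}, mismatches {findings or 'none'}")
```

Run against the newsletter, the check reports that the bounce address and the unsubscribe link belong to the list service rather than the shop: exactly what a recipient would see, and exactly why telling customers up front who sends your newsletter is worthwhile.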

PayPal and eBay have a good technique. They always address you by name whereas phishing emails tend to start 'Dear customer' or even 'Dear friend'. The UK National Savings will send you an email telling you that you need to log onto your online account and read a new message: not particularly friendly but very safe. It's useful to see what other organisations do to help keep their customers safe online. Definitely something that's well worth doing and, coincidentally, good for business.