Phishing is an increasing and serious problem. Luckily, consumers and even some tools are getting better at identifying and deleting phishing messages. Unluckily, many legitimate messages get thrown away because they look too much like phishing messages. TRUSTe and Ernst & Young recently published a white paper on "How Not to Look Like a Phish". Here are a few thoughts that can help you keep your messages from looking too much like a phish:

  • Don’t request personal information from customers via a hyperlink in an email. If you need information (such as an updated address), tell the customer to go to your company’s website and log in. Don’t provide a "convenient" link.
  • Personalize the email whenever possible. This proves that you know your customer’s name. For example, use "Dear John" instead of "Dear Sir".
  • Don’t get your customers in the habit of linking through someone else to get to you. For example, if you are going to provide a link in the email, it should look like www.yourdomain.com, not www.somebodyelse.com?redirect=www.yourdomain.com. Never use the IP address in the link. http://208.109.181.210 will still take you to rossander.org, but readers can’t be expected to know that or to recognize when the address has been tampered with.
  • Be very cautious about using "click here" links. You may think they read better, but customers should rightly be suspicious of any attempt to obscure the destination of a link. Written-out addresses are better.
  • Use simple and intuitive domain names and directory paths. The longer the address, the easier it is to hide a spoofed component and the harder it is for your customers to spot the falsification.
  • Proofread and spell-check all your communications. While more phishers are improving their English, many users still rightly assume that a grammar or spelling mistake is evidence of a possible phish by someone whose native language is not English.
  • Avoid messages with an urgent, threatening or time-sensitive tone. (I had an example in here but it made this message look too much like a phish and got blocked. Don’t say anything about passwords and account cancellation.)
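The link rules above (no third-party redirects, no raw IP addresses, no "click here" text, a written-out address that matches the real destination) can be checked mechanically before a message goes out. The following is an added example, not code from the white paper or from TRUSTe; it assumes a hypothetical sender domain `yourdomain.com`, the `192.0.2.10` address and the sample message are constructed, and it lints the links in an outbound HTML email against those rules:

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

OUR_DOMAIN = "yourdomain.com"  # hypothetical sender domain; any other host is "someone else"
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

class _LinkCollector(HTMLParser):
    # Collect (href, visible text) for every <a> in the message body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _split(url):
    """(hostname, query) of a URL, tolerating a missing scheme such as 'www.x.com/a'."""
    u = urlparse(url if "://" in url else "http://" + url)
    return (u.hostname or "").lower(), u.query

def lint_email_links(html, our_domain=OUR_DOMAIN):
    """Return [(href, reason)] for each link that breaks one of the rules above."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host, query = _split(href)
        if IP_RE.match(host):
            findings.append((href, "raw IP address instead of a domain name"))
        elif host != our_domain and not host.endswith("." + our_domain):
            findings.append((href, "link goes through someone else's domain"))
        if any(v.startswith(("http", "www.")) for vs in parse_qs(query).values() for v in vs):
            findings.append((href, "redirect parameter carries another address"))
        if text.lower() in {"click here", "here", "login", "log in"}:
            findings.append((href, "'click here' text hides the destination"))
        elif text.startswith(("http", "www.")) and _split(text)[0] != host:
            findings.append((href, "visible address differs from real destination"))
    return findings

# Constructed sample: a redirect-through-a-third-party link, a raw-IP link, and a clean link.
SAMPLE_HTML = ('<p>Dear John, please <a href="http://www.somebodyelse.com?redirect=www.yourdomain.com">click here</a> '
               'or visit <a href="http://192.0.2.10/account">www.yourdomain.com/account</a> '
               'or <a href="https://www.yourdomain.com/account">www.yourdomain.com/account</a>.</p>')
```

Running `lint_email_links(SAMPLE_HTML)` reports five findings on the first two links and none on the clean one.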

For the full report, go to truste.org.
