Tip: Don’t use URLs as your link text
As a Campaign Monitor customer, you are probably well aware of phishing - attempting to steal private or sensitive information by enticing people to click a link to your fraudulent website. What you might not know is that some email clients have phishing detection built in.
Normally that's a fantastic feature for protecting people, but it can also catch legitimate emails, including those sent from Campaign Monitor. Here's the deal:
The problem
One of the ways phishing is detected is comparing the actual href URL to what is shown to the reader of the email. When you import your email into Campaign Monitor, we take all your links, and convert them to a Campaign Monitor URL, so we can track who clicked them, report on it, and send them on to your original destination.
So your original HTML might be
<a href="http://www.abcwidgets.com">http://www.abcwidgets.com</a>
but once you have imported it, it will look something like
<a href="http://abcwidgets.create...com/t/y/l/dijkdh/l/t">http://www.abcwidgets.com</a>
It is the mismatch between the link text (which is http://www.abcwidgets.com) and the actual href URL that phishing software can pick up on, and then trigger alerts.
The simple solution
You'll just want to make sure to stay away from using URLs as the visible link text in your campaigns, and in templates you create for your clients. Use the website name instead, as in
<a href="http://www.abcwidgets.com">The ABC Widgets website</a>
That way there is no mismatch, and no security issues. It's very simple to avoid, once you know about the problem.
Posted in: Tips & Resources
Comments for this entry are closed.
Browse the Blog
- Behind the Scenes (28)
- Interviews & Buzz (132)
- New Features & Updates (229)
- Observations & Answers (210)
- Release Notes (1)
- Tips & Resources (478)
Explore the Email Gallery
- All designs
- One column (368)
- Two column (221)
- Three column (33)
- Announcement (126)
- Newsletter (445)
- Invitation (37)
@herron_bird That’s totally awesome - thank you for checking out worldview! :D ^RH
Follow us on Twitter-
Single-click testing
See screenshots of your email in 20+ email clients and check against spam filters.
-
Create a free account
Sign up, kick the tires and start sending in less than 60 seconds.
-
Free templates
Over 30 professionally designed email templates tested in all major email clients.
About • Our Book • Contact • API • Anti-spam Policy • Terms of Use • Privacy Policy
Follow us on Twitter 
Become a fan on FacebookProud founders of the Email Standards Project and supporters of the design community.
21 Comments
Richard Pearce
March 19, 2009 2:57pm
Have you tested to see what happens in a plain text campaign?
David Greiner
March 19, 2009 3:32pm
Hi Richard,
We don’t allow link tracking for plain text campaigns, so this is only an issue in HTML emails.
Jeph Kryzak
March 20, 2009 12:21am
I know Gmail does this. What other mail services do we know that does this?
The major drawback to this, according to my CM reports, is that people click links that say “www…” far more (~60%) than “Event Title.”
Frances Dugan
March 20, 2009 12:52am
good to know - thanks for the info!
Jake Holman
March 20, 2009 9:42pm
This is brilliant advice, seriously. When your email is marked as a Phishing Email, you can be sure people won’t do anything other than delete it.
@Jeph - Hotmail, Web Exchange, Yahoo do this to my knowledge. As well as most Anti-Virus, Firewalls & Anti-Phishing. Also, it’s ~60% higher only because the call to actions on other links isn’t obvious enough. If a link isn’t obvious enough, don’t send the email.
Pete Prodoehl
March 25, 2009 9:02pm
From a branding perspective, this makes me sad… as we commonly use http://www.NameOfBusiness.com where “NameOfBusiness” is the link text, which helps build awareness of the URL, and is available if the email is printed out. Do you know if it will still be marked as a phishing attempt if the email address it comes from is in the address book of the receiver?
george
April 8, 2009 1:33am
It is unfortunate, we also use it.
But what if the the link is to the same domain only to different page on the site? for example http://www.example.com?tracking=01 and the link text “www.example.com” would that still be a problem is some clients?
Jonathan
April 8, 2009 1:48am
This is perfectly logical, but regrettable.
Campaign Monitor could offer a workaround. Don’t burn the heretic, but you could allow us to tag a URL as non-trackable, which would then not be converted by CM. Sure, no click stats, but these are probably for generic links in an address block or the like. It would be up to us to choose. Change the link text and track, leave it and risk being phishicated, or sacrifice the tracking.
Happy Tuesday.
Chris McMahon
April 8, 2009 1:56am
I second Jonathan’s suggestion
Version-X
April 8, 2009 3:08am
As a simple alternative way to get the actual URL in there you could always do a graphical button with the http://www.yoursite.com in it.
Matthew
April 8, 2009 3:53am
Jonathan, Chris, you can indeed do this. Add cm_dontconvertlink to your links. And cm_dontimportimage works for img tags.
Simon
April 8, 2009 4:28am
What about http://www.WebsiteURL.com as the text inside the A tags? (Without the http:// prefix) Will this also cause the same problem?
Derek Harris
April 8, 2009 8:13am
This is not specific to Campaign Monitor as many ESPs will change the URL to allow for link tracking. I have worked for a number of ESPs over the years and this issue has come up, but it has never been as prevalent as in the last year or so. Emailers will need to adapt, just like we had to adapt to the new MS Outlook and CSS changes.
Idea Man
April 8, 2009 12:02pm
Would URLs as link text be flagged as a phishing link if tracking was done via a subdomain that points to CM…?
Mathew Patterson
April 8, 2009 1:33pm
As far as we have seen, having the http part in, or not in the rendered text doesn’t make any difference, it will still be flagged, so better to avoid it.
As Matthew mentioned above, you can turn off link tracking for individual links - see http://help.campaignmonitor.com/topic.aspx?t=83 for details. That will avoid the issue at the cost of losing tracking.
Harish
April 8, 2009 3:01pm
Hi,
I like this website very much. There are lots of informations that a designer needs to be.
Hey guys, do you have another such kind of websites that is beneficial for a web designer. Please send me the URLs at .(JavaScript must be enabled to view this email address)
I shall be really thankful to you all. Hope I will get lots of good URLs from you all soon.
Thanks,
Harish
Simon
April 9, 2009 4:53am
My comment above automatically inserted http://
If you didn’t use the protocol prefix, would there still be a problem?
George
April 9, 2009 8:35pm
My solution: create a redirect from your domain to CM tracking url which then redirects back to your website URL.
So url will be http://www.example.com/email.php?number=1
Link text can be http://www.example.com
The redirection script will then point to your tracking url.
Michael Wickler
April 10, 2009 7:34am
Matthew, can you be more specific?
When you say: “Add cm_dontconvertlink to your links. And cm_dontimportimage works for img tags.”
How do you add these to your tags? Are they IDs, classes, something else?
Michael Wickler
April 10, 2009 8:05am
Ah, I found my answer. Add cm_dontconvertlink to the link tag as a stand-alone item (not an id/class/etc.) which is then removed during the send, leaving an untracked/clean URL. This is a nice quick solution when it’s crucial to have display text match the URL, as long as you can live without the tracking. Otherwise George’s solution seems good.
PamelaLYNC
May 24, 2009 2:22am
I love it! That is way cool man! The steps weren’t that complicated too, which is great.