Issue #023

Link triggers are dangerous

I think I've changed my mind about one of my favourite email marketing features: link triggers.

A link trigger is a link that you include in your emails that allows subscribers to change something about their segmentation with a single click. For example, "Click here to opt-out of this promotion" or "Which of the following best represents what you do..."

When the subscriber clicks the link, the underlying email service provider (e.g. ConvertKit, in my case) changes something about the subscriber – i.e. adds a tag, updates a custom field – and then redirects them on, usually to some sort of confirmation page.

When a click isn't a click...

Bad actors have increasingly made email marketing more difficult for those of us using it for good.

You've probably heard of phishing campaigns.

These are innocent-looking emails that appear to come from a big bank and ask you to do something like log in to your account and verify something.

Unfortunately, these emails are sometimes opened by unsuspecting people who happen to do business with said big bank, and they click over to the website to log in using their usual credentials...

Except that website isn't the bank's website, but a copycat website that's designed to just listen and store whatever login details are submitted. Then the spammers take what they've collected, log in to the real bank with it, and wreak havoc.

Internet service providers, email hosts, and security middleware have responded by automatically following links in emails to see if they lead to a nefarious website. If they do, the email is trashed / bounced / ends up in spam. If the links are safe, it isn't.

The problem is that a computer is "clicking" those links before the intended recipient sees them. And those links might not lead to fake banks at all; one of them might be that link you included in your email that segments people out of your upcoming sale!

Could email marketing platforms mitigate this? Somewhat.

For obvious reasons, major email marketing platforms and the systems they deliver to (Gmail, Outlook, etc.) are pretty hush-hush about how they use or react to bots.

So most of us end up figuring out the hard way that something is... not quite right.

Here are a few things I suspect some email marketing platforms are doing, or that could help scrub out bots:

  • If the email is delivered and link(s) are clicked soon afterward, it might be a bot... until you realise that there are some people who are just quick at skimming and clicking 😕

  • Optimistically assume that the right user agent is being passed (i.e. "BingAgent" or whatever) and send it on to the page the link trigger goes to but don't actually run any actions. But good bots impersonate things like Chrome or Safari.

  • Assume that no one clicks that fast on multiple links in a single email. If the same source is responsible for clicking the same links across potentially even multiple inboxes, the email platform could register that and maybe even roll back any segmentation actions that might have occurred.
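The three signals above can be combined into a score, so that a weak signal such as a fast click does not block a real reader on its own. This is an added example, not any platform's actual logic; the thresholds, weights, user-agent substrings and the click log are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAST = timedelta(seconds=10)     # assumed "too soon after delivery" window
BURST = timedelta(seconds=5)     # assumed window for multi-link / multi-inbox bursts
SCANNER_UA = ("scanner", "bot")  # hypothetical substrings of self-declared scanners
THRESHOLD = 3                    # score at which the segmentation action is held

T0 = datetime(2024, 1, 1, 9, 0, 0)  # delivery time for every constructed row

def _c(sub, link, ip, ua, secs):
    return {"sub": sub, "link": link, "ip": ip, "ua": ua,
            "delivered": T0, "clicked": T0 + timedelta(seconds=secs)}

# Constructed sample click log (documentation IP ranges, made-up subscribers).
CLICKS = [
    _c("ann@example.com", "/t/optout",   "203.0.113.7",  "Mozilla/5.0 Chrome/120", 2),
    _c("ann@example.com", "/t/role-dev", "203.0.113.7",  "Mozilla/5.0 Chrome/120", 2),
    _c("bob@example.com", "/t/optout",   "203.0.113.7",  "Mozilla/5.0 Chrome/120", 3),
    _c("cat@example.com", "/t/role-dev", "198.51.100.4", "Mozilla/5.0 Safari/17", 2520),
    _c("dan@example.com", "/t/optout",   "198.51.100.9", "ExampleLinkScanner/1.0", 300),
    _c("eve@example.com", "/t/role-dev", "192.0.2.55",   "Mozilla/5.0 Firefox/121", 8),
]

def score_clicks(clicks):
    """Return (subscriber, link, score, held) for every click."""
    by_ip, by_sub = defaultdict(list), defaultdict(list)
    for c in clicks:
        by_ip[c["ip"]].append(c)
        by_sub[c["sub"]].append(c)
    results = []
    for c in clicks:
        near = [o for o in clicks if abs(o["clicked"] - c["clicked"]) <= BURST]
        score = 0
        if c["clicked"] - c["delivered"] <= FAST:
            score += 1  # weak: some people really do click this quickly
        if any(s in c["ua"].lower() for s in SCANNER_UA):
            score += 3  # honest scanners only; impersonators look like a browser
        if len({o["sub"] for o in near if o["ip"] == c["ip"]}) > 1:
            score += 2  # one source clicking for several inboxes
        if len({o["link"] for o in near if o["sub"] == c["sub"]}) > 1:
            score += 2  # several links in one email at once
        results.append((c["sub"], c["link"], score, score >= THRESHOLD))
    return results

def held_subscribers(clicks):
    """Subscribers whose trigger actions should be held for review, not applied."""
    return sorted({sub for sub, _, _, held in score_clicks(clicks) if held})
```

On the constructed log, the fast but otherwise ordinary click from eve@example.com scores 1 and is applied, while the shared-source burst and the self-declared scanner are held.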

Let's just say I'm glad I'm not in charge of figuring this stuff out!

It's a giant game of cat-and-mouse, and it doesn't look like there will be a winner anytime soon.

M3AAWG is an organisation that's working to combat spam and whose membership includes all the major email service providers, ISPs, etc.

Here's their mission statement:

The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) is where the industry comes together to work against botnets, malware, spam, viruses, DoS attacks and other online exploitation. We are the largest global industry association, with more than 200 members worldwide, bringing together all the stakeholders in the online community in a confidential, open forum. We develop cooperative approaches for fighting online abuse.

Founded in 2004, M3AAWG is a technology-neutral, non-political working body. We systematically focus on operational issues of Internet abuse including technology, industry collaboration and public policy. Our membership includes Internet Service Providers (ISPs), telecomm companies, Email Service Providers (ESP), social networking companies, leading hardware and software vendors, major brands, major antivirus vendors and numerous security vendors.

It's a bit sobering, but here's what M3AAWG has to say about what to do about NHI (non-human interactions) in their report titled "Exploring the Impact of Nonhuman Interactions on Email Send Metrics":

There is no definitive guide to mitigating this problem. The data presented in this document do not cover 100% of NHI, but only interactions that could be identified as such. While a number of signals can help identify these NHI, there is currently no definitive way to accurately remove them without adverse effects.

What can YOU do to not fall victim to false clicks?

Fortunately, there's a workaround.

The workaround is to not use link triggers, but to instead do all that segmentation on a web page rather than via a link click.

The beauty of link triggers is that they're easy for the subscriber – there's no need to re-enter their email address or muck around with forms. The same should be true with how you capture this segmentation information on a web page.
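A sketch of that pattern, as an added example rather than code from RightMessage, SmartSubscriber or any email platform: the emailed link carries a signed token so the subscriber never re-enters their address, a GET only renders a confirmation page, and the tag is applied only when the page's form is POSTed. The `handle` function, the in-memory `TAGS` store and the demo key are hypothetical, and the design assumes link scanners fetch URLs but do not submit forms.

```python
import hashlib
import hmac
from html import escape

SECRET = b"constructed-demo-key"  # placeholder; a real key belongs in a secret store
TAGS = {}                         # stand-in for the platform's subscriber tag store

def sign(subscriber_id, tag):
    """Token embedded in the emailed link; binds the subscriber to one tag."""
    msg = f"{subscriber_id}:{tag}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def handle(method, subscriber_id, tag, token):
    """Return (status, body). Only a POST changes segmentation."""
    expected = sign(subscriber_id, tag)
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return 403, "invalid link"
    if method in ("GET", "HEAD"):
        # Safe methods: show a one-button confirmation page, change nothing.
        form = ('<form method="post">'
                f'<input type="hidden" name="token" value="{escape(token)}">'
                f'<button>Confirm: {escape(tag)}</button></form>')
        return 200, form
    if method == "POST":
        TAGS.setdefault(subscriber_id, set()).add(tag)
        return 303, "/thanks"  # redirect on to the confirmation page
    return 405, "method not allowed"

def tags_for(subscriber_id):
    """Current tags for a subscriber (empty set if none were applied)."""
    return set(TAGS.get(subscriber_id, set()))
```

A scanner that follows the link gets the confirmation page and leaves the subscriber's tags untouched; the reader still needs only one extra click.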

Option #1: RightMessage

I use RightMessage for my website forms / list building, but also to segment new and existing subscribers.

I have a general "manage your segmentation" page where I allow people to change their underlying segmentation, but I've also used RM to set up quick and easy landing pages that do the same thing as a list of link triggers ("Choose one of the following...") – and, unlike with link triggers, I can wire up a series of questions + answers rather than just collecting one bit of info at a time.

Option #2: SmartSubscriber

SmartSubscriber, like RightMessage, automatically pulls in segmentation data you have about a subscriber and gives your readers the ability to self-update any of it.

It's a new platform, but it's very focused. RightMessage wasn't designed to do profile update pages (though it can), whereas SmartSubscriber focuses on exactly that.

Where it might make sense to use RightMessage over SmartSubscriber is when you have situational, campaign-based preferences you want to set, i.e. if you want someone to click a link that goes to a specialised landing page and give you their industry and their job role, rather than driving them to a dedicated profile page that has that information along with a bunch of other stuff.

(Funny enough, both of these platforms are developed by the same person: Shai Schechter. He also happens to work with me at the company we both co-founded, RightMessage 😀)

How serious is this problem?

I'm not quite sure, to be honest.

This is one of those things that crops up when a subscriber emails you asking why they weren't sent the promotion for your latest thing, or why you're suddenly personalising their emails in a way that just seems... off.

But it absolutely is happening, and fortunately it is mitigable – even if it means abandoning one of my favourite built-in features that come with most email marketing platforms 😢

Has this bitten you in a way that's affected your business? I'd love to hear more to include in a future follow-up article.

I'm going to keep looking into this, along with reaching out to my contacts who work in email deliverability at major ESPs, and I'll get back to you when I find out more.