Spymail, or email containing hidden tracking, enables senders to secretly collect metadata about if, when, where, and how recipients engage with tracked emails. As more people find ways to take advantage of this information, individuals and businesses face new risks. To better understand these risks, we outline in this article the three main use cases for spymail.
Bulk Marketing Campaigns
Spymail originated as a tool for marketers looking to measure the effectiveness of email campaigns. Marketers use tools such as Constant Contact and MailChimp to deliver marketing emails to large customer lists at once. Beyond automating email sends, these tools can track recipient engagement stats to help marketers improve messaging and targeting. For instance, Constant Contact shows the number of emails opened, links clicked, and devices used for each email campaign, enabling users to run A/B tests to discover the best-performing marketing copy, demographic targeting and other campaign variables.
Sales soon followed marketing in adopting email tracking to help prospect and close deals. As sales relies on one-on-one communications, sales automation tools emerged to provide more agility and features on top of the same tracking capability used in bulk marketing.
Yesware provides one of these tools. Yesware’s real-time activity feed helps reps identify the most interested customers and schedule perfectly timed follow-ups. This explains the seemingly uncanny ability of some sales reps to hit you with a follow-up email or call just when you revisit a prior email chain to pull up the proposal they sent weeks ago: they didn’t get lucky; they got an alert that you reengaged with their emails.
Targeted Information Gathering
Taken one step further, it’s easy to see how anyone can use individually targeted email metadata collection for personal gain. In fact, there are free tools that make it simple for senders to gather the same sensitive information Constant Contact and Yesware offer without the sales and marketing bells and whistles. For example, GetNotify allows users to simply sign up on its website and add ‘getnotify.com’ to the end of outbound email addresses to track them. So, say you want to find out whether Bob is really traveling to Boston as he claims: you simply send him an email with ‘getnotify.com’ added to the end of his address. Bob will not see getnotify.com in the email, but the moment he opens it, his physical location will be reported to the original sender based on his IP address.
This third bucket of spymail poses the highest risk to recipients because metadata leaks can unexpectedly cause greater damage. Within sales, the loss of email metadata is only likely to lead to more persistent contacts or perhaps worse pricing, which is bounded by the size of the purchase at hand. But outside of sales, the loss of email metadata can be much more consequential and is more likely to come as a surprise. For instance, an attorney could send the unsuspecting opposing counsel a spymail, which might then be forwarded on to confidential clients or secret witnesses, thus inadvertently revealing their identities.
Spymail may have started out as a mass marketing and sales tool, but it is increasingly being used to obtain information about individuals in everyday business or legal transactions. It’s also important to note that the fundamental tracking technology behind these tools is similar. Someone can deploy a paid mass marketing tracking tool to gather information about a single user just as they can with a free individual targeting tool. This means that all spymail tools can put recipients at risk, so organizations should disable tracking for all inbound emails to protect their employees’ privacy and sensitive company data from loss.
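One way to disable open tracking on inbound mail, shown as an added example that is not from the original article or from any vendor named in it. It assumes the open is reported when the mail client fetches an image from the sender's server, so it cuts every network-loaded image tag out of an HTML body and leaves embedded (cid: and data:) images alone; the function names, sample body and hosts are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class RemoteImageFinder(HTMLParser):
    """Records where each network-loaded <img> start tag sits in the body."""

    def __init__(self, body):
        super().__init__()
        # Index of the first character of each line, to map getpos() to an offset.
        self.line_starts = [0] + [i + 1 for i, ch in enumerate(body) if ch == "\n"]
        self.hits = []  # (start, end, host, kind)

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        # Browsers honour the first duplicate attribute, so let the first one win.
        a = {k: v or "" for k, v in reversed(attrs)}
        try:
            url = urlsplit(a.get("src", "").strip())
            host = url.netloc
            # http(s) and scheme-relative (//host/...) sources are fetched over the network.
            remote = url.scheme in ("http", "https") or (not url.scheme and bool(host))
        except ValueError:  # unparsable URL: treat as remote rather than let it through
            host, remote = "?", True
        if not remote:
            return
        style = a.get("style", "").replace(" ", "").lower()
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        kind = "hidden pixel" if tiny or "display:none" in style else "remote image"
        line, col = self.getpos()  # position of the tag's opening '<'
        start = self.line_starts[line - 1] + col
        self.hits.append((start, start + len(self.get_starttag_text()), host, kind))

def strip_remote_images(body):
    """Return (sanitized_body, findings); the rest of the body is left byte-for-byte."""
    finder = RemoteImageFinder(body)
    finder.feed(body)
    finder.close()
    out, pos = [], 0
    for start, end, _, _ in finder.hits:
        out.append(body[pos:start])
        pos = end
    out.append(body[pos:])
    return "".join(out), [(host, kind) for _, _, host, kind in finder.hits]

# Constructed sample body; track.example and cdn.example are placeholder hosts.
SAMPLE = ('Hi Bob,<br>\n<img src="https://track.example/o.gif?id=123" width="1" height="1">\n'
          '<img src="cid:logo@local" alt="logo">\n'
          '<p>See the <img src="//cdn.example/banner.png" alt=""> proposal.</p>')
```

This covers image-based open tracking only; rewritten links used for click tracking and remotely loaded stylesheets need separate handling.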