When Email Tracking Goes Wrong — And What to Look For
Simply opening an email, benign or malicious, can divulge a surprising amount of data about the recipient: when the email was opened, the device used, and the recipient's location. Clicking on a redirected link can reveal even more. As email tracking technology becomes more prevalent, it can be misused in ways that compromise individuals’ privacy and put sensitive information into the hands of cybercriminals.
A recent article from the Electronic Frontier Foundation (EFF) calls upon organizations to be more conservative and security-conscious in how they gather and retain information through email tracking, and offers tips for protecting end users.
Common Email Tracking Techniques
Email tracking has long been a useful and legitimate tool, but now it’s being misused by spammers, phishers, and just plain nosy people. Free, user-friendly tracking software may also be contributing to this widespread data harvesting.
While tracking tools and methods are numerous and always evolving, the most common types are tracking pixels (also known as web beacons) and link tracking. A tracking pixel is a practically invisible, 1x1 pixel image that downloads from the web when an HTML email is opened; the details of this download (time, IP address, etc.) are then gathered by the email tracking software.
Link tracking, also called “link shimming,” is “the practice of obfuscating URLs in emails for tracking purposes,” according to the EFF. Additional code is added to the beginning and end of a web address the user wants to reach, redirecting the link through another URL and gathering additional contextual data.
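To make the two techniques concrete, here is an added example (not from the EFF article or any tracking product) of a small audit that flags 1x1 remote images, resources fetched over cleartext HTTP, and links that carry their real destination inside a query parameter. The sample message and all host names are constructed placeholders, and the function and class names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl


class TrackerAudit(HTMLParser):
    """Collects likely tracking pixels and shimmed links from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            self._check_img(a)
        elif tag == "a" and a.get("href"):
            self._check_link(a["href"])

    def _check_img(self, a):
        src = a.get("src") or ""
        url = urlsplit(src)
        if url.scheme not in ("http", "https"):
            return  # cid:/data: images are embedded, so nothing is fetched
        if a.get("width") in ("0", "1") and a.get("height") in ("0", "1"):
            self.findings.append(("pixel", src))
        if url.scheme == "http":
            self.findings.append(("cleartext", src))

    def _check_link(self, href):
        url = urlsplit(href)
        if url.scheme == "http":
            self.findings.append(("cleartext", href))
        # A shimmed link carries the real destination as a query parameter value.
        for _, value in parse_qsl(url.query):
            dest = urlsplit(value)
            if dest.scheme in ("http", "https") and dest.netloc != url.netloc:
                self.findings.append(("shim", f"{url.netloc} -> {dest.netloc}"))


def audit(html):
    parser = TrackerAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample body; every host below is a placeholder.
SAMPLE = """<p>Spring sale!</p>
<img src="http://t.mailer.test/o.gif?rid=1234" width="1" height="1">
<img src="cid:logo@local" width="120" height="40">
<a href="https://click.mailer.test/r?u=https%3A%2F%2Fshop.example%2Fsale&amp;rid=1234">Shop</a>
<a href="https://shop.example/help">Help</a>"""
```

The size check is only a heuristic: any remote image fetch tells the sender the message was opened, whatever its dimensions.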
Security and Privacy Concerns
Many organizations use email tracking responsibly and securely, in ways that benefit the sender and the recipient. But like any technology, tracking can be used improperly, and even with malicious intent. “Bad email tracking is ubiquitous, secretive, pervasive, and leaky,” according to the EFF article. “It can expose sensitive information to third parties and sometimes even others on your network.” The EFF researchers found that much of the data gathered by tracking pixels and links is transmitted over unsecure, unencrypted HTTP (that is, not HTTPS), exposing personal information to attackers.
More concerning is that spammers and phishers can use tracking to verify that an email address is active, and to identify susceptible individuals. Unfortunately, large numbers of working adults around the globe still lack awareness of fundamental cybersecurity issues such as phishing, ransomware, and malware, as we found in our 2018 User Risk Report, and tracking could help reveal these vulnerabilities.
An article from Wired suggests that a growing number of tracked emails are being sent by individuals: from friends and spouses to business partners and competitors. As an individual, do you really want these people to know when — and potentially where — you’re checking your email? On an organizational level, there’s also the risk of revealing an employee’s whereabouts and work habits — for example, accidentally exposing information about a confidential business meeting to a competitor. Scammers and other cybercriminals can also use a person’s schedule and location details to create targeted attacks such as spear phishing.
Furthermore, much of this tracking is surreptitious; Wired notes that “billions of emails are sent every day to millions of people who have never consented in any way to be tracked, but are being tracked nonetheless.”
Tips for Protecting End Users’ Privacy
The risks from malicious and poorly secured email tracking can be mitigated through security awareness training about good email hygiene practices, as well as software tools. Consider teaching your end users about the following security measures (which are useful both at work and within personal email accounts):
Blocking Image/Resource Downloading
Email clients can be configured to prevent images from loading when a message is opened. “Blocking third-party resources limits the ability of email senders to track when you read or open emails,” suggests the EFF. “If you need to view images in a particular email, you can selectively turn on this feature for that particular email, but be aware that this allows email-open trackers to work.”
Turning off HTML Email
A more extreme tactic is to opt for plain-text emails only, an approach that prevents tracking codes from being hidden in HTML. This change could result in a less usable and aesthetically appealing email experience for the average user, but some experts claim the security gains are worth it.
As computer science researchers Sergey Bratus and Anna Shubina wrote in The Conversation, “Returning email to its origins in plain text may seem radical, but it provides radically better security. Even the federal government’s top cybersecurity experts have come to the startling, but important, conclusion that any person, organization or government serious about web security should return to plain-text email.”
Avoiding Clicking Links
Best practices for avoiding phishing links also help to curb link tracking. URL wrapping technology that helps detect and block malicious links is very beneficial in the workplace, but personal accounts are also targeted. Security-aware users should be taught to hover over (or “mouse over”) a URL to examine the actual destination address, which can help reveal a hidden redirect and/or tracking code. For the best security, advise users to take a manual approach by keying known, trusted addresses into their web browsers rather than clicking links within emails.
Using Anti-Tracking Software
Although these tools are not foolproof, both the EFF article and Wired suggest using some of the many services designed to block tracking pixels in email and disable third-party cookies in browsers. We suggest taking a proactive stance; review some of the options out there and offer your advice to users about the best option(s) available to them.
Though we utilize tracking on our external email communications (like most others do), we follow best practices to protect recipients’ privacy, including the use of HTTPS, inclusion of unmasked links, and adherence to all email regulations (such as CASL, GDPR, and anti-spam laws).