The 3 most common use cases for Spymail

By Amy Margrave

Spymail, or email containing hidden tracking, enables senders to secretly collect metadata about if, when, where, and how recipients engage with tracked emails. As more people find ways to take advantage of this information, individuals and businesses face new risks. To better understand these risks, we outline in this article the three main use cases for spymail.

Bulk Marketing Campaigns

Spymail originated as a tool for marketers looking to measure the effectiveness of email campaigns. Marketers use tools such as Constant Contact and MailChimp to deliver marketing emails to large customer lists at once. Beyond automating email sends, these tools offer the ability to track recipient engagement stats to help marketers improve messaging and targeting. For instance, Constant Contact shows the number of emails opened, links clicked, and devices used for each email campaign, enabling users to run A/B tests to discover the best-performing marketing copy, demographic targeting and other campaign variables.

These marketers are not trying to measure each individual recipient’s email behavior; instead, they want to evaluate the effectiveness of the overall campaign. So, even though Constant Contact embeds each email with a unique tracking code to build data for the overall campaign, individual users are masked by thousands or millions of other users, partially protecting their privacy. More importantly, companies generally ask email recipients to accept their privacy policy when they sign up for an email list that contains hidden tracking. Therefore, bulk marketing campaigns usually pose the lowest relative level of privacy and data security risk to recipients.

Client Prospecting

Sales soon followed marketing in adopting email tracking to help prospect and close deals. As sales relies on one-on-one communications, sales automation tools emerged to provide more agility and features on top of the same tracking capability used in bulk marketing.

Yesware provides one of these tools. Yesware’s real-time activity feed helps reps identify the most interested customers and schedule perfectly timed follow-ups. This explains the seemingly uncanny ability of some sales reps to hit you with a follow-up email or call just when you revisit a prior email chain to pull up the proposal they sent weeks ago: they didn’t get lucky; they got an alert that you reengaged with their emails.

Yesware and similar tools therefore pose higher risks than bulk marketing: while marketers collect aggregate data to improve email campaigns sent to groups of recipients, sales reps use recipient data to target individuals. What’s more, there is no privacy policy, so end users have no idea that their email activities are being spied on. Beyond the nuisance of more sales calls or emails, spymail for sales can also be a threat: in contract negotiations, any information can lead to an upper hand. Just envision a multi-bid scenario where one vendor knows precisely how receptive the buyer is to their emails: how often the pricing quote was opened, the last time a reference material was read, and to how many people the final proposal was internally forwarded. These are powerful data that can let the vendor know if it’s on the short list of finalists or not, and how many concessions it may be willing to make to win a deal.

Targeted Information Gathering

Taken one step further, it’s easy to see how anyone can use individually targeted email metadata collection for personal gain. In fact, there are free tools that make it simple for senders to gather the same sensitive information Constant Contact and Yesware offer without the sales and marketing bells and whistles. For example, GetNotify allows users to simply sign up on their website and add ‘getnotify.com’ to the end of outbound email addresses to track them. Say you want to find out whether Bob at bob@example.com is really traveling to Boston as he claims to be: you simply send an email to bob@example.com.getnotify.com. Bob will not see getnotify.com in the email, but the moment he opens it, his physical location will be reported to the original sender based on his IP address.

This third bucket of spymail poses the highest risk to recipients because metadata leaks can unexpectedly cause greater damage. Within sales, the loss of email metadata is only likely to lead to more persistent contacts or perhaps worse pricing, which is bounded by the size of the purchase at hand. But outside of sales, the loss of email metadata can be much more consequential and is more likely to come as a surprise. For instance, an attorney could send the unsuspecting opposing counsel a spymail, which might then be forwarded on to confidential clients or secret witnesses, thus inadvertently revealing their identities.

Spymail may have started out as a mass marketing and sales tool, but it is increasingly being used to obtain information about individuals in everyday business or legal transactions. It’s also important to note that the fundamental tracking technology behind all of these tools is similar. Someone can deploy a paid mass marketing tracking tool to gather information about one single user just as they can with a free individual targeting tool. This means that all spymail tools can put recipients at risk, so organizations should disable tracking for all inbound emails to protect their employees’ privacy and sensitive company data from loss.
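One way to act on that recommendation at a mail gateway, shown as an added example that is not MessageControl's code or part of the original article: rewrite each inbound HTML body so no image is fetched from a remote server when the message is opened, and report which of the removed images were hidden. It assumes the tracking is carried by remote images loaded on open, which the article does not specify; the function names, placeholder text, and sample message are constructed for illustration.

```python
import re
from email import message_from_string, policy

IMG_TAG = re.compile(r"<img\b[^>]*>", re.I)
ATTR = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
REMOTE = re.compile(r"\s*(https?:)?//", re.I)

# Constructed sample: one embedded logo, one ordinary remote image, one hidden beacon.
SAMPLE = """\
From: vendor@example.net
To: bob@example.com
Subject: Proposal
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Proposal attached.</p>
<img src="cid:logo@example.net" alt="logo">
<img src="https://img.example.net/banner.png" width="600" height="80">
<img src="https://track.example.net/o?id=CONSTRUCTED-TOKEN" width="1" height="1">
</body></html>
"""

def _attrs(tag):
    """Parse the attributes of one <img> tag into a lowercase-keyed dict."""
    return {m.group(1).lower(): next(g for g in m.groups()[1:] if g is not None)
            for m in ATTR.finditer(tag)}

def _looks_hidden(a):
    """Heuristic: a 0/1-pixel dimension or CSS that hides the image."""
    tiny = any(a.get(k, "").strip().lower() in ("0", "1", "0px", "1px")
               for k in ("width", "height"))
    style = a.get("style", "").replace(" ", "").lower()
    return tiny or "display:none" in style or "visibility:hidden" in style

def neutralize_remote_images(raw_message):
    """Return (html_without_remote_images, [(url, 'hidden'|'visible'), ...])."""
    msg = message_from_string(raw_message, policy=policy.default)
    part = msg.get_body(preferencelist=("html",))
    if part is None:                   # no HTML body to rewrite
        return None, []
    findings = []
    def swap(match):
        a = _attrs(match.group(0))
        src = a.get("src", "")
        if not REMOTE.match(src):
            return match.group(0)      # cid:/data: images trigger no network request
        findings.append((src, "hidden" if _looks_hidden(a) else "visible"))
        return '<img alt="[remote image blocked]">'
    return IMG_TAG.sub(swap, part.get_content()), findings
```

Visible remote images are blocked as well as hidden ones, because any image fetched from the sender's server reports the open regardless of its size.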

About the author

Amy is the Director of Finance & Accounting at MailControl. Prior to joining MailControl, she worked in corporate FP&A and public accounting.