December 13, 2017

Email Year in Review: 2017


Can you believe it? The year 2017 is coming to a close and what a year it has been in the email ecosystem. Email’s staying power continues to flex its muscles as a dynamic channel that can adapt to the ever-changing landscape of digital marketing. This past year saw many changes, trends, and announcements that will help shape the industry moving into the New Year. Let’s relive together the most important moments and highlights in email.
 

1. Data Breaches, Phishing, and Email Security

Large companies made headlines in 2017, falling victim to cyber attacks and data breaches that compromised millions of customer records. Many of these cyber attacks were the result of phishing or spoofing techniques that use various methods designed to trick the recipient into giving up his or her personal information. Phishing emails and malicious attachments are still the main causes of data breaches, with 91% of all cyber attacks originating from a phishing email.

From May through July 2017, Equifax, one of the three main credit organizations in the United States, suffered a data breach that impacted as many as 143 million consumers in the US. Cybercriminals gained access to names, social security numbers, credit card numbers, and other personally identifying data from the breach. The attack was traced to a simple software flaw that the attackers exploited. To make matters worse, Equifax customer support referred those potentially impacted to a phishing knock-off site instead of their own informational site about the breach.

Not to be outdone, Uber disclosed in November that hackers stole the personal information of 57 million drivers and riders, including phone numbers, email addresses, driver’s license numbers, and names. The attack actually took place in 2016, but was concealed for more than a year and included a $100,000 ransom payment to the attackers. Hackers are leveraging the stolen personal information, including names and email addresses, to target and personalize phishing emails in an attempt to gather login information or trick victims into downloading malicious payloads.

Google Docs was exploited by a phishing scam in May that resulted in more than 1 million Gmail users being compromised. At less than 0.1% of Gmail’s active users, the impact wasn’t large, but it goes to show that even the most tech-savvy companies in the world fall victim to phishing emails and struggle with data security.

Yahoo, which was acquired by Verizon in 2016, clarified in October 2017 that in fact all 3 billion of its accounts were hacked in a 2013 cyber attack, tripling its earlier estimate of the size. Hackers were able to use a ‘spear phishing’ email to gain access to a Yahoo employee’s credentials and break into the company’s systems. Yahoo remains the largest data breach of the 21st century that we are aware of.

Silver lining? Email authentication and security standards, like DMARC, made strides this past year in fighting back against the email phishing that serves as the vehicle for many data breaches. This past October, the Department of Homeland Security announced it is requiring federal agencies to implement DMARC on their sending domains within 90 days. Furthermore, the number of ISPs that support DMARC has grown significantly over the past year, with 4.8 billion inboxes now supporting DMARC, representing 76 percent of the current global email accounts.
 


“Widespread adoption by the USG will be viewed by other governments and large businesses as a positive signal of the value of DMARC in protecting against BEC/EAC scams and other prevalent email-borne attacks. If they were sitting on the fence, the outcomes experienced by these organizations should help push those considering adoption towards getting started with a monitor-only policy.”


Paul Midgen
250ok Advisor and co-author of the original DMARC specification.

 
Alexander García-Tobar, CEO and co-founder, ValiMail, said, “In 2017, email authentication via the DMARC standard moved into the broader marketing consciousness. 2018 is the year DMARC at enforcement becomes the focus – the ability to stop impersonation attacks (phish), improve deliverability, and protect your brand. It brings together CISOs and CMOs for a common cause.”
 

2. Email Privacy and Harassment

While not a new topic, email harassment and invasion of privacy tactics grew in importance this past year. Privacy is a right that humans feel strongly about, and their email inboxes are no different. An email address, in a lot of ways, is your digital identity. It’s how you keep in touch, what you use for accessing sites, and it’s how you are known. The following are highlights of events that put email privacy and your data in jeopardy.

List bombing or subscription bombing, a cybercriminal tactic that leverages bots to create mailing list subscription requests at rates over 1000 per minute, shook the email industry in late 2016 and into 2017. This tactic presented a unique problem to ESPs, marketers, and anti-spam vendors alike, as it allowed cybercriminals to create an email DDoS-style attack to harass individuals. Unique attacks such as these create a sense of collaboration across ISPs, abuse desks, security vendors, and ESPs to share ideas and tactics aimed at combating abusers and staying one step ahead.
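From the defending ESP's side, the list bombing described above shows up as one address landing on many unrelated lists within seconds. The sketch below is an added example, not code from 250ok or any vendor named here; the log layout, the 60-second window and the 20-list threshold are illustrative assumptions, and the events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_events():
    """Constructed sign-up log: (time, list id, address submitted to the form)."""
    t0 = datetime(2017, 1, 10, 9, 0, 0)
    events = []
    # One address pushed onto 40 different lists in under 30 seconds.
    for i in range(40):
        addr = "victim@example.com" if i % 2 else "Victim@Example.com"
        events.append((t0 + timedelta(seconds=0.75 * i), f"list-{i}", addr))
    # Ordinary behaviour: a few sign-ups spread over an hour.
    for i in range(3):
        events.append((t0 + timedelta(minutes=20 * i), f"news-{i}", "alice@example.org"))
    # Many lists, but one per day: high total, never a burst.
    for i in range(25):
        events.append((t0 + timedelta(days=i), f"shop-{i}", "bob@example.net"))
    return events


def detect_list_bombing(events, window=timedelta(seconds=60), min_lists=20):
    """Return {address: peak count of distinct lists joined within one window}
    for every address whose peak reaches min_lists (thresholds are assumptions)."""
    recent = defaultdict(deque)  # address -> (time, list id) still inside the window
    peak = defaultdict(int)
    for ts, list_id, address in sorted(events):
        key = address.strip().lower()  # forms receive mixed-case input
        q = recent[key]
        q.append((ts, list_id))
        while ts - q[0][0] > window:  # drop sign-ups older than the window
            q.popleft()
        peak[key] = max(peak[key], len({lst for _, lst in q}))
    return {addr: n for addr, n in peak.items() if n >= min_lists}


if __name__ == "__main__":
    for addr, n in detect_list_bombing(build_sample_events()).items():
        print(f"{addr}: {n} distinct lists inside one 60-second window")
```

Counting distinct lists per address, rather than total requests, is what separates the burst from a subscriber who has joined many lists over time.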

Encryption of email in transit has also risen in importance this past year, primarily as email providers adopt TLS, or Transport Layer Security. TLS encrypts an email in transit, making it harder for others to read what you are sending. According to Google, inbound email encryption into their networks at the end of November 2017 rose to 90%, compared to just 63% at the beginning of 2016. This is a great sign that more marketers and senders are encrypting email while in transit to their customers to protect their privacy. Google also announced in June of 2017 it would stop scanning inboxes of Gmail’s free user mailbox service for ad personalization.

Unroll.me made news in April as it was accused of selling personal email data to the ride-hailing service Uber. Unroll.me, a popular webmail plug-in app for managing unsubscribes, reportedly sold personal information to Uber about when its users were switching to Lyft via recipients in their personal email inboxes. What made customers furious was the dubious manner in which Unroll.me was scraping information out of emails and selling personal info to 3rd parties. There are other providers that offer similar services, but the lesson learned here is to ensure trust and transparency in the terms and conditions when granting access to such vendors.

“Allowing 3rd parties to access inboxes isn’t simply a matter of privacy. Nearly all modern online services use an email address to identify users and as a way to confirm account ownership and access permissions. Getting access to the inbox opens up access to dozens of other accounts,” said email veteran Laura Atkins, co-founder of Word to the Wise. “Unroll.me used their access to monetize their userbase by selling information without notifying users it was doing so. It’s not out of the question for hackers and criminals to create their own set of ‘mailbox improvement tools’ and use the access granted by users to compromise bank, health care, and other accounts containing PII. It’s the next generation of phishing and users need to be more suspicious of online tools, particularly those that ask for direct access to email accounts.”
 

3. Global Email and Privacy Laws

Many countries and governing bodies around the globe took steps to update digital communication laws and governance this past year. Marketers, especially those in Europe, are gearing up for new changes to the General Data Protection Regulation (GDPR) rules that go into effect in May 2018. This legislation applies to all EU businesses that handle personal data and increases the definition and accountability of clear, unambiguous consent.

Over in Canada, the government announced it was suspending the provision known as the private right of action, a part of Canada’s Anti-Spam Legislation (CASL). The provision would have allowed consumers to sue any company that sent email that violated this law. July 1st, 2017 marked the final rollout of CASL and the end of the transition period for implied consent. 2017 saw the first fine levied against a small business owner, William Rapanos, to the tune of $15k. Total fines issued for infringement of CASL since 2014 come to more than $1.5MM.

“We also saw the first Constitutional challenge of CASL fall in favor of the regulators, and the Private Right of Action put on hold for the foreseeable future,” said Matthew Vernhout, 250ok’s Director of Privacy and Industry Relations. “Looking ahead to 2018, we expect to see the review committee and the Ministers recommend changes, if any, to the legislation.”

Here in the US, the FTC is currently reviewing CAN-SPAM, the United States law that regulates commercial mail. Enacted in 2003, CAN-SPAM is in need of a review as the digital landscape has dramatically changed over the past 14 years. This past June, the FTC opened a request for comment on ‘the efficiency, cost, benefits, and regulatory impacts of the rule’. Numerous email vendors, anti-spam groups, and advocates submitted comments to the FTC before the August 31, 2017, deadline.

Finally, some good news for anti-spam advocates everywhere. This past April saw the arrest of one of the world’s more notorious email spammers, Peter Levashov, who was listed #7 on Spamhaus’s World’s Worst Spammers list. Peter was arrested in Spain while on vacation, under an international warrant.
 

4. Industry Acquisitions, Consolidations, and Changes

For deliverability and marketers alike, this past year kept us on our toes with numerous acquisitions and changes impacting the ISP and email vendor landscape.

We saw Verizon finalize its acquisition of Yahoo for $4.4B on June 13th, 2017, creating a new subsidiary called Oath that includes brand assets from AOL and Yahoo. The sale price was slashed by more than $350MM following Yahoo’s additional disclosure of the impact and details of its data breaches during 2013-14. As a result, Verizon’s mail system began to shut down and transition @verizon.net email addresses over to AOL’s mail service. Verizon began notifying customers in February 2017, providing options to retain their @verizon.net email address, and AOL announced the cut-over date for MX records would be June 20th, 2017.

On the ISP side, many email domains were discontinued in 2017: British broadband provider EE, which owned numerous domains, most notably Orange.net; Terra’s mail service, retired on June 30th, 2017; and Vodafone NZ, which announced its email service would shut down on November 30th, 2017. Time Warner Cable also announced that Road Runner’s FBL was deactivated in mid-October.

2017 also saw email platforms & security vendors announce exciting changes. This past April, Experian PLC announced it would sell 75% of its cross-channel and email marketing line of business to Vector Capital, which has rebranded this cross-channel marketing business into Cheetah Digital. In November, Proofpoint acquired Cloudmark in a move that bolsters its position in the email data and security space.

We also witnessed an exciting email tech IPO with SendGrid, which was listed on the NYSE on November 15th, raising $131 million during its first day on the market. “SendGrid’s market opportunity is approximately $11 billion today, and we believe we have a long-term growth opportunity to build our business and doing so as a public company gives us a great opportunity to execute our vision,” said Yancey Spruill, CFO, SendGrid.
 

5. Email Channel Staying Power and Deliverability

With the advancement of digital communication through social media, push messaging, mobile apps, and video chat, email remains the most important communication channel for marketers across generations. That says a lot for a digital marketing channel that is over 40 years old. Email marketing and adoption grew 86% over the past two years, and the number of email users in the US is projected to grow to 244.5 million by the end of 2017. With returns on investment averaging $44 for every $1 spent, there is simply no denying email’s staying power over the years.

An email address has become one’s digital identity. It is the digital key to access accounts, apps, communication and so much more. With the world sending more email than ever before, deliverability and reputation remain vital in ensuring emails reach their intended customers’ inboxes. Inbox delivery remained a top concern for marketers during 2017, with 70% of marketers and brands struggling to have real-time information and data to make timely and informed decisions. 250ok offers a suite of deliverability and email analytics tools to help marketers drive world-class email performance.

2017 also saw a sharp move towards domain reputation for senders, predicated on the shift from IPv4 to IPv6. Leading ISPs, including Gmail, put great emphasis on domain reputation in deciding what mail lands in the inbox vs. what is bulked in the spam folder. Engagement, personalization, and mobile optimization remained consistent themes marketers emphasized in driving email conversion.
 

In Closing…

2017 was another busy year for the email industry. Email made headlines across the world for political reasons, cyber attacks on high-profile businesses, and abuse of personal privacy. Countries prepared for the digital marketing landscape of the future with new governance and legislation aimed at protecting subscribers and holding marketers accountable. Email platforms, security vendors, and ISPs continued to merge and consolidate across the industry while others discontinued domains and webmail service in what has become an ever-changing industry. Marketers continue to harness the power of the email channel and invest more in it to connect with their customers and drive revenue. To all the pundits out there, email is not dead, it is alive and well, and I look forward to another exciting year in email come 2018!

 

View Email Year in Review: 2017 infographic below.

Author: Anthony Chiulli

Anthony Chiulli embraces the role of trusted advisor with digital marketers to achieve optimal delivery and engagement for their marketing programs, with a focus on Deliverability. Anthony is a senior member of Salesforce Deliverability Services team and a board member of the eec Member Advisory Committee.
