How CASL could be a SpearPhisher’s Delight

For those readers in Canada, you may or may not know about CASL (Canada’s Anti-Spam Legislation – text in italic below are quotes from this site). CASL is a potential nightmare for business and non-profit orgs. CASL in short, applies to “Anyone who makes use of commercial electronic messages, is involved with the alteration of transmission data, or produces or installs computer programs.” If you run a business and turn a computer on in the morning, it will probably affect you. And it’s going to affect you soon. CASL goes into effect July 1, 2014.

I’m not going to go into the details of CASL (just read up in the link above), but the basics are as follows..

  • CASL applies to any CEM (commercial electronic message) which can be email, text, SMS, social media (Facebook, Twitter, LinkedIn etc)
  • To send a CEM to anyone in Canada after July 1 you must have their consent. Consent must be Opt-In
  • You must provide a physical address with each CEM
  • You must provide a simple and quick method to unsubscribe (remove consent)
  • Consent records must be kept specifying:
    • whether consent was obtained in writing or orally,
    • when it was obtained,
    • why it was obtained, and
    • the manner in which it was obtained.

There are also provisions affecting those who write programs and apps, as well as those who provide 3rd party management of end user data such as ad agencies, newsletter services (MailChimp etc).

Oh, and the penalties for non-compliance are up to $1,000,000 for individuals and $10,000,000 for corporations and non-profits, with director liability thrown in for fun. And pending private damages rules coming into force in 2017. So ya. Fun, fun, fun.

Now what does CASL have to do with Spearphishing (or phishing in general). It’s that consent thing. Companies are starting to send out email like the one below.


Expect your in-boxes to start filling up with these during the month of June because companies are just now figuring out that after July 1, you can’t get consent to send emails….by sending an email, because it would violate CASL. Nice.


Now as it happens, this is a perfectly legitimate email from a trade partner but does anyone see a problem with it?

It’s EXACTLY the kind of email we get from a phisher. A single button or link saying click me please. It’s a huge problem for those of us who have telling our users for years not to click links in email. Now your accounting, purchasing and sales departments are going to be receiving dozens of these and while most of them will be legitimate, not all of them will be. It’s guaranteed that there are phishers out there crafting convincing looking Opt-In consent email like the one above.

So what to do.

I’m sending out a policy update today to reiterate to users that they should not be clicking links in email. If they want to consent to further CEM communications with the sender, I’m having them visit the website directly (by typing in the URL).

I’m also knee deep in preparing our systems for July 1 which also includes setting up my own opt-in email will encourage users to visit our website. I suppose I’ll even put in a CONSENT button, because that will get greater opt-in than asking recipients to go to a website. What a nightmare. Thanks GoC.