Solved

Phishing Link?

  • February 14, 2025
  • 7 replies
  • 44 views


Here’s an odd one that most likely isn’t an issue, but that folks should probably be aware of. We had an email recipient let us know that their “Unsubscribe” link was going to a creepy site that was trying to start a download. Upon clicking the link myself, it was indeed not the normal Unsubscribe page.

I was of course a little freaked out that we just unknowingly sent a phishing email to all of our subscribers! Luckily, digging through test emails, I couldn’t replicate the issue. Digging further, I discovered that the Unsubscribe link should have been: https://ctrk.klclick.com/xxxx. For this particular recipient, a period was removed: https://ctrkklclick.com/xxxxx. (Note: I went a little too far investigating this, but nothing was downloaded - still, click at your risk).

I have no clue when/where the period was removed; my guess is that it was on the recipient’s end. There were also no other links in the email affected (Klaviyo uses ctrk.klclick for all conversion tracking). But still wanted to put it out there as something to watch out for.

Best answer by retention

7 replies

zacfromson
Problem Solver III
  • 2025 Champion
  • 17 replies
  • February 14, 2025

Thanks for flagging this! I’d urge you to set up MFA using Google Authenticator as a way to keep your account secure and to avoid any hacking or phishing attempts. You can see how to do this here.


  • Author
  • Contributor II
  • 3 replies
  • February 14, 2025

Yes, I use MFA on just about everything that lets me, including Klaviyo. That said, I don’t believe this particular case is due to a hacked account. The issue is in the tracking URL that Klaviyo uses, and how close it is to a URL that seems to be a phishing site. To the best of my knowledge, I have no ability to change the URLs that Klaviyo uses.


Adunni
Active Contributor II
  • Active Contributor II
  • 21 replies
  • February 16, 2025

Hi @ogrsteve,

This is definitely concerning, and I appreciate you bringing awareness to it. The issue seems to be that the unsubscribe link was altered, possibly by the recipient's email client or another external factor. Since your test emails didn’t replicate the issue, it’s unlikely that Klaviyo sent out a corrupted link.

To prevent this from happening again:
Double-check your email templates to ensure all links are correctly formatted.
Ask the recipient if they forwarded the email or if any security tools modified the link.
Monitor other unsubscribe links in future emails to see if this was a one-time glitch.

If you want to ensure your emails are secure and error-free, I can help audit your setup and prevent any future issues. Let’s safeguard your email campaigns—reach out now!

Best,
Adunni


  • Author
  • Contributor II
  • 3 replies
  • February 18, 2025

While I do understand that “Take care of your account” is a fair answer, I would like to point out that it’s a little concerning that the URL that Klaviyo uses for ALL of their link tracking can be altered by a single period and go to what appears to be a phishing site. Anyone else concerned by this?


retention
Partner - Platinum
  • 2025 Champion
  • 938 replies
  • Answer
  • February 18, 2025

@ogrsteve I just read through this thread, I agree, this is a bit close to the source. It never ceases to amaze me the effort and ingenuity behind these fraudsters.

For what it’s worth, I’d also add here that you may want to consider branded dedicated click tracking to minimize this all together in the future from happening.

You can read up on that here:

Of course, I suppose, they could also buy a similar domain as your site and do the same things, but since the volume of just your recipients doesn’t compare to the default click tracking domain for most of Klaviyo’s merchants, it may not be worth the effort for the nefarious doers?
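Adunni’s suggestion to double-check the links in outgoing templates, and retention’s point that a look-alike domain (the default tracking host with its period dropped, or a near-copy of a branded domain) is the real risk, can both be turned into a routine pre-send check. The script below is an added example written for this thread, not Klaviyo’s code or anything from the posts; it takes the HTML of an outgoing email, extracts every http(s) link, and flags any hostname that is within one edit of an expected tracking host or equals that host with its dots removed. ctrk.klclick.com and the dropped-period variant ctrkklclick.com come from the thread; links.example-brand.com and the sample HTML are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Hosts this sender expects links to land on. ctrk.klclick.com is the Klaviyo
# click-tracking host named in the thread; links.example-brand.com stands in
# for an assumed branded tracking domain (placeholder, not a real setting).
EXPECTED_HOSTS = {"ctrk.klclick.com", "links.example-brand.com"}

HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)


def edit_distance(a, b):
    """Levenshtein distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                    # deletion
                           cur[j - 1] + 1,                 # insertion
                           prev[j - 1] + (ca != cb)))      # substitution
        prev = cur
    return prev[-1]


def classify_host(host):
    """'expected' for an allow-listed host, 'lookalike' for a near-miss of
    one (one edit away, or all periods removed), 'other' for anything else."""
    host = host.lower().rstrip(".")
    if host in EXPECTED_HOSTS:
        return "expected"
    for good in EXPECTED_HOSTS:
        if host == good.replace(".", "") or edit_distance(host, good) <= 1:
            return "lookalike"
    return "other"


def audit_links(html):
    """Return (url, verdict) for every http(s) link in an email body.
    mailto:, relative and template links carry no hostname and are skipped."""
    results = []
    for url in HREF_RE.findall(html):
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https") or not parsed.hostname:
            continue
        results.append((url, classify_host(parsed.hostname)))
    return results


def flagged(html):
    """Only the links that should block a send: look-alikes of a known host."""
    return [(url, verdict) for url, verdict in audit_links(html)
            if verdict == "lookalike"]


# Constructed sample email body; the second link is the dropped-period
# variant reported in the thread.
SAMPLE_HTML = """
<p><a href="https://ctrk.klclick.com/abc123">Shop now</a></p>
<p><a href="https://ctrkklclick.com/abc123">Unsubscribe</a></p>
<p><a href="https://www.example-brand.com/about">About us</a></p>
<p><a href="mailto:help@example-brand.com">Contact</a></p>
"""

if __name__ == "__main__":
    for url, verdict in audit_links(SAMPLE_HTML):
        print(f"{verdict:9s} {url}")
    print("flagged:", flagged(SAMPLE_HTML))
```

Ordinary site links such as www.example-brand.com come back as "other" rather than as alerts, so the check only fires on the typosquat case the thread describes; a subdomain of an expected host is also "other" here, and a team that uses several tracking subdomains should list each one in EXPECTED_HOSTS. Running this against test sends catches a corrupted template, but, as the original poster notes, it cannot catch a period dropped on the recipient’s side, which is why moving to a branded tracking domain that recipients recognise still matters.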


  • Author
  • Contributor II
  • 3 replies
  • February 18, 2025
retention wrote:

@ogrsteve I just read through this thread, I agree, this is a bit close to the source. It never ceases to amaze me the effort and ingenuity behind these fraudsters.

For what it’s worth, I’d also add here that you may want to consider branded dedicated click tracking to minimize this all together in the future from happening.

You can read up on that here:

Of course, I suppose, they could also buy a similar domain as your site and do the same things, but since the volume of just your recipients doesn’t compare to the default click tracking domain for most of Klaviyo’s merchants, it may not be worth the effort for the nefarious doers?

Yes!! That’s more the answer I was looking for. Too bad the forum automatically made what sounds like a Bot-post the “Best Answer”.


retention
Partner - Platinum
  • 2025 Champion
  • 938 replies
  • February 18, 2025

@ogrsteve Why thank you. I rarely do this, but I did FTFY the “best answers” choice - sometimes the bot answers are actually surprisingly good, although sometimes it does hallucinate an answer that doesn’t make sense or is just plain wrong (or obsolete). Glad you are still participating here as a human!