Dear sales representative who wants me to buy your company’s products,
If I’ve emailed you a link to this blog posting, it’s probably because you’ve sent me multiple unsolicited sales emails. Welcome to the club of vendors from whom I’m unlikely to ever purchase anything!
No unsolicited sales email I have ever received from a vendor has ever been welcome. Never. Not one.
Unsolicited sales emails are a scourge on the information security industry.
Here’s how I purchase information security products and services from vendors:
- Identify a need.
- Research which vendors offer products or services which meet that need.
- Contact potential vendors and start conversations with them.
- Evaluate the products, services, support, and pricing offered by the various vendors and select the one that is the best overall fit for our needs.
Notice that step 1 is, “Identify a need,” not, “Allow some vendor to convince me that there is a need which, not coincidentally, their products will address.”
Notice that step 3 is, “Contact potential vendors,” not, “Reply to unsolicited sales emails from vendors.”
This is how all competent information security professionals operate. If you know this, then I can only assume that your sales strategy is to target incompetent information security professionals. I prefer not to do business with vendors whose target demographic is incompetent people.
If I already know about your company and its products, then emailing me accomplishes nothing except to annoy me and waste my time.
If I am unable to find your company easily when I start Googling for potential vendors in step 3, then your marketing department is bad, and that’s probably reflective of the quality of your company in general, and therefore I am probably not going to want to buy anything from you.
I know I’m tilting at windmills here. The ship has sailed, the train has left the station, the horse has left the barn, etc. Unsolicited sales emails are probably here to stay, and anything I say or do is unlikely to change that. Heck, I know that even the companies I work for send unsolicited sales emails! I therefore tend to cut vendors some slack about sending me one — only one — unsolicited sales email. If you send me a second email when I didn’t respond to the first one, then the chance of my ever buying anything from your company drops precipitously.
If your first email ended up in my spam folder, then your second email is going to end up in my spam folder too, so you haven’t accomplished anything by emailing me again. You should know this.
If your first email didn’t end up in my spam folder, then I saw it and chose not to respond. If you email me again, then you’re saying that your desire to establish contact with me is more important than my desire for you not to waste my time. This does not increase my desire to do business with your company.
All of this goes double if I have purchased products from your company in a previous job. If you have a halfway decent CRM, you should already know that, so you should already know that I am aware of your company and its products and presumably will reach out when I have a need for them, which means emailing me out of the blue is an even more unjustified waste of my time. If your CRM doesn’t provide you with this information, then you’re bad at sales, and that’s probably reflective of the quality of your company in general, and therefore I am probably not going to want to buy anything from you.
All of this goes triple for phone calls.
A fairly typical information security professional with vendor decision-making authority
Pingback: Why you should not use RegScale – Something better to do
I hate spam as much as the next guy, but it’s pretty arrogant to claim you know everything. And that’s exactly what you’re doing when you say you must first identify a need. Sometimes there is a better way of doing things, but you’re unaware because you only know what you know and you’ve found a tedious or less than ideal workaround. Sometimes it takes someone else to point out a problem because you’re so close to it that you don’t even realize it’s a problem. And then to double down on the arrogance by saying anything other that what you’ve defined in your narrow view means that a vendor must only be targeting incompetence is just the icing on the cake. Check your ego, bud.
I’ve been exasperated by the number of unsolicited vendor emails I get, too. Found your blog post after trying to figure out how to deal with this.
My biggest pet peeves are :
(1) Follow-up emails. Bonus hate points if they’re automated. “Joe – checking in again. I know you’re busy but did you get my last message?”
(2) Tracking pixels. If you’re sending me a personal cold call, don’t put a tracking pixel on it. I will assume it’s spam the moment I see that Outlook has blocked remote images. You don’t have the right to know when or where I read your message so you can validate or resell it.
(3) People who don’t bother to understand what I do or scrape LinkedIn to populate fields. “Hi Joe, since you are Experienced Marketing Professional at Fortune 500 Subsidiary, have you considered your NFT strategy for 2022?”
I work for a really large company, and people should realize we have super-strong pre-filters that can block their emails across all 30,000+ users on our domain. I will not hesitate to submit their email to our cybersecurity team for consideration if they persist.
I have long-since concluded that replying is often futile, and it’s
better to instead report such junk mail to third-party spam reporting
and abuse clearing house services like Spamcop. This provides feedback
to junk mail filtering services to update their statistics and improve
their pattern-matching. In addition, this sometimes even gets the
attention and action of those who have actual motivation and desire to
fix the problem, the administrators of the originating mail servers, who
may not be aware of, let alone approve, this use.
Every once in a while, however, I get a reply back from someone who
claims to be the owner of a legitimate brick & mortar business, saying
that they meant no harm, that they were just trying to market and
advertise their products or services, and even claims that my address
was obtained from a “guaranteed 100% opt-in e-mail list” of sales
I am torn whether or not to reply to such messages. Is this really a
legitimate business caught up in a scam? Is this subterfuge by spammers
to determine my threat to them, possibly get my real e-mail address
versus an anonymized report from Spamcop, leading either to listwashing
(removing me so I can’t trouble them with future complaints) or more
malicious kinds of retaliation against me?
Guaranteed 100% opt-in e-mail address lists of sales prospects really
don’t exist, or really aren’t used in the indiscriminately targeted
manner that I typically see. If a legitimate business bought such a
thing, I wonder if it is my sad duty to tell them that they got ripped
off, and possibly became a party to an unlawful act in violation of
various pieces of anti-spam legislation.
Some of these e-mail addresses at which I have been targeted are purely
for administrative uses by various projects such as non-commercial hobby
web sites or on-line forums such as Usenet newsgroups. Often they have
“owner”, “request” or “master” in their mailbox names. They aren’t
completely secure, and can and probably will be indiscriminately
harvested for use by others for other than their intended purposes.
More to the point, they have never been submitted by me as an e-mail
address to establish a relationship with a business, nor have I given
direct or implied consent to sell that address to other parties.
Unless, of course, a third party fraudulently submitted it somewhere as
their own e-mail address as a revenge tactic (website maintainers and
on-line forum moderators can wind up attracting a very peculiar kind of
enemy that will resort to sometimes bizarre and quite passive-aggressive
revenge tactics). Even if so, best practices for e-mail address signup
should be to immediately reply to that e-mail address and request
submission of a confirmation code at that site to verify consent.
This blog posting is targeted specifically at sales people who use lead-generation databases like ZoomInfo and Apollo.io to find potential customers and make unsolicited contact with them. What I had in mind when I wrote this was not the more generic spammers whom I think you’ve described in your comment. I pretty much never respond to generic spammers who make it through my spam filter; their messages go straight into the spam filter to train it to do better in the future, and my spam filter setup also reports them automatically to SpamCop. I do not think the value of replying to generic spammers ever outweighs the risks, which you described, of doing so.