Here are the show notes for this podcast episode, "Emailexpert Inbox Intel," covering critical topics in email marketing and security:
Email Expert Insights: Navigating AI Threats, Legal Minefields, and Data Pitfalls
This episode of Email Expert Insights dives deep into the most critical challenges and groundbreaking developments shaping the email landscape today, from sophisticated AI-driven cyber threats to costly legal battles and the often-overlooked problem of dirty data.
I. New Class of AI-Driven Email Threats: The Google Gemini Exploit
• AI-Driven Phishing: Cybercriminals are now leveraging AI tools not just to generate attacks, but to weaponize the recipient's own inbox AI features. A new vulnerability in Gmail's Gemini summarization feature highlights this emerging threat.
• Prompt Injection Explained: This novel phishing technique bypasses traditional email defenses by exploiting Google Workspace's AI-powered summarizer, Gemini. It requires no links, no attachments, and no visible malicious content in the email body. Instead, it relies on "prompt injection," hidden invisibly within the email, often using techniques like hidden HTML/CSS styling, to manipulate the Gemini summary.
• Demonstrated Exploit: In a real-world example, the Gemini summary falsely warned, "Gemini has detected your Gmail password has been compromised, please call us immediately at [phone number]". This "carefully crafted hallucination" is a social engineering tactic designed to induce panic and an immediate response, allowing the malicious AI summary to deliver the attack.
• Shift in Attack Surface: This incident signals a significant shift where attackers are designing exploits that target how machines interpret email content, rather than how humans do. AI-generated UI elements like summaries, alerts, and previews are now attack surfaces in their own right.
• Mitigation and Future Outlook: Google has acknowledged the issue and is "hardening its protections against prompt injection attacks". For security teams, this calls for improved input sanitization in AI summarization engines, new heuristics to detect prompt injection attempts, and user education about the risk of relying on AI-generated summaries for security-related information. Legitimate senders should also maintain clarity and consistency in message formatting and monitor how their messages render in the inbox.
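As an added defensive example (not code from the episode, from Google, or from any product), the following Python sanitizer splits an HTML email into the text a human reader would see and the text concealed by HTML/CSS styling, so that only the visible part is handed to a summarizer and the hidden part is surfaced for review; the CSS heuristics and the sample email are constructed assumptions.

```python
# Added example: a pre-summarization filter that separates visually hidden
# HTML/CSS content from what the recipient actually sees. Heuristics and
# sample input are constructed assumptions, not a product's rules.
import re
from html.parser import HTMLParser

# Inline styles that make text invisible to a human reader (assumed list).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(px|pt|em)?\b"
    r"|opacity\s*:\s*0(\.0+)?\b|(?<![\w-])color\s*:\s*(#fff(fff)?|white)\b",
    re.IGNORECASE,
)
VOID_TAGS = {"br", "img", "meta", "link", "hr", "input"}

class HiddenTextFilter(HTMLParser):
    """Collects visible and hidden text separately (assumes well-nested HTML)."""
    def __init__(self):
        super().__init__()
        self.depth = 0                 # nesting depth inside a hidden element
        self.visible, self.hidden = [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        a = dict(attrs)
        is_hidden = ("hidden" in a or tag in ("script", "style")
                     or bool(HIDDEN_STYLE.search(a.get("style") or "")))
        if self.depth or is_hidden:    # everything nested in a hidden node is hidden
            self.depth += 1

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.depth:
            self.depth -= 1

    def handle_data(self, data):
        (self.hidden if self.depth else self.visible).append(data)

def sanitize_for_summary(html):
    """Return (visible_text, hidden_text); only visible_text should reach the summarizer."""
    p = HiddenTextFilter()
    p.feed(html)
    p.close()
    join = lambda parts: re.sub(r"\s+", " ", " ".join(parts)).strip()
    return join(p.visible), join(p.hidden)

# Constructed sample email: two visible paragraphs plus two concealed blocks.
SAMPLE_EMAIL = """<html><body>
<p>Hi Sam, your order #1234 has shipped.</p>
<div style="display:none">placeholder hidden instruction text</div>
<p style="color:#ffffff">white-on-white text</p>
<p>Thanks for shopping with us.</p>
</body></html>"""
```

A non-empty hidden part is the signal a summarization pipeline can act on, for example by refusing to summarize or by logging the message for review.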
II. Costly Legal Pitfalls in Email Marketing
• Nike Inc. Class Action Lawsuit: Nike is facing a proposed class action lawsuit in Washington state for using misleading subject lines that allegedly created a false sense of urgency. Examples include "Only a few hours left" or "Ends tonight," which implied imminent sale endings but promotions were reportedly extended or fabricated. The lawsuit claims violations of the Washington Commercial Electronic Mail Act (CEMA) and the Washington Consumer Protection Act.
• Crucial Legal Precedent - Brown v. Old Navy, LLC: This Nike case is significantly bolstered by a landmark Washington Supreme Court ruling in April 2025 in Brown v. Old Navy, LLC. This ruling broadly interpreted CEMA to impose a $500 statutory penalty on every commercial email containing false or misleading information in its subject line sent to Washington residents, without requiring proof of actual financial damages. The "injury is receiving the email that violates CEMA".
• Tim Hortons Class Action Lawsuit: A Quebec Superior Court judge authorized a class action lawsuit against Tim Hortons due to a "catastrophic email marketing error" in April 2024. Approximately 500,000 contest participants, including thousands in Quebec, falsely received emails stating they had won a $64,000 boat and trailer. Follow-up emails retracted the win, citing "technical issues".
• Quebec's Consumer Protection Act: The lawsuit argues that Quebec's Consumer Protection Act prevents companies from simply claiming "mistake" to void contractual agreements formed by contest win notifications.
• Lessons for Marketers: These cases highlight the importance of accuracy in subject lines