There’s a huge threat looming out there for businesses, and it often goes ignored. When it comes to cybersecurity, concern often turns to phishing and the human element. “Train your employees!” experts tell us again and again. “Then train them some more.” When it comes to email marketing, the worries are sales, conversions and staying one step ahead of your competitors.
But when you look at outbound phishing – that other half of the phishing equation that usually slides under the radar – it’s not your employees or your competition that’s at stake. It’s your customers, those long-term relationships that may continue for years – or may slip away over security fears. That mashup of a large-scale phishing attack and fake emails playing off your carefully cultivated image is where outbound phishing lies, and it can cause serious damage to a company, especially one that relies on e-commerce and email marketing.
“This is the biggest threat to the email program and to the online program, bigger than a direct competitor trying to win your top customers over. This is a bigger threat to your business as a brand owner, yet no one really focuses on it because they don’t see the direct impact,” said Ken Takahashi, general manager of anti-phishing solutions at Return Path.
Look at some of the cybercrime news coming into HackSurfer over the past two weeks: warnings to consumers to be on the lookout for emails from Expedia, from the Electronic Federal Tax Payment System, from Westminster Hotel. Of course they’re all fake, and they’re all designed to infect your system with malware.
What’s the Business Impact?
There are direct costs associated with such outbound phishing attempts. People question the email’s legitimacy, so call center support goes up and email support goes up, and maybe some customers fell for a phish and it led to a fraudulent charge. But it’s the indirect costs that can really add up. Customers may lose faith and become leery of your legitimate emails.
“Monday I send a legitimate campaign out that says, ‘Hey, buy my product,’ and I get my typical clicks, opens, conversions – everything that I normally see. And then on Tuesday there’s a phishing attack that’s hijacking my brand,” Takahashi said. “It’s bad enough the people that fall for it. That’s bad, but the people that don’t fall for it become very, very skeptical of emails that come from that brand. So what happens the Wednesday the next legitimate campaign goes out?”
Even before they get duped by an outside scam that springboards off a brand, consumers have little faith that companies will keep their information safe. Just today ThreatTrack Security released the results of a survey conducted by Opinion Matters: 75 percent of consumers are already concerned that their personally identifiable information would be compromised if a company was attacked. That means a full three-quarters of customers are pre-loaded with skepticism. Throw in an outbound phish using a brand, and it may be enough to turn them off of that company for good.
“Long term I think it is pretty simple. Cloudmark ran a study: 42 percent of people that fall victim to a phishing attack no longer trust that brand online,” Takahashi said. “So all the effort to move people online, cost savings, better customer experience, all that stuff is totally wiped out by one phishing attack.”
Who’s running this ship?
Last month David Knight, executive vice president of product management at Proofpoint, discussed a new trend called longlining. “This is an industrial-scale phishing attack,” Knight said, laying out examples his company had seen like the fake Walmart shipping campaign: two million messages using 20,000 IP addresses and 450 compromised sites with a whopping 14 percent click-through rate.
“The Walmart example that you mention, that is happening every day,” Takahashi said, adding that the focus often falls on the business employees getting phished, not the consumers who may be getting duped by criminals. “When you ask most security professionals about the phishing problem, they’re only thinking about their own network. They’re not thinking about their brand getting hijacked everywhere else. I think that’s confusion point number one. Confusion point number two, I believe, is because anything outside of their system is something they can’t see, feel or touch. If someone tries to breach their website, they own the website. They see the traffic. If someone tries to DDoS them, they see the repercussions of it, but if someone tries to phish their brand at consumer IPs around the world, their alarm systems don’t go off. But I’ll tell you what, their top line revenue is guaranteed to be impacted.”
Return Path is a founding member of DMARC (Domain-based Message Authentication, Reporting & Conformance), which is a group of organizations that came together in the spring of 2011 to collaborate on a method for combating fraudulent email. The goal is to make it easier to determine if messages are legitimate and to keep spam and phishing messages out of people’s inboxes. Takahashi said that if everything is set up correctly, they can proactively block 80-85 percent of those emails from ever reaching their destination. For the first time we have what he calls “phishing prevention.” Still, there’s a lot of confusion in most businesses, which he believes is due to a lack of communication:
“Everyone is starting to realize that the era of marketing and security not talking to each other is over. I typically talk to the marketing department saying, ‘Hey, are you worried about phishing?’ They’re like ‘Absolutely, yes, but I think my security team is working on it.’ And then you ask the same security department, ‘Are you worried about your brand being phished?’ and they say, ‘Well, we are, but until marketing tells us that it’s important, we have 50 other things to get done with a limited budget this year.’”
Businesses will never be able to completely stop phishing attacks. That much is obvious, but DMARC is a start. With so many brands paying careful attention to managing their image in this engage-your-audience world, criminals hijacking their brand should be one of their top worries.