Let's Make Security A Priority This Year
There was a lot of noise recently when comScore released data suggesting (again!) that email is on the wane in favor of mobile (which, um, is also email for many) and social networking (which runs on email). If you are about to click to another column because you think this one is going to be the usual "wait, wait, email isn't dead yet!" piece, it isn't. Keep reading.
I'd like to suggest that the real threat to email isn't coming from mobile devices or social networking or any other new technology. Instead, it's the lack of security in the email channel.
Phishing and spoofing are on the rise. The Anti-Phishing Working Group estimates that more than 30,000 unique phishing attacks are reported every month. What's most troubling is that phishing attacks are no longer confined to financial services and similar industries with direct access to consumers' financial information. Phishers are finding they can successfully impersonate nearly any trusted brand -- this includes retail, media, social networks and more. Data I've seen would indicate that if you've got a trusted brand, you're being spoofed and phished.
There are direct costs when criminals are successful in their attempts to phish consumers. Banks frequently repay customers. Customer service and security teams need to respond to phishing attacks. But I think the real, hidden cost is a decrease of trust in email. This is a big threat to the overall effectiveness of email for marketing, transactions, and customer service. And it's a threat that everyone in the email industry should pay attention to.
But wait a minute, you might be thinking, wasn't authentication supposed to fix this problem? It was, but it hasn't.
It's a classic chicken-and-egg problem. Authentication is hard -- and with unclear benefits, many senders have not implemented it. In fact, a review of authentication results data for a set of several hundred highly spoofed domains finds that only a little more than half of the IPs with Sender Scores over 80 had DKIM authentication. Sender Score is a measure we use to assess the overall reputation of an IP. Scores over 80 indicate overall great reputation metrics -- low complaints, a clean list, stable sending volumes. IPs sending spoofed messages have scores much less than 80 in most cases. For IPs with good reputations to be failing authentication at such a high rate indicates that even the best mailers struggle with authentication, even though they are being spoofed.
Because senders struggle, ISPs and other mailbox providers have been unsure how to handle the flood of unauthenticated and wrongly authenticated email that comes their way. If they block it all, they know that a lot of wanted email is going to go missing. But because they don't block it, there's no penalty for not authenticating, so senders continue to put it at the bottom of the tech to-do list.
The real loser in the equation, of course, is the email consumer, who has to wonder if the message he or she just received is real. Phishers' techniques are getting more and more sophisticated. I have seen highly trained security professionals fail at the "is it real or is it fake?" game. How is the average email recipient supposed to trust the emails they receive?
Coming back to the beginning of this column: the real threat to email. I believe that marketers and publishers need to pay a lot more attention to the security of the email channel. Actually, I think we all need to pay more attention to security of all digital channels. It's obvious that I don't think email is going anywhere, but the truth is that the channels that will supposedly displace email are just as vulnerable to attacks. Who reading this hasn't been enticed to "see who's viewing your profile!" on Facebook? Making security of all digital space a priority is necessary to be sure the free flow of ideas and commerce continues.