Worst Practices: Are You Ready For Phishing Season?
Three forces are converging next month to create this opportunity. First, consumers are more engaged with and receptive to email offers than at other times of the year, and unusually inclined to read and respond to marketing messages. Second, the surge in volume lowers subscribers’ scrutiny of suspicious messages: they simply have less time and more to read. And third, many mobile interfaces make it harder to tell marketers’ real messages from criminals’ fake ones. As more email is read on small screens, the appearance of a message is often inconsistent across platforms and sometimes choppy or broken, so what would be a red flag in a desktop environment looks relatively normal on mobile devices. Moreover, many email clients display only the senders’ “friendly from” address, not the actual sending domain, so a common trick for identifying phishing attempts – mousing over the address to confirm that the domain matches the sender – is unavailable to a record number of subscribers this year.
Say what you will about phishers, no one denies that they’re pragmatic and smart. They’ll be ready to take advantage of email’s first mobile holiday season. That makes 2013 a unique opportunity to test brands’ readiness to protect their subscribers and themselves from abuse. By the end of the year, we’ll know which organizations are prepared to identify and stop fraud and to educate their customers on how to protect themselves. We could also get a highly visible demonstration of big brands’ vulnerability to phishing attacks.
Brand Experiences Matter
I’ve actually heard marketers question whether this is a big deal. It is. Costs and impact estimates vary, but no matter how you quantify the damage from a phishing attack, retailers – all senders, really – are profoundly reliant on a consistently positive brand experience for their long-term survival and success. Being defrauded is a horrific brand experience, with serious retention and reputation implications.
This Problem is Fixable
Industry leaders including Google, Microsoft, and a host of other prominent companies have adopted and advanced the DMARC protocol to sharply reduce phishing and its effects. For those that have implemented it and publish quarantine or reject policies, DMARC is protecting millions of consumers and the brands they transact with from email fraud. New data analysis approaches are already showing the ability to fill gaps left by authentication-based solutions. Phishing is not a problem without a solution.
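The difference between merely publishing a DMARC record and publishing a quarantine or reject policy can be checked mechanically. The sketch below is an added example, not part of the original column: it classifies DMARC TXT records by enforcement level, using tag names from RFC 7489 and constructed sample domains and records.

```python
# Added example: tag names follow RFC 7489; every record below is constructed.

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not valid DMARC."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # The version tag must come first and must be exactly DMARC1.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if not sep:
            return None                       # tag without a value
        tags.setdefault(name.strip().lower(), value.strip())
    return tags if "p" in tags else None      # p is a required tag


def enforcement(txt):
    """Classify one record as 'none', 'monitor', 'partial' or 'enforced'."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "none"                         # receivers have no policy to apply
    if tags["p"].lower() not in ("quarantine", "reject"):
        return "monitor"                      # p=none: reports only, mail still delivered
    pct = tags.get("pct", "100")
    pct = int(pct) if pct.isdigit() else 100  # simplification: bad pct uses the default
    sub = tags.get("sp", tags["p"]).lower()   # sp defaults to the value of p
    if pct < 100 or sub not in ("quarantine", "reject"):
        return "partial"                      # some mail or subdomains not covered
    return "enforced"


def audit(records):
    """Map each domain to its enforcement level."""
    return {domain: enforcement(txt) for domain, txt in records.items()}


SAMPLES = {  # constructed TXT values as they would appear at _dmarc.<domain>
    "shop.example": "v=DMARC1; p=none; rua=mailto:dmarc@shop.example",
    "bank.example": "v=DMARC1; p=reject; rua=mailto:dmarc@bank.example",
    "news.example": "v=DMARC1; p=quarantine; pct=25",
    "deals.example": "v=DMARC1; p=reject; sp=none",
    "old.example": "v=spf1 include:_spf.example -all",
}

if __name__ == "__main__":
    for domain, level in audit(SAMPLES).items():
        print(f"{domain:15} {level}")
```

Only the "enforced" result corresponds to the quarantine or reject policies the paragraph above describes; "monitor" and "partial" records still let some unauthenticated mail through.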
Consumers Can Help
Educating consumers about how to recognize phishing messages is an effective way to blunt attacks and build trust. Showing subscribers (and non-subscribers visiting your site) what your real messages look like will help them avoid fakes. Monitoring the mailstream and communicating quickly when an attack is discovered can drastically reduce its effectiveness, too, preventing malware infections and possibly protecting your customers from data theft.
A number of top-tier marketers have already implemented these steps to protect their customers, businesses, and brands as the 2013 holiday phishing season approaches. They’re prepared. The rest should probably keep their fingers crossed for the next two months. When the dust, dollars, and DMARC reports have cleared in early 2014, we’ll revisit the data to see how marketers fared during this historic phishing season. Good luck.