
Think Fighting Email Fraud is Someone Else's Job? Here's the Real Cost of Doing Nothing

By Dennis Dayman, Chief Privacy and Security Officer at Return Path


Cyberattacks against your brand can be very damaging and costly to both your revenue and your reputation. Cyberattacks are more than someone breaking into your databases or systems and stealing data; the term also covers fraud and the hijacking of brands to steal customers’ personally identifiable information (PII).

Looking at the online fraud landscape today, there are threats like phishing, business email spoofing scams, and malware. While phishing has been around for more than 15 years and is effectively the “grandfather” of all scams, the methods are continuously evolving. Email is the most valuable marketing channel and also the least secure due to its aging infrastructure, making it an attractive target for data breaches. In fact, the IRS has stated that phishing attacks in non-financial industries increased by 400 percent during the 2016 tax season.


As an example, luxury brands have always had to fight against fraud, initially in the form of counterfeiters who set up stalls on street corners selling knock-off items. Over the past decade, luxury retailers have begun courting a broader audience and marketing to people who normally might not shop in high-end stores. Now it’s not their products that are being counterfeited but rather their brand and digital presence. These brands are engaged in an increasingly complex game of Whack-A-Mole as they try to crack down on the online version of those fly-by-night shops loaded with counterfeit products, as well as fraudulent emails designed to mimic their brand experience.

What we know is this: phishing and fraud are on the rise

In the first quarter of 2016, the Anti-Phishing Working Group (APWG) observed more phishing attacks than at any other time in history—and that phishing has real, direct costs. The average large company (defined as 10,000+ employees) spends $3.7 million annually to recover from phishing attacks, including lost productivity, customer service, and regulatory fines.

Mailbox providers are also changing the game. Google and Microsoft are taking action to crack down on companies that fail to follow best practices for email security. As of February 2016, Google has begun flagging emails that fail authentication by replacing company avatars with a red question mark, thereby removing the guesswork for their end users and protecting them from potentially malicious senders. Similarly, Microsoft now inserts a red safety notification at the top of known phishing messages and any message that fails authentication. When consumers see these warnings, studies show they are less likely to engage with both the individual email and the brand that sent it.

Mailbox providers themselves are also targets of email fraud, so many are implementing a reject policy on their own sending domains. By doing this, when someone sends a fraudulent email purporting to be from or to Gmail (@gmail) or Outlook (@outlook), they can reject the message without delivering it or notifying the sender.

So what will happen if marketers choose to ignore email spoofing of their brands?

We know that phishing damages engagement. Subscribers are less likely to trust a brand following a phishing attack. Reports show that when a brand’s email is negatively impacted by phishing, average read rates drop by up to 18 percentage points at Gmail and 11 percentage points at Yahoo.

We also know that phishing impacts deliverability. Following a phishing attack, mailbox providers are more likely to flag legitimate email as spam—not because their content filters are out to get legitimate senders, but because the only way to protect users from fraud is to aggressively block anything that looks like a phish. Research shows that when email is negatively impacted by phishing and fraud, average inbox placement rates drop by up to 10 percentage points at Gmail and 7 percentage points at Yahoo.

How can marketers join the fight against phishing? As guardians of the brand and owners of the email channel, it’s time for marketers to join the fight against email fraud. Doing so isn’t just about preventing a future attack—it’s about protecting the end user, the brand, and the ROI of your email program today. Here’s how you can get started:

First, authenticate your email. Your first line of defense should always be technology, not people. Ninety-seven percent of users around the globe can’t identify a sophisticated phishing message, so you can’t simply assume your customers will avoid engaging with fraudulent email. Authenticating your email will not only help block phishing attacks before they reach your customers’ inboxes but will also preserve the effectiveness of your legitimate campaigns.

Second, collaborate with your security team. Partnering with your security team to develop an email security strategy is essential and is not as tricky as you might think. Like their CMO colleagues, CIOs are increasingly concerned with keeping the customer happy. The CMO can only be successful when he partners with the CIO to protect the data, systems, and processes that define the company’s brand and business dealings in the marketplace.

Third, raise awareness with top executives. Investing in email fraud protection requires top-down buy-in, from executives to the guy in the mailroom. It’s an “all hands on deck” partnership. Creating a sense of urgency around this problem is an effective tactic to secure this buy-in. Communicate the risks of not taking action. Think about doing a series of short lunch-and-learn sessions that are recorded and available via your Intranet. It's a great way to communicate the message you want. Set up surprise phishing tests and spot checks to gauge your efforts, unearth vulnerabilities, and reinforce a culture of security companywide.

Last, educate your customers. The reality is, no matter how sophisticated email authentication protocols become, some bad email will always reach the inbox. Educating customers is a great way to mitigate the impact of those fraudulent messages. Create a customer education portal, or remind customers that you’ll never ask them for certain information over email.

Brands need to be aware of all threats to their brand and leverage every available tool to monitor, detect, and protect their organizations to gain a better understanding of the real risk of fraud. Fraud affects every part of your business, from the cost of goods and services to new customer acquisition. Stopping fraud can’t be an afterthought; it has to be the new model for how we deliver goods and services to a global electronic market that’s nothing short of the Wild West.
