It struck me after reading APWG’s latest report, “Global Phishing Survey 2H2011: Trends and Domain Name Use,” that the email industry has accomplished a lot in the fight against phishing, but there is a long battle ahead. Unfortunately, phishing is usually relegated to IT departments, or maybe a fraud or security division. Many folks in marketing don’t even know what is being done to combat phishing! But CMOs and email marketers need to make phishing a priority as well, to avoid the consequences to their brands and to the response rates of their email marketing programs. Let me explain.
According to APWG, phishing attacks targeting brands increased in the second half of 2011 with 23% more attacks compared to the first half of 2011. Phishing attacks targeting brands reached an all-time high in December of 2011 with 362 reported brand attacks. The most targeted industry sector continues to be financial services. However, retail industry attacks surpassed payment services, a once traditional mainstay of phishing. And there is no reason to think this trend is abating.
According to more recent data from the Kaspersky Lab Spam Report (May 2012), social networks and financial organizations together accounted for nearly 50% of all phishing attacks, with financial phishing emails holding a slight lead over social network attacks, by 0.08%. Is the shift away from banks toward social and retail phishing attacks a sign that attacks on banks are no longer effective?
To find out, I compared engagement rates from two popular, heavily spoofed brands: a bank and a social network. I looked at how many of the subscribers opened, forwarded, marked as spam, as well as how many phishing messages were marked as “not spam.” The results were surprising and troubling.
The good news is the read rates — the rate at which an ISP records an open (as opposed to marketers’ traditional metric of pixel tracking) — were healthy for the banking emails, with an average read rate of 24%. The bad news is the phishing emails saw levels of engagement that defied my expectations, with read rates of 7%. Even more surprising, the phishing emails had an average “this is Not Spam” rate of 3% compared to a “this is Spam” rate of 1%. Nearly 1% of the recipients also forwarded and replied to the phishing email.
While this is bad news for anyone in bank marketing, there is worse news in the social network read rates. The average read rate for the legitimate emails stood at 25%, while the phishing emails had a 19% read rate, making the phishing scams nearly as effective as the legitimate emails. The “this is not spam,” forward, and reply rates all came in at less than 1%. While this may seem good, the legitimate emails had similar rates, further confirming that phishing emails can perform on par with legitimate messages.
Bottom line: The average customer can’t tell when a message is spoofed. That means average consumers are getting phished, and they are getting phished by messages with major brands attached to them.
Combined with Cloudmark’s recent survey showing 44% of people have less trust in email security than they did a year ago, these findings offer an object lesson for every other brand that does business via email: Protect your brand and email channel, or risk losing consumer trust.
There are three things that all brands should do to preserve subscribers’ trust and to avoid a large-scale crisis of confidence in email:
1. Make phishing a marketing priority. I hear a similar response from most marketers about phishing: It’s an IT security problem. Based on the high levels of engagement with phishing from current and potential customers, it’s a mistake for marketers to ignore phishing and its impact on brand erosion and email marketing. Marketers should work together with IT security to protect their most valuable channel.
2. Authenticate ALL domains. The most common authentication mistake I see is overlooking certain domains and sending sources, such as corporate mail, CRM systems, and outsourced service emails like customer service notifications. Inventory every domain and IP address sending on behalf of your brand and update your SPF and DKIM records accordingly (and keep an eye on SPF’s limit of 10 DNS-lookup mechanisms as you add include: entries for vendors). Remember that DMARC also requires alignment: the domain that passes SPF or DKIM must match the domain in the visible From header, so a vendor signing with its own domain does not count unless it signs with yours.
3. Stop phishing with DMARC. DMARC, developed in coordination with Microsoft, Google, Return Path and others, publishes a policy that tells receiving ISPs what to do with mail that fails authentication and alignment for your domain. Publish your DMARC record in monitor mode (p=none) with a reporting address (rua=) first, and use the aggregate reports to verify that all of your legitimate email is authenticating before moving to p=quarantine and then p=reject. Reject mode should only be used when you’re certain that every legitimate source is passing authentication; otherwise your own email will be blocked.
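To make steps 2 and 3 concrete, the following added example (not code from the original post) evaluates a constructed sending inventory against constructed SPF and DMARC records and recommends how far the DMARC policy can safely be tightened. The domain names, IP ranges, vendor labels and the DNS “zone” dictionary are all assumptions standing in for real DNS lookups; the SPF evaluator handles only the ip4, ip6, include and all mechanisms, which is enough to show how an overlooked outsourced sender shows up as a DMARC failure.

```python
"""Readiness check before tightening a DMARC policy (added example).

The ZONE dict stands in for live DNS TXT lookups and SOURCES for the brand's
sending inventory; both are constructed for illustration.
"""
import ipaddress

# Constructed DNS TXT records (example only; no network access).
ZONE = {
    "example-bank.test": "v=spf1 ip4:203.0.113.0/24 include:_spf.crm-vendor.test -all",
    "_spf.crm-vendor.test": "v=spf1 ip4:198.51.100.10 ip6:2001:db8:10::/48 -all",
    "_dmarc.example-bank.test": "v=DMARC1; p=none; rua=mailto:dmarc@example-bank.test; aspf=r; adkim=r",
}

# Constructed inventory: (label, connecting IP, carries a DKIM signature
# aligned with the brand domain?).  The last entry is the classic oversight.
SOURCES = [
    ("marketing ESP", "203.0.113.25", True),
    ("CRM vendor", "198.51.100.10", False),
    ("corporate Exchange", "203.0.113.200", False),
    ("outsourced customer service", "192.0.2.77", False),
]


def txt(name):
    """Stand-in for a DNS TXT query against the constructed zone."""
    return ZONE.get(name.lower())


def parse_dmarc(record):
    """Split a DMARC TXT record into a tag dict; None unless it is v=DMARC1."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None


def spf_allows(domain, ip, lookups=None):
    """Minimal SPF check: True only if `ip` matches a '+' mechanism.

    Supports ip4/ip6/include/all; a, mx, ptr and exists are skipped here.
    Enforces the RFC 7208 limit of 10 DNS-lookup mechanisms per evaluation.
    """
    lookups = lookups if lookups is not None else [0]
    record = txt(domain)
    if not record or not record.startswith("v=spf1"):
        return False
    addr = ipaddress.ip_address(ip)
    for mech in record.split()[1:]:
        qualifier = "+"
        if mech[0] in "+-~?":
            qualifier, mech = mech[0], mech[1:]
        if mech.startswith(("ip4:", "ip6:")):
            # ip_network.__contains__ is False across IPv4/IPv6, so mixing is safe.
            if addr in ipaddress.ip_network(mech[4:], strict=False):
                return qualifier == "+"
        elif mech.startswith("include:"):
            lookups[0] += 1
            if lookups[0] > 10:
                raise ValueError("SPF permerror: more than 10 DNS lookups")
            if spf_allows(mech[len("include:"):], ip, lookups):
                return qualifier == "+"
        elif mech == "all":
            return qualifier == "+"
    return False  # no mechanism matched: neutral, treated as not passing


def dmarc_failures(domain, sources):
    """Labels of sources that pass neither aligned DKIM nor SPF for `domain`."""
    return [label for label, ip, dkim_aligned in sources
            if not (dkim_aligned or spf_allows(domain, ip))]


def recommend_policy(domain, sources):
    """Say whether the DMARC policy can be tightened given the inventory."""
    record = txt("_dmarc." + domain)
    tags = parse_dmarc(record) if record else None
    if tags is None:
        return "publish v=DMARC1; p=none with a rua= address and collect reports"
    failing = dmarc_failures(domain, sources)
    if failing:
        return "stay at p=%s; fix: %s" % (tags.get("p"), ", ".join(failing))
    return "all sources authenticate; move to p=quarantine, then p=reject"


if __name__ == "__main__":
    for label, ip, dkim_aligned in SOURCES:
        print("%-28s spf=%-5s dkim_aligned=%s" % (
            label, spf_allows("example-bank.test", ip), dkim_aligned))
    print(recommend_policy("example-bank.test", SOURCES))
```

In the constructed data the outsourced customer service system is the only source that neither appears in SPF nor signs with the brand domain, so the check refuses to recommend p=reject until that sender is added to the inventory and authenticated; in practice the inventory would be built from the DMARC aggregate reports rather than typed in by hand.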
I truly believe the email industry can put an end to phishing, but it will require us all to work together. See you in the inbox!
This originally appeared on MediaPost.