Email marketing drove more Black Friday sales this year than ever before. While usually lagging behind online search (free and paid), email was the primary channel for shoppers in 2015, driving a quarter of all orders.
One reason email was so successful this year is the fact that consumers increasingly prefer to do their shopping online rather than in the store. In the US, an estimated 151 million people shopped on Black Friday. Of those, more than 103 million—more than 68 percent—said they shopped online.
The digital shift this Black Friday
This digital shift wasn’t just good news for email marketers, it was also extremely profitable for cyber criminals who had more opportunity than ever before to spoof major retail brands and target customers with sophisticated phishing messages.
The Black Friday phishing danger
More online shoppers mean more phishing. Last year, CSO Online reported that almost 3,000 fraudulent websites were created using “Black Friday” or “Cyber Monday” as identifying terms. Q3 this year saw a 25 percent jump from the previous quarter in fraud attempts targeting online retailers.
Perhaps the most dangerous part about phishing is its success rate. According to a Google study of hijacked accounts, the most effective phishing pages fool 45 percent of the people who visit them, and even the worst and most obvious scams still catch around three percent. Across the pages studied, an average of 14 percent of visitors went on to enter sensitive details such as account login credentials or bank card information. The attackers then move quickly: one in five compromised accounts was accessed within half an hour of the credentials being entered.
Black Friday phishing trends among top global retailers
The first step to fighting phishing scams is to understand how they work. To identify phishing trends this Black Friday among the world’s largest retailers, we turned to Return Path’s email data.
We compared email threats from 16 global retail brands the week before Black Friday to email threats from the same brands the week after Black Friday. We discovered 150 total phishing emails across all of these brands. The majority of these emails (60 percent) were sent before Black Friday. The other 40 percent were sent after.
To understand the tactics cybercriminals used to spoof brands and trick customers, we dug a bit deeper to analyze message level data. We uncovered three key trends:
1. Phishers go after the legitimately owned sending domains of target brands. 99 percent of the malicious messages put the brand’s own primary sending domain in the header From address (the address the recipient sees) rather than a lookalike domain. Retail brands are not doing enough to protect their customers from this kind of email fraud. DMARC (Domain-based Message Authentication, Reporting and Conformance) lets a domain owner publish a policy telling receiving mail servers to quarantine or reject any message that carries its domain in the From header without an aligned SPF or DKIM pass. A brand with an enforcing policy (p=quarantine or p=reject; a monitoring-only p=none record gives visibility but blocks nothing) could therefore have kept nearly every one of the phishing examples we discovered out of the inbox, including the example below, which spoofs Tesco’s domain tesco.co.uk.
2. The phishing emails employed a sense of urgency. Urgency was a big trend within the subject lines of the phishing messages, pushing recipients to click through. We discovered subject lines that read “Your Account Has Been Compromised,” “Important Information About Your Card,” and “You Have 1 New Security Alert,” the last of which is from the Tesco example above.
3. Phishers lured users with fake coupons. We discovered multiple phishing messages from the same fake discount campaign promising “25% off designer wear.” While this message may not look particularly convincing, even crude phishing emails draw clicks from around three percent of recipients, and the well-crafted ones, as noted above, convert up to 45 percent.
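The first trend above is exactly the case DMARC is designed to stop. The following is an added example, not Return Path’s or any retailer’s code, showing what a receiving mail server does after SPF and DKIM have run: it takes the domain in the RFC 5322 From header, checks whether either authentication result is “aligned” with it (relaxed alignment accepts the same organizational domain, strict alignment requires an exact match), and applies the disposition the brand publishes in its DMARC record. The domains, the DMARC record, the SPF/DKIM results and the tiny public-suffix table are all constructed for illustration; in particular the record shown is not Tesco’s real DNS, and a real receiver loads the full Public Suffix List.

```python
"""DMARC identifier alignment and policy evaluation for one inbound message.

Added example, not code from Return Path or any retailer. Models the
receiver-side step that follows SPF and DKIM verification. All domains,
records and results below are constructed.
"""
from email.utils import parseaddr
from typing import Optional

# Tiny constructed stand-in for the Public Suffix List used by real receivers.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "test"}


def organizational_domain(domain: str) -> str:
    """Registrable domain: one label more than the longest matching public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return domain.lower()


def parse_dmarc_record(record: str) -> dict:
    """Parse 'v=DMARC1; p=reject; adkim=s ...' into tags, filling RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or tags.get("p") not in {"none", "quarantine", "reject"}:
        raise ValueError("malformed DMARC record: %r" % record)
    return tags


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict (s) alignment needs an exact match; relaxed (r) the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def evaluate_dmarc(from_header: str, spf: tuple, dkim: list, record: Optional[str]) -> dict:
    """
    from_header: the RFC 5322 From header value as received.
    spf:  (domain SPF was checked against, result), e.g. ("mail.example.test", "pass").
    dkim: [(d= domain of each verified signature, result), ...].
    record: the From domain's DMARC TXT record, or None if it publishes none.
    """
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        # No usable From domain: RFC 7489 section 5.7.2 says reject the message outright.
        return {"from_domain": None, "result": "fail", "disposition": "reject", "reason": "no From domain"}
    from_domain = addr.rsplit("@", 1)[1].lower()
    if record is None:
        # Nothing published: the brand has opted out of protection, so receivers deliver as usual.
        return {"from_domain": from_domain, "result": "none", "disposition": "none", "reason": "no DMARC record"}
    tags = parse_dmarc_record(record)

    spf_ok = spf[1] == "pass" and aligned(spf[0], from_domain, tags["aspf"])
    dkim_ok = any(res == "pass" and aligned(d, from_domain, tags["adkim"]) for d, res in dkim)
    if spf_ok or dkim_ok:
        return {"from_domain": from_domain, "result": "pass", "disposition": "none",
                "reason": "aligned " + ("SPF" if spf_ok else "DKIM")}

    # Neither check authenticated the From domain: apply p= (or sp= for a subdomain).
    # pct= sampling is parsed but not modelled; the policy is applied to every message.
    is_subdomain = from_domain != organizational_domain(from_domain)
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    return {"from_domain": from_domain, "result": "fail", "disposition": policy,
            "reason": "no aligned SPF or DKIM identifier"}


# Constructed scenarios. The record is illustrative, not Tesco's actual DNS.
TESCO_RECORD = "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc-reports@tesco.co.uk"

# 1. The pattern from the data above: the header From uses the brand's own domain, but the
#    message was relayed by an unrelated host that passes SPF only for itself, with no DKIM.
spoof = evaluate_dmarc("Tesco Security <alerts@tesco.co.uk>",
                       spf=("mailer.phish-example.test", "pass"), dkim=[], record=TESCO_RECORD)

# 2. Legitimate campaign mail sent via a provider: SPF breaks on forwarding, but the DKIM
#    signature's d= is a subdomain of tesco.co.uk, which relaxed alignment accepts.
legit = evaluate_dmarc("Tesco Offers <offers@tesco.co.uk>",
                       spf=("tesco.co.uk", "fail"), dkim=[("email.tesco.co.uk", "pass")], record=TESCO_RECORD)

if __name__ == "__main__":
    for label, outcome in (("spoof", spoof), ("legit", legit)):
        print(label, outcome)
```

The spoofed message fails because neither authenticated identifier belongs to tesco.co.uk, and the published p=reject turns that failure into a rejection before the inbox; the legitimate message survives the SPF failure because its DKIM signature aligns. Had the record said p=none, the same failure would only have shown up in the aggregate reports sent to the rua= address.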
While phishing is clearly a huge problem, retailers are often too heads-down during the holiday season to proactively defend themselves and their customers against attacks. As iSight Senior Director Stephen Ward notes, retail staff is “motivated and focused on sales, at the risk of possibly allowing fraudulent transactions or other types of breaches.”
But retailers can’t afford to ignore email fraud. Once they have been targeted, it is often too late: customers lose trust, brand reputations suffer, and businesses lose money. The good news is that there are proactive steps organizations can take now, including implementing DMARC at an enforcing policy, educating customers, and getting visibility into every attack spoofing their brand (DMARC’s aggregate reports are one source of that visibility). Some innovative retailers are already leading the charge. It is time for the rest of the industry to follow suit.
To learn more about how retailers can fight phishing, download The Retail Guide to Email Fraud. In it, we explore retail’s top security challenges, outbound email as a threat vector and best practices for securing email in retail. Ready to start protecting your brands and your business? Get your copy here.