I recently spoke with two of my European colleagues who regularly attend email marketing industry events. They told me that one of the most surprising things they hear from email marketing professionals in Europe is a lack of concern over phishing and spoofing. The comments they most often hear are, “Sure, we’ve seen Return Path’s blog articles on how to set up DKIM and SPF, but why should we take the time to do this? We’ve never been spoofed.” Or, as my German colleague was recently told, “Why is that my problem? Our IT department is worrying about security issues.”
While it’s true that financial companies and social media sites have taken the brunt of the damage caused by phishing, the phishing phenomenon has impacted the entire email channel…permanently. From the consumer’s perspective, trust in email has dropped. From the ISP’s perspective, their focus is on protecting their infrastructure and users from the ever-evolving risk.
As the phishing and spear-phishing threat has not only persisted but advanced, ISPs discovered that phishing messages slip through their reputation-based filters. Additionally, adroitly devised phishing messages contain minimal text and images, and often only a single URL for the user to click, so many ISPs have found that these phishing mails get through older content filters and into end-user inboxes, creating a serious security issue for both the ISP and the end-user.
The History of the ISP Response to Phishing
Email-borne phishing and malware threats became a mainstream problem in about 2004. Before then, spam was an annoyance but not the same level of threat that it is today. The ISPs sought to reduce spam by means of various, rather unsophisticated methods. According to Ken Liao of Proofpoint, “the great thing about that period was that as long as the ISP had some solution in place, they could knock down around 90% of unsolicited messages and the spam that did get through wasn’t really dangerous.”
After 2004, spam volumes began to climb each year. As of August 2010, spam was estimated at around 200 billion messages sent per day. What was once merely an annoyance had become a very hard problem for ISPs competing to keep their end-users happy. As the volume of spam advanced, so did the spam filtering technology. ISPs began using more advanced Bayesian content filters, which learn and continually adapt to spammers’ tricks, and reputation-based filters, which work by identifying the sender and assigning a corresponding reputation score. But here is the caveat with almost all spam filters: they were designed to address spam as a volume issue. After 8 years of steadily increasing spam volumes, spam levels dropped to a historic low in 2011. In the same year, however, targeted, advanced and dangerous phishing attacks entered the email landscape at never-before-seen levels. According to both Cisco and Proofpoint, the spam filters that had been so effective at blocking high volumes of spam were not equipped to handle low-volume phishing campaigns.
Filter providers and ISPs alike realized that accurate, deep content analysis is more important than ever. They also realized that phishing messages need to be handled differently than spam. Normally, when a filter identifies a message as spam, the message is placed in a quarantine folder (i.e. the bulk folder). The end-user can access the quarantined messages and decide to act on them, i.e. open them, respond, click on links, etc. In fact, my colleague, a former postmaster at a major ISP, recently told me, “we saw an alarming number of TINS (‘this is not spam’) clicks from end-users on phishing messages.”
How it Impacts You
Placing phishing messages in such a folder is dangerous. When some ISPs identify a phishing message, they don’t want the end-user to access it at all. So it’s placed in a separate quarantine to which the end-user does not have access. As an email marketer, do you see the impact of that on your campaign if your messages are falsely identified as phishing? They will never make it to the inbox or even to the spam folder. The user will have zero chance of reading it or marking it as “this is not spam”.
Mailbox providers know that false positives happen. This is why, when their filters cannot make a definitive decision about a message, the mailbox provider may opt to deliver the message but flag it as potential phishing. Once again, if you are an email marketer, you are impacted by this response. Even if you have never been spoofed, your clients’ trust in your brand will drop once your mails are flagged as potential phishing attempts.
So far we’ve identified two ways in which the phishing phenomenon impacts senders even if you’ve never been spoofed:
1. Your mail is falsely identified as a phishing attempt and disappears into the ether.
2. Your mail is delivered but flagged.
In one case your client never sees your mail; in the second they see it, but their trust in your brand immediately falters. How much money do you stand to lose if trust in your emails drops?
In the beginning I wrote that the issue is one of wrong assumptions. The children’s book author Lemony Snicket once wrote, “Making assumptions simply means believing things are a certain way with little or no evidence that shows you are correct, and you can see at once how this can lead to terrible trouble. For instance, one morning you might wake up and make the assumption that your bed was in the same place that it always was, even though you would have no real evidence that this was so. But when you got out of your bed, you might discover that it had floated out to sea, and now you would be in terrible trouble all because of the incorrect assumption that you’d made.”
So you haven’t been spoofed…yet. But have you considered…what if? What if your company joins the ranks of the brands that are spoofed? All it takes is once. In Europe, RSA reports that companies in the UK, Germany and France were the victims of nearly 20% of all phishing attacks in 2013. Reacting to a phishing attack takes time and money. The very public phishing data breaches that Sony had to deal with cost them an estimated 170 million dollars. That’s an example of waking up to find that your bed is out to sea.
You are being impacted by phishing, right now. So do something about it: drop your assumptions and bolt your bed down to the floor. In my next article, I will tell you how to do that.