If Your CEO Asks if Your Domain or Brand is Being Phished, How Do You Respond?
As I've been traveling around the country this month, there’s one question that I ask people I meet: "If your CEO asks if your domain or brand is being phished, how do you respond?" The answers are nearly always the same:
- Phishing doesn’t concern me since we’re not a financial company.
- I have no idea.
- I tell the CEO to talk to the security team. They should have a process for handling this.
- We have a plan in place and we’re on top of it.
These responses are similar to what we saw in The Relevancy Group’s latest survey. Their survey found 20% of respondents didn't know if they had a phishing problem. They lack the tools and visibility to know if their brand is being hijacked. 61% of the respondents stated their domain has never been spoofed. The other 19% stated they've been phished at least once, with 31% being phished more than once. My guess is that the people I meet who reply with #3 above are the ones for whom it’s a common occurrence.
For those that aren't concerned at all, let me give some reasons why you should care:
- Brand Trust: No doubt you've worked hard at establishing brand identity. Brand identity and trust is something that is built over time. What are the implications to your business if 20% of your customers no longer trust your brand, and no longer open your emails? How about 50%?
- Inbox placement: In my last post, I alluded to some brands being classified as spam due to phishing attacks on their brand. A popular social site experienced all of their content being filtered after a significant phishing run spoofed their domain and hijacked their email template. The mailbox providers’ Bayesian filters then fingerprinted the template, so all of their legitimate emails got caught in the crossfire.
- Time = Money: Reacting to a phishing attack costs time and money. If you’re one of the 20% of phished brands, you probably distinctly remember the first time. It becomes an all-hands emergency across the company. Concerned calls and emails from customers flood your customer service team. Your network or security team spends hours and days researching the attack to minimize the impact. The list goes on.
- Engagement: Subscriber engagement metrics such as opens, clicks and conversions can also take a hit. Think about popular payment services that are heavily phished. How many of their emails do you either open or actually click links within? All email users have been targeted by phishers who spoof these brands, so the answer is remarkably few. Now imagine how much you spend on your email program. If subscriber trust was eroded due to phishing emails, and your conversions dropped by as much as half, how much money would you stand to lose? Brands need to treat their email and domains no differently than their logos or even how they manage counterfeiting. Would a brand marketer allow their logo to be used by fraudsters thousands of times a day? How much do high-end and commodity brands spend on tracking and taking down counterfeiting rings because counterfeiting dilutes their brand image? This is happening thousands of times a day right under brand marketers’ noses.
Take some time to think seriously about how much money you spend on your email marketing across everything – acquisition, deployment, retention, and design. Marketers should protect their email marketing investments, and possess the following solutions to prevent serious damage from a spoofing and phishing attack:
- Claim Your Identity – Protecting yourself starts with authentication. If you haven’t read my post from last week, please do so. I go into the importance of SPF, DKIM and DMARC.
- Right Product for the Right Job – the biggest issue that marketers face is the visibility into phishing. Previously, marketers lacked tools to monitor mail streams for phishing, so we developed Email Brand Monitor to give every marketer, large and small, not only this insight, but also the intelligence to act quickly. You can monitor your own domains, and see who is also impersonating your brand, and move to prevent them from ever reaching anyone’s inbox. A solution like Email Brand Monitor is similar to credit monitoring. They both are cost effective in the long run as they prevent theft of identity – brand or personal.
So back to my original question: your CEO asks if your brand is being spoofed, what do you say? If you’re authenticating and using Email Brand Monitor, you’ll have a solid answer. Not only can you tell your CEO if you’re getting phished, you can also tell him or her you have an action plan in place. Who wouldn't want that?