Her Majesty’s Revenue & Customs (HMRC) has been in the news recently for all the wrong reasons. January 31st was the final date for tax payers to submit online returns. Perhaps unsurprisingly, there has been a massive surge of fraudulent emails claiming to originate from hmrc.gov.uk, advising recipients that they have received tax refunds – all they have to do is respond! Of course, those who do so end up having their bank accounts emptied, or receive a nasty dose of malware.
In The Times on February 8th the real HMRC said:
“23,247 phishing emails were reported in the three months prior to the self-assessment deadline of January 31, up by 47% on the same period last year. During 2013, customers complained about 91,000 emails with a marked rise in complaints after the tax deadline.”
The reality is much, much worse! Using panel data from Return Path’s Inbox Insight competitor intelligence solution, we estimate approximately 35 million fraudulent emails were sent during this period, with an average Read rate of 3.5% (around 1.2 million recipients). Some performed much better – this example generated Read rates of 32.3%.
Most readers understand the direct financial impact of email fraud – subscribers are tricked into losing their money, while brands incur substantial remediation and brand damage costs. However, there are also many secondary impacts. Consider the graph below, showing engagement metrics for HMRC’s legitimate emails. The “Successful Receipt of . . .” email (furthest right) is generated when online income tax returns are submitted. Note how the ISP-Marked Spam Rate spikes for this message type:
The reason? One of the (many) HMRC phishing emails directly mimics the legitimate email, reading as follows:
Thank you for sending your VAT return online. The submission for reference [redacted] was received on Thu, 6 February 2014 and is being processed. Make VAT returns is just one of the many online services we offer that can save you time and paperwork. For the latest information on your VAT return please open the attached report.
This is near identical to the real version, with the obvious exception of the request to open an attachment. The next graph shows how effective these emails are. They are the fourth most common fraudulent message seen over the 90-day period, and generate significant Read rates.
This explodes another popular misconception about email fraud – “Surely no one actually reads them?” Actually, they do – in addition to the 3.5% average Read rate quoted above, many subscribers even retrieve these emails from their spam folders so they can do so!
Previous research suggests about 30,000 of the 1.2M openers will “convert” by uploading malware or yielding personally identifiable information. The financial impact can be conservatively estimated at around £5 million ($8.3 million). The economics of email fraud are compelling, which is why we are continually seeing more of it (see my previous article on “Teach a man to phish . . . and make him a millionaire!”).
Fraudulent attacks also cause damage because subscribers no longer know which emails to trust. We have recently seen attacks against Barclaycard, advising recipients they have received a “Credit Limit Increase.” These emails are being sent from the same domain that “Your Barclaycard payment is now due” emails come from. This next graph illustrates the resulting impact:
The “payment due” emails normally generate Read rates of around 50%. However, when these emails are sent out immediately after a “credit limit increased” attack, average Read rates of the legitimate emails decline by around 1/5, while ISP-Marked Spam rates increase sharply. This also highlights other potential secondary costs for Barclaycard – loss of trust could mean subscribers opt to receive these notifications by post instead, and call centre utilisation will increase.
In this blog post I have attempted to deal with some common misconceptions about email fraud:
1. Phishing & spoofing emails come from sender domains that look like yours (or are yours!). Many subscribers are not sophisticated enough to differentiate between legitimate and fraudulent traffic – they assume they are receiving these emails because they signed up with your program.
2. Email fraud is not restricted only to financial services. On a daily basis, we are seeing it happen in every sector where there are high-profile brands with high-volume email programs.
3. Don’t assume these emails don’t get read. As the examples above show, significant numbers of recipients interact with these emails, sometimes even retrieving them from their spam folders to do so!
4. It’s not a “victimless” crime. Even if there is no direct impact on your company, it’s definitely hurting your customers. And that will be having a material secondary impact because increasing levels of distrust will contribute to higher list churn and increased customer management, reducing long-term ROI.
5. It’s not just a security issue. Email fraud damages your brand, and Marketing and IT need to be collaborating closely (with real commitment from your financial department too) to combat this threat.
If you accept these points, then what should you be doing to prevent fraud from impacting your email program?
1. Firstly – be aware. For many email program owners, email fraud is a “known unknown” and it needs to become a “known known.” Invest in tools that provide you with pre-emptive visibility of attacks against your brand.
2. Then equip yourself with the ability to block these emails the moment you become aware of them, so they never arrive in your subscribers’ inboxes in the first place.
3. Finally, you should build relationships with takedown vendors, who can eliminate these threats at their source.
Learn more about how to achieve these steps by reading about Return Path’s Anti-Phishing Solutions.
In this blog post, I have focused on why email fraud causes your subscribers to think your legitimate emails are spam. Watch out for my follow-up post in a couple of weeks, when I will consider some additional important factors to watch out for.