DMA

Marketers ignore phishing at their peril

How can you protect both your consumers and brand?

For any brand owner whose name and reputation are freely hijacked, phishing presents a complex dilemma. This problem is exacerbated in the financial sector by the fact that many banks and building societies are actively encouraging customers to switch from paper to digital communications. Adoption of these channels is highly dependent on consumer trust, but just as customer communications are becoming more sophisticated, so too are the phishing techniques that diminish that trust. Many phishers have moved beyond simple imitation and have started to use companies' own brand collateral against them.

One technique that has been around for a while now is so-called image-based spam: an email consisting of a single image that looks exactly like an existing company's branding. The image is laden with randomly dispersed clear pixels, so that it looks different every time spam filters see it, making it extremely difficult to detect – by technology or consumers.

Another, more concerning and increasingly popular technique is the mimicry of newsletters or other email messages from traditional companies. These look exactly the same as the genuine ones because they actually contain stolen content and links from the original email. The only difference is hidden malicious code, or links to phishing sites, that attempt to plant viruses on recipients' computers. According to figures from the Anti-Phishing Workgroup, the number of crimeware-spreading URLs infecting PCs with password-stealing code rose 93% in the first quarter of this year to 6,500 sites, an increase of 337% from the number detected in the same period in 2007.

The good news is that knowing about these practices makes it possible to combat them. Phishers are dependent on consumer ignorance and, as such, widespread education is the best means of protecting your business. For any brand owner or email marketer, there are six crucial steps to take to combat this trend:

  1. Send a standalone email to your subscriber base reminding them you don’t ask for personal financial information.
  2. Remind your customers each time they log in that you never request personal financial information via email.
  3. Ensure that your privacy policies specifically state who sends email on behalf of a brand.
  4. Build a consumer protection web page to speak about phishing attacks and behaviour.
  5. Begin to use authentication practices such as SPF, Sender ID, DomainKeys and DKIM, and consider a third-party reputation audit.
  6. Instruct consumers not to click through on any links in a message that asks for financial information. Phishers are adept at making links seem as if they direct the browser to one place when, in fact, they actually direct them to a malicious site.

Simone Barratt
Managing Director
e-Dialog