by Rob Holmes
Warren Buffett once said: “It takes 20 years to build a reputation and just five minutes to ruin it.” While most e-commerce sites won’t have been building their brand for 20 years, the effort that goes into building and promoting a business online is significant, and just one security breach can undo all your hard work.
In a recent report by The Boston Consulting Group, the UK was recognised as a world leader in e-commerce. While this is a great success for the industry, the downside of this accolade is that we have now become the world’s top target for online fraudsters wanting to seek out a large number of consumers. For six straight months the UK has been the world’s largest phishing target, accounting for 69% of global phishing attacks, according to the RSA Online Fraud Report of September 2012.
In order to combat the risk of fraud, the first step is to identify where your company and customers are most vulnerable. The weakest points for any business are the external channels used to communicate and interact with customers and potential customers: your website, social media channels, mobile marketing and advertising, and the most fundamental channel for the majority of businesses – email.
When email was created, security wasn’t at the heart of its infrastructure. However, as email has developed into a fundamental part of the way businesses interact with customers, the risk involved in using this essential tool has increased. The receiver of any email needs to trust the sender of the email and its contents before opening. If you’re trying to reach customers with new offers and deals or confirm orders, they need to be sure who they’re dealing with. Moreover, you need to have a strong reputation with the ISPs with whom your customers have email addresses; otherwise your email will get caught in their spam filters and will not reach your intended recipient.
While scammers posing as a friendly African millionaire in need of help are still common, the attacks on email in 2012 are far more sophisticated and easy to fall for. Phishing emails from scammers that target consumers are well-designed in their appearance and content, making them hard to detect. Alongside this, phishing technology has now become so readily available that even inexperienced scammers can get in on the act – with ‘ready to use’ phishkits easily located online that produce sophisticated phishing scams.
A major risk for retailers whose customers fall victim to a phishing attack is that those customers will always associate financial or personal information loss with the brand the perpetrator impersonated – affecting not only reputation and trust, but future sales. According to a recent Cloudmark survey, customers are 42 per cent less likely to do business with a brand if they are targeted by a phishing attack impersonating that brand.
Traditionally, the only way to deal with this kind of attack was to detect that a phishing attack was in progress (either by using email ‘honeypots’ to look for phishing emails, or by being alerted by a customer) and then set about shutting down the fraudulent website as quickly as possible.
When a phishing email hits, the time it takes to shut down the site is critical. Millions of consumers can be targeted with emails directing them to a single phishing site in minutes. Smart Money magazine recently reported that one phishing attack that impersonated the U.S.-based electronic payment association, NACHA, sent out 167 million forged emails in a single day. The faster a phishing site is shut down, the less time it is live for consumers to visit it and unwittingly disclose sensitive information.
However, many phishing sites can remain live for a few days while the detection and shutdown process kicks in. Even industry best practice of shutting down sites in under 24 hours means there is still a window when consumers can be duped. Finding a way to reduce the losses during that window while the site is being shut down is the key.
An emerging solution is the use of email authentication technologies alongside traditional ‘detect and shutdown’ anti-phishing services. Some retailers may be familiar with email authentication as a way of ensuring those ‘special offer’ emails don’t get caught in spam folders, but it has a very important role to play in stopping phishing emails too.
Email authentication partners have agreements with email providers, which means that if your business signs up for the service, every promotional email you send to customers who use that email provider (e.g. Hotmail, Gmail, Yahoo Mail and so on) is guaranteed to make it into the inbox because the email is authenticated.
When administered with an anti-phishing partner, it also means any email pretending to be from your business is prevented from reaching those inboxes – and flagged as a phishing mail so the anti-phishing team can shut down the site immediately. With the right partner who has agreements covering billions of email inboxes, this means a big percentage of customers will not receive the phishing emails in the first place – and therefore, the number of potential victims in that vital 24-hour window is reduced substantially.
With the number of phishing attacks continuing to rise – in the past year attacks have risen 78 per cent globally (RSA Online Fraud Report Sep 2012) – online retailers can’t afford to ignore the growing threat. While anti-phishing efforts are not yet 100 per cent effective in stopping attacks, the advent of email authentication as a preventative measure is a big leap forward in brand protection as the ongoing cat and mouse game of thwarting fraudsters continues.
Rob Holmes is group director of products and solutions for Melbourne IT Digital Brand Services.