Phishing Threatens Your Brand More than You Think: Return Path
By Ken Magill
While phishing is often considered a threat mainly to big, well-known brands, it’s more of a threat to smaller firms than most people think, according to Sam Masiello, general manager for anti-phishing services for Return Path.
What’s more, when a company gets phished, the costs are enormous, he said.
“Customers are 42 percent less likely to do business with you if you are being targeted by a phishing attack, regardless of whether or not they are actually getting tricked into giving up their information,” said Masiello.
I interviewed Masiello recently as part of the launch of a new series of sponsored podcasts called Reputation Reality Check with Return Path and Ken Magill.
Now granted, Masiello has an agenda, but he also has a lot of interesting things to say.
I consulted my editorial advisory board—aka the wife—and she said that as a marketer she found the interview fascinating. And trust me when I say she never says anything just to make me feel good. “You feel good enough about yourself already,” she says on a regular basis. “I’m not doing anything to make it worse.”
In any case, click here to listen to the podcast.
Or if reading’s your thing and you’re interested in highlights, the following is an edited excerpt:
Ken Magill: Obviously we can see the immediate danger [of phishing] for consumers. But what about companies subject to phishing attacks? What happens to them?
Sam Masiello: There are several different types of costs that occur to an organization; that’s really the impact to the organization, what the cost is to them and what it means to them.
Foremost is the direct financial cost. If someone loses their credit card information, somebody starts charging fraudulent charges on that person’s credit card account, the credit card company then reimburses that end user for the fraudulent charges that were made.
Second is the remediation cost. What does the company have to do to alert people? Do they have to reset customer passwords? Do they have to send out new credit cards?
Tying back into the direct financial costs for a moment, one example of an attack that had actually some fairly significant direct costs, that the company had to take some pretty drastic measures to help stem those costs, was Intuit.
It was an order type confirmation email, and there was so much volume of attack that Intuit actually had to put a recording on the front end of their customer service message that said: “If you received a message that appeared to be from XYZ, had a subject line of ABC, talking about this order confirmation, it wasn’t sent by us. Please send it to us at such-and-such address.”
The purpose of that was because they were getting so many calls from people who were wondering why Intuit sent this email, they hadn’t ordered this from them, why are you asking me for this information, that they had to do something to stem the costs.
Because every organization that has a customer service department [has] a cost associated with every time that phone rings. So if the phone is ringing over and over and over and people are asking the same exact questions, those costs rack up very quickly.
But the biggest cost that generally occurs as a result of a phishing attack is in reputation. And the reputation cost is generally quite a bit more expensive than the other costs, the direct costs, the remediation costs.
In fact, there was a report that was released by Cisco within the last year that stated that the cost per infected or spoofed user as a result of a cyber attack is about $1,900. Which is about six times the cost, generally, of the direct financial cost, or the reimbursement cost.
So if you think that the direct financial loss is about $200-$300 per user, that reputation cost ends up being about $1,900 for that user. So, that incorporates a number of different factors around whether or not that user will ever do business with you again, the fact that they will probably tell other people that they had a bad experience because they had an email that came from your brand that caused you to lose your identity or get their credit card information stolen.
Putting those pieces together, the reputation cost is quite a bit more damaging than the other two pieces combined because that reputation is fairly key.
KM: There’s also the overall trust issue, right? My guess is that there’s a cost across the marketplace.
SM: Absolutely, there’s absolutely a cost to the marketplace. In fact there was a Cloudmark study that was released a couple of years ago that stated that for brands on whose behalf users are receiving emails, they are 42 percent less likely to do business with that brand, just because they are receiving phishing emails that appear to be from that brand.
So it doesn’t even have anything to do with whether or not they are clicking the links or giving up their information; the fact that that brand is being targeted by phishing attacks makes them want to do business with it less over email.
KM: Okay, I’m your average marketer. I’m not Bank of America. Why should I care about phishing?
SM: First and foremost, phishing can impact a company’s brand equity, that brand loyalty over email and how users are interacting with you over email. And it can also then, as a side effect, decrease trust in that company’s email channel.
Just by virtue of the fact that emails are getting into their inbox that look like they’re coming from your brand, even though you didn’t send them, that’s enough for a user to say: “You know what, I’m not going to deal with emails from this brand anymore because I don’t want to deal with a potential phishing problem. I don’t want to deal with the hassle of potentially losing my identity, getting my credit card information stolen, having my email account hacked, all those other different things. So I’m no longer going to do business with this brand at all.”
And that’s happened a lot in the financial services space, as well. People are saying: “You know what, I’m not going to do any online banking anymore,” or: “I’m not going to read any email that comes from Bank XYZ, because every email I get from them, I can’t tell if it’s phishing or not.”
That decrease in trust in the company email channel is extremely significant from a marketing standpoint, because you don’t want to potentially lose that revenue that comes in via the email channel.
It also has a significant impact on your email engagement, to tie all those different pieces together. People will be less likely to click on the links in your email, or open your email. As a result, you can see over time the decline of the effectiveness of your email programs just because people are not taking your email seriously.