Phishing or for Real? Why Companies Need to Take a Closer Look at Their Email Marketing

 

In July 2016, Hilton HHonors loyalty program members received an email asking them to log into their Hilton HHonors account to confirm their correct email address, mailing address, and other personal details.

The email set off alarm bells for a number of customers. One tweeted a screenshot of the email to the Hilton HHonors Twitter account, asking, “… is this legit? Looks very much like a phishing email…”

Hilton’s support team responded, “This is not an email from the HHonors team. Please do not share your account details.”

The only problem? It was a legitimate email from Hilton HHonors, but it so closely resembled a phishing email it fooled Hilton’s own IT team.

Hilton is not the only company to inadvertently send customer emails that are nearly indistinguishable from phishing emails. Many companies send emails asking their customers to log in to confirm account information or confirm payment details. Sometimes, cautious customers will reach out to the digital community for feedback on whether an email is real or fake.

These emails are a problem because not only do customers believe them to be phishing emails, but they normalize emails that ask for personal information—making people more vulnerable to real phishing scams in the future.

Marketers need to understand email marketing best practices to send secure customer messages that don’t endanger customer privacy and data. Here’s everything you need to know from a technical and content perspective to make sure your email isn’t mistaken for a phishing scam.

Understanding Phishing

Phishing emails are designed to appear like they came from a friend, bank, service, or other trusted source. These emails ask the recipient to provide sensitive information like usernames, passwords, and credit card details. Sometimes cybercriminals create entire websites that mimic the websites of trusted sources as part of their elaborate schemes to retrieve your sensitive information.

Around the world, unreliable sources send more than 150 million phishing emails daily. Of these 150 million emails, only 16 million make it past email filters, but that’s more than enough to cause real damage.

It takes less than two minutes for phishing emails to hook recipients. Roughly 80,000 people fall for phishing scams every day, sharing valuable information with cybercriminals. A 2014 report estimated phishing scams and other forms of identity theft around the world cost around $5 billion each year.

Anyone can fall victim to a phishing scam. Incredibly, the CEO of FACC, an Austrian aerospace company, fell for a phishing scam that cost his company $47 million. Unsurprisingly, it also cost him his job.

Not even security companies are immune. In 2011, international security firm RSA was breached after cyberattackers sent targeted phishing emails to its workers.

With phishing being such a problem, it’s important your company’s customer emails are secure and are identifiable as coming from your organization.

How to Create Secure Customer Emails

There are many things your company can do to ensure its emails are secure and are not mistaken for phishing scams.

Here are some technical steps your company can take:

• Avoid using deep links. For example, direct the email recipient to log in to their account on your homepage, rather than linking directly to the login page.
• Validate your DNS domain, and send emails from that validated domain.
• Protect against man-in-the-middle attacks by employing HTTPS in embedded links.
• Use Sender Policy Framework (SPF), Domain Message Authentication, Reporting and Conformance (DMARC) and DomainKeys Identified Email (DKIM) protocols to authenticate your sending server and verify your emails are trustworthy. Surprisingly, few companies take this important step. One study found less than one in four of the top S&P 500 companies had a strong SPF in place.
• Make it hard for others to send phishing emails using your company’s credentials.

The content is just as important as the technical considerations. When writing your content, take care to:

• Encourage the recipient to call a phone number they already have (such as on the back of their credit card) or tell them to find the information on your website, rather than providing the phone number in the email itself.
• If applicable, refer to a recent transaction the customer made, but without revealing sensitive information. By showing the recipient details of a transaction they recently made, you are verifying that it’s your company sending the email, as no one else would have those transaction details.
• Pay attention to the language in your email. Poor grammar, odd punctuation, liberal use of all-caps, and overly urgent or threatening language, such as “Pay your bill now or there will be consequences!” are all red flags that could make the recipient of your email suspect your email is from a phisher. Take the time to run the copy of your email through a spelling and grammar checker, or have it edited.

Of course, protecting your company and your customers from phishing goes beyond email. It affects every technical aspect of your Internet presence. Beyond email, your company may want to:

• Call rather than email customers about sensitive transactions or account information.
• Make sure that your company site ranks high on relevant search engine results pages so it’s easy for your customers to find your website and where they can log into their account.
• Register common typo domains, so phishers can’t set up websites at those domains to exploit your customers.
• Avoid using email for support and help desk requests. Rather, use a closed ticketing system that requires a login to access, where encryption is used and identity can be verified.

As the Hilton IT team and the now-former CEO of FACC know, it can be difficult to distinguish between a phishing email and a real one. Make it easier for your customers. Follow these best practices in email marketing to craft secure customer emails your customers will know are from you.