Email fraud: why marketers need to fight the rising tide

Author: Theo Noel, ANZ Regional Director, Return Path

Email remains one of the most effective communications channels available to marketing professionals, so guarding against its misuse should always be a top priority.

Used to attract new prospects and retain existing customers, email has proved a valuable tool since first coming into widespread use in the 1990s. Its ability to capture attention, communicate messages and drive response is harnessed by businesses throughout the world.

However, email's widespread popularity is also its Achilles heel. Precisely because it is so appealing to legitimate marketers, it is also a tool of choice for online fraudsters. Email fraud is one of the biggest challenges facing marketers today.

Increasing sophistication

Email fraudsters use three key tactics in their effort to reach potential targets - spamming, spoofing and phishing.

Perhaps the least sophisticated, spamming involves sending unsolicited email in bulk quantities. Although spam messages may carry malware or phishing links, email users usually regard them as little more than a nuisance. Thankfully, a high proportion are caught by anti-spam filters and never reach user inboxes.

Spoofing is more sophisticated and involves the forgery of emails so they appear to come from someone, or somewhere, other than their actual source. An email might appear to come from a customer's bank or a retailer with whom they have an existing relationship, enticing them to open it.

However, watchful users can often tell when a message looks strange and ignore it.

The most threatening type of email fraud is phishing, which is designed to trick people into giving up information such as bank account and credit card numbers or other personal details.

Phishing emails are tailored to appeal to small groups of people or even individuals to make them appear as convincing as possible. They might incorporate legitimate company logos and appear to be a personal note coming from that company's usual email address. Often they also have a compelling subject line to attract attention.

Phishing emails often contain either a link to a website or an attachment that contains malicious code. Once opened, the code attempts to steal personal details or cause disruption to the user's computer system.

Why should marketers care?

According to security company RSA, 73 per cent of marketers say email is the most valuable marketing channel available to them. Of those surveyed, 20 per cent say their business's primary revenue source is directly linked to email's use for marketing.

For these reasons, it's important marketers understand the extent and potential impact of email fraud. According to RSA, customers are 42 per cent less likely to interact with a brand after being phished or spoofed. Globally, phishing attacks are estimated to have cost organisations $4.5 billion in losses in 2014 alone.

As the 'owners' of an organisation's email communications channel, it is vital that marketers take responsibility to help protect it.

Effective email authentication

The most effective way to prevent, or at least significantly restrict, fraudulent email is through the use of authentication. Authentication lets the receiving mail system verify that a message was actually sent by a legitimate source for the domain it claims to come from, and discard messages that fail that check.

There are three key authentication protocols that help achieve this goal: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication Reporting and Conformance (DMARC).

SPF allows the owner of a domain to publish, in DNS, which mail servers are authorised to send messages for that domain. A receiving server compares the connecting server against that list; any emails arriving from a different server are not legitimate and should be deleted. An SPF-protected domain is less attractive to fraudsters, as they cannot make their messages appear to have come from an organisation's mail servers and still have them successfully delivered.

DKIM is a protocol that allows an organisation to take responsibility for transmitting a message in a way that can be verified by the recipient's mail system. By attaching a digital signature, a cryptographic 'fingerprint' of the message, it also lets the recipient confirm that the message has not been modified or tampered with in transit.


Together, SPF and DKIM form the foundation for DMARC. DMARC ties their results to the domain shown in the message's From address and lets the domain owner tell receivers what to do with mail that fails: legitimate email is properly authenticated, and fraudulent activity appearing to come from domains under an organisation's control is blocked. Cybercriminals are much less likely to try to use a brand with a DMARC record.
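The following is an added, self-contained illustration of how a receiving mail system applies the three protocols described above; it is example code written for this article, not code from Return Path or from any mail software. All DNS records are constructed inline (the `example.com`, `attacker.example` and `mailer.example` domains are placeholders), only a subset of SPF mechanisms is handled, the organisational-domain rule is simplified to the last two labels, and the DKIM signature check itself (which needs the sender's public key) is represented by a `dkim_valid` flag rather than performed. What it shows is the part that is easy to get wrong in practice: SPF alone can pass for a fraudster's own domain, and it is DMARC's alignment check against the From address that actually blocks the spoof.

```python
import ipaddress

# Constructed DNS TXT records standing in for live lookups (example data only).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com",
    # A fraudster can publish a perfectly valid SPF record for a domain they control.
    "attacker.example": "v=spf1 ip4:203.0.113.0/24 -all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name):
    """Stand-in for a DNS TXT query; returns None when no record exists."""
    return DNS_TXT.get(name)


def spf_check(domain, sender_ip, depth=0):
    """Evaluate sender_ip against domain's SPF record.

    Handles ip4, ip6, include and all (a subset of RFC 7208) and returns
    'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'."""
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = lookup_txt(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        result = QUALIFIER_RESULT[qualifier]
        if term == "all":
            return result
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            # An IPv4 address is never inside an IPv6 network and vice versa.
            if ip in ipaddress.ip_network(arg, strict=False):
                return result
        elif mech == "include":
            # include matches only if the included domain's own check passes.
            if spf_check(arg, sender_ip, depth + 1) == "pass":
                return result
    return "neutral"


def parse_dmarc(domain):
    """Return the DMARC policy tags for domain, or None if it publishes none."""
    record = lookup_txt("_dmarc." + domain)
    if not record or not record.startswith("v=DMARC1"):
        return None
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip()] = value.strip()
    tags.setdefault("adkim", "r")  # alignment modes default to relaxed
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    # Simplified organisational domain: last two labels (no public-suffix list).
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict alignment needs an exact match; relaxed needs the same organisational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_evaluate(from_domain, sender_ip, mail_from_domain, dkim_domain=None, dkim_valid=False):
    """Combine SPF and DKIM results with alignment to the From domain and
    return the receiver's decision: deliver, or the domain owner's p= action."""
    policy = parse_dmarc(from_domain) or parse_dmarc(org_domain(from_domain))
    if policy is None:
        return {"result": "none", "action": "deliver"}
    spf_aligned = (spf_check(mail_from_domain, sender_ip) == "pass"
                   and aligned(from_domain, mail_from_domain, policy["aspf"]))
    dkim_aligned = (dkim_valid and dkim_domain is not None
                    and aligned(from_domain, dkim_domain, policy["adkim"]))
    if spf_aligned or dkim_aligned:
        return {"result": "pass", "action": "deliver"}
    return {"result": "fail", "action": policy.get("p", "none")}


if __name__ == "__main__":
    # Genuine message from the organisation's own mail server.
    print(dmarc_evaluate("example.com", "192.0.2.5", "example.com"))
    # Spoof: SPF passes for the fraudster's domain, but it is not aligned with From.
    print(dmarc_evaluate("example.com", "203.0.113.7", "attacker.example"))
    # Third-party relay with a valid, aligned DKIM signature still gets through.
    print(dmarc_evaluate("example.com", "203.0.113.7", "mailer.example",
                         dkim_domain="example.com", dkim_valid=True))
```

The `p=reject` policy in the constructed record is what turns a spoof into a discarded message; with `p=none` the same evaluation would only generate a report, which is why a DMARC rollout normally starts at `none` and moves to `quarantine` and then `reject` once the organisation's legitimate senders all pass.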

Best practices for fighting email fraud

The first step in combating email fraud is to raise awareness of the problem among an organisation's senior management. They should be informed of the associated risks of brand damage, loss of trust and the potential hit to the bottom line.

A second step is to provide education for customers and prospects. They need to be aware of the size of the fraudulent email challenge and the steps the organisation is taking to beat that challenge. Customers need to know that constant vigilance is important.

As a third step, marketers should collaborate with their in-house IT security team. As emails may be sent by a number of different groups within an organisation, a consistent approach to the security tools and techniques being used is vital.

Through an understanding of the fraudulent email challenge and the formulation of a comprehensive defensive approach, organisations can ensure their email marketing activities will continue to deliver both value to customers and revenue growth for the business well into the future.

