Tangled in the Phishing Lines


Marketers will spend a whopping $1 billion this year compiling e-mail addresses, crafting online offers, and sending out messages they hope will trigger action and inspire loyalty in their customers. But much of that effort could be for naught. An epidemic of "phishing" and "spoofing" attacks, in which scammers dupe Web users into divulging account and other personal information by pretending to represent known brands, is eroding trust in all e-mail marketing (see BW Online, 5/24/04, "How to Avoid the 'Phish' Hook").

When the subject of e-mail communications comes up, "my clients just hold their heads," says Howard Davidowitz, chairman of Davidowitz & Associates, a New York retail consulting firm. "My clients are reporting it is one big mess." His advice for now is to hold off stepping up e-mail marketing efforts until phishing problems have been worked out.

Most companies are still adding to e-mail marketing budgets -- but not by much. Total category spending will rise from $1.2 billion in 2003 to $1.57 billion in 2007, but it will slip as a percentage of total marketing spending from 18% in 2003 to 11% by 2007, predicts Forrester Inc.

THREE WAYS. What to do? Given the growing scourge of phishing, marketers had better devote some of their marketing money to protecting their customers -- or risk losing them forever. Security and e-commerce companies say they have no quick fix, although they're increasingly working together to come up with one. "It's a huge problem, it's getting bigger, but it's one we're going to solve," says Neal Creighton, chief executive of online security firm GeoTrust.

Today, three main approaches are available for dealing with phishy e-mail and spoofing scamsters: adopt technology that certifies legitimate mail -- a sort of Good Housekeeping seal of approval; incorporate toolbars that warn users that they may be entering shady parts of the Internet; and use software that can help companies react when targeted by tainted mail, blunting the damage to customers.

GeoTrust's technology falls into the first category. Its software digitally signs and certifies e-mail. Companies pay GeoTrust about $20 a year per user to certify that workers who send company e-mail have their identities verified by an independent third party (in Microsoft Outlook, these e-mails come with an image of a red ribbon).

SHORT-TERM PLANNING. Several other technologies are emerging to compete with GeoTrust to help companies send out e-mail that customers can trust. Some Internet service providers are developing so-called "black lists" that block e-mail from known spammers. In the future, these could be turned into "white lists," so that only e-mail verified as coming from legitimate sources makes it through.

Now, software is available that can help companies react more quickly when their customers are targeted. That way they can better protect customers, keeping them loyal. Since it may be years before any "silver bullet" solution is found, "we're emphasizing short-term goals that can help out," says Shawn Eldridge, chairman of the Trusted Electronic Communications Forum, a cross-industry group formed on June 16 to come up with tech standards aimed at fighting phishing and spoofing. "Companies need to start by bringing in layers of defense."

One key, especially for banks and credit-card companies, is better security systems and transaction monitoring. Information-technology consulting firm Unisys (UIS) works with banks to set up monitoring systems that can spot a phishing attack as it happens.

CAUGHT IN THE NET. Some sites are coming up with their own toolbars, which work as a browser extension and warn users if they have left the service or are on a spoof site. Auction site eBay (EBAY) has one that stays green when users are on eBay, goes gray when they leave the site, and sends out a pop-up message when they stumble onto a known spoof site. "It's a great first step," says Rob Chesnut, eBay's deputy general counsel. "It's not something we're going to be resting on."
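The three toolbar states described above (green on the brand's site, gray off it, a warning on a known spoof) come down to one decision: is the host the user is on really the brand's domain? As an added example, not eBay's toolbar code, the snippet below makes that decision the way a browser extension would. The brand domain, the spoof list, and the URLs are constructed for illustration. The security-relevant detail is the suffix check with the leading dot: a naive "contains ebay" or "ends with ebay.com" test would turn the bar green on lookalikes such as ebay.com.evil.example or notebay.com, which is exactly what a phisher registers.

```javascript
// Added example of a brand toolbar's site check (not eBay's own code).
// LEGIT_DOMAIN and KNOWN_SPOOFS are assumed/constructed values.
const LEGIT_DOMAIN = "ebay.com";

// A list the toolbar would normally fetch from the brand; constructed here.
const KNOWN_SPOOFS = new Set([
  "ebay-secure-login.example",
  "signin-ebay.example",
]);

// True only for the brand domain itself or a real subdomain of it.
// The "." prefix in the suffix test rejects "notebay.com" and
// "ebay.com.evil.example"; lowercasing and stripping a trailing dot
// normalizes the host before comparison.
function isBrandHost(host, domain = LEGIT_DOMAIN) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return h === domain || h.endsWith("." + domain);
}

// Returns "green" (on the brand's site), "gray" (elsewhere) or
// "spoof" (known phishing host), mirroring the toolbar's three states.
// The URL parser is used deliberately: it strips "user@" tricks such as
// http://ebay.com@evil.example/ and converts IDN lookalikes to punycode,
// so neither can match the brand domain.
function toolbarState(url) {
  let host;
  try {
    host = new URL(url).hostname;
  } catch (e) {
    return "gray"; // unparsable address: treat as off-site
  }
  if (KNOWN_SPOOFS.has(host)) return "spoof";
  if (isBrandHost(host)) return "green";
  return "gray";
}

// Message a toolbar might pop up for each state.
function toolbarMessage(url) {
  const state = toolbarState(url);
  if (state === "spoof") return "Warning: this is a known spoof site.";
  if (state === "green") return "You are on " + LEGIT_DOMAIN + ".";
  return "You have left " + LEGIT_DOMAIN + ".";
}

// Stand-alone run over a few constructed URLs.
[
  "https://www.ebay.com/itm/123",
  "http://ebay.com.evil.example/login",
  "http://ebay.com@evil.example/",
  "http://signin-ebay.example/",
].forEach((u) => console.log(u, "->", toolbarState(u)));
```

The same host check is what a mail client would apply to every link in a message before letting a user click it, which is the complementary, receiver-side defense for the links-in-e-mail problem discussed later in the piece.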

Marketers also have to make sure their missives can get through filters designed to fight the spread of unwanted e-mail. "A key challenge for legitimate marketers is that their e-mail is [often] not delivered to consumer in-boxes because of all of the filtering and controls that Internet service providers are putting in place to protect customers," says Forrester analyst Elana Anderson. "There's absolutely no question that spam et al has impacted the effectiveness of legitimate e-mail marketing."

Microsoft (MSFT) recently reported success using a tool from IronPort Systems that creates lists of "bonded senders" whose mass e-mail can make it through filtering software. To gain this status, marketers must agree to standards for sending mass e-mail (such as only sending it to people who have requested additional information) and post a financial bond that's debited if an e-mail triggers complaints.

SLOW TO OPEN. Eventually the future will bring more complex ways for users to sign onto Web sites so password filching won't be so effective. Another possibility is the equivalent of a credit bureau for e-mail where only virus-free, validated messages will make it through to recipients. "There's a growing need for a trusted third party," says Frank Liddy, who heads the North American banking practice for Unisys.

The problem with implementing many of today's available security solutions is that they can make online communication slower, more expensive, and more cumbersome for the average person to use. For example, sites are considering more steps for users to sign in, perhaps requiring a new kind of security key rather than a password. But that could deter frequent visits.

Another potential drawback: GeoTrust's digitally signed e-mail currently requires a time lag of about five seconds to open while the e-message is verified. That could irk users who waited patiently only to be pitched goods they didn't want. "There's nothing out there today that's a Holy Grail to stop this problem," says the TECF's Eldridge.

AVOIDING BAD BRANDING. For now, the best defense for marketers is strong and consistent branding, so customers can tell the difference between a real e-mail and a phishing attack, says David Sable, a vice-chairman at marketing communications firm Wunderman. He says he recently was able to identify a fake message from eBay because the tone of the e-mail wasn't in keeping with eBay's style. "That's proof of brand power," he says.

eBay's Chesnut also advises marketers to never ask for personal information nor link to a page that asks for personal data. "Tell customers where to go, don't tell them to click on a link," he says. Consistency in online dealings with customers can go a long way toward training users to recognize fraud when it hits them, says Jonathan Penn, a security analyst with Forrester.

"Whatever you do, you don't want to create a negative brand experience," says Sable. Companies are still recovering from past e-mail gaffes like flooding customers' in-boxes with too many offers, including so much personal information that customers felt their privacy had been invaded, and failing to coordinate internally so they confused customers with mixed signals, he says.

Davidowitz of Davidowitz & Associates believes e-mail marketing will follow the same course as e-commerce, which was plagued with problems of fraud, poor service, and irate customers in its first few years. "I know it's going to get cleaned up," he says of e-mail fraud. "But now, it's a monster mess." For both marketers and security companies, taming that monster is a critical job.

By BusinessWeek Online Senior Writer Amey Stone

