How Phishing Attacks Impact Real Email

By Sean Michael Kerner  |  Posted 2016-06-30 Print this article Print
phishing attacks

A Return Path study warns marketers of the dire consequences of fraudulent email, as consumers lose trust in a brand impacted by a phishing attack.

There is an impact that phishing and fraudulent email has on organizations of all sizes, and that impact isn't just limited to security risks, but also to marketers. Email delivery vendor Return Path has examined the cost of phishing on marketers in a report that reveals the wider impact of phishing campaigns.

According to Return Path's analysis, consumers are less likely to trust a brand after it has been impacted by a phishing attack. As such, for consumers who have been tricked by a phishing email allegedly from a brand and then received a real email from the same brand, they are less likely to open the email. Average read rates for messages from brands where a phishing attack occurred were 18 percent less on Gmail and 11 percent on Yahoo than for brands that were not phished.

While it's not all that shocking that there is a connection between phishing and consumer behavior, the study also found a few surprises.

"We were most surprised by the disconnect between the perception and the reality of the phishing problem among marketers," Estelle Derouet, vice president of marketing and email fraud protection at Return Path, told eWEEK.

The study found that 81 percent of marketers would be concerned or very concerned if customers received a malicious email that appeared to come from their brand and yet only 32 percent of marketers say that securing the email channel is a top priority in 2016.

"To us, this suggests that most marketers just don't think email fraud is happening to them," Derouet said.

She added that Return Path analyzed Gmail and Yahoo inbox placement rates across 71 brands within 10 days of a phishing attack and found that one in five phishing attacks results in reduced deliverability and one in three phishing attacks results in reduced engagement.

"For anyone relying on email marketing to generate revenue, this can have catastrophic consequences," Derouet said.

According to Derouet, the Return Path study discovered that 76 percent of marketers surveyed say they have little to no visibility into phishing attacks leveraging their brand. Among the challenges that face brand owners is also the fact that phishing attacks are not always the fault of legitimate brand owners.

"Even if the brand has the most secure email program in place, there's a chance they'll get phished," she said. "It is the brands who are not implementing the latest and greatest email authentication measures that put their legitimate email at risk."

Derouet noted that, in contrast, email providers such as Google and Yahoo are primarily concerned with providing a great experience for their users by keeping malicious email out and legitimate email in user inboxes.

"These companies watch user behavior carefully to inform their delivery decisions," she said. "If a lot of users start flagging a brand's email as malicious or as spam and that brand doesn't have adequate authentication measures in place, the sender reputation will suffer and, as a result, legitimate mail is more likely to get blocked."

There are a number of standards-based approaches to help organizations deliver authenticated email; among them is the DMARC (Domain Message Authentication Reporting and Conformance) protocol. That said, Derouet commented that DMARC scares a lot of people—especially the nontechnical among us.

"But it is, without a doubt, the best technology out there to fight domain spoofing," she said.

According to Derouet, any email, no matter how sophisticated, that spoofs a company's domain in the visible "'From address" (e.g., From: Sender <>) will be blocked before it reaches users with DMARC.

The ability to block phishing emails before they reach consumer inboxes is a big deal.

"As our report revealed, users are pretty terrible at identifying today's class of phishing messages," Derouet said. "Ninety-seven percent of recipients will open a malicious message, and 45 percent of users will offer up personal information during a phishing scam."

The hope that Derouet has is that marketers will come to understand that not only are their customers being impacted by phishing, but that it's also up to the marketers to help fix the problem.

"Email fraud is a business problem, not just an IT or security problem," Derouet said. "The cost of doing nothing about phishing is not sustainable for businesses."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.


Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel