How to Prevent Phishing Scams from Impacting Brand Reputation
“You’ve received an inheritance. I need your bank account information to send you the money.”
The email sender looks like a legitimate company. Sounds too good to be true, right? That’s because it most likely isn’t. This is a phishing scam in its most basic form.
As a best practice, it’s a good idea to double-check any suspicious emails that request sensitive information, like password resets or billing details. After all, that innocuous email could be a sophisticated phishing attempt or malware attack from cybercriminals.
Falling for a scam is always a little humbling. But when an email marketer gets caught in a phishing attempt, it’s extra embarrassing. But damage to your ego isn’t the only thing at risk.
While you might fall victim to a phishing scam, it’s also possible that scammers will lean on your brand name to scam other individuals. Let’s go over what phishing emails are, how to recognize them, and how to protect your business from being misappropriated by phishing scams.
What are phishing scams?
Phishing scams are when cybercriminals send fake emails while pretending to be legitimate companies or email senders. These scams try to get victims to share sensitive information, like passwords, financial information, or credit card details. In doing so, scammers simultaneously hurt their victims while damaging the reputations of legitimate brands.
Cybercriminals use phishing messages to:
- Learn your login details
- Steal your money and open bank accounts or credit cards under your name
- Make purchases
- Get cash advances
- Commit identity theft by stealing your social security number
- Sell your information to other parties who will use it for illicit or illegal purposes
There are specific types of phishing attacks, like spear-phishing (a more targeted version of phishing) and spoofing. In this article, we’ll go over how email spoofing affects your brand reputation.
Why is phishing so rampant?
Phishing is such a lucrative livelihood for scammers because it works by playing to people’s basic instincts, like self-care and survival. In short, phishing relies on social engineering to engineer security threats that exploit vulnerabilities. And, with roughly 3.8 billion email users worldwide, it’s no surprise that phishers see email as an easy target. For them, it’s just a numbers game. The more people they try to scam, the higher the likelihood of their efforts being rewarded.
According to Crane Hassold, the Senior Director of Threat Research at Agari and formerly a digital behavior analyst for the FBI:
“The thing I find fascinating about phishing is it’s really exploiting a very primal part of human behavior. It’s all about curiosity, trust, and fear. Those qualities are hardwired into humans, so a lot of protection against phishing has to do with conditioning yourself to look out for things that could be a red flag.”Crane Hassold, former FBI analyst
What are some types of phishing techniques?
Phishing sounds pretty rampant and quite scary, right? Right. Before we go over how to protect your brand from phishing attempts, let’s look at some common types of phishing emails:
The Login Scam: The hacker will ask you to log into an account via an insecure link. During this process, the scammer stores your login credentials to hack your real account.
The Fake Invoice Scam: This phishing email tries to gain access to your bank account by asking you for personal details. The scammer may use this information to steal your money or open bank accounts and credit cards under your name.
The Google Docs Scam: This one’s a bit tricky. The scammer pretends to send you a document from one of your contacts. You’re asked to click on the link to “open the Google Doc.” The hacker then uses this opening to install malware on your local device or steal sensitive data.
The Expiration Date Scam: This seedy scam uses a scare tactic: one of your accounts or subscriptions is about to expire! You’re then asked to supply login credentials or bank details that the hacker will abuse.
The Friend or Government Scam: This phishing attempt relies on your trust in your friend or the government to trick you into revealing sensitive information, like your social security, login details, or bank account number. They might also ask you to send money to a friend in need or donate to a government cause.
How can phishing hurt my brand reputation?
While there’s a possibility you or a fellow employee might be the victim of a phishing scam, these attacks are actually more relevant to your business in that a scammer might pretend to be your business to scam others.
This type of phishing scam is called spoofing and involves the creation of fake emails that appear to come from a legitimate company that subscribers trust and expect to see in their inboxes. In short, scammers pretend to be you and target your subscribers to exploit them. You can see how this ends badly for both your subscribers and you. In fact, phishing scams both damage your brand reputation and lead to a decrease in email engagement. This is the exact opposite effect you want from your email marketing efforts!
How do scammers spoof your company?
Besides the actual content of the phishing scam message, scammers use the email header to confuse their victims. Email headers contain the recipient, the sender, and the subject line. Scammers can forge information in the email header to make it seem like you are the sender. If your subscribers are familiar with your brand, they may not pay too much attention to whether or not the email really is from you.
These spoofed emails then include malicious links to a false web page – this is usually a phishing site that also mimics your visual brand identity). There, targets are asked to enter account login credentials or sensitive information such as credit card numbers.
What are some tips for phishing prevention?
In general, it’s good to implement proper cybersecurity practices. Even though scammers are pretty crafty, there are a few ways to signal to your subscribers and their email service providers (ESPs) that you’re a legitimate sender. The best way to do this is to:
- Use appropriate subject lines so that your legitimate emails don’t look like cyber attacks.
- Use proper email authentication protocols.
- Set up domain alignment.
Let’s go over what these mean in more detail below.
How do I signal to my subscriber that my email is legitimate?
Since your subscribers are also constantly on the lookout for phishing emails, it’s crucial that you use intentional “from” fields, a clear sender name, a well-crafted subject line, and thoughtful preheader text. Simply looking legitimate can go a long way toward not being mistaken for a phishing attempt. These simple tricks can keep your users engaged and protect your brand reputation.
How do I set up email authentication protocols?
It’s also important to signal to ESPs that you’re who you say you are. Proper email authentication protocols help ESPs identify you as a legitimate sender and deliver your email messages to your subscribers’ inboxes. To set up authentication protocols, you want to use the following:
Sender Policy Framework (SPF): SPF uses a Domain Name System (DNS) record to identify whether an email source is valid for a specific domain. SPF also decides what to do with the messages that don’t originate from those sources. Set up your SPF to indicate which IP addresses or hostnames are authorized to send email messages from your domain.
DomainKeys Identified Mail (DKIM): DKIM is like a “digital signature” for each of your email messages. Set up your DKIM to authenticate that your emails are indeed coming from you. Your subscriber’s email client, like Google, Yahoo, or Microsoft Outlook, uses DKIM to identify and protect email recipients from phishing, spoofing, and forgeries.
Domain-based Message Authentication, Reporting & Conformance (DMARC): DMARC gives you better control over your SPF and DKIM records. DMARC also handles messages that fail to align with SPF and DKIM protocols and gives you feedback on why these messages failed.
BIMI authentication: BIMI authentication is a subscriber-facing authentication that displays a logo to your readers, indicating your email is safe to open. It’s the email equivalent of the lock icon in your address bar that tells you which websites are safe to browse. Gmail announced BIMI support last year, and other email clients will follow suit as it exits beta testing. Once adopted, BIMI could become the top-drawer verification for subscribers to know who is emailing them.
How do I set up domain alignment?
After you set up email authentication protocols, you can implement domain alignment, which ensures that your authenticated email domain aligns with the domain in the “From” header.
Basically, domain alignment indicates that the email address you send your emails from is the same as your authenticated email domain. This means your email address displays as “firstname.lastname@example.org” instead of “email@example.com sent via emailonacid.com.”
The benefits of aligning your domains include:
- Your sending domain appears more trustworthy to ESPs, which can affect your email deliverability.
- All your hyperlinks and tracking links are redirected using your own domain instead of another, like emailonacid.com.
- Your “From” address displays as your own domain and not as “Sent via Email on Acid.”
- Your subscribers will see the email is indeed sent from your domain and not routed through a third party. This increases brand trust, which translates to user engagement and improved brand reputation.
Phishing scams are terrible for victims and for brands, but with proper preventative measures, you can implement proper email security and maintain trust with your subscribers.
Ready to get cracking? Try out Email on Acid today and test your emails with our Campaign Precheck workflow so you can stay out of spam folders and increase email ROI.
This article was updated on June 1, 2022. It was first published in September of 2019.
Improve Deliverability to Hit More Inboxes!
Nothing ruins a polished email’s ROI potential like a trip to the spam folder. Run a Spam Test right within your Campaign Precheck workflow so you can land in more inboxes and increase email ROI. With Sinch Email on Acid, you can check your email against 23 of the most popular spam filters and your domain against the most popular blocklists before you hit “send”. Sign up for a free trial and try it out today.
Author: The Email on Acid Team
The Email on Acid content team is made up of digital marketers, content creators, and straight-up email geeks. Connect with us on LinkedIn, follow us on Facebook, and tweet at @EmailonAcid on Twitter for more sweet stuff and great convos on email marketing.