Phishing, or the practice of sending fraudulent e-mails to gain personally identifiable information (e.g., credit card numbers, Social Security numbers), is still e-mail’s albatross.
The industry is wise to it, and legislators are starting to take notice, but perpetrators posing as friendly neighborhood retail banks or trusted e-commerce sites continue their war of attrition on the channel.
Measures are being taken, but we still have more work to do in consumer awareness and on the technology side to ensure AAR – authentication, accreditation and reputation.
The Anti-Phishing Working Group reports that approximately 150 million phishing e-mails are sent daily, a figure that will grow if left unchecked.
Or consider this statistic released at the E-Mail Authentication Summit in April: 300 trillion messages will be sent in 2006, and 80 percent will be illegitimate.
NIMBY? Think Again
Brand leaders like Citibank and Bank of America have been outspoken and proactive about identity theft, including phishing, in both the business community and at the consumer level.
But it’s not just their problem, nor should it fall to Internet giants like eBay. Any Web site retaining consumer information is at risk, even more so if you act as guardian of financial information. Yet you’d be surprised how many regional banks consider it a problem for the bigger brand names.
The reality is, smaller companies are vulnerable, as phishers become more creative and more insidious.
E-mail service providers and Internet service providers need to make this part of their dialogue as well. Thankfully, key players are stepping up the program. Microsoft’s Internet Explorer 7.0 browser has stringent anti-phishing guards, and soon we’ll see how that works in practice.
Further, New York governor George Pataki recently signed a law making phishing illegal, authorizing ISPs, trademark holders and the attorney general to bring action and collect damages.
But phishers rely on consumer naiveté, so it’s time for widespread consumer education, including more public service announcements and more corporate advertising, a la Citibank.
Seals Must Be Obvious
The Anti-Phishing Working Group’s sound guidelines (e.g. “Be suspicious of e-mail requests for personal financial information” or “Consider installing a Web browser tool bar to help protect you from known phishing Web sites”) may not be as mainstreamed as we’d like, and more advertising can only help spread the word.
We’re also integrating more technological measures to achieve AAR.
For example, we have e-mail authentication tools such as Sender ID or SPF authentication, which is akin to a license plate that shows from where the e-mail originated. We also have DomainKeys authentication, which is akin to an autograph and shows that an e-mail has not been tampered with since it left the legitimate server.
Studies show that 35 percent of domains are now sending authenticated e-mails, and 1 billion e-mails a day sent to Yahoo are authenticated.
We also participate in accreditation programs and reputation monitoring programs. But how many consumers today recognize what all these stamps of approval mean?
In the end, marketers need to recognize these threats and demand such protective measures, and consumers need to be educated as well.
Remember, the stakes are much higher with the phishing threat than with spam, which is only irritating or offensive, because phishing can ruin someone’s livelihood and credit.