The scam isn't really that complicated. Create a Web site that looks official and trustworthy, send out a flood of emails luring people back to the "spoofed" site and, once they're on the site, persuade them to divulge personal and financial information.
If only a few people fall for the ploy, it can still prove quite lucrative.
This practice, commonly known as "phishing," is wreaking havoc not only with privacy groups and consumers but also with email marketers. The recent glut of phishing attacks and high profile data breaches has caused many customers to think twice before sharing their personal information. That doesn't bode well for email marketers who are already struggling to make their message heard above the roar of spam and competitors' materials.
While the primary concern for marketers is still about getting their messages out, awareness of phishing is on the rise, particularly in the financial services industry, according to Shar VonBoskirk, analyst with Cambridge, Mass.-based Forrester Research Inc.
"We have some data we pulled last fall that showed people were very concerned about email fraud, but the number of consumers who were affected was quite small," she said. "It's similar to the [early days of the] Internet when customers were concerned about releasing credit card information. The reality is [the risks are] minimal. That doesn't mean the marketers are scot-free. It's their job to educate consumers about the reality of
However, the number of attacks appears to be climbing. According to the Anti-Phishing Working Group, a global group dedicated to eliminating the problem of phishing, there were 3,326 active phishing sites reported in May of this year, up from 2,584 the month before. Additionally, the number of brands used in phishing attempts rose from 79 in April to 107 in May.
The first step marketers should take is to employ authentication, VonBoskirk said. Marketers should always provide their domain name and a sender identification in the email.
The second step is to establish a reputation with email security providers such as San Bruno, Calif.-based IronPort Systems Inc. or Mountain View, Calif.-based Habeas Inc., VonBoskirk said.
"The higher, overarching theme is to really focus on your user's need in your messages," she said. "In general, focus on customers and what they want to hear. That actually ensures the messages are valued."
Predictability can also be an ally in distinguishing your email from phishers' messages and spam. If you deliver messages at similar times on the same day, readers are more likely to consider messages safe.
"Phishing is definitely a different breed of animal compared to spam," said Robb Wilson, vice president of deliverability at Lyris Technologies Inc., in Berkeley, Calif. "It's really impacting the channel as a whole. Companies absolutely have seen a trust issue; they're assuring customers they won't ask for personal information. For retailers that's a difficult task."
Recent research from Stamford, Conn.-based Gartner Inc. highlights the pervasive threat of phishing. In a report released last month, the research firm surveyed 5,000 consumers in the U.S. and found that most do not open email from companies or individuals they don't already know. Also, the number of consumers who reported receiving phishing emails went up 28% in the year ending May 2005.
Many companies have no way of knowing whether their brand is being used by phishers. Or, if they do manage to discover that it is, they do not have a "disaster relief plan," he said.
"Typically, it's kind of chaotic," Wilson said. Firms need to include legal, marketing and other business units in preparing for such a scenario. "It really is a cross-departmental solution."
Companies should send out messages with links coded specifically for that email, watch for spikes in online traffic during off days, and beware of any traffic that comes from unauthorized emails.
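One way to apply that advice, as an added example that is not from the article or anyone quoted in it: each mailing's links carry a keyed token, and landing-page hits are checked for missing or forged tokens and for off-day volume spikes. The key, campaign name, spike threshold and sample hits are constructed assumptions.

```python
import hashlib
import hmac
from collections import Counter
from datetime import date
from statistics import median

SECRET = b"constructed-demo-key"  # assumption: secret held only by the sender

def campaign_token(campaign_id):
    """Value embedded in every link of one mailing: '<id>.<truncated HMAC>'."""
    tag = hmac.new(SECRET, campaign_id.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{campaign_id}.{tag}"

def token_is_valid(token):
    """True only if the token was issued by campaign_token()."""
    campaign_id, _, _ = (token or "").rpartition(".")
    if not campaign_id:
        return False
    return hmac.compare_digest(campaign_token(campaign_id).encode(), token.encode())

def review_hits(hits, send_days, spike_factor=3):
    """hits: list of (date, token-or-None) for landing-page requests.
    Returns (hits without a valid token, off days whose volume spiked)."""
    unauthorized = [h for h in hits if not token_is_valid(h[1])]
    per_day = Counter(day for day, _ in hits)
    off_days = {d: n for d, n in per_day.items() if d not in send_days}
    baseline = median(off_days.values()) if off_days else 0
    spikes = sorted(d for d, n in off_days.items() if n > spike_factor * baseline)
    return unauthorized, spikes

# Constructed sample data: one mailing on 7 June, then a burst on 11 June.
GOOD = campaign_token("june-newsletter")
SEND_DAYS = {date(2005, 6, 7)}
HITS = (
    [(date(2005, 6, 7), GOOD)] * 5
    + [(date(2005, 6, 8), GOOD), (date(2005, 6, 9), GOOD), (date(2005, 6, 10), GOOD)]
    + [(date(2005, 6, 11), "june-newsletter.0000000000000000")] * 4
    + [(date(2005, 6, 11), None)] * 2
)

if __name__ == "__main__":
    bad, spikes = review_hits(HITS, SEND_DAYS)
    print(len(bad), "hits without a valid token; spike days:", spikes)
```

The off-day baseline here is the median of non-send-day volumes, so a single burst does not raise its own threshold.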
The best protection, Wilson contends, is education.
"Anything you say to make people more comfortable is the same language phishers will use," he said. "The big thing is to bring them back to your homepage and have them log in before they take any action."