By Jim Clanin
A new study by the nonprofit Online Trust Alliance suggests that marketers are doing too little to protect the reputation of their brands online, with only 37% of Fortune 500 companies taking robust security measures to safeguard against cyber-fraud. And phishing — fake e-mails often sent under the guise of well-known, trusted brands, usually to obtain credit-card numbers — is on the rise.
A Gartner study released last week said in the 12 months ended September 2008, more than 5 million U.S. consumers — 40% more than in the same period a year ago — lost money to phishing attacks. These well-publicized e-mail scams have made consumers wary of opening commercial e-mails. And perhaps no one feels the pain more than financial services companies, a prime target of scammers.
The OTA study said the overwhelming majority of Fortune 500 brands, including huge marketers such as AT&T, Procter & Gamble, Sears and MetLife, have not taken the two key steps to reinforcing online security: implementing website-security certificates and authenticating e-mails sent from their corporate domains.
What does that mean? E-mail authentication means a marketer provides information — digital signatures, IP addresses or domain names from which legitimate e-mails will come — to the ISPs, such as Earthlink or Comcast, or e-mail vendors, such as Yahoo or AOL, that helps them determine that a message is truly from the company it claims to be from. For example, XYZ company can declare to the ISP that it only sends e-mails from the domain www.bigbookseller.com. Thus, if the ISP sees e-mails purporting to come from XYZ but that are sent from any other domain, it should block them.
OTA Chairman Craig Spiezle said third-party e-mail marketers are adopting authentication at a rate of 85%, but brands themselves are not protecting their corporate domain names. That means third-party vendors sending e-mails on their client’s behalf often authenticate the domain they have set up to control the campaign. For example, an e-mail marketer sending promotional e-mails on behalf of XYZ might use the authenticated e.bigbookseller.com domain, but bigbookseller.com itself is not authenticated. Thus, it becomes easy for someone to forge e-mail that appears to be coming from bigbookseller.com.
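As an added example (not from the article or the OTA study), this is the check a receiving ISP performs against the IP-address form of declaration described above, modelled on SPF, the DNS-published sender policy. It reproduces the gap Spiezle describes: the vendor's e.bigbookseller.com subdomain publishes a policy, the corporate bigbookseller.com publishes none. Domains, policy records and IP addresses are constructed.

```python
import ipaddress

# Constructed DNS data: a simplified SPF-style policy per domain.
# The vendor's campaign subdomain is authenticated; the corporate domain
# publishes nothing, which is the gap the article describes.
SPF_RECORDS = {
    "e.bigbookseller.com": "v=spf1 ip4:203.0.113.0/24 -all",
    # "bigbookseller.com" intentionally absent: no record published
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_sender(mail_from_domain: str, sender_ip: str, records=SPF_RECORDS) -> str:
    """Evaluate a message claiming mail_from_domain, delivered from sender_ip.

    Returns 'pass', 'fail', 'softfail', 'neutral', or 'none'. 'none' means
    the domain published no policy, so the receiver has no basis to reject
    forged mail; that is the unprotected state the article warns about.
    Only ip4/ip6/all mechanisms are handled (a, mx, include are omitted)."""
    record = records.get(mail_from_domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            # 'in' is False when address and network families differ
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            continue
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def unprotected_domains(domains, records=SPF_RECORDS):
    """List the brand's domains that publish no policy at all."""
    return [d for d in domains if d not in records]
```

A forged message from any address claiming bigbookseller.com evaluates to "none", so the ISP cannot block it; only after the corporate domain publishes its own record does the same forgery evaluate to "fail".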