A game of minesweeper in the inbox
Darren White looks at how organisations can prioritise email security to protect their customers online.
Darren White, vice president of EMEA at Agari
Email has become the number one tool that brands use to communicate with consumers and complete a myriad of interactions over the internet. From shopping online to managing a bank account to exchanging a faulty item, email is at the centre of how brands authenticate each transaction. However, where there is opportunity, there is also risk.
While email has become the digital backbone of online transactions, it has also been tirelessly exploited by sophisticated cyber-criminals. With no security authentication built in, there is a fundamental flaw in the architecture of email that means anyone can send a message pretending to be from another person or brand. More worryingly, these illegitimate emails are often well written, seem to come from a trusted source and relate to actual issues, making it very difficult to tell sophisticated phishing emails apart from their genuine counterparts.
When it comes to the inbox, customers are playing a game of minesweeper. They are being forced to sift through an avalanche of emails to quickly decide what's safe to be opened and what might detonate in the inbox. In tandem with this, phishing volumes are continuing to rise with the RSA identifying a new attack every minute.
However, despite the prevalence of email attacks, the response to the problem has been limited. Brands have effectively admitted defeat, broadcasting warnings on corporate websites and social media that tell customers a breach is taking place. While there is a danger that consumers won't even see the warning signs, making a breach common knowledge can also have an adverse effect. Instead of reassuring customers, the warning fosters a feeling of distrust that damages corporate reputations, dilutes brand equity and impacts revenues.
Customer-centred organisations understand this risk and are adopting a more proactive approach that secures the email channel and turns the tables on criminals. Ultimately, if it can't be guaranteed that only brand messages get delivered to a customer's inbox, then email shouldn't be used as a channel to communicate customer information.
The never-ending cyber-security story
It's important to remember that it will never be possible to completely eradicate new cyber-attacks, but there are steps that brands can take to effectively authenticate email and allow customers to trust that every email landing in their inbox is legitimate. Brands need to start by making it hard for attackers to confuse customers by using open security standards like DMARC (Domain-based Message Authentication, Reporting & Conformance) to authenticate outbound email and lock phishers out of the inbox. Using DMARC data, organisations benefit from an extra layer of protection that allows them to discover all of the domains – both good and bad – that are sending emails referencing the brand and then work with email receivers around the world to let them know which ones are legitimate and which ones can be rejected.
By fixing one of the fundamental flaws that criminal innovation is relying on, it's possible to defend the ROI of email so that it remains the number one way for communicating with customers.
Contributed by Darren White, vice president of EMEA, Agari.