Email is in a gray area. As marketers we use it to generate leads, nurture potential buyers through the buying cycle and to keep our current customers up-to-date. As recipients we know that much of email is SPAM, and have it blocked by corporate SPAM filters and often delete it from those that we do not know. We have been taught by to never open an email attachment from someone we do not know or to click on a download button…yet many of us do, often with disastrous results.
The ripple effect of incidents at RSA and Epsilon suggest that a seismic change to marketing’s use of email may take place. RSA was breached and core information taken. RSA has reported:
"The attack itself involved a targeted phishing campaign that used a Flash object embedded in an Excel file. The assault, probably selected after reconnaissance work on social networking sites, was ultimately aimed at planting back-door malware on machines on RSA's network, according to a blog post by Uri Rivner, head of new technologies, identity protection and verification at RSA."
What is surprising about this attack is that RSA employees, who should be knowledgeable about security, were taken in by it. If they were spoofed, what is the likelihood that the average employee in your company will be taken in?
Epsilon was breached and thousands or millions of email addresses were taken. Already some people have reported that they have received “spear-phishing” attacks, where the email appears to have come from a trusted source.
Trust is an earned value. It takes a long time to get it and an instant to lose it.
If, in the past, we trusted email from Citibank, McKinsey, Best Buy or Disney and now we cannot (their email address files were all taken from Epsilon), how can we believe any email we get from these sources, even if it is valid? And, if we cannot trust these sources, why would we trust anyone else?
I expect that many CIOs and CSOs are putting together training packages for all employees that educate about spear-phishing, and emphasize the need to never click on a download button, or fill out a form asking for Personal Identifiable Information (PII). Where does this leave a marketer, who cannot include a newsletter as an attachment, and who will soon recognize that the download button is either stopped by the SPAM filter and is not being used?
Hopefully part of the CSO’s education package will cover how to identify domain names. A valid domain name is https://firealarmmarketing.com/ where the firealarmmarketing.com comes before the second slash. Anything else is probably a phishing attempt. So, rather than use a “click-here” or “download” button, email marketers should use (as they did in the past) the URL for what they want the reader to do. For example, I could say:
To learn more about Epsilon’s data breach see: https://firealarmmarketing.com/2011/04/06/the-lack-of-security-epsilons-data-breach/
(More information about domain names and understanding spammers can be found in this posting: http://www.bustspammers.com/phishing_links.html )
Going forward, fancy graphics and clever links have to give way to re-building trust among readers. Additional steps that may be required are suggesting that the reader Google your company or brand, or that they type in your URL…which may mean shorter URLs and potentially fewer micro-sites.
Establishing trust is key in any relationship. The Epsilon breach and its ramifications to email usage by Marketers are significant in that it damages an already tenuous bond. Those Marketers that can establish and reinforce that trust will be successful.
Have you contemplated how you will change your email campaigns knowing that they may not be opened or that links may not be clicked?
RHM 4/12/2011
