Over the past 6 months, 100% of Agari customer brands and more than 80% of their domains have been the target of consumer phishing or B2B phishing attacks impersonating their brand to commit fraud. While the cost of phishing attacks isn't always visible, there are very real costs to businesses in the form of email deliverability, brand value and fraud costs.
The root cause of this problem is that email has a fundamental flaw: nothing in the basic mail protocols verifies the From address, so anyone can send email using someone else's identity or brand. This flaw has put the power of the world's most admired brands in criminal hands. Through email, criminals can use almost any brand to send spam, phishing emails and malware, inflicting direct losses on customers and eroding the brand equity companies have spent years building up.
As a result, consumers and businesses receive an ever-increasing number of fake emails that appear to come from companies they know and trust, but that are in fact designed to fool them into revealing sensitive information or making payments or purchases that actually go to the criminals' bank accounts. Last year, consumers lost $172 billion through these and other forms of online fraud. There are also business-to-business forms of fraud, such as partner invoice scams, that target a business's supply chain and its trust relationships.
Your Customers Aren't the Only Ones Who Pay
To be sure, email remains the most powerful and direct channel to customers you possess. According to McKinsey, email generates $40 for every $1 spent, far more than any other digital medium, and it is 40 times more effective at acquiring new customers than any other channel. What's more, 72% of consumers say they prefer email as their primary mode of communication with brands. Even other forms of digital communication with your customers rely on email for account creation: for someone to view your ads on Facebook, Instagram or Twitter, they first have to sign up for an account that is tied to an email address.
But when consumers and clients are targeted by email fraud, they naturally associate what can be an unnerving experience with the brand, even though the companies themselves were also victims. They also tend to avoid the next legit email those companies actually do send and are reluctant to click on links or execute digital transactions. And negative publicity can amplify and extend the fallout even further.
Email deliverability rates, open rates and engagement rates can crater, having a negative impact on the revenues of your business. So why aren't organizations putting email authentication in place to stop this kind of brand-jacking and fraud from happening?
Here are a few of the reasons I have heard and my rebuttal/advice:
1. I wasn’t aware that my customers or partners were being phished
If you talk to the people at your company responsible for interacting with customers and your supply chain, you will almost certainly find instances of phishing and abuse that have already been reported. People are often surprised by what they find. With a single DNS change (publishing a DMARC record for your domain whose rua= reporting address points to Agari), you can know within a couple of weeks, at no cost, which sources are sending mail in your name and what types of fraud and abuse are being committed with it. A p=none policy blocks nothing, so monitoring carries no deliverability risk while you learn what is out there.
2. I wasn’t aware that there was a way to stop phishing using my brand
This is not surprising. DMARC has been a published specification since 2012 (and RFC 7489 since 2015), but it is still far from ubiquitous. However, if you participate in your industry Information Sharing and Analysis Center (ISAC), this has been a topic of conversation for years: H-ISAC, the U.S. Federal Government (which mandated DMARC for agency domains in 2017) and banking-sector bodies have all called on their member organizations to implement DMARC email authentication. For a quick primer on DMARC, read Getting Started with DMARC.
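The two points above turn on the same mechanism: a DMARC TXT record with a rua= address gets receivers to send you aggregate reports, and those reports are what tell you who is sending mail as your domain. The script below is an added example, not code from the original post or from Agari; it parses a constructed DMARC record, then summarises a constructed aggregate report in the RFC 7489 XML schema (placeholder domain example.com and documentation-range IPs), splitting each source into messages that were DMARC-aligned and messages that failed both DKIM and SPF.

```python
"""Parse a DMARC policy record and summarise a DMARC aggregate (RUA) report.

Both inputs below are constructed samples for illustration; the domain,
addresses and IPs are placeholders, not real senders.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed example of the TXT record published at _dmarc.example.com.
# p=none is the monitoring-only starting point: nothing is blocked yet, but
# receivers start sending aggregate reports to the rua= address.
SAMPLE_DMARC_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; pct=100"

# Constructed aggregate report: one authorised mail source, one source that
# fails both checks (mail sent in the domain's name without authorisation),
# and one that passes SPF only.
SAMPLE_RUA_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example.net</org_name>
    <report_id>12345</report_id>
    <date_range><begin>1514764800</begin><end>1514851200</end></date_range>
  </report_metadata>
  <policy_published><domain>example.com</domain><p>none</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>4200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>950</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>
"""


def parse_dmarc_record(txt: str) -> dict:
    """Split a DMARC TXT record into tag=value pairs and check the essentials."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p= must be none, quarantine or reject")
    if "rua" not in tags:
        raise ValueError("no rua= address: receivers will not send aggregate reports")
    return tags


def summarise_rua(xml_text: str) -> dict:
    """Count messages per source IP, split into DMARC-aligned and unaligned.

    A message is aligned if either the DKIM or the SPF evaluation passed.
    Sources where both fail are the ones to investigate: either abuse of the
    domain or a legitimate sender that was never set up for authentication.
    """
    root = ET.fromstring(xml_text)
    per_source = defaultdict(lambda: {"aligned": 0, "unaligned": 0})
    for row in root.iter("row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        dkim = row.findtext("policy_evaluated/dkim")
        spf = row.findtext("policy_evaluated/spf")
        bucket = "aligned" if "pass" in (dkim, spf) else "unaligned"
        per_source[ip][bucket] += count
    total = sum(v["aligned"] + v["unaligned"] for v in per_source.values())
    unaligned = sum(v["unaligned"] for v in per_source.values())
    return {
        "domain": root.findtext("policy_published/domain"),
        "total": total,
        "unaligned": unaligned,
        "unaligned_pct": round(100.0 * unaligned / total, 1) if total else 0.0,
        "suspect_sources": sorted(ip for ip, v in per_source.items() if v["unaligned"]),
    }


if __name__ == "__main__":
    print(parse_dmarc_record(SAMPLE_DMARC_RECORD))
    print(summarise_rua(SAMPLE_RUA_REPORT))
```

Real reports arrive as gzipped or zipped XML attachments, one per receiving domain per day; feeding them through summarise_rua and sorting sources by unaligned volume is the "what is being sent in my name" view that the monitoring phase is meant to produce, and the list of suspect sources is what you work through before moving p= from none to quarantine or reject.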
3. It’s not my responsibility to protect other organizations or people from phishing
This argument misses the point. It is not about who is responsible; fault and responsibility don't matter. The fact is that by failing to act, you are losing customers and revenue and impeding your digital commerce. DMARC email authentication is now a standard, and if your brand is being used in phishing attacks to defraud your customers or partners, it is negligent not to take the simple steps that would protect them and your brand.
4. I don’t have the budget or resources to implement DMARC
With information security organizations understaffed and underfunded, this can be a real challenge. The rest of this blog will be dedicated to helping you make the business case to secure budget and resources to implement DMARC. You’ll see from the data that implementing DMARC is a slam dunk business case.
When a business is weighing new investments in email delivery systems to fuel collaboration and communication, funding can be a non-issue. But as we discussed in Part One of this series, the value of security can be harder to quantify, even when it's needed to stop phishing attacks that damage your brand and reduce revenue. Investing time and resources to neutralize emails the company doesn't even send can be a tough sell if you aren’t equipped with a framework for a business case and some statistics to support your claims.
Here in Part Two, we'll look at some core considerations our team has used in helping Agari customers put solutions in place for identifying and neutralizing fraudulent email messages that can hobble your brand and blunt its growth prospects.
The Rising Price of Phish
When it comes to phishing attacks using your brand, there are three consistent areas of cost savings or revenue increases that will contribute to your business case:
- Revenue increases based on improved email deliverability
- Risk reduction of brand damage from phishing incidents hitting the press
- Eliminating direct email fraud costs
The more quantitative you can be, the stronger your business case. To that end, here is a basic framework for identifying the costs associated with maintaining the status quo and comparing it to the reduction in costs and business uplift from acquiring and retaining customers without added competition from fraudsters leveraging your hard-won brand equity.
Many of these figures are derived from independent research conducted by Forrester Consulting. Forrester interviewed four existing customers with years of experience working with Agari. The organizations have leading brands that are often targeted by groups sending malicious emails with the intent of taking over customer accounts. Using Agari, each of the organizations eliminated the majority of malicious emails sent under its brand name. In one case, using Agari established the company as a leader in cybersecurity among its peers and has made security a differentiator with its enterprise customers. The image below is from an infographic showing the results of the Forrester report.
1. Revenue Increases Based on Improved Email Deliverability
To estimate the potential increase in revenue from implementing DMARC and brand protection, we will need to know your current email marketing volume, email marketing conversion rates, and the lifetime value of a newly acquired customer. Then, we can estimate the increase in email conversion rates after implementing DMARC based on similar experiences by other organizations to calculate the net benefit of implementing DMARC.
Here are some simple formulas you can use:
Customer Lifetime Value (CLV)
$1,000 Average Net Profit Per Customer Per Year x 3 Years Average Customer Lifetime = $3,000 CLV
Customer lifetime value is defined as the net profit earned over the entire lifetime of the average customer.
Current Email Marketing Revenue Generation
10 Million Emails Per Year x Conversion Rate of 0.5% = 50,000 New Customers Per Year
50,000 New Customers Per Year x Customer Lifetime Value of $3,000 = $150 Million in Revenue Per Year
The four customers Forrester interviewed saw an average 10% increase in email conversion rates. Note that this is a relative increase (0.5% becomes 0.55%), not 10 percentage points, and that is what the example below models.
Potential Email Marketing Revenue Generation
10 Million Emails Per Year x Conversion Rate of 0.55% = 55,000 New Customers Per Year
55,000 New Customers Per Year x Customer Lifetime Value of $3,000 = $165 Million in Revenue Per Year
$165M in Revenue/Year - $150M in Revenue/Year = $15 Million Per Year Net Revenue Increase
2. Risk reduction of brand damage from phishing incidents hitting the press
When phishing incidents using your brand hit the press, stock prices go down and potential new customers can go to competitors that they perceive to be more secure. While this risk, and the benefit of reducing it, is difficult to quantify, I have found the best measure is the Goodwill line item on the company's balance sheet.
“The elements or factors that make up the intangible asset of goodwill are comprised of things such as a company’s good reputation, a solid (loyal) customer or client base, brand identity and recognition, an especially talented workforce, and proprietary technology. These things are, in fact, valuable assets of a company; however, they are not tangible (physical) assets, nor can their value be precisely quantified.” - Corporate Finance Institute
This number is easily obtainable for a public company by looking at the balance sheet in its financial disclosures. I find finance.yahoo.com the easiest place to look it up quickly. The screenshot below shows the goodwill for Walmart, which carries goodwill assets valued at $18.2 billion.
Here are some simple formulas you can use to calculate the value of the risk reduction to your brand:
$18.2 Billion Goodwill x 0.5% Reduction in Goodwill = $91 Million Potential Brand Value Reduction
$91 Million in Brand Risk x 5% Annual Probability of a Phishing Scam Hitting the Press = $4.55 Million Brand Risk Reduction Per Year
3. Eliminating direct email fraud costs
When fraud is committed with a phishing attack against one of your customers, there are several possible direct fraud costs that can occur:
- You can lose the customer (and all future customer lifetime value)
- The customer can request reimbursement for fraud losses
- There can be legal, investigation or regulatory fine costs
The expectation of reimbursement will vary by industry. For example, banking or credit card customers have an implicit expectation of being reimbursed for fraud losses regardless of the method. When a wire fraud scam related to a real estate transaction occurs, the title company will certainly get a call from a customer who has lost their down payment. The loss of the customer, however, spans all industries: when customers lose trust in a brand, they switch to the competition.
Here are some simple formulas with a B2B fraud scam example you can use to estimate direct fraud costs:
10,000 Customers x 5% of Customers Receiving Email Fraud Scams = 500 Customers Receiving Fraud Scams
500 Fraud Scams x 1% Probability of Falling Victim = 5 Customer Victims
5 Customer Victims x $159,468 Average Fraud Loss (FBI average loss for a BEC attack) = $797,340 in Fraud Losses
$797,340 in Fraud Losses x 10% Reimbursement Rate = $79,734 in Fraud Reimbursement
5 Customer Victims x 60% Customer Loss Rate = 3 Lost Customers
3 Lost Customers x $100,000 B2B Customer Lifetime Value = $300,000 in Lost Future Revenue
5 Customer Victims x $10,000 Average Legal/Investigation Cost = $50,000 in Legal/Investigation Costs
Your Brand is Your Most Valuable Asset—Why Not Protect It?
In 2018, we are on pace to have 50 billion fraudulent emails impersonating the brand of Agari customers, according to the Agari Threat Center. With 3.8 billion email users globally, that is more than 13 phishing attacks per user just for Agari customer brands. The question isn't whether cybercriminals will target your brand. The question is when and how much will it cost your business.
The fact is, it takes years to build trusted relationships with your customers and your email channel takes center stage in digital conversations. Fraudsters abuse that trust, using your brand name as a disguise to trick your customers. The results can be catastrophic for the victims, as well as for the value of your brand and its revenues. Fair or not, your customers expect you to protect them—or risk brand erosion, reduced engagement levels, customer abandonment and ultimately loss of revenues.
In the three examples I provided above, the benefits were:
- $15 Million Net Revenue Increase from improved email conversion
- $4.5 Million Brand Risk Reduction from preventing phishing incidents
- $429,734 in direct fraud costs avoided
With an average total cost of implementing email authentication for an enterprise in the $100,000 to $500,000 range, the ROI is almost always very high. When you present these numbers to the business, you may get pushback that they are too good to be true, and the project can lose credibility. What I recommend is to be conservative: discount the benefit up front by a fixed percentage (80% is a reasonable haircut), state that you have done so, and let the case stand on the remaining 20%.
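The three cost lines above and the haircut in this paragraph make up one model, and it is easier to argue about it with the business when every assumption is a named input rather than a number buried in a sentence. The script below is an added example, not code from the original post or from Agari. It is pre-loaded with the post's illustrative figures; the annual probability of a phishing incident reaching the press is set to 5%, which is the value that reproduces the $4.5 million brand-risk figure in the summary ($91 million x 0.5% would be only $455,000). The implementation cost, haircut and payback calculation are this example's assumptions.

```python
"""Business-case model for DMARC and brand protection, built from the three
cost lines of the post: deliverability uplift, brand risk and direct fraud.

Defaults are the post's worked numbers; replace them with your own. The
80% haircut and the payback-period calculation are this example's additions.
"""
from dataclasses import dataclass


@dataclass
class BusinessCaseInputs:
    # 1. Revenue from improved deliverability / conversion
    annual_email_volume: int = 10_000_000
    conversion_rate: float = 0.005            # 0.5% today
    conversion_uplift: float = 0.10           # relative (+10%), not +10 points
    net_profit_per_customer_year: float = 1_000.0
    customer_lifetime_years: float = 3.0
    # 2. Brand risk, anchored on balance-sheet goodwill
    goodwill: float = 18.2e9
    goodwill_hit_if_in_press: float = 0.005   # 0.5% of goodwill lost per incident
    annual_probability_in_press: float = 0.05 # 5%/year reproduces the post's $4.5M
    # 3. Direct fraud costs (the post's B2B example)
    customers: int = 10_000
    share_targeted: float = 0.05
    victim_rate: float = 0.01
    avg_fraud_loss: float = 159_468.0         # FBI average loss per BEC attack, as cited
    reimbursement_rate: float = 0.10
    churn_rate_after_fraud: float = 0.60
    b2b_customer_lifetime_value: float = 100_000.0
    legal_cost_per_victim: float = 10_000.0


def deliverability_uplift(i: BusinessCaseInputs) -> float:
    """Extra annual revenue from a relative lift in email conversion rate."""
    clv = i.net_profit_per_customer_year * i.customer_lifetime_years
    current = i.annual_email_volume * i.conversion_rate * clv
    improved = i.annual_email_volume * i.conversion_rate * (1 + i.conversion_uplift) * clv
    return improved - current


def brand_risk_reduction(i: BusinessCaseInputs) -> float:
    """Expected annual loss removed: impact on goodwill x probability per year."""
    return i.goodwill * i.goodwill_hit_if_in_press * i.annual_probability_in_press


def direct_fraud_costs(i: BusinessCaseInputs) -> dict:
    """Annual direct costs of customers being defrauded in your name."""
    victims = i.customers * i.share_targeted * i.victim_rate
    losses = victims * i.avg_fraud_loss
    reimbursement = losses * i.reimbursement_rate
    churn = victims * i.churn_rate_after_fraud * i.b2b_customer_lifetime_value
    legal = victims * i.legal_cost_per_victim
    return {"victims": victims, "losses": losses, "reimbursement": reimbursement,
            "churn": churn, "legal": legal, "total": reimbursement + churn + legal}


def business_case(i: BusinessCaseInputs, implementation_cost: float, haircut: float = 0.80) -> dict:
    """Combine the three lines, apply a conservative haircut, and size the ROI."""
    gross = deliverability_uplift(i) + brand_risk_reduction(i) + direct_fraud_costs(i)["total"]
    conservative = gross * (1 - haircut)
    return {
        "gross_annual_benefit": gross,
        "conservative_annual_benefit": conservative,
        "roi": conservative / implementation_cost,          # benefit per dollar, first year
        "payback_months": 12 * implementation_cost / conservative,
    }


if __name__ == "__main__":
    inputs = BusinessCaseInputs()
    for name, value in business_case(inputs, implementation_cost=500_000).items():
        print(f"{name:>28}: {value:,.2f}")
```

With the post's numbers and a $500,000 implementation cost, the haircut still leaves roughly $4 million a year of benefit, about 8x the cost, with payback inside two months; the point of parameterising it is that the business can challenge any single input (the churn rate, the goodwill hit) and see the case survive.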
With that in mind, the time to act and build the business case for solutions that can protect your business, your customers and your brand is now.
I hope that the framework presented in this post has given you the tools to identify the cost, benefit and risk factors involved in protecting your business, brand and customers from phishing.
Editor's Note: To read Part 1 of this series, click here.