Email Security Blog

Why DMARC Could Make or Break Your B2B Email Marketing Programs

Armen Najarian May 21, 2019 DMARC

In B2B email marketing, nothing says amateur hour like a landing page with the words “Not Secure” in the URL. A missing SSL certificate is bad enough, but it’s the lack of something called “Domain-based Message Authentication, Reporting & Conformance” (DMARC) that could obliterate your KPIs and cost your company millions in brand reputation and revenue.

As the CMO of a fast-growth technology company based in the heart of Silicon Valley, I’m inundated with emails from prospective vendors. It never fails to amaze me just how many point to slick, polished landing pages offering the exact white paper, case study, or other piece of valuable content I’m looking for—but that won’t download because of a lack of security.

How can I trust your company if you’re not willing to protect the information requested in your lead form? Whatever bounce rates are attributable to this omission today, they’re probably going to get worse.

But now, a number of new industry reports suggest that this may only be the start of marketers’ problems. As important as SSL is to successful web operations, it is DMARC that is emerging as the ultimate, make-or-break component of your email strategy. Here’s what you need to know—before you face serious trouble.

Marketing’s MVP is Under Attack

Despite the popularity of social media and online advertising, email still reigns supreme for the marketing team focused on lead generation and nurturing.

With an average $38 return for every $1 spent, more than 79% of B2B marketers rank email as their most effective digital marketing channel in terms of revenue generation through the collection and conversion of leads. Indeed, 86% of business professionals say email is their preferred mode of communication, helping to produce 47% higher click-through rates than consumer-focused email campaigns.

But that’s if imposters don’t beat you to the punch. With 22.9 new phishing attacks impersonating trusted businesses every minute, and a new phishing site set up every five, nearly one in five emails is now suspicious. According to a new report from the FBI, US-based companies lost $1.3 billion in 2018 due to targeted phishing attacks designed to fool recipients into paying fraudulent invoices. While those attacks targeted accounting, payroll, and HR departments, your outbound marketing programs will still pay a steep price.

Cybercriminals Upping Their Imitation Game

The fact is, your most important marketing channel is also your least secure. By spoofing or pirating a business’s exact email domain, fraudsters can send phishing emails that appear to come from your company. Imagine your prospects or customers responding to one of those emails and downloading that insightful white paper or case study from what, by all signs, appears to be your email campaign landing page. Except the download is a version of your asset that infects their devices and networks with malware.

Our data shows these kinds of scams spike higher when a company announces a new round of funding or has recently been featured in the news. According to Verizon’s new 2019 Data Breach Investigations Report, cybercriminal organizations are increasingly harvesting email logins for businesses’ cloud-based webmail accounts. Such attacks now account for 16% of all breaches—up from 3% in just the last twelve months. Once hackers have infiltrated Gmail, Office 365, or other cloud-mail accounts, they can launch “chain phishing attacks”—defrauding companies from within a supplier or vendor’s own email system.

Unfortunately, the damage doesn’t always stop there. When the same login credentials used for webmail accounts are used for other cloud-connected services such as file sharing services, they grant cyberthieves access to whole new avenues for attack. When those credentials grant access to DNS admin panels through services such as Azure, hackers are then able to redirect web traffic from a legitimate domain to a fraudulent one, hijacking the business’s traffic all at once. Just look at the $27 billion Brazilian bank that has already fallen victim to this kind of attack.

Imagine every last one of your visitors doing business—perhaps even placing purchases—from a fraudulent version of your site accessed through your legitimate URL. We’re talking total catastrophe, and it all points back to your business.

From Revenue Machine to Roadkill

When a prospect or customer suffers financial loss due to bogus email scams and website fraud that appear to be perpetrated by your business, expect the fallout to be brutal. Despite the fact you’re innocent, the relationship with the victim is likely damaged beyond repair either way. Plus, negative publicity generated by the attacks can extend the blast radius even further. Call centers are inundated by complaints. Social media rants go viral. Reviews on external sites tank. Negative news stories contaminate Google search results forever.

And your own, legitimate email campaigns can turn all kinds of toxic. Deliverability rates can plummet 10% almost instantly, and conversion rates can crater—as can the entire email marketing pipeline and the revenue it helps generate. It is estimated that email fraud costs brands an average $3.7 million through reduced engagement. Thankfully, there is also cause for hope.

DMARC: Defending Against Imposters

Over the last few years, DMARC has emerged as an effective way for brands to prevent these kinds of impersonation scams. It’s an open standard for authenticating outbound emails claiming to come from your company, to ensure only authorized senders can use your organization’s domain name in emails. This includes various business units, outside agencies, and other third-party platforms like Marketo and Salesforce.
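How a receiving mail server applies a domain's published DMARC policy, as an added example that is not from the original post or from Agari. The record, the domains, and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
# Added example: simplified DMARC evaluation (RFC 7489). All domains are constructed.

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a dict of tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC policy record")
    return tags

def org_domain(domain):
    """Assumption: the organizational domain is the last two labels.
    Real receivers consult the Public Suffix List instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Mode 's' (strict) needs an exact match; 'r' (relaxed) compares organizational domains."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(record, from_domain, spf=None, dkim=None):
    """spf / dkim are the domains that passed SPF (envelope sender) and DKIM (d=),
    or None if that check failed. Returns 'pass' or the policy the owner published."""
    tags = parse_dmarc(record)
    spf_ok = spf is not None and aligned(from_domain, spf, tags.get("aspf", "r"))
    dkim_ok = dkim is not None and aligned(from_domain, dkim, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags["p"]

RECORD = "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@example.com"

def demo():
    strict = RECORD.replace("adkim=r", "adkim=s")
    return {
        # Authorized platform: bounces via its own domain, but DKIM-signs as the brand.
        "authorized_platform": evaluate(RECORD, "example.com",
                                        spf="bounce.esp.example.net", dkim="mail.example.com"),
        # Impostor: SPF and DKIM pass for the sender's own domain; neither aligns with From.
        "impostor": evaluate(RECORD, "example.com", spf="lookalike.test", dkim="lookalike.test"),
        # Unauthenticated mail that only puts the brand's domain in From.
        "unauthenticated": evaluate(RECORD, "example.com"),
        # Strict DKIM alignment: a subdomain signature no longer counts.
        "strict_subdomain": evaluate(strict, "example.com", dkim="mail.example.com"),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The authorized platform passes only because its DKIM signature aligns with the From domain, which is why each third-party sender has to be configured to sign or bounce under the brand's domain before the policy is moved to `reject`.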

When implemented using email ecosystem management solutions designed to help organizations make full use of DMARC authentication, phishing emails sent by fraudsters seeking to impersonate their businesses have been shown to drop near zero. What’s more, organizations that do adopt these solutions and approaches have realized extraordinary results.

According to Forrester Research, organizations using Agari Brand Protection, for example, have seen email conversion rates climb an average 10%, leading to an average $4 million boost in revenues thanks to increased email engagement. Factor in other costs associated with brand impersonation, including finding and shutting down phishing sites, and Forrester reports organizations can see an average 326% ROI from the Agari solution. Which means there’s plenty of incentive to make sure I can trust the legitimacy and security of the next marketing email I get from you—and plenty to lose if I can’t.

To learn more about DMARC and how Agari Brand Protection uses DMARC authentication to protect marketing teams, download our Agari for Marketing solution brief.
