We all know that phishing attacks come fast and furious. Timed and tailored for maximum effect, these malicious email messages exploit the cruelest of social engineering tactics, preying on customer anxieties, especially in the aftermath of major crises.
This past May, UK banking giant TSB experienced one of these phishing-related emergencies. First came breaking news of a massive system meltdown when the migration to a new banking platform went spectacularly wrong. With accounts knocked offline, and with customers growing frustrated, email-based “security alerts” purporting to come from the bank started hitting email inboxes.
The messages were crafted to resemble authentic communications and informed recipients that TSB Bank accounts had been suspended due to “recent technical and security issues.” They then asked account holders to verify their accounts by clicking on the link embedded within the body of the email.
Of course, the phishing site on the other end of that click harvested the victims’ banking login credentials. Before long, as many as 1,300 customers reported their bank accounts had been robbed of everything they owned. “They’ve taken all my money,” Susie Goode, a 40-year-old mother of four, told the Sun-Times. “I’m not sleeping properly because I’m so stressed. I’ve got a family to look after.”
Unfortunately for financial institutions worldwide, this is not an isolated incident.
Today, banks and other financial institutions are hit by an estimated 12,000 unique monthly bank phishing email campaigns that exploit their good names to defraud consumers and businesses. In fact, when cybercriminals impersonate a brand, they choose banks or electronic payments providers 60% of the time. Original Agari research recently found that Bank of America and Wells Fargo were two of the top ten impersonated brands in the last quarter of 2018. The previous quarter, JPMorgan Chase and Bank of America were in the top five.
Typically arriving in the form of fraud alerts, password resets, and account-locked notices, these attacks are expertly designed to incite alarm, stirring recipients to take immediate action. And they’re just one in an arsenal of approaches fraudsters use to trick consumers out of $1.4 billion through brand impersonation and other Internet scams each year.
It’s little wonder that email-based brand impersonation schemes are rising 400% per year. But unfortunately for banks, victims aren’t the only ones to pay a steep price.
The financial damage to consumers and the publicity generated by attacks nearly always hurt the impersonated banks. Even when they are not liable for losses, the fallout can be brutal.
In the case of TSB Bank, for instance, call centers were overwhelmed with more than 93,000 complaints from customers. Most of that had to do with the inability to access accounts due to the outage, but as many as 10,600 cases of potential fraud were identified.
This situation offers insight into how consumers and businesses react to bank imposters who use real-time news events to exploit human psychology. Few things are more panic-inducing than fears about one’s personal finances. And trust in an impersonated bank can be damaged even though the bank had no part in the scam.
To make matters worse, cybercriminal activity like this causes continued damage, even after the headlines have died down. Legitimate email campaigns suffer, as recipients fail to open their email, fearing additional fraudulent activities. When you consider the ROI from email is $44 for every $1 spent—by far the most of any digital medium—you begin to understand just what a crushing blow impersonation fraud can inflict upon revenue-generating email programs.
As the well-funded, highly-professional cybercriminal operations behind these scams grow more effective, financial institutions must turn to a solution that will stop these social engineering-based impersonation ploys from reaching consumer inboxes.
Over the last few years, Domain-based Message Authentication, Reporting and Conformance (DMARC) has emerged as an effective way for banks and other brands to prevent impersonation scams. At its most essential, DMARC is an open standard for ensuring only authorized senders can use your organization’s domain name in emails—including the lookalike “defensive” domains you proactively register.
When DMARC is implemented properly, phishing emails sent by fraudsters seeking to impersonate brands have been shown to drop to near zero. Yet, according to Q4 2018 research from our team, only 13% of all financial institutions have deployed DMARC to enforce this kind of protection. Nearly 87% have left themselves wide open to attack, including institutions that have deployed DMARC but have not yet set it for enforcement.
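The gap between publishing a DMARC record and setting it for enforcement can be checked mechanically. The following is an added example, not code from the original article or from Agari: it parses DMARC TXT records using the tag syntax of RFC 7489 and reports which domains are not at full enforcement. The domain names and records are constructed samples, and treating only `p=quarantine` or `p=reject` applied to 100% of mail as "enforced" is an assumption of this example.

```python
# Added example: classify DMARC TXT records by enforcement state.
# All domains and records below are constructed samples, not real DNS data.

def parse_dmarc(txt):
    """Return a dict of DMARC tags, or None if txt is not a DMARC record."""
    tags = []
    for part in (p.strip() for p in txt.split(";")):
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            return None
        tags.append((name.strip().lower(), value.strip()))
    # RFC 7489: the record must begin with the version tag v=DMARC1.
    if not tags or tags[0] != ("v", "DMARC1"):
        return None
    return dict(tags[1:])

def classify(txt):
    """Return 'none', 'invalid', 'monitoring', 'partial' or 'enforced'."""
    if txt is None:
        return "none"            # no _dmarc TXT record published
    tags = parse_dmarc(txt)
    if tags is None:
        return "invalid"
    policy = tags.get("p", "").lower()
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if policy not in ("none", "quarantine", "reject") or not pct.isdigit():
        return "invalid"         # this example flags malformed records for review
    if policy == "none":
        return "monitoring"      # reports only; receivers take no action
    # Assumption of this example: enforcement means the policy covers all mail.
    return "enforced" if int(pct) >= 100 else "partial"

def not_enforced(records):
    """Map each domain that is not at full enforcement to its state."""
    states = {d: classify(txt) for d, txt in records.items()}
    return {d: s for d, s in sorted(states.items()) if s != "enforced"}

SAMPLE_RECORDS = {  # constructed: primary domain plus "defensive" lookalikes
    "bank.example": "v=DMARC1; p=reject; rua=mailto:dmarc@bank.example",
    "bank-alerts.example": "v=DMARC1; p=none; rua=mailto:dmarc@bank.example",
    "bank-secure.example": "v=DMARC1; p=quarantine; pct=25",
    "bank-login.example": None,          # nothing published at _dmarc
    "bank-mail.example": "v=spf1 -all",  # an SPF record, not DMARC
}

if __name__ == "__main__":
    for domain, state in not_enforced(SAMPLE_RECORDS).items():
        print(f"{domain}: {state}")
```
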
Even fewer have adopted the modern, AI-based solutions that leverage real-time intelligence from trillions of emails worldwide to detect, defend against, and deter phishing emails across the domains they own as well as the ones they don’t.
According to a study from Forrester Research, organizations using Agari Brand Protection, for instance, not only saw impersonation attempts drop to near zero, but they also experienced an average 92% drop in calls from confused or frustrated customers. By avoiding the kind of negative headlines and brand erosion that stem from these cons, organizations have also seen email conversion rates for their own legitimate email programs climb an average of 10%, leading to an average $4 million from increased customer engagement.
Factor in the costs associated with finding and shutting down phishing sites, call center staffing, crisis management, and legal services, and Forrester reports organizations have seen an average 326% ROI from the Agari solution. Considering the rising threat from bank impersonation through socially engineered phishing scams, those kinds of returns may make brand protection a very wise investment for many financial institutions.
To learn more about phishing-based brand impersonation and best practices for defeating it, download a free copy of “The Total Economic Impact of Agari Brand Protection.”