Memo to hospitals and healthcare providers: A growing number of phishing scams are targeting consumers—including your customers and patients—through email messages that appear to come from your brand. As these attacks continue to rise in coming months, they could cost consumers—and your brand—plenty.
Without a doubt, the spear phishing and business email compromise schemes that target your employees and result in data breaches cause enormous financial and reputational damage on their own. But in 2019, that may be rivaled by the havoc wrought by attacks that hijack your brand and its email domains right from under your own nose in order to defraud unsuspecting consumers.
Today, 98% of healthcare companies have not deployed the industry-standard email protocols needed to protect themselves from this kind of impersonation. But is DMARC-based email security really enough to inoculate them against the threat?
According to reports, brand impersonation scams have soared 11X since 2014. While social media is the launching pad for a growing number of these attacks, 80% of all malicious impersonation schemes focus on your most valuable outbound communications channel—email.
As it stands now, 22.9 new phishing attacks impersonating trusted brands are launched every minute. Across industries, one in five outbound emails is now suspicious. And in healthcare, it’s even worse. A staggering 57% of all consumer email purporting to come from healthcare brands is fraudulent. In fact, healthcare is now at higher risk of such “brandjacking” ploys than any other industry except retail.
Leveraging cunning social engineering tactics, these imposter emails are expertly crafted to instantly elicit enough anxiety to fool recipients into forking over account logins or payment details before ever thinking to confirm a message’s legitimacy. Typical subject lines include “Past Due Alert,” “Password Update Required,” or “Coverage Cancellation Notification.”
According to the FBI, these and other Internet scams lead to at least $1.45 billion in losses per year. And even when you’re unaware of the crimes committed in your name, the damage to your brand can be profound.
For one thing, email remains your most important digital channel for marketing and ongoing customer communication. According to McKinsey, email is 40X more effective at customer acquisition than social media. In fact, 72% of consumers prefer email as their primary mode of communication with brands—and in healthcare, some providers find that 60% of patients feel the same.
Beyond new customer acquisition, email is a critical driver of numerous ongoing revenue streams, customer engagement, and increasingly, doctor-patient interaction. In all, email generates an ROI of $38 for every $1 spent—by far the most of any digital medium.
But when impersonation scams hit, who will victims blame? Despite your innocence, the ensuing publicity from these attacks can spread like a contagion. Call centers are inundated by complaints. Staffing, legal, and crisis management costs skyrocket. Social media rants go viral. And negative news stories will always be one Google search away.
But that’s just the start of it. Suddenly, your legitimate email programs become toxic to consumers, if they ever receive them at all. When domain names are exploited in email scams, deliverability rates can collapse and critical health information may never reach patients. The impact on email marketing can be catastrophic. And if you don’t think your brand is vulnerable, think again.
The good news is that there is a solution. Over the last few years, Domain-based Message Authentication, Reporting and Conformance (DMARC) has emerged as an effective way for brands to prevent these kinds of impersonation scams.
For those not familiar with the term, DMARC is an open standard for authenticating outbound emails claiming to come from your company, to ensure only authorized senders can use your organization’s domain name in emails. This includes various business units, third-party vendors, and other email distribution partners.
When implemented properly, phishing emails sent by fraudsters seeking to impersonate your brand have been shown to drop to near zero. There’s just one problem: only 1% of all healthcare companies are using the standard to protect patients and other consumers against impersonation scams.
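To make the mechanism concrete, here is an added example (not code from the original post, and not Agari’s product) that models what a receiving mail server does with a DMARC record: it parses the DNS TXT record, checks whether the SPF and DKIM results are aligned with the domain in the visible From header, and returns the disposition the policy calls for. It also flags monitoring-only records that do not actually block anything. The domain names, records and authentication results are constructed for the example; the organizational-domain lookup is a deliberate simplification (real receivers consult the Public Suffix List).

```python
"""Minimal offline model of DMARC policy evaluation (RFC 7489 semantics, simplified).

Added illustration, not code from the original post or from Agari. All domains,
records and authentication results below are constructed sample data.
"""
from dataclasses import dataclass


def parse_dmarc_record(txt):
    """Parse a 'v=DMARC1; p=...; ...' TXT record into a dict of tags with defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: needs v=DMARC1 and p=")
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to the main policy
    tags.setdefault("adkim", "r")      # relaxed alignment unless told otherwise
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def organizational_domain(domain):
    """Simplification (assumption): last two labels stand in for a Public Suffix List lookup."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


@dataclass
class AuthResult:
    from_domain: str    # domain in the RFC5322.From header the recipient sees
    spf_pass: bool
    spf_domain: str     # envelope MAIL FROM domain that SPF was evaluated against
    dkim_pass: bool
    dkim_domain: str    # d= tag of the DKIM signature that verified


def evaluate(record_txt, result):
    """Return (dmarc_pass, disposition) where disposition is none/quarantine/reject."""
    tags = parse_dmarc_record(record_txt)
    spf_ok = result.spf_pass and aligned(result.spf_domain, result.from_domain, tags["aspf"])
    dkim_ok = result.dkim_pass and aligned(result.dkim_domain, result.from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"
    # The record is published at the organizational domain; sp= covers its subdomains.
    is_org = organizational_domain(result.from_domain) == result.from_domain.lower()
    return False, tags["p"] if is_org else tags["sp"]


def record_weaknesses(record_txt):
    """Flag settings that leave the brand spoofable even though 'DMARC is deployed'."""
    tags = parse_dmarc_record(record_txt)
    issues = []
    if tags["p"] == "none":
        issues.append("p=none: monitoring only, unauthenticated mail is still delivered")
    if tags["sp"] == "none":
        issues.append("sp=none: subdomains can be impersonated freely")
    if int(tags["pct"]) < 100:
        issues.append("pct<100: policy applied to only a sample of failing mail")
    if "rua" not in tags:
        issues.append("no rua=: no aggregate reports, so you cannot see who sends as you")
    return issues


# Constructed sample data.
ENFORCING = "v=DMARC1; p=reject; sp=quarantine; adkim=s; rua=mailto:dmarc@example-hospital.test"
MONITORING = "v=DMARC1; p=none"

LEGIT = AuthResult("example-hospital.test", True, "bounce.example-hospital.test",
                   True, "example-hospital.test")
# A bulk-mail box elsewhere passes SPF for its own domain, but that is not the From domain.
SPOOF = AuthResult("example-hospital.test", True, "attacker-bulkmail.test", False, "")
SUBDOMAIN_SPOOF = AuthResult("billing.example-hospital.test", False, "", False, "")

if __name__ == "__main__":
    for name, msg in [("legit", LEGIT), ("spoof", SPOOF), ("subdomain", SUBDOMAIN_SPOOF)]:
        print(name, "enforcing ->", evaluate(ENFORCING, msg), "monitoring ->", evaluate(MONITORING, msg))
    print("weaknesses of monitoring record:", record_weaknesses(MONITORING))
```

The point the example makes is the one the paragraph above glosses over: a spoofed message can legitimately pass SPF for the attacker’s own sending domain, and it is the alignment check against the visible From domain, plus a policy of quarantine or reject, that actually stops it. A record with p=none parses as “DMARC deployed” but changes nothing about delivery.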
Even fewer use the modern, AI-based solutions needed to make full use of DMARC to detect, defend against, and deter phishing emails that leverage the domains they own. Fewer still leverage the kind of real-time threat intelligence from trillions of emails worldwide that is required to detect and help shut down the use of look-alike domains.
Meanwhile, organizations that do adopt these solutions and approaches have realized extraordinary results. Using Agari Brand Protection as an example, a study from Forrester Research found organizations have seen email conversion rates climb an average of 10%, leading to an average of $4 million from increased customer engagement.
Factor in the costs associated with brand impersonation, including finding and shutting down phishing sites, call center staffing, crisis management and more, and Forrester reports organizations have seen an average 326% ROI from the Agari solution. In fact, one healthcare brand was able to negotiate a 25% reduction in cyber-insurance rates, saving more than $875,000 over three years.
Given the threat from impersonation scams, and the benefits that come from reducing said threat, it is only a matter of time before DMARC-based email security jumps to the top of the agenda for healthcare brands. With any luck, the brand imposters will never know what hit them.
To learn more about best practices for preventing phishing-based brand impersonation scams, download “Getting Started with DMARC for Healthcare Organizations.”