As email marketing turns 40, more than 90% of companies report fraudsters have impersonated their brand in phishing attacks targeting their customers. Can a new standard known as BIMI be the answer?
Forty years old and still the center of attention, despite younger competition. It’s true: Email marketing’s hotter than ever. But it’s also facing a growing threat from brand impersonation scams. Can a new email standard called Brand Indicators for Message Identification (BIMI) be the solution?
Let’s hope so. Brand impersonation fraud has spiked 11x since 2014. Just within the last few months, Citibank, Alaska Airlines, American Express, and Netflix have all seen email phishing scams hit consumer or business inboxes.
Usually projecting a sense of urgency—“Password Check Required,” “Your Payment Has Been Declined” or “Security Alert,” for instance—these emails are designed to fool recipients into responding quickly. Last year, consumers lost $172 billion through these and other types of ploys.
But even when a customer hasn’t been personally defrauded, publicity about sham emails bearing your brand identity can mean they’ll be hesitant to open the next email you actually do send. Email open rates can implode.
Welcome to the Age of Brandjacking
Almost from the moment Gary Thuerk of Digital Equipment Corporation sent out the very first marketing email blast back in 1978, this channel’s role in marketing communications has only grown. When consumer email usage ignited in the early 1990s, it became integral. Today it’s indispensable.
Indeed, despite texting, social media and other new platforms, email is 40X more effective at acquiring new customers than these other channels. And 72% of consumers say they prefer email as their primary mode of communication with brands. In all, companies generate $40 for every $1 spent—by far the highest ROI of any digital medium.
Unfortunately, businesses haven’t been the only ones making a fortune through email. So have fraudsters. And more times than not, their phishing campaigns involve impersonating brands spanning consumer packaged goods (CPG), media, retail, quick-service restaurants (QSR), real estate, banking, government and more.
The Great Pretenders
Brand imposters are surprisingly sophisticated. The clumsy, typo-laden spam of yesteryear? Long gone. Today’s most advanced phishing emails contain none of the telltale signs of fraud. There are no malware-infected attachments to detect, nothing in the email’s code to raise a red flag.
Instead, these filchers leverage social engineering tactics to exploit the relationships that consumers have with brands they know and trust. To complete the deception, fraudsters spoof the brand’s domain. More than 90% of brands report having their domain names spoofed by cybercriminals.
While brand impersonation on mobile and social media platforms seems to generate more buzz these days, 80% of attacks come through email. BIMI is designed to help mitigate this pernicious threat.
The New Brand Identity
BIMI is a new open standard for logo displays in emails that was first announced back in March.
Currently in beta, the standard was developed by the “Authindicators Working Group,” a standards group led by Agari, Oath (the holding company for Yahoo and AOL) and others. These are some of the same forces behind the development of the DMARC (Domain-based Message Authentication, Reporting and Conformance) email authentication protocol.
To those familiar with it, DMARC stops billions of email-based brand impersonation attacks by enabling senders and receivers to exchange data that can help them detect and block scams. BIMI builds on this foundation, and it’s actually pretty cool.
In a nutshell, BIMI enables brands with DMARC reject or quarantine policies to add their logo to their outbound email messages. The logo is displayed in a space controlled by an email provider—usually next to the email subject line in the recipient’s email inbox and in the upper left corner of the email message itself, outside the email body.
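The DMARC precondition described above can be checked mechanically. The following is an added example, not code from this article or from the BIMI working group: it parses a DMARC TXT record and reports whether its policy is reject or quarantine. The function names and sample records (example.com) are constructed for illustration, and treating a repeated tag as malformed is this example's own conservative choice.

```python
# Added example: does a DMARC record meet the policy precondition the
# article gives for BIMI (p=quarantine or p=reject)?
# Sample records below are constructed; example.com is a placeholder.

ENFORCING = {"quarantine", "reject"}


def parse_dmarc(record):
    """Parse a DMARC TXT record into a {tag: value} dict.

    Raises ValueError when the text is not a usable DMARC1 record.
    """
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts:
        raise ValueError("empty record")
    tags = {}
    for i, part in enumerate(parts):
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed tag: %r" % part)
        name, value = name.strip().lower(), value.strip()
        # The version tag must come first and match exactly.
        if i == 0 and (name != "v" or value != "DMARC1"):
            raise ValueError("record must begin with v=DMARC1")
        if name in tags:
            # Assumption of this example: a repeated tag is ambiguous,
            # so the record is rejected rather than guessed at.
            raise ValueError("duplicate tag: %s" % name)
        tags[name] = value
    return tags


def bimi_policy_check(record):
    """Return (eligible, reason) for the reject/quarantine precondition."""
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return False, "invalid DMARC record: %s" % exc
    policy = tags.get("p", "").lower()
    if policy not in ENFORCING:
        return False, "p=%s is not an enforcement policy" % (policy or "<missing>")
    return True, "p=%s meets the reject/quarantine precondition" % policy


if __name__ == "__main__":
    for rec in ("v=DMARC1; p=none; rua=mailto:dmarc@example.com",
                "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com",
                "v=DMARC1;p=Reject",
                "v=spf1 -all"):
        print(rec, "->", bimi_policy_check(rec))
```

A monitoring-only record (p=none) fails the check, which is the common state for a domain that publishes DMARC but has not yet moved to enforcement.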
Not only does this offer a visually impactful brand presence, but the logo itself is verified by both the sender and recipient’s email systems—so it can’t be faked. While it’s set up to work with a graphical image of a logo, it could one day even support other types of media files—such as video, animation or audio—like animated logos or aural branding elements used as part of a brand ID, such as the Intel Chime, for instance.
Plenty of Phish to Fry
BIMI pilots are currently underway with brands such as Groupon. But details are being worked out. For instance, Martech reports that it’s possible domain owners will eventually use a third-party Mark Verifying Authority, or MVA, to establish brand and logo ownership, and to receive a BIMI certificate.
As consumers gain confidence in the authenticity of brand messages, it’s hoped that BIMI could help increase response rates and amplify the power of brand outreach via email. As our founder Patrick Peterson recently told Martech, DMARC implementation alone has been shown to boost open rates by 10% or more. BIMI could potentially push those levels higher. Organizations hoping to be among the first to get their brand identified as a safe-email sender are welcome to join the beta.
Indeed, BIMI couldn’t come a moment too soon. With 22.9 new phishing attacks launched every minute, there are plenty of companies who’d love to put imposters out of business for good.
To learn more about how Brand Indicators for Message Identification (BIMI) can help put your brand front-and-center in email inboxes while protecting your customers from fraudsters, visit brandindicators.org