A strong brand conveys a company’s promise, attributes, and personality. When you think of top brands like McDonald’s, Coca-Cola, and Apple, there is an immediate connection – you know who they are and what they offer. As the battle for customers intensifies day by day, a strong brand is critical to succeed. That is why companies go to great lengths to protect their brands and to eliminate imposters peddling cheap knockoffs.
Phishing is just another one of these frauds – scammers masquerading as trustworthy entities to rob consumers and sully your brand equity. While large, well-known global brands are typically the prime targets for use in phishing, that doesn’t mean that smaller brands are safe. Whether you’re a big brand, a small niche product, or any company that deals with financial information, brand protection in the electronic space should be just as important as it is in the physical space. Luckily there are several things you can easily implement to help protect your brand and educate your customers – many of which can be done for free or at minimal cost.
Publish a DMARC Policy
As defined by DMARC.org, “Domain-based Message Authentication, Reporting and Conformance is a technical specification created by a group of organizations that want to help reduce the potential for email-based abuse, by solving a couple of long-standing operational, deployment, and reporting issues related to email authentication protocols.”
Imagine being able to tell a receiving mail server what to do with a message that claims to come from your domain but cannot prove it. Thanks to the companies that got DMARC off the ground, such as PayPal and inbox providers like Google and Yahoo, that is now a reality you can use today.
If you are already authenticating all of your mail with SPF and DKIM, you are well on your way to implementing DMARC, as it builds on both forms of authentication to enforce the policy. If you haven’t authenticated your mail yet, now is the time. You publish DMARC as a simple DNS TXT record at _dmarc.yourdomain; it tells a DMARC-compliant receiver what you would like done (none, quarantine, or reject) with messages using your domain in the From: header when they fail DMARC. A message fails DMARC when it has neither an aligned SPF pass nor an aligned DKIM pass, where “aligned” means the domain that SPF or DKIM actually verified matches the domain in the visible From: header. One aligned pass is enough; a phisher who passes SPF for some domain they control still fails, because that domain does not align with yours. Best of all, DMARC gives you a feedback mechanism: receivers send aggregate reports to the address in your rua= tag, so you can see whether the policy is working (and who is sending as you) before you move from p=none to quarantine or reject. (See DMARC.org for technical details and history.)
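The alignment rule above is the part most people get wrong, so here is a small DMARC evaluator as an added example (it is not code from the original post or from DMARC.org). It parses a DMARC TXT record, checks SPF and DKIM alignment against the From: domain in relaxed or strict mode, and returns the disposition. The domain names, the record, and the authentication results are constructed inline; the organizational-domain check is simplified to the last two labels (a real receiver uses the Public Suffix List), and pct= and sp= are parsed but not applied.

```python
"""Toy DMARC policy evaluation (added example, not from DMARC.org).

Assumptions/simplifications:
 - organizational domain = last two DNS labels (real code uses the PSL)
 - no DNS lookups; the record and auth results are constructed inline
 - pct= and sp= are parsed but not applied
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed example record, as it would be published at
# _dmarc.awesomewidgets.com (awesomewidgets.com is a placeholder domain).
EXAMPLE_RECORD = ("v=DMARC1; p=reject; "
                  "rua=mailto:dmarc-reports@awesomewidgets.com; "
                  "adkim=r; aspf=s")


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Parse 'v=DMARC1; p=...; ...' into a tag dict, filling defaults."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)       # rua= values contain ':' and '@'
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")    # relaxed SPF alignment by default
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain: str) -> str:
    """Approximate organizational domain (assumption: last two labels)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict: exact match. Relaxed: same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str    # domain of the visible RFC5322.From header
    spf_result: str     # "pass", "fail", "softfail", "none", ...
    spf_domain: str     # envelope MAIL FROM domain SPF was evaluated for
    dkim_result: str    # "pass", "fail", "none", ...
    dkim_domain: str    # d= of a verified DKIM signature ("" if none)


def evaluate_dmarc(record_txt: str, r: AuthResults) -> Dict[str, Optional[str]]:
    """Return the DMARC result and the disposition the policy asks for."""
    policy = parse_dmarc_record(record_txt)
    spf_ok = r.spf_result == "pass" and aligned(r.from_domain, r.spf_domain, policy["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.from_domain, r.dkim_domain, policy["adkim"])
    passed = spf_ok or dkim_ok             # one aligned pass is enough
    return {
        "dmarc": "pass" if passed else "fail",
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "disposition": "none" if passed else policy["p"],
        "report_to": policy.get("rua"),    # where aggregate reports go
    }


if __name__ == "__main__":
    cases = {
        # bounce subdomain fails strict SPF alignment, but DKIM d= aligns
        "legit": AuthResults("awesomewidgets.com", "pass", "bounce.awesomewidgets.com",
                             "pass", "awesomewidgets.com"),
        # forwarded mail breaks SPF; the aligned DKIM signature survives
        "forwarded": AuthResults("awesomewidgets.com", "fail", "awesomewidgets.com",
                                 "pass", "awesomewidgets.com"),
        # phisher passes SPF and DKIM for a domain they own: nothing aligns
        "phish": AuthResults("awesomewidgets.com", "pass", "phish-mailer.example",
                             "pass", "phish-mailer.example"),
    }
    for name, results in cases.items():
        print(name, evaluate_dmarc(EXAMPLE_RECORD, results))
```

Run it and compare the “legit” and “phish” rows: both have an SPF pass, but only the one whose authenticated domain aligns with the From: domain passes DMARC. That is why DMARC cannot be bypassed simply by sending from an attacker-controlled domain with its own valid SPF and DKIM.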
Make Up Your Mind
Determine your brand identity and stay consistent. If you want to make your brand memorable, don’t dilute it with a confusing tangle of sending domains or change it every other month. For example, if you sell widgets and your company is called awesomewidgets.com, it doesn’t make sense for your marketing domain to be 123.wdgt-corp.srx.net. What does that even mean? Most likely it’s just something originally set up within your company, which under other circumstances would be fine, but as the face of your email marketing program it isn’t ideal. If you don’t know what that represents, it’s very likely that your consumers have no clue either, and a domain your customers can’t recognize is one a phisher can imitate without anyone noticing the difference. Recognition is vital to establishing a brand, and if you aren’t clear who you are through email, that first impression can be lost in just one click – “Delete.”
The better alternative is to use something that is consistent with your brand. And if you have multiple message streams, use domains that fall in alignment with that brand such as:
If for some reason you do need to change branding in your emails, be sure to inform your customers (you wouldn’t change your company name or logo without a press release, right?). Notify them through a dedicated email from your old brand with instructions to update any address book or whitelist entries.
It’s also important to avoid direct links in emails that require users to log in to your site; every such link trains your customers to click a link in a message and type their password on whatever page appears, which is exactly the habit a phishing email exploits. If you want your customer to log in to your site to take an action, rather than linking them directly, give them clear instructions instead (e.g., “Go to our company home page and then log in to your account.”). If you can provide a message center in their online account, even better: the customer then has a single trusted place to look, and a message that appears only in email and not there is itself a warning sign.
Create a “Phishing Education” Microsite
This is a must if you deal with any financial transactions. Educate your customers about what to expect from your email program, including visuals of what your emails look like, as well as the “from” names and addresses they should expect to see. Ideally, you should also include clear and specific information about how to identify a real message. I’ve seen this range from simple screenshots to some excellent pages with complete header breakdowns from each major inbox provider.
Your brand and your customers are of the utmost importance to your success, so why not go the extra mile to protect them both? At the end of the day, phishers and spammers will always be there and will continue to evolve. But with a little effort you can at least put up some extra defense. A quote from vintage SportsCenter referring to many a star basketball player sums it up best, “You can’t stop him, you can only hope to contain him.”