In the past year alone MailGuard has seen a 400% spike in fraud email attacks impersonating Telstra, Origin Energy, ANZ, EnergyAustralia, Westpac and government bodies ATO, ASIC, ACCC, to name a few.
Major Australian brands are fighting a daily battle to protect themselves from the reputational and financial costs of cybercriminal impersonators.
The fraudsters’ tactics are growing in frequency and sophistication. In fact, cybercriminals have a better strike rate than most marketers.
Whether they’re tricking people into handing over money or valuable information, it’s not just the victims who are losing out.
Why companies are counting the costs of ‘brandjacking’
The battle to distinguish legitimate emails from fake is becoming harder.
Google says the overall success rate for email fraud is 45%, meaning nearly half the people who receive a scam or fraud email fall for it.
This creates a huge problem for companies whose names are hijacked by cybercriminals to aid a deception.
Origin under attack: The implications
The risk is not just reputational. Take Origin Energy, for example, which is regularly impersonated in large-scale malware deliveries, disguised as customer invoices. Origin has been mimicked in four highly sophisticated, large-scale attacks in recent months.
This creates a raft of problems – and potential costs – for the energy retailer.
Consider the impacts of an enormous fake-invoice email campaign that relies on Origin’s trusted brand to succeed. Here are just some of the ramifications:
- An IT nightmare. Last week’s Origin Energy attack prompted some ISPs to blacklist real Origin Energy invoices, meaning they were redirected to customers’ junk-mail folders on the suspicion of being spam. As Origin Energy commented on social media: “Some customers using web-based email services have told us that their energy bills are being filtered as junk mail – we’re working with Internet Service Providers on a resolution and contacting those customers who we think might be affected by the issue.”
- Suspicion surrounding the brand and customer reluctance to open (and pay) legitimate invoices.
- When NSW Police shared news of the scam on Facebook, it quickly garnered 12,000 shares. Many people responded that scams such as this were the reason they refused to accept online invoices. The push to go paperless has been a long time coming. Abandoning a digital process in favour of physical invoices has environmental, labour and financial implications (which customers will ultimately bear).
- A drain on resources such as call centres and tellers, plus the cost of taking action against the illegitimate domain impersonating your company.
- Misdirected criticism: “How dare you try to charge me twice.” This outpouring of negative sentiment can quickly build if a brand is constantly targeted in online scams.
- Reputational damage associated with the frequency of Origin impersonation scams.
US fraud protection expert Estelle Derouet succinctly sums up the cost of reputational damage:
“If your brand reputation is damaged by email fraud, customers won’t open your emails and mailbox providers may not deliver your messages to the inbox. When that happens, you’ve lost a revenue opportunity—both now and in the future.”
A ‘digital Geneva Convention’?
Brad Smith, Microsoft’s president and chief legal officer, has called for a ‘digital Geneva Convention’ in response to the increased frequency and scale of cyber attacks.
“The past year has witnessed not just the growth of cybercrime, but a proliferation in cyber attacks that is both new and disconcerting. This has included not only cyber-attacks mounted for financial gain, but new nation-state attacks as well,” Smith says.
“The bad news starts with the fact that 74 percent of the world’s businesses expect to be hacked each year. The estimated economic loss of cybercrime is estimated to reach $3 trillion by 2020. Yet as these costs continue to climb, the financial damage is overshadowed by new and broadening risks.” Smith outlines six ideas central to his proposed digital Geneva Convention:
- No targeting of tech companies, the private sector or critical infrastructure
- Assist private sector efforts to detect, contain, respond to and recover from events
- Report vulnerabilities to vendors rather than stockpile, sell or exploit them
- Exercise restraint in developing cyber weapons and ensure that any developed are limited, precise and not reusable
- Commit to non-proliferation activities for cyber weapons
- Limit offensive operations to avoid a mass event.
How do the best brands protect themselves?
Here are some steps your brand can take to defend against the damage caused by online imposters:
- Get on the front foot. A regular victim of brandjacking, PayPal provides plenty of information on how to spot hoaxes to ensure online safety. The company is also proactive about alerting customers about new scams, and using the media to educate the community about new risks.
- Two-factor authentication is a no-brainer for leading brands. This extra layer of security ensures that users who are duped into handing over sensitive information such as passwords and user names have not given away everything an attacker needs to access the account.
- Top brands educate their staff and customers about common and emerging online risks, including tactics such as phishing and spear-phishing. Some, such as Australia Post, have revealed they run phishing simulation tests to identify and educate the staff most susceptible to scams.
Cyber scams will continue to grow and gain sophistication. The best brands acknowledge this and adjust accordingly.
For a few dollars per staff member per month, add MailGuard's cloud-based email and web security to your business security. You’ll significantly reduce the risk of new variants of malicious email entering your network.