There is an old adage that it takes years to build a good reputation and mere seconds to destroy it. But what if you’re a big business whose reputation has sustained damage from elements outside of your control? That’s precisely the situation large companies such as PayPal and Australia Post have found themselves in in the past. As trusted brands, they provide the perfect ‘Trojan Horse’ for cyber-criminals, who exploit the trust of customers to harvest key credentials via an email scam.
The scam itself is simple, yet sophisticated in its execution. The customer receives an email that appears to come from a brand they trust and interact with regularly, built around masked URLs that look as though they belong to that brand. The email contains links to web pages that look legitimate and are designed to encourage users to sign in, thereby capturing their credentials. Quite cleverly, the user is often then redirected to the legitimate website and may remain unaware that they have been scammed at all.
It’s easy to see how this can happen. Scam emails are often designed in much the same way as legitimate marketing emails, with a link to a landing page along with a call-to-action inviting the user to input their credentials.
Understandably, this makes it difficult for your staff to differentiate between the real and the fake, and it will only become more difficult as cyber criminals become increasingly innovative in their approach to email scams.
Last week for example, a scam email was sent to PayPal customers purporting to be from PayPal, advising customers that their accounts had been limited. The email requested customers to input their credentials via a link to a fake website. Ironically, the email also contained security tips in the footer which only served to make the email look more legitimate.
Sample of the legitimate PayPal email sent to PayPal users
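The masked-URL lure described above can be checked for mechanically: an anchor whose visible text shows a trusted brand's domain but whose href resolves somewhere else is the tell-tale sign. The following is an added illustration, not MailGuard's code; the brand list and the sample email body are constructed for the example.

```python
# Added example (not MailGuard's code): flag "masked" links in an HTML email,
# i.e. anchors whose visible text shows a trusted brand's domain while the
# href actually resolves to a different registered domain.
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"paypal.com", "auspost.com.au"}  # assumed brand list

def registered_domain(host):
    """Crude registrable domain: last two labels, or three for x.com.au style."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in ("com", "co", "net", "org"):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

class LinkCollector(HTMLParser):
    """Collects (visible_text, href) for every <a> in the document."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def masked_links(html):
    """Return (visible_text, href) pairs where text names a trusted domain but the target differs."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for text, href in parser.links:
        target = registered_domain(urlparse(href).hostname or "")
        if any(b in text.lower() and target != b for b in TRUSTED_DOMAINS):
            flagged.append((text, href))
    return flagged

# Constructed sample body modelled on the "account limited" lure described above.
SAMPLE_EMAIL = """<p>Your account has been limited. Please sign in to restore it.</p>
<a href="https://paypal.com.account-verify.example/login">https://www.paypal.com/myaccount</a>
<a href="https://www.paypal.com/security">Security tips</a>"""
```

The first link is flagged because "paypal.com" appears only as a subdomain of an unrelated registered domain; the second is left alone because its target really is paypal.com.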
The MailGuard team was able to identify this email, protecting our clients’ employees who were recipients of the email, but other businesses would not have been so fortunate.
Following this attack, PayPal sent an email to their customers this week asking them to add several new email addresses to their safe senders list. Despite the legitimacy of this email, a number of customers clicked the ‘report as spam’ links, mistaking it for yet another scam.
This is significant, not just for PayPal, but for any business whose customers have been scammed. The fallout for any business can be catastrophic, and not simply in terms of lost revenue but more broadly in terms of remediation costs and the business’ relationship with its customers.
Put simply, customers are less likely to want to do business with you if they perceive your business to be associated with a scam, even if your company had nothing to do with it. The media often takes note of the situation, cementing perceptions that doing business with you is risky, and customers consequently choose your competitor for fear of identity theft.
So what can you do to rebuild that trust?
Take immediate action
Time is of the essence, and the faster you kick into action, the better your chances of salvaging your business reputation.
Inform your customers of what you’re doing to remediate the situation. While you may not have a legal obligation to wade in and fix the damage, positioning yourself as your customers’ ally at a time when they will be feeling particularly vulnerable will go a long way towards rebuilding trust and strengthening your relationship with them.
This may be in the form of sending non-email communications to them in the form of SMS alerts, or posting prominent alerts on portals to ensure customers know what to look out for.
Advice in this instance should cover what the scam looks like, what it does, and the steps customers should take to ensure their credentials aren’t compromised further.
Leverage the power of the press
The media can be a powerful tool and, where appropriate, you should leverage the power of the press to issue a statement outlining the fact that the scam has taken place. The statement should reiterate that it has nothing to do with your company, but that you are committed to working with your customers who have been compromised to limit the damage.
Press statements carry weight and, executed correctly, lend credibility to the message you are putting out in the market place. It can be the difference between retaining or forfeiting the trust of your customers.
Educate your customers
In the longer term, it is advisable to educate your customers on the types of phishing attacks they could be susceptible to. For example, if your business never requests passwords via email, this is a key message you should be driving home to your customers. Equally, putting in place two-factor authentication, and encouraging your customers to change their passwords frequently will remind them that their online security is of paramount importance to your business.
Human beings are eager to click, and it is this characteristic that enables cyber criminals to compromise credentials easily. Phishing and spear phishing attacks are extremely hard to detect, and the human factor is the weakest link. When staff checking email don’t know what to look for, or how to identify the characteristics of a scam, they are easy prey for cyber criminals.
You need to build an infrastructure that enables your customers to do business with you safely, and part of that infrastructure includes proactively educating your audience.
In today’s world, maintaining your reputation as a trustworthy business is determined as much by your ability to assure your customers’ online safety as it is by your ability to deliver an exceptional product.
If you're experiencing issues with spam, malware and phishing attempts to your business, feel free to reach out to MailGuard to see how we can help via email@example.com