The email fraud landscape is a constantly evolving one. Cybercriminals are always coming up with new and sophisticated ways to leverage email to do harm.
Combating threats like these isn’t just your security team’s job. As owners of the email channel, marketers have a responsibility to help protect it.
Fraud can ruin email marketing effectiveness, jeopardizing brand trust and, ultimately, revenue. Customers are 42% less likely to interact with a brand after being phished or spoofed.
The first step to beating the cybercriminals is to understand how they operate. Here are three email fraud tactics all marketers need to know.
1. Spam
Spam is unsolicited email sent in bulk, usually from someone trying to sell something. Spam may or may not carry phishing links that trick users into giving up confidential information, or links to malware sites that download malicious software onto a user’s computer.
Spammers harvest valid email addresses in a number of ways, including:
- Purchasing or trading lists with other spammers.
- Using special software that crawls web pages, mailing list archives, internet forums, and other public online sources containing email addresses.
- Launching a “dictionary harvest attack,” in which valid email addresses at a specific domain are found by guessing: common usernames are combined with that domain and checked against its mail server.
- Soliciting a valid email address with the promise of a free service or offering.
2. Spoofing
Spoofing is the forgery of an email so that the message appears to have come from someone or somewhere other than the actual source. Spoofing can take place in a number of ways. Common to all of them is that the actual sender’s name and the origin of the message are concealed or masked from the recipient.
Many, if not most, instances of email fraud use at least minimal spoofing, since criminals are trying to avoid being traced.
Major spoofing methods include:
- Direct domain spoofing, which mimics the precise sending domain of the brand (e.g., support@mybank.com).
- Cousin domain threats, which are messages that spoof the brand name but are sent from domains not owned or controlled by that brand. (These domains may resemble the brand’s domain name—e.g., support@mybankk.com—or may not.)
- Display name spoofing, which mimics the name that comes before the “from” address in the header field of the email (e.g., Return Path <phisher@phisher.org>).
- Subject line spoofing, which mimics the brand in the subject line (independent of the domain or display name) in order to get the recipient to open the malicious message.
The tools necessary to spoof email addresses are surprisingly easy to get. All you need is a working SMTP (Simple Mail Transfer Protocol) server that can send email, and the right mailing software.
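To make the four methods above concrete from the defender’s side, here is an added example (not Return Path’s code or part of the original post) that sorts sample From: and Subject: headers into those categories; the brand name, domain and sample headers are constructed values.

```python
from email.utils import parseaddr

BRAND = "mybank"            # brand to protect (constructed value)
BRAND_DOMAIN = "mybank.com" # its genuine sending domain (constructed value)

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot near-miss lookalike labels such as 'mybnak'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def looks_like_brand_domain(domain: str) -> bool:
    """Cousin domain: brand string embedded in, or within two edits of, the first label."""
    label, brand_label = domain.split(".")[0], BRAND_DOMAIN.split(".")[0]
    return brand_label in label or levenshtein(label, brand_label) <= 2

def classify_spoof(from_header: str, subject: str) -> str:
    """Name the spoofing method the headers resemble, or 'none'. 'direct-domain' only
    means From: claims the brand's real domain; SPF/DKIM/DMARC decide if it is genuine."""
    display_name, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    if domain == BRAND_DOMAIN or domain.endswith("." + BRAND_DOMAIN):
        return "direct-domain"
    if domain and looks_like_brand_domain(domain):
        return "cousin-domain"
    if BRAND in display_name.lower():
        return "display-name"
    if BRAND in subject.lower():
        return "subject-line"
    return "none"

# Constructed sample headers: one per method from the list above, plus a benign message.
SAMPLES = [
    ("MyBank <support@mybank.com>", "Your statement is ready"),
    ("MyBank Support <support@mybankk.com>", "Verify your card"),
    ("MyBank Security <alerts@phisher.org>", "Action required"),
    ("Newsletter <news@example.net>", "Your MyBank account is locked"),
    ("Alice <alice@example.org>", "Lunch tomorrow?"),
]

def triage(samples=SAMPLES) -> list:
    """Classify each (From:, Subject:) pair; feed real values from a mail gateway log."""
    return [classify_spoof(sender, subject) for sender, subject in samples]
```

Messages labelled direct-domain still need the authentication verdict before they are trusted; the other three labels are worth surfacing to whoever monitors abuse of the brand.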
3. Phishing
Phishing is a type of spam that is intended to trick email recipients into giving up sensitive information or credentials for malicious reasons. This information could include social security numbers, bank login details, credit card numbers, and other personally identifiable information (PII).
To conduct phishing attacks, cybercriminals will spoof, or masquerade as, a legitimate government agency, bank, retailer or other brand the recipient might recognize. Here’s a glimpse into how they pull it off:
Phishers will either profit directly from data like credit card numbers and/or sell the data on the black market to other phishers who are developing their own cybercrime schemes.
Ready to protect your customers and your brand? Believe it or not, there’s a lot marketing can do to help fight threats like these. Get The Marketer’s Guide to Email Fraud to learn more.