Online Security Is Marketers' Responsibility, Too

How to Prevent Your Brand From Becoming a Victim of Cyber Fraud

By Published on .

SAN FRANCISCO ( -- Heads up, marketers. You might want to find a time to pay a visit to the IT guys around the corner.

A new study by the nonprofit Online Trust Alliance suggests that marketers are doing too little to protect the reputation of their brands online, with only 37% of Fortune 500 companies taking robust security measures to safeguard against cyber-fraud. And phishing -- fake e-mails often sent under the guise of well-known, trusted brands, usually to obtain credit-card numbers -- is on the rise.

A Gartner study released last week said in the 12 months ended September 2008, more than 5 million U.S. consumers -- 40% more than in the same period a year ago -- lost money to phishing attacks. These well-publicized e-mail scams have made consumers wary of opening commercial e-mails. And perhaps no one feels the pain more than financial services companies, a prime target of scammers.

'Customers are afraid'
"The e-mail open-rates across the entire financial-services industry have suffered over the last few years because customers are afraid," said Erik Johnson, senior VP at Bank of America.

How to Protect Your Brand
An Online Security Checklist
  1. Authenticate e-mails.
    Provide the ISP with information that helps it determine whether an e-mail is legitimate or should be blocked.
  2. Implement security certificates.
    An emerging standard, the Extended Validation SSL certificate, lets online shoppers know they are on a website that belongs to a legal business.
  3. Set up a mechanism to monitor domain registrations.
    New domain names are registered everyday. Some of them can infringe on well-established brand names. For example, consumers might think is owned by Paypal, when it may be operated by an entirely different company. Setting up a process or hiring third-party vendors to help monitor new domain registrations is no different than hiring firms to monitor infringing trademarks.
  4. Set up a process to encrypt and protect customer data.
    Employees lose laptops and storage devices all the time. Have a plan for protecting this valuable data from loss.
  5. Practice self-regulation.
    Consumers are overwhelmed by the volume of e-mails and spam they get on a daily basis. Marketers may want to exercise some restraint in the frequency of their e-mail delivery. Consumers may thank them for it.

Mr. Johnson said the bank has been using an open standard to "digitally sign" its outbound e-mails for the last 18 months to validate its identity as the e-mail's sender, but internet service providers (ISPs) that process e-mails are still learning how to implement the technology.

As e-mail scams multiply, online security experts say marketers need to work with them to raise consumer confidence in interacting with their brands online.

"Brand managers need to understand the issue at a high level, buy into it and get their people to implement it," said Michael Hammer, who heads up online security operations at American Greetings, which, like its competitors, has been a favorite target of phishing attacks.

At Paypal, a culture exists where the security folks are engaged with the marketers. Michael Barrett, the company's chief information security officer, said he routinely has long discussions with marketers about e-mail policy. He said online security is as much a marketing problem as it is an IT issue.

Impact on brands
"There was a brand impact," he said. "We wanted to stop [the fraud] because it was affecting people's perception of our brand."

The OTA study said the overwhelming majority of Fortune 500 brands, including huge marketers such as AT&T, Procter & Gamble, Sears and MetLife, have not taken the two key steps to reinforcing online security: implementing website-security certificates and authenticate e-mails sent from their corporate domains.

What does that mean? E-mail authentication means a marketer provides information -- digital signatures, IP addresses or domain names from which legitimate e-mails will come -- to the ISPs, such as Earthlink or Comcast, or e-mail vendors, such as Yahoo or AOL, that helps them determine that this is truly from the company it claims be from. For example, XYZ company can declare to the ISP that it only sends e-mails from the domain Thus, if the ISP sees e-mails purporting to come from XYZ but that are sent from any other domain, it should block them.

OTA Chairman Craig Spiezle said third-party e-mail marketers are adopting authentication at a rate of 85%, but brands themselves are not protecting their corporate domain names. That means third-party vendors sending e-mails on their client's behalf often authenticate the domain they have set up to control the campaign. For example, an e-mail marketer sending promotional e-mails on behalf of XYZ might use the authenticated domain, but itself is not authenticated. Thus, it becomes easy for someone to forge e-mail that appears to be coming from

Other steps
Brands can also assure consumers that they are shopping or sharing personal data on a legitimate company website by using what is an emerging web security standard, a certificate called Extended Validation SSL. Marked by a green bar across the page, an EV SSL certified website tells consumers that the site is owned by a registered, legal business.

While e-mail authentication and EV-SSL certification are no silver bullets against fraud, they help diminish the risk of cyber-criminals posing as the brands, and they lift consumer confidence. A study by Tec-Ed Research found that 97% of online shoppers are likely to share their credit-card information on sites with the green EV bar, vs. 63% with non-EV sites.

All things being equal, Paypal saw more people create Paypal accounts on their EV SSL-certified sites than those on older browsers not supporting these certificates, said Mr. Barrett. And while he used to get jokes from people he met at parties asking, "When are you going to stop sending me those fake e-mails?" Mr. Barrett said he hasn't heard them in a long while.

Most Popular
In this article: