Don't let your loyalty communications become a phishing risk
Published on 06 Nov 2014
The number of phishing emails continues to rise globally and it’s no longer primarily financial services and utility brands that are being used to target unsuspecting consumers. According to Simon Johnston, strategist at customer communications management (CCM) specialist, Striata, “Branded loyalty communications are also being exploited in an attempt to solicit criminally valuable personal information.”
Although the spoofing of loyalty communications is not new, the fact that this is mentioned in the latest Internet Security Threat Report from Symantec reinforces the requirement to safeguard all digital communications – even those that don’t seem a likely target for phishing scams.
Johnston believes that loyalty programs with points that can be exchanged for cash and those that do not follow any anti-phishing communication guidelines are at highest risk of becoming targets.
“Loyalty programs within banks are high risk based on several factors,” says Johnston. “A stolen member ID, for example, can be used to access cash from a member’s accrued loyalty points if that is the reward. Customers may also be less suspicious and not apply the appropriate level of caution when personal information is requested by a trusted loyalty brand.”
Johnston recommends that all businesses with loyalty programs conduct a gap analysis on their member communications to assess the risk of the brand being used in a phishing scam that targets their members.
“The best defense is member education,” says Johnston. “Make your members aware of what will and will not be included in your communication, as well as how to spot a fraudulent email.”
Johnston cites the following ways to protect a brand from phishing scams:
- Digitally sign all outbound email, including your marketing campaigns
- Always personalize your emails to show the recipient you know them
- Use sender authentication to assure customers that your email messages come from a legitimate source
- Discuss the implementation of technologies such as DKIM, DMARC and SPF with your IT department or ESP
eBucks gets member education right!
Leading South African loyalty brand, eBucks, is well aware of the risk of phishing attacks on its members.
“Fortunately eBucks has been educating its members for many years by implementing many tools and tactics, some of which were recommended by Striata to combat phishing,” says Johnston.
Monique Smith, Executive for FirstRand Group Partnerships at eBucks, confirms its ongoing commitment to educating its members. “In addition to constantly reminding our members that we will never send an email requesting personal security details, there are a number of additional points that we stress in our communications:
- Secure sites will publish a Web certificate that shows as a padlock next to the address bar in your browser. This proves that you are entering a secure site. Check the URL. If the URL does not conform to what you would expect, i.e. www.bank.co.za, do not continue. The correct URL, coupled with the presence of the padlock, is an indication that you are entering the legitimate site. There are also websites where you can verify the owner of a URL.
- To avoid the risk of downloading spyware or malware, the Internet security settings can be changed to always ask for confirmation before downloading anything to your computer.
- Use common sense: if the email content seems too good to be true, then it probably is. Be cautious when opening unknown attachments or downloading any files, regardless of who sent them. Don’t email personal, financial or password information in the body of an email, EVER.”
“To avoid falling victim to a phishing scam, loyalty programs need to improve their email design, review their security protocols and continually educate members in order to provide the best customer loyalty experience, without the phishing risk,” concludes Johnston.