Your Reputation is on the Line When your Brand becomes Phishing Bait

03 - January 2019
Elad Schulman

Imagine your customers opening an email, ostensibly from your organization, informing them that you are tightening digital security measures and need them to verify their personal information. They click the link and go to a webpage where they freely hand over their login ID and password, account number and perhaps other personal info. Everything looks to be in order.

Only it’s not.

The email that appeared to be genuine was actually a phishing email. The site your customer landed on was a counterfeit site, impersonating your organization. By hijacking your brand, hackers are able to cloak their criminal activity and lure your unsuspecting customers into taking the phishing bait.

In the best case, the phishing attack will be detected and stopped before any personal damage can occur. In the worst case, your customer will lose personal data privacy and/or financial assets as a result of getting phished. In every case, your brand will take a serious hit.

Whether it’s fair or not, your customers will associate this type of phishing attack with your brand – not with the anonymous bad actor who remains in the shadows. The brand reputation and trust that took years of investment and effort to nurture, can be damaged overnight by a single phishing attack, and may be ruined by repeated attacks.

Reputational damage can be the top business impact from security breaches.

When asked to list the top three issues that would most likely have a negative impact on their organization’s reputation, CMOs and IT managers in the UK listed “data breach” as second only to “poor customer service.” The interesting bit is that there doesn’t have to be any personal damage from the breach in order for consumers to lose trust in a company. Just the knowledge that a breach happened and it could happen again is enough to make them wary. How much more “brand-wary” will consumers become if they suffer a personal financial loss of data breach from a phishing scheme that is impersonating your organization?

Your Reputation is on the Line When your Brand becomes a Phishing Bait

Source: The Impact of Data Breaches on Reputation and Share Value, May 2017

Security breaches reduce customer trust

In a recent report on GDPR, Deloitte also touched upon consumer trust, noting that 25% of their respondents said their level of trust would decrease if the organization was involved in a data breach. An even higher percentage (35%) said their decision to continue doing business with an organization depends on their level of trust in that organization. To address the trust issue, Deloitte noted that companies are investing in systems that will assist with timely anti-breach mitigation and other damage control strategies.

All these breach mitigation systems have one thing in common. They’re reactionary. A hacker got in. Now, after the fact, we have to find, isolate, and neutralize him before he can do any damage.

When you’re reacting to a breach, you’re already behind the eight ball. So says Verizon, who in their 2018 Data Breach Investigations Report (DBIR), prefaced their findings with this sobering statistic:

You have 16 minutes until the first click on a phishing campaign. The first report from a savvy user will arrive after 28 minutes.” (Verizon, 2018 DBIR)

When Verizon says “savvy user” they’re talking about employees who have been trained to spot phishing attacks and even so, a certain percentage continue to fall for phishing scams.

When your customers (who are not trained) get phished, how long between the first click and the report? Maybe hours. Maybe days. Maybe never. No one has done a study to measure it. In the meantime, your brand reputation is at stake.

Why are we so concerned about phishing? It’s simple.

90% of security breaches involve phishing or social engineering

We’ve quoted this statistic before but it bears repeating. This time the statistic comes from the Verizon 2018 DBIR, but I’ve seen it many times – always hovering around 90%. Phishing is widely used because it is a relatively easy way for cybercriminals to get what they want – be it money, intelligence, personal data records, whatever. Rather than try to hack their way past firewalls, IDS/IPS, sandboxes and honeypots, cybercriminals find it much easier to trick unsuspecting people into to handing over their user credentials voluntarily. Once the hacker has obtained valid user ID, password, account numbers, etc. getting into any network is trivial.

While training programs can help to reduce the risk of employees getting phished, security awareness focuses on how to react to a phish. It means the phishing lure is already in front of the employee. He just needs to recognize it and refrain from clicking or taking the bait.

When it comes to customers who are beyond your security perimeter and your ability to train, reactionary measures will always be too late. To prevent brand damage from phishing, you need to prevent the phishing lure from reaching your customer in the first place.

Intervene before phishing attacks impact your brand reputation

If you want to stop phishing attacks from reaching your customers, you need to be proactive. You need to take the battle to the threat actor’s domain, where phishing campaigns are under construction and can be pre-emptively neutralized. Currently, the only way to do this is with anti-phishing technologies, like Segasec, that are able to detect, monitor, and disarm counterfeit phishing sites, malware payloads, and compromised servers before campaigns launch. With a 99.97% catch rate and zero false positives, Segasec’s proactive anti-phishing intervention is the only way to protect your brand reputation from malicious exploitation.