A long-time marketing professional in a diversity of verticals, dmarcian Marketing Director (Americas) John Bowers tells a cautionary tale and speaks to the need for marketing departments to coordinate efforts with their organization’s IT department.
The marketing and domain-security crossroad has become a treacherous place. Less than six months after helping my teenage son set up an account at a major U.S. bank, he and I received a marketing email and text message announcing new account features. The call-to-action in the SMS and email seemed simple enough: just follow this link to login to your account, and we’ll show you the new features.
Later on that hot summer day, I walked over to the bank’s main branch and let them know their domain was being spoofed via SMS and email. The guy I spoke with shook his head, threw his hands up and said, “There’s nothing we can do to stop it.” That wasn’t the answer I wanted to hear, especially from a bank that had been dealing with consumer trust issues.
My story is only one example of the many instances of cybercrime. We all have our stories that have led to cyber fear and suspicion. The Pew Research Center found that “Americans fear they have lost control of their personal information and many worry whether government agencies and major corporations can protect the customer data they collect.”
So, what does this have to do with marketing?
In one word: trust.
When a brand succumbs to business email compromise (BEC) and word gets out, consumers lose trust in the organization. It could have been an employee mistake, a misconfigured server, an insufficient firewall. Whatever the reason, when a network is infiltrated, marketing and public relations is forced to pivot from proactive business-building and nurturing mode to crisis management. BEC is increasing year over year because of scale—email is the largest app on the Internet and thus the prevalent attack vector.
As marketing becomes more and more data-driven and promotional tools proliferate and become available for data-centric marketing campaigns, the richer the ground for either opportunistic or targeted attacks.
Some of the most lucrative attacks for criminals and costly for organizations is BEC. Beyond the financial cost, BEC has the potential of disrupting digital infrastructure in vertical spaces—think power grids and hospitals. One deterrent you can put into place is DMARC. Adding SPF, DKIM, and an aggressive DMARC policy to your DNS will vastly reduce the possibility of your domain being abused. Though it isn’t the silver bullet (there isn’t one; you need a quiver), DMARC is a no-brainer for keeping domains and the associated brands safe and sound.
As marketers, we should check with our IT teams more often to review the technical aspects and social engineering of email campaigns. IT should know, for example, what email service providers we’re using; their input could help engagement rates.
Please don’t get the not-my-job syndrome when you read this: It’s time for marketing departments and marketing leadership to learn more about the cybersecurity frontier and face it alongside IT. Right now, you likely only get together with IT if there’s been a breach and you’re called in to write the apologetic press release and find tactics for communicating the post-breach “we’ve changed” message.
Let’s get proactive here. When we propose a new marketing campaign with leading-edge marketing mechanisms and third-party vendors, let’s check in with IT and do a security check even if, superficially, there seems to be no risk at all.
Let’s face it—to cybercriminals, our calculated marketing campaigns are a target. Break through the organizational silos to show that marketing needs and wants to be involved to safeguard the image of the company—that’s our job as marketers. Consider adding a “cybersecurity review” item to your creative brief template when it involves the digital medium, particularly email. Initially you’ll get incomprehensible looks, maybe some eyerolls, but your intent is mission-centric and for the greater good. Interlace security protocol into your operations and form the tightest alliance with IT, top to bottom.
At the time of the phishing attempt, I had checked the bank’s domain, and there were gaps in their domain security. When I checked again recently, they had a DMARC record and the proper p=reject policy in place.
The transformation marketing has seen in the digital age is not slowing, nor should our efforts to be innovative and take advantage of new resources to reach goals. In these days of big data and big breaches, our stakeholders need to know they can trust our organizations; we need them to trust us so we can advance our missions. With the continuing digital transformation, we need trust and authenticity more than ever.