Cost cutting is top of mind for many companies and one way to easily cut costs in an organization is to stop sending paper.
This means getting customers to opt in to going paperless and interact with you electronically.
However, the mission to protect customers from phishing attacks seems to be at odds with going paperless.
Do your emails look like you’re phishing your customers?
We don’t want to look like phishers and tell our customers to log in from an email. But if they are paperless via a portal, sending an email asking them to log in is usually the method used to get them to view their bills or statements. And if there is an amount due, these emails often ask our customers to go online to pay their bills.
Are you inadvertently teaching your customers to get phished?
Of course, that’s not to say customers won’t be phished if you don’t send these types of emails. However, making customers familiar with the process of logging in to view a bill or statement from an email or text notification gets them far more accustomed to the notion.
If you’re on the hunt for an Email Service Provider (ESP) and you send these sorts of emails, you should ask how they can help you with your notification emails so you can ultimately protect your customers.
Applying best practice based on their expertise is crucial to ensuring your emails pass this test.
Measure their ability! 3 Questions to ask your prospective ESP
1. Can they help verify that your emails are the real deal?
Phishing attacks are usually mass emails sent in the hope that someone will click a link and ‘log in’ without noticing that it leads to a different URL (as the site looks the same). This action gives phishers the information they need to gain access to the victim’s account. It’s not that they know these victims; it’s just a matter of chance as to who will fall for their scam.
Your ESP should definitely help you set up email authentication: DMARC, DKIM and SPF for your emails. However, those mechanisms help ISPs distinguish your emails from potential phishing emails; they do not help your customer do so.
Look out for an ESP that can help guide you on how to help your customers. An example would be to include authentication information in the email body. This information can be anything – the last five digits of the customer’s account, along with the first line of their home address. And of course referring to them by their full name in the email is of utmost importance, as phishers don’t have this information.
2. What tactics would the ESP employ to help educate customers?
Your customers won’t necessarily know to always look out for the authentication information, so you’ll have to tell them to. Send out email campaigns literally pointing out (in step-by-step fashion) what they should look out for and what they can expect from you. An ESP with a great UX resource is important here.
Crafting these emails to help educate your customers both in copy and layout will help you down the line.
3. Can your ESP help you bypass the login process?
Asking customers to log in or verify their account are two very common ways phishers trick customers into giving up their personal information. So, don’t teach your own customers to do this.
Instead, consider attaching the bill or other secure document to the email itself and password-protecting the attachment.
If this sounds like the solution you need, you will need to ask if your ESP has the capability to send attachments. Also, make sure the attachment type isn’t a conduit for viruses (.html and .exe attachments, for example).
There is no surefire way to protect your customers from being phished, but finding the ESP that can help you in your process will certainly help ensure you don’t look like you’re trying to phish them.