There has been a lot of talk recently about phishing and brand reputation, specifically how phishing attacks often have a major negative effect on how customers view a particular brand. After a phishing attack, many customers lose trust in a brand.
What happens when you lose your customers’ trust?
Successful brands are built on trust. You’ve spent years building your brand and earning your customers’ trust. Don’t leave your brand equity vulnerable to an attack that could cost you your current and future customers.
Your Brand is at Risk
It’s with good reason that, according to Frost & Sullivan, 71% of security executives consider “protecting their brand” as their top priority. Each year, hundreds of brands are targeted by cyber criminals who are launching targeted phishing attacks. According to the most recent Anti-Phishing Working Group (APWG) Phishing Attack Trends Report, the number of brands targeted for phishing attacks reached the highest levels on record last year.
Phishing attacks happen, but can they happen to you? They most certainly can. In fact, an ever-increasing number of high-profile attacks are reported in the press on a regular basis. Brands that hold customer data considered highly desirable to attackers are bigger targets for phishing, but any brand doing business online is at risk.
Brand Damage: The Cost of Phishing to Your Brand
When a brand is attacked, there are both quantitative and qualitative repercussions. The cost of a phishing attack that affects 500 customer accounts can reach upwards of $1.4 million, once you account for the direct financial loss of funds to the cybercriminal plus the strain on internal resources to manage and investigate the crisis. That’s the immediate financial hit you can expect, but there are long-term costs too – your reputation.
When your customers fall victim to an attack on your brand, consumer perception is that it’s all your fault. Once your brand is targeted, your customers are 42% less likely to do business with you in the future.
This sentiment applies even if the consumer doesn’t fall victim and release credentials. Simply receiving a phishing email is enough to write you off. Thus, your brand is assumed to be “guilty by association”. When a consumer is targeted by a phishing attack that impersonates your brand, the consumer has a negative experience that he/she associates with your brand. Negative experiences will certainly not increase shareholder value.
Adding further insult to injury, the media often takes note of the situation, cementing consumer perception that doing business with you is a risk. While perhaps not fair, your brand becomes caught up in the associated downward spiral. Consumers, fearful of identity theft, choose your competitor.
Be the Brand Consumers Trust
It all comes down to trust.
In many ways, you are the brand that consumers trust. You have a proven track record of delivering quality products and/or services to your customer base. But cybercriminals are using that same strength and equity of your brand to carry out their mission.
In today’s world, your success as a brand is determined, in part, by your ability to protect the safety of your customers. Building a security infrastructure that allows your customers to do business with you safely is crucial to keeping and expanding your customer base.
What do nearly all of the recent high-profile data breaches have in common? They have all been traced to sophisticated threats and cyber criminals. While there are many disagreements in the security industry, after every significant breach nearly everyone agrees that it was sophisticated (Twitter, Apple, and the Department of Energy are some of the unfortunate organizations to be compromised by a sophisticated attack recently).
On the surface, it isn’t hard to see why. First, technology vendors need attackers to be super sophisticated, because simple tactics couldn’t circumvent their products, right? For victims of a breach, it is advantageous for it to seem as though it took a sophisticated actor to penetrate its network. And from the incident response standpoint, it behooves IR consultants to describe these breaches as ultra-sophisticated to help their customers save face.
“It’s legit,” an APT1 hacker wrote in response to a recipient who questioned the validity of a spear phishing email sent by the now notorious Chinese hacking group. This recipient had the awareness to initially question the authenticity of the phishing email, but when APT1 responded, it added an element of trustworthiness to its communication, one that could trip up even a savvy employee.
This is one of the tactics Mandiant® described in its report about APT1, and is something we at PhishMe® have observed as well from both our customers and our contacts in the industry. To address this issue, we rolled out the Double Barrel, a new scenario type that will simulate the conversational phishing techniques used by advanced adversaries like APT1. This has been in development for months, and it was a happy coincidence that we rolled this out the same week that Mandiant provided the world with a concrete example.