Consumers’ trust in a brand takes years to win but can be quickly lost if scammers use it in phishing scams, a new survey by Mimecast shows. The poll of more than 5,000 adults from the UK, Benelux and the Nordics reveals that consumers expect their favourite brands to protect them from scams – and that UK customers are especially unforgiving of those that have been impersonated by criminals.
The extent to which a customer favours a brand has little impact on how they would respond to its use in a scam, the survey shows. If a spoofed version of a company’s website tricked them into disclosing personal information, UK consumers are equally likely to lose trust in that brand whether it’s one of their favourites (65%), a brand they regularly use, (66%) or just one they are familiar with (67%). The majority of Britons also expect brands to ensure that channels they use to interact with consumers, such as email, websites and social media, are safe for the consumer.
And it's not just the brand reputation that is at risk: 65% of UK consumers surveyed say they would stop spending money on their favourite brand if they fell victim to a scam impersonating that brand.
Britons are among the least forgiving when it comes to online scams, with 67% saying they would not tolerate losing money in a scam impersonating a brand and 65% saying they would stop buying its products and services. In contrast, just 45% of consumers in Denmark agree with both statements.
UK consumers are also the most wary of email-based scams. They are most likely to apply checks before trusting an email that appears to originate from a certain brand, including checking the spelling of the sender's email address (60%) and the spelling in the body of the email (57%)
This caution is hardly surprising, given that 85% have received emails containing phishing scams at some point, with 45% having experienced that at least once a week and 65% at least once a month. But despite this caution, Britons are also most likely to trust brands they regularly use enough to open emails sent from their domains and to click on links in these emails (47% and 37%, respectively).
The survey also reveals consumers' high expectations for cybersecurity. Most agree it is a brand's responsibility to protect itself from email impersonation (61% for all respondents and 71% of those in the UK) and from website spoofing (63% for all respondents and 64% for Britons). And how a brand responds to cybersecurity incidents can also jeopardise consumer trust, the survey shows, with the biggest reputational risk resulting from refusal to compensate the victims of cyberattacks leveraging its brand (34% of all respondents and 43% of Britons).
How can brands avoid reputational risk from phishing scams?
Mimecast proposes two technical fixes for email scams. The first is domain-based message authentication, reporting and conformance (DMARC), which can identify anyone using a brand's domain without authorisation and intercept the message. This only works for domains owned by the brand and does not prevent bad actors from creating spoof websites and domains that look similar to the original ones; for that it proposes a service that uses machine learning and targeted scans to identify known and unknown attack patterns and block and take down suspicious sites and active scams.
Tackling brand impersonation attacks on the home front may be easier, but it is still challenging. Markus Bauer, senior technology evangelist at Acronis, recommends that companies take steps such as URL filtering, regular penetration testing and security training for employees to minimise the risk of phishing scams or spoofing attacks compromising a company's internal systems.
The real challenge, however, is taking the fight to the enemy and preventing malicious third parties from reaching consumers without the knowledge of the impersonated company. "You need an active online brand protection strategy to combat such behaviour," says Candid Wüest, VP for cyber protection research at Acronis.
As a first step, he recommends that companies claim their primary domains and accounts on social media before anyone else does. In addition, they can subscribe for services that are constantly monitoring and crawling the web for new accounts created with the company brand name and logo, and monitoring the dark web for suspicious activity.
Tools aside, "awareness should also be part of your strategy to minimise brand impersonations," Wüest says. That should include clear communication guidelines to ensure customers know what an official email from a certain company would look like. Such emails would ideally be signed and verified. Asserting that your company "would never ask for your password" can be helpful too, Wüest adds.