Thoughts from the identity age -- By Phil Libin

Companies on the verge of losing contact

Gartner has just published a report about the scope and effects of “phishing” scams.  The numbers are staggering.  Up to 92 million adults in the U.S. have received phishing attacks – malicious email pretending to be from a real company – in the past twelve months.  The real shocker is that out of the 57 million people who suspected that they had received such an email (the other 35 million in the 92 million total were not sure), 11 million followed a malicious link and 1.78 million self-reported giving the fake websites sensitive information such as credit card numbers.

Wow!

That's a “click through” rate of 19% and a “conversion” rate of 3%.  Legitimate (ahem) direct marketers would chew off their own fingers to get that kind of performance.  Whoever’s writing those emails has some serious social engineering skills.  They know how to push all the right buttons; well-constructed phishing scams are way more clever than “Nigerian” spam and email attachment viruses.  It’s almost as if some cabal of unemployed psychology, literature and web-design majors is exacting their revenge on the post-bubble Internet industry that spurned them.

The potential impact of the phishing problem on consumer confidence, brand loyalty and identity security has been much discussed though not yet fully appreciated.  Another consequence is a bit more subtle: companies are rapidly losing all means of communicating important information to customers.

Think about it: how is Citibank going to *really* tell me if there’s a medium to high importance issue that requires my attention?  They can’t use email because I don’t trust it due to spoofing.  They can’t use snail mail because that’s 90% likely to go straight into the shredder.  Their web site can be spoofed.  They can try to call, but that’s expensive, inconvenient, and only marginally more likely to get my attention.

Of course, this unsettling blackout of company to consumer communications is at least partly self-inflicted.  If private industry hadn’t been so eager to deluge consumers with promotional junk at every opportunity for the past twenty years (I never really needed shampoo coupons in my phone bills), people might now hold corporate communications in higher esteem and be more willing to put in the effort to discriminate between the real and the fake.  As it stands, there’s almost no incentive: an unsolicited email from American Airlines - or most other Big Brands - is pretty much either going to be phish or foul, so I may as well just delete it.  One percent of the time, it’s actually going to be important.  That’s the rub.

Let’s hope that once the worst of the current danger has passed (SpoofStick will help, as will accelerated adoption of digitally signed emails, mutual authentication, increased use of RSS for “real” announcements, etc.), companies will use the temporary reprieve until the next malspelled crisis to reconsider how they maintain the attention-value of their customer communications.  Otherwise…

Sow. Reap. Repeat.
 

May 5, 2004
