3 Near-Death Experiences for Email Marketing
In its relatively brief history, email marketing has survived two “near death” experiences — the wholesale blocking of bulk mailers and the myriad laws that led to CAN-SPAM. This doesn't include several lesser ones, such as the suppression of images and links. As an industry, email marketers have learned quite a lot from these experiences and they're all stronger for it. Surely you can survive anything.
Or can you?
Your very survival is threatened once again, this time from “spear phishers” who use social engineering to target your own employees, often to then launch additional attacks in your company’s good name. The bad players used to target just internet service providers (ISPs), but now they have their sights set on you. They not only cause monetary losses and tarnished reputations, but also deal a blow to the trust you rely on every day to do business with your customers and partners.
Will this new threat put you out of business? Will you emerge stronger than before? Time will tell. But first, what did you learn from your first two near-death experiences?
Experience No. 1: Near Death by Blunt Instrument
It was late 2002 when ISPs realized that spam had crossed a magic threshold — about 40 percent of all traffic (incredibly low by today’s standard of 85 percent to 90 percent) — and had to be stopped to protect their networks and subscribers. So at the height of the holiday mailing season, AOL and other ISPs delivered a near deathblow to the industry with a very blunt instrument — wholesale blocking of bulk mailers.
Quite naturally, the legitimate brands and email service providers that supported them were up in arms, not just because wholesale blocking ruined their holiday campaign plans but because email marketing had just begun to prove itself a major contributor to their bottom lines. The protests from email marketers and their proclamations of legitimacy fell on deaf ears, however. The ISPs had a community of subscribers to protect. Yes, their filtering techniques were blunt instruments and caused great collateral damage, but the reality was that ISPs couldn’t tell the difference between the good players and the bad largely because they looked and behaved too much alike.
Those were tough times, with some predicting the imminent demise of email marketing. But email marketing did survive thanks to an uneasy truce with the ISPs based on promised industry reforms and the advent of the spam button and other techniques for coping with spam. Email marketers grew from that painful experience in important ways.
First and foremost was a shift in philosophy amongst legitimate email marketers. They began to realize that customers were behind their email addresses, their marketing practices mattered and email addresses weren’t an inexhaustible resource after all.
Second, marketers came to recognize it wasn’t about “fire and forget.” They really did need to know what happened to what they sent. They needed to capture and apply email disposition data to measure success and improve list management and marketing practices. This was the beginning of true results-based metrics and reporting and an industrywide focus on deliverability.
Third, the industry began to seriously examine the systemic problem of email accountability, namely identity and reputation, to differentiate the good players from the bad. This was the time of Project Lumos and the birth of authentication protocols.
Lastly, the ISPs began to recognize the existence of “false positives” and the notion that legitimate email shouldn’t suffer that fate.
Experience No. 2: Near Death by a Thousand Cuts
A little over a year after the 2002 holiday season uproar, the atmosphere had become supercharged with consumers protesting loudly about spam overrunning their inboxes. With state legislators responding to their constituents with progressively more draconian anti-spam regulations and California on the verge of imposing the most far reaching of all, the clock was ticking on email marketing. Its future looked particularly bleak. The email industry literally faced a death by a thousand cuts as conflicting state regulations were converting a universal medium into a balkanized one. At the 11th hour, President Bush signed the CAN-SPAM Act on Dec. 16, 2003, saving email marketing from its second brush with death.
While some will argue to this day that CAN-SPAM was an ineffectual law, I prefer to focus on its positives. Aside from saving email marketers from a fate probably worse than outright death, that is, an over-regulated business with more restrictions than opportunities, CAN-SPAM clearly defined what was legal and what wasn't. It gave email marketers the tools and authority of the federal government to prosecute those who didn’t comply.
In addition, CAN-SPAM accelerated the mind shift for legitimate email marketers that had begun with their first near-death experience. It didn’t take them long to recognize that compliance with CAN-SPAM was no guarantee of acceptance by the ISPs. What was legal wasn’t the same as best practices. With deliverability and response metrics as their guide, email marketers began to seriously focus on email best practices — a trend that continues to this day and one that’s benefited all stakeholders and contributed greatly to the health and vitality of the email ecosystem.
Experience No. 3: Near Death by Stealth Intruder
Today’s threat to email marketing comes from a stealthier, more sophisticated cyber criminal, the spear phisher. To be sure, the assault on ISPs continues unabated. But now facing hardened defenses, the bad players have turned their sights on a “softer” target — you. While Epsilon and Sony have been their most celebrated victims, make no mistake that many other service providers, industry suppliers and enterprises have been compromised too. This has been dubbed “The Year of the Breach” for good reason.
As with your first two near-death experiences, it’s the unsavory elements of email marketing that are behind this threat — the malicious actors who pollute your medium with spam, viruses and malware and use spoofing and other illicit tactics to prey on unsuspecting victims. This element has been with you forever. The sales and marketing profession has always had sleazy players motivated by the prospect of easy money, from the days of unscrupulous door-to-door salesmen who tagged the picket fence of a good mark to the junk mail and phone scams of an earlier generation. The difference now is that the picket fence is virtual and millions of potential marks can be reached with frauds perpetrated in real time by a simple click. And to add to your troubles, the consequences are far more pervasive.
The new breed of attack instigated by spear phishers represents your third near-death experience. I’d argue further that of the experiences you’ve faced down to date, this one is the most challenging and dangerous to your survival.
These attacks are challenging because spear phishers are smart adversaries and they operate with an insider's knowledge of how your ecosystem works. They know the roles and relationships between us, and attack one of us to get at another — whoever might be the ultimate holder of the data they're after. What’s more, they make clever but perverted use of your own best practices — relevancy and personalization — to induce you to open their email. And once you do, the malware it contains steals access credentials to your databases and deployment systems, allowing the perpetrator to hijack your own data and systems to send malicious email to your customers, partners and suppliers. This fraud exploits your good name and reputation and misappropriates your authenticated domains and IP addresses for criminal ends.
Aside from the great brand and monetary damage done to victimized companies, these attacks are dangerous because of how they’re subverting the trust relationships that underpin your ecosystem. You should all be concerned about the cumulative impact of these attacks, about how they’ll erode the trust consumers have in companies and their willingness to share the data that makes digital communication possible. You should also be concerned about the erosion of trust you have in each other, the diminished vitality of your ecosystem and your impaired individual and collective effectiveness.
Fundamentally, the preservation of trust (and your future success) depends on a safe and secure messaging environment. That’s what makes the insidious nature of these spear phishing attacks so alarming. The only thing more alarming is the inadequacy of our industry response. Sure, the OTA, ESPC and others have issued business practice guidelines and some ESPs have reached beyond their competitive differences to compare notes. But our response hasn't been commensurate to the threat. Too few have taken heed. Overall, our response has been uneven, fragmented at best.
With news of each attack there’s been much talk, hand-wringing and chest-thumping, but little definitive action. As marketers, you persist in the belief that security is someone else's problem and seem content to bury your heads in the sand, hoping against hope that the spear phishers will pass you by, which, of course, they won't if you've got data they want or can provide access to someone who does. They prosper at your expense, thrive on your inaction.
Will email’s third near-death experience be one from which we emerge stronger? Or will we allow the spear phishers to succeed in destroying our trust relationships and email marketing in the process? Will we commit suicide by our inaction? The answer lies largely in what we individually and collectively do from this point forward. The solution to the spear phisher threat lies in the combination of the right messaging technology and business best practices. It starts with an awareness of the threat and an abiding, sustained commitment to safe and secure messaging as a guiding principle for the future of email marketing. As marketers, that’s a principle you must embrace and champion within your respective companies and industry.