Epsilon Breach Demands New Best Practices

The recent Epsilon breach that exposed millions of email addresses has the potential to create a very big problem for all email marketers and will demand development of new best practices in the world of email marketing. It is of particular importance for banks and brokerages with a retail facing business, as these organizations are the most likely targets for phishing attacks.

This breach is unusual because hackers captured not only email addresses, but also first and last names and associated companies where those users have active accounts. This enables a much more effective fraud tactic called "spear phishing." The fraudsters know that jdoe@gmail.com is John Doe who has an account with Citibank. So they can send a targeted email to John, using his first and last name and sending something that looks very much like it came from Citibank.

The affected Epsilon clients rushed to inform their subscribers of the breach and tell them to be suspicious of any email purported to come from them. The emails made an effort to help consumers distinguish between legitimate and illegitimate emails. But as consumers get better at discernment, they're also likely to become a lot more suspicious of any marketing or transactional emails (a transactional email is correspondence confirming an action or updating a recipient on their account status. Often these emails include offers related to other services, sent in an effort to expand the banks' business with existing customers).

Most phishing emails today contain obvious spelling or grammatical errors and calls to action that are quite different than what the legitimate company would send (e.g., "please log in to verify your account information..."). Users can be trained to detect errors and to recognize when a phisher asks for information that a legitimate company would not request in email.

However, I would posit that the phishers are getting more and more sophisticated with their attacks. While much of the phishing is currently originating in countries where English is not the first language, I'm noticing increasing levels of sophistication in design and language in phishing emails. The phishers are getting smarter, and this will make it more difficult for consumers to differentiate. If the hackers that broke into Epsilon's database knew what they were stealing and are planning "spear phising attacks, then it's likely that fraudsters using this data are going to get more sophisticated in their approaches.

The better the attackers get at their cons, and the more consumers get educated about phishing fraud, the more suspicious consumers will be of any marketing or transactional email from their banks, brokerages, credit card providers, etc.

This creates a problem with the way email marketing is done today. For example, most email service providers and marketing automation platforms use tracking code and personalized URLs (PURLs) in their links. These allow marketers to observe click through rates and measure effectiveness of their efforts. They also greatly simplify the process of finding information that might be buried deep in the linked website, significantly improving the user's experience.

The more educated the recipient becomes; the more likely he or she will be to detect complicated PURLs and distrust these links in emails. When suspicious of an email or link, he won't click it, opting instead to type a URL he already knows directly into a browser. This creates two problems as I see it.

First - our marketing automation software won't be able to detect a click. This makes linked calls to action and response measurement much more complicated.

Second, and more importantly, the user is less likely to type in the full URL of our landing page. For example, they're far more likely to type in www.communitybank.com than https://www.communitybank.com/Community/retailoffers/account/login.aspx?acid=0000000. So how do we then lead them to our offer? Do we modify the home page for every campaign? How will this affect complex trigger campaigns? How will this affect transactional emails where the links need to take users to specific pages buried deep in a navigation hierarchy?

This breach will make it critical that email marketers, demand generation specialists and email service providers define new email marketing best practices.