One man’s phish is another man’s poison. As a legitimate digital marketer, your reaction to the latest online scam, leading to the posting of thousands of email log-in details, is likely to be disapproval and nothing else. Instead, it should be the trigger for two distinct courses of action.
The first is to review your email marketing database. Chances are that a large proportion of the target addresses you use are for Hotmail, Yahoo!, Google or AOL email accounts. In the wake of the recent phishing scam, you could find your clickthrough rates significantly reduced and bounceback rates rising.
Holders of email accounts with these providers are likely to have been made nervous about their security at best, or to have been directly exposed at worst. While it is hard to know exactly how many people were affected by the scam, assuming 1 in 100 seems reasonable.
Those individuals who know their log-in details have been published will not only change them; there is a strong chance they will also start to use a completely different email provider. Even those not sure if their account has been compromised may choose to change.
As a result, an email database that was valid and responsive last month is likely to have been corrupted and to be in need of cleaning. As a first step, it will be worth inviting customers and prospects to provide an alternative address, or carrying out a data capture exercise to get more permanent contact data. Many consumers who use POP email also have other addresses, often those provided with their Internet access. Getting them to provide this address is a good hedge against losing contact.
The other action should be a trust exercise. Individuals who were scammed into revealing their log-in details did so in the belief that they were being asked for them by a legitimate brand owner. Spoofing websites is a common technique and, while it may be obvious to digital marketing experts, consumers do not always doubt the validity of these locations.
So your brand needs to act in order to maintain the belief of your customers and prospects that you are legitimate and your domain has not been hijacked. That is no easy task if you rely on email to solicit a response which is driven to your website. Phishing uses exactly the same mechanism.
Some brands are already sitting pretty. First Direct has long made it clear that it will never request personal information and log-in details via email, for example. For other brands, it may be too late to change strategy. But anyone relying on email files that contain a lot of POP addresses is affected by phishing, not just those individuals who had the misfortune to fall for the scam.