Many e-commerce and multichannel retailers need to go to greater lengths to prevent deceptive e-mail and phishing scams, according to industry group the Online Trust Alliance (OTA).
The organization released a report last week claiming that 56% of .gov Web sites and 45% of leading e-commerce sites are not taking appropriate e-mail and domain security measures.
The report measured 25 government domains, as well as the top 300 online retailers as measured by sales volume.
Analysis was completed from April 3 to April 13, based on examining the public domain name system records of the brands and governmental agencies, as well as more than 20 million e-mails sent to consumers purporting to come from the legitimate brand and domain.
The organization also found that among the top online retailers, 45% have not adopted e-mail authentication, according to Craig Spiezle, chairman and founder of the OTA, which is based in Bellevue, WA.
E-mail authentication has been widely heralded as a best practice to help curb deceptive e-mail and phishing exploits, which are some of the leading tactics for identity theft, he says.
“It is incomprehensible that in this period of escalating online scams and diminishing consumer confidence these agencies and businesses continue to sit on the sidelines,” says Spiezle. “Best practices not only need to be adopted by business, but also by governmental agencies.”
While companies increasingly have embraced e-mail authentication over the past year, it hasn’t been enough, he says.
“We had growth [in that area], but the bad news is that companies we know have been victims of phishing or spoofing in the past year haven’t stepped up their authentication efforts,” Spiezle says.
Many organizations and businesses that have failed to use some form of e-mail authentication standard, including SPF/Sender ID or DomainKeys Identified Mail (DKIM), have become victims of forged e-mail and online exploitation, says Spiezle.
One reason for the lack of e-mail authentication adoption among so many companies could be a lack of communication, says Dennis Dayman, chief privacy officer for marketing services company Eloqua, based in Vienna, VA.
“What I tend to see is there are so many companies with many divisions, they may not know how many are sending e-mails from that single identity,” he says. “That makes it difficult for e-mail marketers today.”
While many companies authenticate e-mail addresses used on the marketing side, Dayman notes, that’s not always the case with corporate domain name addresses. This is a mistake, he says.
“E-mail authentication should be used on any and all domains you send e-mail from to help identify who sent an e-mail from that domain or identity,” he explains.
Another problem is that many marketing departments leave e-mail authentication issues to their firms’ IT department. That could be trouble, Dayman notes, for departments that don’t generally communicate that often — but can be solved with more communication.
“There should be weekly or monthly meetings with all the e-mail people,” he says. “Find out if you are overlapping [e-mail campaigns], and discuss major changes to your network.”
Dayman applauds companies that use e-mail authentication technology, but warns that taking only that step isn’t enough.
“That’s just step one,” he says. “Step two is reputation, like how many bad addresses or spam buckets you have [in a given e-mail mailing]. That can be improved simply with good marketing practices.”