Don’t get Hooked by Phishing or Spear Phishing

Cyber attacks such as the Anthem breach, the Home Depot breach, and the Target breach are becoming almost commonplace.  Major cyber attacks compromising information about millions of people often start not with a bang, but a whisper – a “phishing” or “spear phishing” email through which an attacker tries to acquire login credentials that can be used to launch a sophisticated and crippling attack. Over 90% of cyber attacks take the form of, or start with, a spear phishing attack, and phishing attacks are also very common. These attacks happen both in the office and at home. Phishing and spear phishing attacks can happen at any time, and can target any person or employee.

What is “Phishing?”

In a “phishing” attack, an attacker uses an email sent to a broad group of recipients (and not targeted to a specific group) to impersonate a company or business in an effort to get you to reveal personal information or login IDs/passwords, or to install malware or exploit a security hole on your computer.  It generally uses an official-looking email and website to gather information, and often contains the logo(s) of the company it is impersonating.

What is “Spear Phishing?”

In a “spear phishing” attack, an attacker uses an email tailored for a specific group of recipients (e.g., a group of employees at a specific business), often impersonating an individual such as someone from your own company or business, in an effort to get you to reveal personal information or login IDs/passwords, to steal money or data, or to install malware or exploit a security hole on your computer.

How do I spot a phishing or spear phishing email?

Look for one or more of these key indicators that an email in your inbox is actually a phishing or spear phishing attack.

  • The email has spelling or grammatical errors. A phishing or spear phishing email often contains spelling or grammatical errors, and does not appear to be written by a business professional.
  • You do not recognize the sender’s email address. If you get an email asking you to click on a link or open an attachment, look carefully at the email address of the sender.  Be especially alert for email addresses that are similar to, but not the same as, your company’s email address (e.g., “joe.johnson@microsoft.co” instead of “joe.johnson@microsoft.com”).
  • The email contains links that don’t go where they say they do. Before you click on a link in an email you don’t recognize, “hover” your mouse cursor over the link. A pop-up will appear showing you where the link will actually go.  If the displayed link and the actual destination don’t match, it’s probably a phishing or spear phishing attempt.  In this example, this innocuous-looking link actually goes to a malicious website:

Bad link sample

  • The email asks you to open an attachment you don’t recognize. Many spear phishing emails ask you to open an attachment or click on a link.  If an email you don’t recognize asks you to open an attachment you weren’t expecting or that doesn’t look familiar, or to click on a link you don’t recognize, don’t click on it or open it, and check with your IT or Security department if you want to know for sure.
  • The email seems to be a security-related email, or asks you to take immediate action. Watch out for emails that state that your account will be suspended; ask you to reset, validate or verify your password, account information or personal information, or otherwise ask you to take immediate action to prevent something from happening.
  • The email relates to a current news event. Many phishing emails use a current news event, such as a natural disaster or security breach, to get you to provide information, click a link or open an attachment.
  • The email contains information from your social media accounts or other public information. Spear phishing attackers will often look at your public social media accounts (e.g., your Facebook feed, LinkedIn profile, tweets, etc.) and other public sources (e.g., Google searches) and use information about you or your friends to make a spear phishing email seem authentic.  If an email contains personal information about you other than your name and email address, take a close look to ensure it’s not a spear phishing attempt.
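Two of the indicators above, the “hover” check (visible link text versus the real destination) and the near-miss sender domain, can be checked automatically. The following is an added example, not code from the original post; it uses only the Python standard library, the sample HTML is constructed, and ORG_DOMAIN stands in for your own company’s domain.

```python
import difflib
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"  # assumption: stands in for your own company's domain
# Constructed sample message body for this example, not a real phishing email.
SAMPLE_HTML = (
    '<p>Your account will be suspended. <a href="http://login.microsoft-verify.example/reset">'
    'https://account.microsoft.com/reset</a> <a href="https://www.example.com/help">Help Center</a></p>'
)
# Visible link text that itself looks like a URL or host name (only those can be compared).
_URLISH = re.compile(r"(?:https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(?:/\S*)?")

class _LinkCollector(HTMLParser):  # collects (href, visible text) pairs from <a> tags
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def mismatched_links(html):
    """Return hrefs whose visible text names a different host: the 'hover' check."""
    collector = _LinkCollector()
    collector.feed(html)
    hits = []
    for href, text in collector.links:
        if not _URLISH.fullmatch(text):
            continue  # plain words like "Help Center" give nothing to compare against
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        actual = urlparse(href).hostname
        if shown and actual and shown.lower() != actual.lower():
            hits.append(href)
    return hits

def lookalike_sender(from_header, org_domain=ORG_DOMAIN):
    """True when the sender domain is close to, but not, the organisation's own."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    if not domain or domain == org_domain:
        return False  # no address, or a genuine internal sender
    return difflib.SequenceMatcher(None, domain, org_domain).ratio() >= 0.8
```

A mail gateway or SIEM rule can apply the same two checks to each inbound message and route hits to the Security team rather than to the recipient.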

If you think an email you received is a phishing or spear phishing attempt: (1) do NOT click or open any links or attachments in the email; (2) if you are at work, immediately contact your Security or IT department to report it, especially if you clicked on an attachment or link or otherwise took action before you realized this (failing to report it will be much worse, so don’t be embarrassed); and (3) delete the email immediately.

Demystifying Text Marketing and Double Opt-In

Sending advertisements and promotions through SMS text messages to mobile devices is a compelling digital marketing method for a good reason — the incredibly vast number of mobile devices.  Apple announced last week that it sold a mind-boggling 74.5 million iPhones worldwide in the fourth quarter of 2014.  That’s 33,740 iPhones every hour, 24 hours a day, for 3 months. And an estimated 300 million Android phones were sold worldwide in the same calendar quarter.  Diving into the world of text marketing poses many challenges given the myriad of laws and rules to follow, and stringent compliance requirements such as “double opt-in.”  However, it isn’t really as daunting as it seems at first glance.

The many rules of text marketing

A number of laws, rules and guidelines govern text marketing:

  • Text marketing messages are communications distributed over the cellular phone network, and fall under the laws, rules and regulations governing wireless carriers and mobile phone calls. This includes the Telephone Consumer Protection Act (TCPA). The Federal Communications Commission (FCC) enforces the TCPA.
  • CAN-SPAM, the law and associated rules that govern commercial email messages, also governs commercial emails sent to a mobile phone, e.g., 9525551212@vtext.com. The Federal Trade Commission (FTC) enforces CAN-SPAM, as well as laws and rules governing deceptive and unfair trade practices which apply to all marketing.
  • Mobile carriers can have their own rules around text marketing through their systems.
  • Industry groups have published best practice guidelines for companies engaged in text marketing, such as the Mobile Marketing Association (MMA)’s Consumer Best Practices for Messaging.
  • CTIA, the wireless trade association which operates the “Short Code” system used by many companies for text marketing (the “12345” in “Text ABC to 12345”), publishes the Short Code Monitoring Handbook. The Handbook contains rules governing SMS marketing campaigns that use Short Codes. SMS marketers found to be in violation of CTIA rules may be reported to wireless carriers by CTIA, potentially resulting in temporary or permanent suspension of the ability to run text marketing campaigns through those carriers.

Compared to email marketing or even print marketing, the rules governing US text marketing can seem downright draconian. For example, in US email marketing under CAN-SPAM, you can market to someone who hasn’t opted in as long as you follow CAN-SPAM’s rules, including offering them the right to unsubscribe from further marketing emails, and consent for CAN-SPAM purposes can be oral or written. In US text marketing, to send a commercial text message to a mobile device you must have the unambiguous written consent of the mobile device owner, and “written” means “documented and saved.”  In email marketing, you can purchase opt-in lists; in text marketing, purchasing opt-in lists is not allowed.

Why is text marketing different?  There are three primary reasons.  First, unlike marketing emails, text messages aren’t free.  Consumers directly pay for text messaging services, regardless of whether it’s a flat monthly fee or a per-message charge. Consumers don’t directly pay to receive email marketing messages (the cost of Internet access is an indirect cost).  Second, text messages are viewed as more personal than other types of digital marketing, as they come right to a consumer’s mobile device and not to a device-independent email account. Third, text marketing messages are sent through already heavily-regulated cellular phone networks, and fall under many of the same stringent requirements that have been adapted or expanded to cover SMS – they’re considered on par with (and just as regulated as) a phone call. Keeping spam off the cellular phone networks has been a long-time focus of the FCC and mobile carriers.

Double Opt-In

One of the more misunderstood concepts in text marketing is the “double opt-in.”  Many believe that written consent from a consumer on a paper or web form is all that’s needed to send commercial text messages to that consumer.  However, remember that in text marketing, you need the unambiguous written consent of a mobile device owner before sending text marketing messages to that mobile device.  Don’t just focus on the consent being unambiguous – the consent must unambiguously be provided by the mobile device owner.

  • If you get written consent via an SMS text from a mobile device itself (a “device opt-in”), you have the written consent of the mobile device owner, and since it came from the mobile device itself it’s pretty clear, for consent purposes, that the mobile device owner gave the consent.  (You still have to send a welcome email with certain information, such as message frequency and how to stop future text messages.)
  • However, if you get written consent through another method, such as a paper or web form (a “non-device opt-in”), it’s not clear that the person giving consent is the mobile device owner.   Even a statement on the paper or web form that “I own the device associated with this mobile number” is likely not sufficient – you can’t demonstrate conclusively that it’s true.  You don’t have unambiguous written consent unambiguously provided by the mobile device owner, and that’s where a second opt-in comes in.

The CTIA and MMA rules require that in addition to a non-device opt-in, a marketer must send a single text message to the mobile number provided through the non-device opt-in, asking the mobile device owner to text a response to start receiving marketing text messages for a campaign (e.g., “text ‘Y’”).  If the mobile device owner sends the correct reply text (“Y”), he/she is confirming they want to receive marketing text messages (you still have to then send the welcome email noted above).  This confirmation – the “double opt-in” – removes any ambiguity around who provided the original non-device opt-in, turning it into unambiguous written consent unambiguously provided by the mobile device owner. The double opt-in isn’t to confirm the initial consent is valid – it’s to unambiguously confirm that the mobile device owner was the one that gave the consent.  (It’s important to note that double opt-in is a recommended best practice for device opt-ins too.)
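The workflow above (non-device opt-in, one confirmation text, the owner’s “Y” reply, then the welcome message) written out as a small consent ledger that refuses to send marketing until the device itself has confirmed. This is an added example, not from the original post or any particular provider; the message texts are constructed, and send_sms is an assumed callable backed by whichever SMS gateway you use.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum

class Consent(Enum):
    NONE = "none"            # nothing on file
    PENDING = "pending"      # non-device opt-in recorded, confirmation text sent
    CONFIRMED = "confirmed"  # unambiguous written consent from the device owner
    STOPPED = "stopped"      # the owner opted out
# Constructed message texts for this example.
CONFIRM_TEXT = "Reply Y to receive marketing texts from ACME. Reply STOP to cancel."
WELCOME_TEXT = "Welcome to ACME offers! Up to 4 msgs/month. Reply STOP to cancel."

@dataclass
class Record:
    number: str
    state: Consent = Consent.NONE
    log: list = field(default_factory=list)  # the "documented and saved" consent trail

class ConsentLedger:
    def __init__(self, send_sms):
        self.send_sms = send_sms  # assumption: callable(number, text) backed by your SMS gateway
        self.records = {}
    def _record(self, number):
        return self.records.setdefault(number, Record(number))
    def _note(self, rec, event):
        rec.log.append((datetime.now(timezone.utc).isoformat(), event))
    def non_device_opt_in(self, number, source):
        """Paper or web form consent: keep it, but only as PENDING until the device replies."""
        rec = self._record(number)
        rec.state = Consent.PENDING
        self._note(rec, f"non-device opt-in via {source}")
        self.send_sms(number, CONFIRM_TEXT)  # the single confirmation text
        return rec.state

    def inbound(self, number, text):
        """A text from the device itself: Y completes the double opt-in, STOP opts out."""
        rec = self._record(number)
        keyword = text.strip().upper()
        if keyword == "STOP":
            rec.state = Consent.STOPPED
            self._note(rec, "STOP from device")
        elif keyword == "Y" and rec.state is Consent.PENDING:
            rec.state = Consent.CONFIRMED
            self._note(rec, "double opt-in reply from device")
            self.send_sms(number, WELCOME_TEXT)  # frequency and how to stop
        return rec.state  # any other text, or a stray Y with nothing pending, changes nothing

    def may_send_marketing(self, number):
        return self._record(number).state is Consent.CONFIRMED
```

The per-number log is what satisfies “documented and saved”: every state change carries a UTC timestamp and its source, so the consent chain can be produced later.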

The laws, rules and requirements around text marketing can seem daunting, but the potential rewards and ROI from well-executed text marketing campaigns can be quite significant for businesses.  Many service providers provide turnkey text marketing solutions designed for compliance with the various rules and regulations around text marketing.  And partnering with a digital marketing attorney focused on helping you achieve your business objectives while managing legal risk can help ensure you are on the right path as you move through the thicket of text marketing.