Blog article
See all stories »

Epsilon Breach Demands New Best Practices

The recent Epsilon breach that exposed millions of email addresses has the potential to create a very big problem for all email marketers and will demand development of new best practices in the world of email marketing. It is of particular importance for banks and brokerages with a retail facing business, as these organizations are the most likely targets for phishing attacks.

This breach is unusual because hackers captured not only email addresses, but also first and last names and associated companies where those users have active accounts. This enables a much more effective fraud tactic called "spear phishing." The fraudsters know that is John Doe who has an account with Citibank. So they can send a targeted email to John, using his first and last name and sending something that looks very much like it came from Citibank.

The affected Epsilon clients rushed to inform their subscribers of the breach and tell them to be suspicious of any email purported to come from them. The emails made an effort to help consumers distinguish between legitimate and illegitimate emails. But as consumers get better at discernment, they're also likely to become a lot more suspicious of any marketing or transactional emails (a transactional email is correspondence confirming an action or updating a recipient on their account status. Often these emails include offers related to other services, sent in an effort to expand the banks' business with existing customers).

Most phishing emails today contain obvious spelling or grammatical errors and calls to action that are quite different than what the legitimate company would send (e.g., "please log in to verify your account information..."). Users can be trained to detect errors and to recognize when a phisher asks for information that a legitimate company would not request in email.

However, I would posit that the phishers are getting more and more sophisticated with their attacks. While much of the phishing is currently originating in countries where English is not the first language, I'm noticing increasing levels of sophistication in design and language in phishing emails. The phishers are getting smarter, and this will make it more difficult for consumers to differentiate. If the hackers that broke into Epsilon's database knew what they were stealing and are planning "spear phising attacks, then it's likely that fraudsters using this data are going to get more sophisticated in their approaches.

The better the attackers get at their cons, and the more consumers get educated about phishing fraud, the more suspicious consumers will be of any marketing or transactional email from their banks, brokerages, credit card providers, etc.

This creates a problem with the way email marketing is done today. For example, most email service providers and marketing automation platforms use tracking code and personalized URLs (PURLs) in their links. These allow marketers to observe click through rates and measure effectiveness of their efforts. They also greatly simplify the process of finding information that might be buried deep in the linked website, significantly improving the user's experience.

The more educated the recipient becomes; the more likely he or she will be to detect complicated PURLs and distrust these links in emails. When suspicious of an email or link, he won't click it, opting instead to type a URL he already knows directly into a browser. This creates two problems as I see it.

First - our marketing automation software won't be able to detect a click. This makes linked calls to action and response measurement much more complicated.

Second, and more importantly, the user is less likely to type in the full URL of our landing page. For example, they're far more likely to type in than So how do we then lead them to our offer? Do we modify the home page for every campaign? How will this affect complex trigger campaigns? How will this affect transactional emails where the links need to take users to specific pages buried deep in a navigation hierarchy?

This breach will make it critical that email marketers, demand generation specialists and email service providers define new email marketing best practices.



Comments: (3)

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 21 April, 2011, 13:12Be the first to give this comment the thumbs up 0 likes

@Candyce E:

Banks currently advise their customers to look out for phishing emails by carefully inspecting the URL of the hyperlinks present in emails purportedly sent by them. Not only does this cause the problems for email marketing that you've highlighted so well, but it often fails to fulfill its basic purpose since most people are unable to differentiate between a genuine URL like and a fake one like Let me not even begin to describe the added complications that enter the picture when a bank chooses to outsource its PPC ad and email marketing landing pages and microsite to genuine third-party providers. 

Instead, banks should implement a truly foolproof anti-phishing solution that works by authenticating the bank's website to the user regardless of whether s/he reached it by clicking an email, PPC ad, Twitter tweet or whatever. The genuine website contains the usual branding elements of the bank plus an authentication image preselected by users from a library supplied by the solution. When users reach a website that only contains the branding elements, they know they've reached a fake website. 

I know that HDFC Bank (India) is one bank that has deployed this technology (Disclosure: HDFC Bank is one of the banks I bank with, which is how I know that they've implemented such a solution). If more banks would do so, phishing could be eliminated and email marketers can heave a sigh of relief!

A Finextra member
A Finextra member 21 April, 2011, 16:57Be the first to give this comment the thumbs up 0 likes



I appreciate that you took the time to comment and suggest an approach. The issue demands that we all get creative to find new ways to continue to effectively use email marketing, and you've offered a solid idea.

Thanks also for pointing out the difficulty that consumers will have in distinguishing between a legitamate and illegitamate URL. You make a great point!

I'd love to see more ideas. Anyone?

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 22 April, 2011, 11:05Be the first to give this comment the thumbs up 0 likes

@Candyce E:

Thank you for the feedback. As a firm that provides marketing solutions, we use email marketing heavily, so it's very much in our interest to find solutions to the issues that you've described. I've shared this page on a couple of pertinent groups in LinkedIn. If I get some more ideas from there, I'll past them as additional comments on to this Finextra page.