Phish and User Lapses are Bad News for Online Sales

Teach a person about phish and you help online commerce

Two dissimilar items, a survey and an article, recently caught my attention. The survey notes that consumers have become more aware of phishing, but aren’t yet perfect. The article says that the growth of online business will slow.

I think the two are related and any company with a retail side should pay attention.

The article, written by Allison Linn of MSNBC, looks at the future of online sales. The numbers are huge. Forrester Research predicts U.S. online sales growing from $132 billion in 2006 to $271 billion in 2011. Online sales, however, represent only nine percent of total retail sales. Conversely, Jupiter Research sees the online sales growth slowing to single digits by 2010. Although many other industries salivate over a nine percent growth rate, online business could do better.

The good news is that those who buy online will increase their online purchasing. The bad news is that those who don’t buy online still won’t. The number of customers who don't shop online is bigger than the number that do. Although analysts mention that one inhibition to online purchasing is the quality of the shopping experience, I think another is trust.

Part of that trust, or lack of it, is highlighted in a Harris Poll survey of consumer computing habits and attitudes. The survey was commissioned by e-mail security company Cloudmark. For the record, Cloudmark sells its anti-virus, anti-spam, and anti-phish service to many SMB customers, but the bulk of the 200 million e-mailboxes they help protect are carriers and ISPs, such as Cablevision, Comcast, and Cox.

Most people take any survey with a few grains of salt; any company-sponsor survey is looked at with a bit more suspicion. Even so, the survey of 2,200 computer users paints a picture of progress and problems. Among the statistics:

  • 89 percent are "as concerned" or "more concerned" this year than last year that they could become a phishing victim
  • 45 percent said they are receiving more phishing e-mail than last year
  • 27 percent are concerned that they cannot tell the difference between a legitimate e-mail message and a phishing message
  • 23 percent know of someone who was a phishing-attack victim

Among those concerned about phishing, some have changed their online commerce behavior:

  • 29 percent only use certain credit cards or accounts when they shop online
  • 21 percent only pay certain bills online
  • 20 percent have decreased the frequency of their online shopping.

I actually use the first strategy, but the second and third strategies are increasing business’ costs (still paying in person or by mail) or inhibiting sales. Therein lies the problem for businesses.

In the survey, 89 percent of the respondents believe that they should assume some responsibility for protecting themselves against phishing attacks; 82 percent think the ISP shares that responsibility.

Part of the self-sufficiency solution is user education. In many cases, education has succeeded. The decline in virus-laden e-mail attachments shows the fruits of that effort.

Is education the cure-all? As teenagers, we anxiously sat in driver’s education courses and dutifully absorbed and regurgitated regulations and practices. How many of those former teenagers do you see driving erratically or illicitly on your morning commute?

The same holds true for online activities. According to the survey, the numbers are improving but aren’t perfect.

  • 37 percent opened e-mail from unknown senders
  • 13 percent clicked on links in e-mail from unknown senders
  • 16 percent have given out personal information on a Web site that was "optional"
  • 9 percent opened attachments in e-mail from unknown senders
  • 6 percent responded to e-mail claiming there was a problem with their account; they owe money, they are owed money, or have an opportunity to make money

Several factors, such as having a public-facing job, make avoiding unknown e-mail senders impossible and justify strong anti-virus products. Anti-spam and anti-phishing products preserve our productivity and sanity. We have collectively become smarter about attachments.

Nevertheless, I’ve seen the flood from a single infected machine take out network segments. Imagine the damage when 9 out of every 100 machines go red, or when even 6 out of 100 people respond to phishing or 401 scams?

We need to do better.

Don't forget the final factor: confidence. Law enforcement is unaware of a single case of credit card numbers being intercepted during a Web transaction. This would seem to indicate that thieves get those numbers from users' computers or from company servers. Can you say TJX or ChoicePoint?

We need aggressive anti-spam and anti-phishing controls. We need to remain vigilant with servers holding transactions. We need to keep reminding our corporations' customers to maintain protection and stay smart. If online business is to increase, we need to earn more trust—and to justify that trust. Consider it a cost of doing business.