Why You Need to Keep Brands Out of Phishing Simulations
The top 4 brands in the world—Apple, Google, Microsoft, and Facebook—are worth over $500B. Not the operations of those brands, not their proprietary technology, or their real estate—the brands alone. When something is that valuable, companies protect it zealously. They monitor how their brands are used and take action to defend them.
Cofense stands firm on not allowing 3rd party brands or logos to be utilized in our phishing simulations without prior express permission. There are times when we may partner directly with specific brands and organizations on the official inclusion of their brand assets in simulation content where it makes sense for something like an enterprise targeted phishing simulation. However, this is done in strict strategic collaboration with the brand’s legal and executive counsels to ensure the mission and strategy of protecting both the brand and reputation of ourselves and our strategic brand-partners is maintained throughout the entire exercise.
Let’s Define “Brand”
Before we dive into the issue of brands in simulations, let’s look at the definition of “brand.” In fact, let’s start by talking about what brand isn’t.
A brand is not a logo. It’s not a tagline, and it’s not an ad. It’s all of those things and much, much more.
A brand is a company’s purpose and a promise. Within the walls of the organization, it’s about a culture that is meaningful and inspiring—the brand is why people show up for work every day. To the public, it’s about delivering unique value. The brand is a promise to customers that’s made and kept time and time again.
Think about your cell phone choice. Think about that bag of chips you just opened. Or how about the handbag you just bought because you wouldn’t pick any other brand. Each of these companies stand for something. Because their brand guides everything they do. This is why people can spend hours watching YouTube videos of others “unboxing” their Apple products every time a new product release hits the market.
Brands do come to life through advertising. But they also come to life in a greeting, the voice on the phone, or an amazing experience. And it’s there, in the brand experience, that real value is created in the form of satisfaction, preference and loyalty.
What’s the Advantage of a Brand?
Brands communicate efficiently. Brands are signals. In today’s busy, fast-paced world, brands cut through the clutter. When you see that simple swoosh or the silhouette of a bitten apple, your mind is flooded with all sorts of associations. The best brands send emotional signals right alongside the rational ones.
Brands are own-able. It doesn’t take much to replicate an innovation these days. And, let’s face it, many products are barely differentiated as it is. Brands stand for more than just product attributes, they stand for how products are delivered and experienced. Your brand might be the only thing you own that isn’t replicable!
According to the World Intellectual Property Organization (WIPO)1, many organizations have begun to realize their IP assets have a greater value than their physical assets. When these intangible assets are protected by IP rights and have a firm value for the organization, they become property, are added to the balance sheet, and cannot be commercialized or used without prior authorization.
Brands are trusted. Brands act almost like insurance policies for consumers. Like people, brands that keep their promises or are recommended by friends build up a kind of trust credit. Consumers tend to choose the brands recommended by friends or family, because they are more likely to be happy with the outcome.
And again, brands are valuable.
This chart spells it out.
When a Phishing Simulation Uses a Brand…
…the emails eventually make their way back to the real company. I know because I’ve seen these and, being known as the “phishing person” in the organization, I always got a glimpse. Needless to say, the company being impersonated, even though “only” in a simulation, isn’t happy. What if a simulated phish is shared on social media? How many people, not knowing the email wasn’t a real phish, would shy away from the brand? It’s not crazy to suggest the brand’s stock price might nosedive.
Most of the brands seen in real phishing campaigns target the consumer. Many of these messages lure consumers to provide their credentials—to their online banking account, to their online music or photo sharing sites, or simply to their social media sites. Why are these credentials targeted? Most people use the same passwords across multiple sites and applications.
Regarding enterprise phishing campaigns (real ones), it’s worth remembering that most are nothing more than a simple request for an invoice, purchase order, or download document, without even mentioning a brand or showing a logo. It’s not absolutely necessary to utilize brands or logos.
When I worked for one organization, I had people at public events seek me out just to tell me how much they really appreciated the company I worked for and the way they always received top notch service. So I recognize the sense of pride a brand can have on an organization. It matters.
At Cofense, we respect these brands and what they stand for—some may even be our customers.
Still Not Convinced?
In a recent report published by RiskIQ, results from a survey of over 1,600 U.S. and U.K. information security leaders across verticals, provided insights into their cyber-risk concerns and plans for 2018. What shows up as #3? Brand.
For insights on other aspects of phishing awareness training, view the 2017 Cofense Phishing Resiliency and Defense Report.
1 World Intellectual Property Organization: http://www.wipo.int/sme/en/ip_business/ip_asset/value_ip_assets.htm
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.