New ways to pay: Consumers embrace contactless cards while eschewing mobile payments.

What’s up with mobile payments? They’re the epitome of convenience … and yet most people haven’t taken the plunge.

It’s not as if major retail establishments haven’t begun offering mobile payment capabilities. Apple Pay is now available at three-fourths of the top 100 merchants in the United States (and at two-thirds of all U.S. retail locations overall). The stats for Google (Android) Pay are much the same.

But just because the capability is available doesn’t mean that people will start using it. Juniper Research recently analyzed the payment behaviors of consumers in the United States and UK.  It found that just 14% are using mobile payments for in-store purchases.

And even before mobile payments have had much chance to get out of the starting gate, another payment option — contactless credit cards — appears to be stealing their thunder.

Contactless cards work much the way a mobile device does — by simply tapping a terminal at checkout.

Actually, contactless technology isn’t exactly new; MasterCard introduced such cards more than a decade ago, and a number of transit authorities like the Chicago and London subway systems were early adopters.

But a critical mass has now been achieved, and market consulting firm ABI Research projects that by 2022, 2.3 billion contactless cards will be issued annually. Companies such as Amex and Capital One are already in it in a big way, and Chase started sending out contactless cards towards the end of 2018.

For consumers, the “tap-and-go” process of these cards takes only a few seconds — in other words, far faster than EMV chip cards that are the most prevalent current practice. Although a few observers disagree, it’s generally believed that contactless cards are nearly as safe to use as chip cards.

Accordingly, the vast majority of card issuers have zero-liability guarantees against fraud, figuring that the faster speed at checkout is worth it to consumers and vendors when weighed against the marginally higher security risk.

What are your preferred payment practices … and why?

Bait for the phish: The subject lines that reel them in.

To those of us who work in the MarComm field – or in business generally – it may seem odd how so many people can get suckered into opening e-mails that contain malware or otherwise wreak havoc with their devices.

But as it turns out, the phishing masters have become quite adept at crafting e-mail subject lines and content that successfully ensnare even the most alert recipients.

In fact, the phishers actually exploit our concerns about security by sending e-communications that play off of those very fears.

To study this effect, cybersecurity firm KnowBe4 conducted an analysis of the most clicked-on phishing subject lines of 2018. Its evaluation was two-pronged – charting actual phishing e-mails received by KnowBe4 clients and reported by their IT departments as suspicious, as well as conducting simulated phishing tests to monitor recipient behavior.

What KnowBe4 found was that the most effective phishing e-mail subject lines generally fall into five topic categories:

  • Passwords
  • Deliveries
  • IT department
  • Company policies
  • Vacation

More specifically, the ten most clicked-on subject lines during 2018, in order of rank, were these:

  • #1. Password Check Required Immediately / Change of Password Required Immediately
  • #2. Your Order with Amazon.com / Your Amazon Order Receipt
  • #3. Announcement: Change in Holiday Schedule
  • #4. Happy Holidays! Have a drink on us
  • #5. Problem with Bank Account
  • #6. De-activation of [recipient’s e-mail address] in Process
  • #7. Wire Department
  • #8. Revised Vacation & Sick Time Policy
  • #9. Last reminder: please respond immediately
  • #10. UPS Label Delivery 1ZBE312TNY00015011

Notice that nearly all of them pertain to topics that seem important, timely and needing the attention of the recipient.

Another way that KnowBe4 analyzed the situation was by pinpointing the e-mail subject lines that were deployed most often in phishing e-mails during 2018.

Here are the Top Ten, ranked in order of their usage:

  • #1. Apple: You recently requested a password reset for your Apple ID
  • #2. Employee Satisfaction Survey
  • #3. Sharepoint: You Have Received 2 New Fax Messages
  • #4. Your Support Ticket is Closing
  • #5. Docusign: You’ve received a Document for Signature
  • #6. ZipRecruiter: ZipRecruiter Account Suspended
  • #7. IT System Support
  • #8. Amazon: Your Order Summary
  • #9. Office 365: Suspicious Activity Report
  • #10. Squarespace: Account billing failure

Commenting on the results that were uncovered by the evaluation, Perry Carpenter, a strategy officer at KnowBe4, had this to say:

“Clicking [on] an e-mail is as much about human psychology as it is about accomplishing a task. The fact that we saw ‘password’ subject lines clicked … shows us that users are concerned about security.  Likewise, users clicked on messages about company policies and deliveries … showing a general curiosity about issues that matter to them.”

Carpenter went on to note that KnowBe4’s findings should help corporate IT departments understand “how recipients think” before they click on phishing e-mails and the links within them.

How about you? Are there other e-mail subject lines beyond the ones listed above that you’ve encountered in your daily activities and that raise your suspicions? Please share your examples in the comment section below.

No End in Sight to the Challenge of Email Deliverability

When it comes to e-mail communications in the B-to-B world, yet another study is underscoring just how challenging it is to reach corporate inboxes.

A new report by cyber-security firm FireEye, Inc. reveals that fewer than one-third of e-mails sent are actually making it into corporate inboxes. The FireEye analysis was based on tracking more than a half-billion e-mails sent between January and June of 2018.

The majority of those e-mails were deemed to be spam or malicious in their intent. Nearly 60% were blocked by threat intelligence and around 10% more were halted by attack prevention tactics such as URL inspection and attachment detonation.

E-mails were deemed suspicious because they triggered one or more of the following “red-light” cautions:

  • Malware-less impersonations
  • Malware viruses
  • Phishing attacks
  • Ransomware
  • Spyware
  • Trojan horses
  • Worms

Interestingly however, it turns out that only a small fraction of the e-mails actually had malicious intent, meaning that the super-strict filters being employed by companies are capturing a huge number of perfectly legitimate e-mail messages in their dragnet and rejecting them out of hand.

On the other hand, the FireEye analysis also determined that impersonation attacks have undergone a shift from domain name spoofing to “friendly” domain name scams – ones in which an e-mail address is manipulated to impersonate a trusted source.

As the study cautions:

“This shift in tactics may be driven by how easily cyber criminals can ‘spoof’ the display name and username portion of an e-mail header. Instead of having to go through the process of buying and registering a domain similar to – or one that sounds like – the recipient’s domain, they can simply change the display/user name.”
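A mail filter can catch the “friendly” name trick the study describes by comparing what the From header claims against the address that actually sent it. The following is an added example, not code from FireEye or from this post; the trusted-sender directory, the sample headers and the finding labels are all constructed for illustration.

```python
import re
from email.utils import parseaddr

# Constructed directory of senders an organisation trusts (assumption).
TRUSTED = {
    "jane doe": "jane.doe@example.com",
    "it service desk": "servicedesk@example.com",
}

# Finds an e-mail address typed into the display name; group 1 is its domain.
ADDR_IN_NAME = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def _split(addr):
    """Return (local part, domain) of an address, lower-cased."""
    local, _, domain = addr.rpartition("@")
    return local.lower(), domain.lower()


def inspect_from(from_header):
    """Return a list of impersonation findings for one From header."""
    display, addr = parseaddr(from_header)
    local, domain = _split(addr)
    name = " ".join(display.lower().split())
    findings = []

    # 1. The display name shows an address whose domain is not the sender's.
    embedded = ADDR_IN_NAME.search(display)
    if embedded and embedded.group(1).lower() != domain:
        findings.append("display-name-embeds-foreign-address")

    # 2. The display name belongs to a trusted sender, the domain does not.
    trusted_addr = TRUSTED.get(name)
    if trusted_addr and _split(trusted_addr)[1] != domain:
        findings.append("trusted-display-name-wrong-domain")

    # 3. The username (local part) copies a trusted one at another domain.
    for known in TRUSTED.values():
        known_local, known_domain = _split(known)
        if local == known_local and domain != known_domain:
            findings.append("trusted-username-wrong-domain")
            break
    return findings


# Constructed sample headers.
SAMPLES = [
    '"Jane Doe" <jane.doe@example.com>',
    '"Jane Doe" <jd8841@mailbox.test>',
    '"servicedesk@example.com" <notify@mailbox.test>',
    'IT Service Desk <servicedesk@mailbox.test>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", inspect_from(header) or "ok")
```

None of these checks depends on the sender having registered a look-alike domain, which is why they cover the case that domain-reputation filtering misses.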

The FireEye analysis is a reminder that because of their sheer pervasiveness, e-mail communications are also the most popular conduit for potentially significant cyberattacks. No wonder companies have their guard up.

The problem is, clearly a whole lot of wheat is being thrown out with the chaff.  And that makes e-communications hardly the slam-dunk communications tactic that many people assume them to be.

Fake e-mails: A small percentage … but a big number.

Recently released statistics by e-mail security and authentication service provider Valimail tell us that ~2% of e-mail communications worldwide are deemed “potentially malicious” because they’ve failed DMARC testing (domain-based message authentication, reporting and conformance) and also don’t originate from known, legitimate senders.

That’s a small percentage — seemingly trivial.  But considering the volume of e-mail messages sent every day, it translates into nearly 6.4 billion e-mails sent every day that are “fake, faux and phony.”

Interestingly, the source of those fake e-mails is most often right here in the United States.  Not Russia or Ukraine.  Or Nigeria or Tajikistan.

In fact, no other country even comes close to the USA in the number of fraudulent e-mails.

The good news is that DMARC has made some pretty decent strides in recent times, with DMARC support now covering around 5 billion inboxes worldwide, up from less than 3 billion in 2015.

The federal government is the biggest user of DMARC, but nearly all U.S. tech companies and most Fortune 500 companies also participate.

Participation is one thing, but doing something about enforcement is another. At the moment, Valimail is finding that the enforcement failure rate is well above 70% — hardly an impressive track record.
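The gap between publishing a DMARC record and enforcing it is visible in the record itself: a policy of `p=none` only asks for reports, while `p=quarantine` or `p=reject` tells receivers to act on failures. The following is an added example, not Valimail’s tooling or methodology; the domains and records are constructed, and counting a `pct` below 100 as not enforced is this example’s own assumption.

```python
def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not DMARC."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # The version tag must come first and must be exactly v=DMARC1.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def classify(txt):
    """Label a domain's DMARC posture from its TXT record (or None)."""
    tags = parse_dmarc(txt) if txt else None
    if tags is None:
        return "no-record"
    policy = tags.get("p", "").lower()
    # Strict simplification: a missing or unknown policy is reported invalid.
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"
    if policy == "none":
        return "monitor-only"          # reports only, nothing is blocked
    try:
        pct = int(tags.get("pct", "100"))   # pct defaults to 100
    except ValueError:
        return "invalid"
    if not 0 <= pct <= 100:
        return "invalid"
    return "enforced" if pct == 100 else "partial-enforcement"


def enforcement_failure_rate(records):
    """Share of domains that publish DMARC but are not fully enforcing it."""
    labels = [classify(txt) for txt in records.values()]
    published = [label for label in labels if label != "no-record"]
    if not published:
        return 0.0
    return sum(label != "enforced" for label in published) / len(published)


# Constructed sample records, as they would appear at _dmarc.<domain>.
SAMPLE_RECORDS = {
    "a.test": "v=DMARC1; p=reject; rua=mailto:dmarc@a.test",
    "b.test": "v=DMARC1; p=none; rua=mailto:dmarc@b.test",
    "c.test": "v=DMARC1; p=quarantine; pct=25",
    "d.test": "v=DMARC1;p=none",
    "e.test": None,   # no DMARC record published
}

if __name__ == "__main__":
    for domain, txt in SAMPLE_RECORDS.items():
        print(domain, classify(txt))
    print("not enforced:", enforcement_failure_rate(SAMPLE_RECORDS))
```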

The Valimail study findings came as the result of analyzing billions of e-mail message authentication requests, along with 3 million+ publicly accessible DMARC records. So, the findings are meaningful and provide good directional indications.

But what are the research implications? The findings underscore the degree to which name brands can be “hijacked” for nefarious purposes.

Additionally, there’s consumer fallout in that many people are increasingly skittish about opening any marketing-oriented e-mails at all, figuring that the risk of importing a virus outweighs any potential benefit from the marketing pitch.

That isn’t an over-abundance of caution, either, because 9 in 10 cyber attacks begin with a phishing e-mail.

It’s certainly enough to keep many people from opening the next e-mail that hits their inbox from a Penneys(?), DirecTV(?) or BestBuy(?).

How about you?  Are you now sending those e-mails straight to the trash as a matter of course?

Keeping law enforcement on the level.

Let’s go to the videotape … or not.

Video is supposed to be the “great equalizer”: evidence that doesn’t lie — particularly in the case of chronicling law enforcement events.

From New York City and Chicago to Baltimore, Charleston, SC and dozens of places in between, there have been a number of “high profile” police incidents in recent years where mobile video has made it possible to go beyond the sometimes-contradictory “he said/she said” statements coming from officers and citizens.

There’s no question that it’s resulted in some disciplinary or court outcomes that may well have turned out differently in times before.

Numerous police departments have responded in a way best described as, “If you can’t beat them, join them.” They’ve begun outfitting their law enforcement personnel with police body cams.

The idea is that having a “third party” digital witness on the scene will protect both the perpetrator and the officer when assessments need to be made about conflicting accounts of what actually happened.

This tidy solution seems to be running into a problem, however. Some security experts are calling into question the ability of body cameras to provide reliable evidence – and it isn’t because of substandard quality in the video footage being captured.

Recently, specialists at the security firm Nuix examined five major brands of security cameras … and have determined that all of them are vulnerable to hacking.

The body cam suppliers in question are CEESC, Digital Ally, Fire Cam, Patrol Eyes, and VIEVU. The cameras are described by Nuix as “full-feature computers walking around on your chest,” and as such, require the same degree of security mechanisms that any other digital device operating in security-critical areas would need to possess.

But here’s the catch: None of the body cameras evaluated featured digital signatures on the uploaded footage.  This means that there would be no way to confirm whether any of the video evidence might have been tampered with.

In other words, a skilled technician with nefarious intent could download, edit and re-upload content – all while avoiding giving any sort of indication that it had been revised.

These hackers could be operating on the outside … or they could be rogue officers inside a law enforcement department.

Another flaw uncovered by Nuix is that malware can infect the cameras in the form of malicious computer code being disguised as software updates – updates that the cameras are programmed to accept without any additional verification.

Even worse, once a hacker successfully breached a camera device, he or she could easily gain access to the wider police network, thereby causing a problem that goes much further than a single camera or a single police officer.

Thankfully, Nuix is a “good guy” rather than a “bad actor” in its experimentation. The company is already working with several of the body cam manufacturers to remedy the problems uncovered by its evaluation, so as to improve the ability of the cameras to repel hacking attempts.

But the more fundamental issue that’s raised is this: What other types of security vulnerabilities are out there that haven’t been detected yet?

It doesn’t exactly reinforce our faith in technology to ensure fairer, more honest and more transparent law enforcement activities. If video footage can’t be considered verified proof that an event happened or didn’t happen, have we just returned to Square One again, with people pointing fingers in both directions but with even lower levels of trust?

Hopefully not. But with the polarized camps we have at the moment, with people only too eager to blame the motives of their adversaries, the picture doesn’t look particularly promising …

Declining DUI arrests: What’s the cause?

Looking back over the past eight years or so, something very interesting has been happening to the arrest rate statistics for people driving under the influence.

DUI arrests have been dropping – pretty steadily and inexorably.

The trend started in 2011, when DUI arrests declined 8% from the prior year. In 2012 the decline was 4.1% … in 2013, it was another 7.2%.

And arrest rates didn’t plateau after that, either. DUI arrests have continued to decline — even as police departments have continued to put plenty of cops on the beat for such purposes.

One of the most dramatic examples of the continued decline is in Miami-Dade County — the highest population county in the entire Southeastern U.S.  The Miami-Dade police force made 65% fewer DUI arrests in 2017 than four years earlier.

Look around the country and you’ll see similar trends in places as diverse as San Antonio, TX, Phoenix, AZ, Portland, OR and Orange County, CA.

There are common threads in what’s being seen across the nation:

  • DUI arrest levels are down in major metro areas — but not necessarily in exurban or rural areas.
  • DUI arrest levels have declined in nearly all of the metro areas where ride-sharing services are prominent.

This last point is a significant factor to consider:  The increasing popularity of ride-sharing services has coincided with the drop in DUI arrests.

A 2017 University of Pennsylvania analysis found that in places where ride-hailing services were readily available, in most cases DUI arrests had declined by upwards of 50% compared to just a few years earlier.

Ride-hailing services are particularly popular with younger adults, who like the smartphone apps that make them pretty effortless to use.  They’re also popular with people who are looking for more affordable ways to get about town compared to what highly regulated taxi services choose to charge.

Plus, the “cool” factor of ride-sharing leaves old-fashioned taxi services pretty much in the dust.

The few exceptions of locations where DUI arrest declines haven’t been so pronounced are in places like Las Vegas and Reno, NV – tourist destinations that draw out-of-towners who frequently take public transportation, hail taxis, or simply walk rather than rent vehicles to get around town.

With the positive consequences of fewer DUI arrests – which also correlate to reductions in vehicular homicides and lower medical care costs due to fewer people injured in traffic accidents, as well as reductions in the cost of prosecuting and incarcerating the perpetrators – one might think that other urban areas would take notice and become more receptive to ride-sharing services than they have been up to now.

But where taxi services are well-entrenched and “wired” into the political fabric – a situation often encountered in older urban centers like Chicago, St. Louis, Philadelphia and Baltimore — the ancillary benefits of ride-sharing services don’t appear to hold much sway with city councils or city regulators – at least not yet.

One might suppose that overstretched urban police departments would welcome having to spend less time patrolling the streets for DUI drivers.  And if that benefits police departments … well, the police represent a politically important constituency, too.

It seems that some fresh thinking may be in order.

Are we now a nation of “data pragmatists”?

Do people even care about data privacy anymore?

You’d think that with the continuing cascade of news about the exposure of personal information, people would be more skittish than ever about sharing their data.

But this isn’t the case … and we have a 2018 study from marketing data foundation firm Acxiom to prove it. The report, titled Data Privacy: What the Consumer Really Thinks, is the result of survey information gathered in late 2017 by Acxiom in conjunction with the Data & Marketing Association (formerly the Direct Marketing Association).

The research, which presents results from an online survey of nearly 2,100 Americans age 18 and older, found that nearly 45% of the respondents feel more comfortable with data exchange today than they have in the past.

Among millennial respondents, well over half feel more comfortable about data exchange today.

Indeed, the report concludes that most Americans are “data pragmatists”:  people who are open about exchanging personal data with businesses if the benefits received in return for their personal information are clearly stated.

Nearly 60% of Americans fall into this category.

On top of that, another 20% of the survey respondents report that they’re completely unconcerned about the collection and usage of their personal data. Among younger consumers, it’s nearly one-third.

When comparing Americans’ attitudes to consumers in other countries, we seem to be a particularly carefree bunch. Our counterparts in France and Spain are much more wary of sharing their personal information.

Part of the difference in views may be related to feelings that Americans have about who is responsible for data security. In the United States, the largest portion of people (~43%) believe that 100% of the responsibility for data security lies with consumers themselves, versus only ~6% who believe that the responsibility resides solely with brands or the government.  (The balance of people think that the responsibility is shared between all parties.)

To me, the bottom-line finding from the Acxiom/DMA study is that people have become so conditioned to receiving the benefits that come from data exchange, they’re pretty inured to the potential downsides.  Probably, many can’t even fathom going back to the days of true data privacy.

Of course, no one wishes for their personal data to be used for nefarious purposes, but who is willing to forego the benefits (be it monetary, convenience or comfort) that come from companies and brands knowing their personal information and their personal preferences?

And how forgiving would these people be if their personal data were actually compromised? From Target to Macy’s, quite a few Americans have already had a taste of this, but what is it going to take for such “data pragmatism” to seem not so practical after all?

I’m thinking, a lot.
