Phishing as the Next Consumer Data Protection Challenge

Today’s websites and mobile apps are rife with personal data solicitation and theft.  

First it was cookies. Then it was fingerprints. Now it is pixels. Regulators are getting hip to the glut of consumer data collection opportunities in today’s websites and mobile apps. While the U.S. Federal Trade Commission has been busy handing out enforcement actions (most recently BetterHelp and GoodRx), the federal government is doubling down on its attempt to ban TikTok, with data privacy issues a driving factor.

These efforts overlook another significant manner in which consumer data is unobtrusively stolen during everyday website/mobile app use: phishing via display advertising. Phishing is not just orchestrated via email or text, and online phishing detection plays a significant role in malvertising prevention strategies.

Phishing can be a Goldmine…and a Nightmare

Beyond loyalty programs and subscriptions, consumer-facing digital assets can be significant revenue channels for businesses looking to monetize consumer experience—media, retail, healthcare, travel, restaurants, and more. They are also a goldmine for bad actors searching for vulnerable consumer targets.

Each month, The Media Trust detects more than a thousand phishing incidents via display advertising. Each incident typically affects thousands of consumers, auto-redirecting them to content that uses false promises to entice users to click fraudulent links or share sensitive information. Egregious incidents are often grouped: GhostCat, Fizzcore, MimicManager, IcePick. Even worse, the elderly are most affected by phishing attacks (Figure 1).

Figure 1: Malicious phishing incidents detected across different age groups.

All it takes is a fun quiz, survey, sweepstakes, weight loss, or money-saving promotion to entice a click. The consumer is redirected to a page requesting personal details in order to receive some kind of prize (which is often imaginary).

Phishing attacks can be a prolonged nightmare for consumers. In addition to credential harvesting, these attacks enable data exfiltration, cloaking, exploit kits, APKs, ad injectors, DDoS bots and more. Compounding the issue, personal data is resold on the dark web for continued (and often more dangerous) attacks. Don’t think that’s a problem? Just ask the people of Ukraine, who experienced a barrage of phishing attacks in the lead-up to the invasion.

Consumer Data Protection Identity Crises

Enabling digital trust and safety requires strategies that address both data protection and user security. In addition to creative blockers, consumer-facing sites have spent the past few years standing up CMPs (consent management platforms) to maintain access to EU consumers and prepare for the eventual deprecation of the third-party cookie. U.S. audiences are subject to a messy patchwork of consumer data protection laws at the state (6 and counting – Welcome, Iowa!) and federal level (HIPAA, COPPA) that vary in definitions, affected parties, and penalties.

Lacking a national law, U.S. businesses are forced to learn, evaluate, and implement different policies to address privacy or risk being the next enforcement action poster child. It’s easy to get lost in the tactics and overlook the legislative intention: safeguarding the consumer.

Know Your Website. Protect Your Users.

Don’t let the current TikTok or pixel concerns distract you. The FTC as currently constituted has been pretty clear about its intentions, warning that those who take a cavalier approach to privacy are in its crosshairs.

Be prepared. Along the lines of the established “Know Your Customer” policies in use today, knowing the comprehensive user experience on your digital assets (websites and apps) facilitates compliance with a myriad of consumer data protection laws. Documenting the vendors that execute on those assets and their tracking activities (authorized and unauthorized) is critical. As an added bonus, you might even discover digital partners that detract from the user experience, e.g., exploit kits, redirects, large download size, long load time, excessive calls, and so much more.

This is a process in place with premium media sites including those standing up retail media networks. Ask us to show you this information in your environment.