Yesterday I read a report from Symantec that said that spearphishing is up 91%. In the old days phishing was a numbers game, but as internet users got smarter the returns fell and cybercrooks had to step up their efforts.
Some of the phishing emails that I’ve received recently show that the phishers out there know quite a lot about me—and probably you too. They know where I was born, which university I went to, where I went on holiday, what my political leaning is, a whole host of information; some of it quite personal. The amount of personal information that we share has exploded since the advent of social media.
What’s more, some of the messages look pretty sophisticated, are better written than a lot of emails that I receive, and are clearly part of a long game. Whereas early examples of phishing were pretty blunt and basically said “give us your bank details now”, some spear-phishing includes sophisticated social engineering. Crooks will try to build up a detailed profile using multiple messages, phone calls and mining of social media profiles. This gives them a mass of information to guess answers to security questions—they’ll know your mother’s maiden name and other old favourites. And they are no longer just after bank account or credit card details—there are lots of ways that crooks can make money. If they reset the password to your email or Twitter account and locked you out, how much would you pay to get back in? Mat’s story is a terrifying example of how far it can go.
So my question is, why are so many marketers so bad at doing this? Not perpetrating cybercrime, that is, but at putting in the effort to profile and target their prospects like the unique individuals that they are? I’m not suggesting that marketers should stalk potential customers, but everybody would benefit if more marketers did their homework.
Tailoring content by industry vertical is all the rage at the moment; and some companies are doing it well, but most are just paying lip-service to it. We’ve seen so many companies split their market into just six, seven or even a dozen groups and assume that their situations and needs are “close enough” to being the same that the differences don’t matter. Well, the differences do matter.
Let’s take Metro Bank as an example. If you assumed that it fell into a “financial services” category, you’d be lumping it in with insurance companies, merchant banks and financial advisors. These are all quite different types of companies with different needs. Even if you went down a level and created a group for “retail banks”, you’d be way off the mark. Metro has “stores”—it doesn’t call them branches. These stores open 362 days a year—yes, including weekends and most Bank holidays (and they open late too!). It hasn’t made any money yet, but that’s because it’s investing in growing. It prides itself on doing things differently: for example, it says that it should take less than 15 minutes to open an account—and that includes getting a debit card, no waiting for it to arrive in the post. Doesn’t sound a lot like Barclays or Natwest does it?
Metro’s needs and interests are probably more in line with those of many retailers than other finance organisations. But retail is just as diverse: how much does Apple have in common with Tesco? Their margins, supply chain, use of in-store technology and lots of other things are radically different.
I’m not saying that vertical marketing is useless unless you have a thousand categories—I doubt any company has the time or budget to segment that much. But we could all do with keeping the sheer variety of businesses in mind as we choose our target markets, and when it comes to reaching out to important prospects, learn from the spearphishers and really focus down on the individual. We could call it “spearmarketing”.
Posted by John on 4 July 2014