spam, spam, spam, privacy, security & spam


For a direct link to our data privacy and computer security resources, click here.

For more examples of phishing messages, click here.

For more about the Trusted Email Open Standard, which would reduce the incidence of scam spam, click here.

"Scam Spam" Response:
The 3-Step Program

(Written by Stephen Cobb, Circa 2003)

A growing list of well-known companies have been victims of "spoofing" attacks referred to as "scam spam" or simply "phishing" (because they "fish" for data). These phishing attacks use email messages that look like they come from the well-known company but are actually sent by an impostor with malicious or fraudulent intent. Typically, the email tempts recipients to visit a bogus web site where they enter personal information that could be used for fraudulent purposes (such as credit card, bank account, and social security numbers).

The idea of this page is to explain what companies can do to protect themselves and their customers from these attacks (there is also an example of scam spam and a list of companies whose names have been used to dupe consumers).

Short Form:

1. Proclaim: state loudly and clearly, on the company web site and in customer correspondence, that: "All messages from the company bear the company's official mark; all others should be disregarded and reported as potentially fraudulent."

2. Protect: place the official company mark in all outbound messages.

3. Pursue: vigorously pursue legal sanctions against imitators of the company's official mark.

Long Form:

A Standard of Due Care for Corporate Email Protection
The 3-Step Response to "Scam Spam" Attacks

The list of companies around the world that have been targeted by "scam spam" now ranges from Bank of America to Wachovia, ANZ Bank in New Zealand to Commonwealth Bank and Westpac in Australia. They include big Internet brands like AOL, Earthlink, eBay, and PayPal, as well as consumer brands Disney, Best Buy, Microsoft and Sony.

Attacks via spoofed or fake email pose a threat to consumers, whose personal information, including credit cards and bank accounts, may be targeted, and compromised as a result.

For companies whose names and identities are faked in these attacks there are both primary and secondary risks. The primary risk is that the attacks will undermine consumer trust and confidence in the company, the costs of which are obvious.

The secondary risk is that consumers who suffer losses as a result of these attacks will accuse companies of not doing enough to prevent them. The costs here include litigation and unwanted attention from regulators (note that the Federal Trade Commission .

This is why corporate officers need to make sure that their company is taking reasonable and appropriate measures to reduce risks from spoofing attacks. Fortunately, there is a simple 3-step approach that companies can use to mitigate risks from fake email: Proclaim, Protect, Pursue.

Here's how it works:

1. Proclaim: the company states loudly and clearly, on its web site and in customer correspondence, that: "All messages from the company bear the company's official mark; all others should be disregarded and reported as potentially fraudulent."

2. Protect: the company places its official mark in all its outbound messages.

3. Pursue: the company vigorously pursues legal sanctions against imitators of the official mark.

This 3-step approach is based on the well-established principles of positive discriminators and a preponderance of discouragement. In fact, these correspond to Protect and Pursue, steps 2 and 3.

A positive discriminator is something that makes it easier for the consumer to tell the difference between the real thing and a fake. A preponderance of discouragement is the effect of actions such as highly public prosecutions and fining of fakers.

Ample evidence of the reasonableness of this approach can be found in areas as diverse as banking and computer software, where it has been used to handle fake credit cards and pirated software respectively. Several years ago, banks and software companies started to use holograms to make these items harder to fake (positive discriminators). And they have pursued legal action against those who persist in trying to make fakes (preponderance of discouragement).

It is important to note that the use of positive discriminators aids the preponderance of discouragement by raising the profile of transgressors. The addition of a hologram to a credit card does not prevent someone from making a fake credit card, just as placing an official mark in a message won't magically stop fake messages, but taking this extra step makes it more expensive to make a credible fake. In turn, this reduces the number of persons willing and able to attempt faking, and it makes it easier to identify those who try it (the design of paper currency is built on the same principles).

Which raises the question: What is the email equivalent of a hologram, something you can place in a message but which is very hard to duplicate? One answer is to embed a unique image or character string in each outbound email. The visible portion of the embedded information reflects the recognizable name and brand identity of the sender. The recipient of such a message can see that it appears genuine, but if the recipient seeks further confirmation, he or she can verify its authenticity through automated interaction with a secure computer system controlled by the sender.

The technology to do this exists and it is in use today (see Trusted Sender for an example). Faking the information that this particular technology stamps into messages is extremely difficult, making spoofing of messages a far more formidable challenge. Those who attempt it would be much easier to defeat or pursue than today's scam spammers.
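To make the "email hologram" idea concrete, here is an added illustration (not code from this page, and not the Trusted Sender product's implementation) of a sender-side mark service: each outbound message gets a visible mark made of a random message id, an issue time and a keyed tag, and a recipient who wants confirmation submits the mark to the sender's own verification system, which recomputes the tag with a secret only the sender holds. The service class, the mark format, the addresses and the timestamp are all assumptions for the example.

```python
import hashlib
import hmac
import re
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed demo key. A real sender would keep this in a secret store or HSM
# and never disclose it; recipients only ever talk to the verification service.
SENDER_KEY = secrets.token_bytes(32)

# Assumed visible mark format: [Official mark <id>-<issued_at>-<tag>]
MARK_RE = re.compile(r"\[Official mark ([0-9a-f]{16})-(\d+)-([0-9a-f]{64})\]")


@dataclass(frozen=True)
class Mark:
    """The visible 'hologram': a per-message id, issue time and keyed tag."""
    message_id: str
    issued_at: int
    tag: str  # hex HMAC-SHA256 over sender, recipient, message_id, issued_at


def _canonical(sender: str, recipient: str, message_id: str, issued_at: int) -> bytes:
    # Bind the tag to both addresses so a genuine mark cannot be lifted
    # out of one message and pasted into mail aimed at somebody else.
    return "\n".join([sender.lower(), recipient.lower(), message_id, str(issued_at)]).encode()


class MarkService:
    """Sender-controlled system that stamps outbound mail and answers verification queries."""

    def __init__(self, key: bytes, max_age_seconds: int = 30 * 24 * 3600):
        self._key = key
        self._max_age = max_age_seconds
        self._issued: Dict[str, Tuple[str, str, int]] = {}  # id -> (sender, recipient, issued_at)

    def _tag(self, sender: str, recipient: str, message_id: str, issued_at: int) -> str:
        return hmac.new(self._key, _canonical(sender, recipient, message_id, issued_at),
                        hashlib.sha256).hexdigest()

    def stamp(self, sender: str, recipient: str, now: Optional[int] = None) -> Mark:
        issued_at = int(time.time() if now is None else now)
        message_id = secrets.token_hex(8)  # 16 hex chars, unpredictable to an impostor
        self._issued[message_id] = (sender.lower(), recipient.lower(), issued_at)
        return Mark(message_id, issued_at, self._tag(sender, recipient, message_id, issued_at))

    def verify(self, sender: str, recipient: str, mark: Mark, now: Optional[int] = None) -> bool:
        now = int(time.time() if now is None else now)
        record = self._issued.get(mark.message_id)
        if record is None or record != (sender.lower(), recipient.lower(), mark.issued_at):
            return False  # never issued, or issued for a different message
        if mark.issued_at > now or now - mark.issued_at > self._max_age:
            return False  # post-dated or stale mark
        expected = self._tag(sender, recipient, mark.message_id, mark.issued_at)
        return hmac.compare_digest(expected, mark.tag)  # constant-time comparison


def render_mark(mark: Mark) -> str:
    return f"[Official mark {mark.message_id}-{mark.issued_at}-{mark.tag}]"


def parse_mark(body: str) -> Optional[Mark]:
    m = MARK_RE.search(body)
    if m is None:
        return None
    return Mark(m.group(1), int(m.group(2)), m.group(3))


def demo() -> Dict[str, bool]:
    """Genuine mark accepted; forged, re-used and expired marks rejected."""
    svc = MarkService(SENDER_KEY)
    sender, customer = "alerts@example-bank.example", "alice@example.net"  # constructed
    t0 = 1_700_000_000  # constructed issue time
    genuine = svc.stamp(sender, customer, now=t0)
    body = "Your statement is ready.\n" + render_mark(genuine)

    results = {}
    results["genuine"] = svc.verify(sender, customer, parse_mark(body), now=t0 + 60)
    # An impostor without the key can only invent a tag.
    forged = Mark(secrets.token_hex(8), t0, "00" * 32)
    results["forged"] = svc.verify(sender, customer, forged, now=t0 + 60)
    # A genuine mark copied into mail sent to a different customer.
    results["replayed"] = svc.verify(sender, "bob@example.net", genuine, now=t0 + 60)
    # A genuine mark presented after its validity window has closed.
    results["expired"] = svc.verify(sender, customer, genuine, now=t0 + 31 * 24 * 3600)
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:9s} -> {'accepted' if accepted else 'rejected'}")
```

The visible id and time are the part a customer can read and recognize; the tag is what makes the mark hard to duplicate, and binding it to the recipient address and a validity window is what keeps a real mark from being recycled into a fake message.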

For these reasons, the standard of due care for companies who routinely use email to reach their customers is to follow the 3-step process: Proclaim, Protect, Pursue.

Failure to do so will increase the risks from spoofed email.

About the Author
During more than twenty years in the field of computer security and audit, Stephen Cobb has helped shape current thinking about information security through books, articles, seminars and consulting engagements with Fortune 500 companies and government agencies such as the NRO and the FTC. The author of more than two dozen books about information technology, Mr. Cobb published his first security book in 1992, helping to form the Common Body of Knowledge for the Certified Information System Security Professional. A contributor to The Computer Security Handbook and The Handbook of Information Security Management, he is the author of Privacy for Business: Web Sites and Email, which can be found on the bookshelf of nearly every privacy officer in corporate America. In addition to teaching security to graduate students at Norwich University in Vermont--an NSA Center of Excellence in Information Assurance--Mr. Cobb operates several web sites that provide privacy and security help and helped fund the Trusted Sender technology and the spam "squelching" technology in TurnTide.

Notes:

1. Here is a list of companies whose names have been used in scam spam:
Bank of America
Wachovia
ANZ Bank (New Zealand)
Commonwealth Bank (Australia)
Westpac (Australia)
AOL
Earthlink
eBay
PayPal
Disney
Best Buy
Microsoft
Sony

2. SpamSquelcher and Trusted Sender are trademarks of ePrivacy Group. All other trademarks mentioned on this page are the property of their respective owners.

3. See below for a screen shot of the Bank of America scam spam. For more examples of phishing messages, click here.


Screenshot of Bank of America scam spam


Updated 2004 by webloke © Stephen Cobb
Some article content reprinted by permission.
Article content copyright named author(s).