Establishing Digital Trust: Don't Sacrifice Security for Convenience
The latest trend in spam and identity theft is called brand spoofing. The spam has notraceable return address and appears to be sent from a large company seeking informationfrom its customers. Pretending to be a large business, say Sony, BestBuy or eBay, which hasa relationship with the user, the spammers ask for critical password, user names and creditcard information.
It's both spam and identity theft. But now there's a heightened level of sophistication tothe trickery being used to fool people into giving up critical personal information. And ithas the potential to not only empty people's bank accounts but to sully a company'sreputation.
''This is extremely dangerous,'' says Susan Larson, vice president of global product contentat SurfControl Plc, a London-based Web and email filtering company. ''It's like organizedcrime on the Internet... They use the name of a large company and the idea is that with alarge spam attack, at least some of the people receiving the spam will have done businesswith that bank or retailer or company. It gives it an air of legitimacy that is foolingpeople.''https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i Larson says brand spoofing spam is generally looking for account information, passwords,user names and credit card information. The spam recipient is usually asked to click on alink to a page that has been doctored up to look like an official company page, or they'reasked to send a reply email with the requested information.
''The idea of being able to completely mask who you are, being able to blast emails to largenumbers of people who might have a connection with these companies is all fairly devious,''says Larson, adding that they first saw signs of brand spoofing in late February or Marchbut it's since been picking up speed. ''They only have to get a very small hit to do somedamage and make some profit on this one.''
But the damage isn't being limited to a consumer's checkbook. Ray Everett-Church, chiefprivacy officer for Philadelphia-based ePrivacy Group, Inc., says these new attacks arequick to damage a company's sacred name.
''Any time you have spam masquerading itself as coming from a legitimate source, it canseverely damage the brand name being spoofed,'' says Everett-Church. ''This is a company'sbrand. This is their business... Anytime somebody is using your brand in a way they're notauthorized to, it's a problem.''
Everett-Church says IT managers need to be aware of the earliest warnings signs thatsomething is amiss.
''You have to be extremely vigilant in all of your customer-facing activities,'' he notes.''Be on the lookout for reports of strange emails -- anything that might suggest your brandis being spoofed. If you receive strange bounced emails, a lot of attempts to visit a Webpage on your site that doesn't exist, or if people go first to a page deep in your Web sitewithout going to the homepage and navigating through, these are all telltale signs.''
Everett-Church recommends that IT managers sit down with business executives and compose anemail to customers. They should warn customers of the brand spoofing problem and make themaware that they will never ask for people's private information or passwords via email. Warnthem not to go to a Web site if they're not entirely sure it belongs to the legitimateorganization. Educate customers about the company's normal practices, and give themeasy-to-use feedback channels to report suspicious emails.
SurfControl's Larson also recommends that IT managers make sure employees are educated aboutspam and fraudulent emails.
''IT managers need to make employees cyber security aware and spam savvy,'' says Larson, whoadds that a recent SurfControl survey showed that 90 percent of IT managers do not do any employeeeducation. ''Make them aware of the latest spam trends and make them aware of whatinformation they should never pass on.''