spam, spam, spam, privacy, security & spam

For more on why we are skeptical of this prediction, click here.

For network-based spam-fighting at the enterprise level, check out TurnTide anti-spam router

10 things companies should do about spam

 3 steps to protect corporate email and online identity

 More about phishing and brand theft (pdf)

Why it's okay to say EMAIL CAN BE SPAM but it's dumb to say email can be SPAM

For lots of statistics about the spam problem, click

Spoofing, Phishing, and Online Identity Theft: Examples

On this page you will find early examples of a particularly nasty form of spam, messages sent to consumers by persons who misappropriate corporate identity for malicious purposes. This is known as phishing (click here to read our introduction page if you are new to this topic).

Given the dramatic increase in phishing activity in 2004, we no longer have sufficient resources to keep this collection up-to-date. However, the examples on this site serve to illustrate the basic techniques used in phishing attacks.

The Anti-Phishing Working Group (APWG) is the global pan-industrial and law enforcement association focused on eliminating the fraud and identity theft that result from phishing and email spoofing of all types. You will find a large archive of attacks, as well as news on the latest attacks, at the APWG web site.

In our opinion, phishing is likely to continue unabated, costing financial companies and individuals billions of dollars every year, until two things happen:

1. The major ISPs set aside their tactics of using anti-spam features as a marketing tool against each other and come together to fight spam.

2. Internet users are taught to accept and fulfil their responsibilities as computer system operators.

However, we should be wary of efforts to lay all of the blame on gaps in user education. The companies who over-sold users on the boundless benefits of Internet connectivity bear a lot of responsibility for making good on their promises.

FDIC Patriot Act (phishing)
A particularly nasty example that preys on people's fears of big government and shamelessly subverts the War on Terrorism to fraudulent ends. We also have a picture of the bogus web site to which the link in this message leads. Note that it looks as though it is www.fdic.org, but it is not. Click here for a view of the bogus site.

Bank of America (phishing)
One of the first to use images and achieve a really wide distribution. Evidence that phishers use spamming techniques to achieve rapid dispersal in an effort to get as many 'catches' as the can before being shut down.

Citigroup (phishing)
This is the one the press called about. Over 50 newspapers around the world carried this quote:

"We are seeing a lot of this [brand fraud in email], and it's been my contention that this is one of the biggest threats to brands and consumer confidence that we've seen over the Internet," said Stephen Cobb, senior vice-president of research and education at ePrivacy Group, an anti-spam technology company in Philadelphia. "It's very distressing, and it can't help but have an impact on your assessment, not necessarily of the bank, but of online banking with the bank." Mr. Cobb said his firm, along with several others, make technologies that work to sort legitimate e-mails from fakes.

eBay (phishing)
Forwarded to me by several people, just one of many different fraudulent emails targeting eBay users.

PayPal (phishing)
Spotted 1/18/03, this is probably the most professional of the phishing messages we have seen so far. Rivals the Microsoft malware message for authentic appearance. The spelling and grammar are the highest quality yet.

Generic US Bank (phishing)
This is interesting because it probably conned a wide range of people: potentially anyone who thinks they are a customer of a US bank. I realize there is a "U.S. Bank" and it has over $180 billion in assets, but I also know consumers and I bet some fell for this even who don't even have accounts at U.S. Bank. Note how the link looks like plain text and very honest:

https://www.usbank.com/account_verify/cgi/index.htm

but it is actually html coded to go here:

http://www.usbank.com@bos.es.kr/index.htm

Microsoft (malware)
Not phishing like the other examples, but similar in its abuse of corporate identity to achieve malicious ends. This message, notable for the way it mimics Microsoft's web style. has been used to spread various worms.

Note: All trademarks displayed are the property of their respective owners. Images may include copyright material and are displayed for educational purposes. Email users should think twice before replying or responding to any message requesting or referring to personal information such as user name, password, social security number or bank account.

Trusted Email Open Standard
TEOS is a practical roadmap to a spam-free future. Co-authored by Stephen Cobb and his colleagues at ePrivacy Group, endorsed by several consumer groups, TEOS offers enormous benefits for everyone who uses email. Find out why your ISP should back TEOS today.

Trusted Sender
Using patent-pending technology that is available today, Trusted Sender is one thing every company can implement right now to fight back against spam, email fraud, and corporate identity spoofing. It could even help government agencies such as Homeland Security protect against cyber-terrorism tactics like an email disinformation campaign aimed at hampering first responders.

The Multi-Billion Dollar Corporate Spam Threat
(and we are not talking about the cost of filtering)
Spammers regularly take the identities of leading companies in vain and perpetrate fraud in their name. Unless company executives take steps to help consumers distinguish legitimate email from fraudulent spam, they could face some tough consequences.

The SpamSquelcher Press Release: 2/11/03
Announcing a product developed by ePrivacy Group to prevent spammers from stealing network resources from companies and Internet Service Providers. Very cool stuff because it won't block legitimate messages, but it will save companies money (when you read the claims we are making for this product, you might be tempted to think it's just marketing hype: it's not—this really is an important new development in the war on spam).

The AES Trusted Sender Press Release: 2/04/03
A landmark in the development of Trusted Sender, which uses ePrivacy Group's Postiva technology. The Trusted Sender program has the potential to eventually render spam irrelevant.

Press release on the New York spam verdict: 1/24/03
My reaction to a potentially landmark decision in a spam case in New York.

Cobb article on the economics of spam: February, 2003
Until the "parasitic economics" of spam are reversed, spam will continue to grow (it is currently growing at 15 percent per month, at least) to the point where it overwhelms legitimate email. Understanding spam-e-nomics is the first step to solving the problem and reversing the trend

Updated 2005, by webbloke at cobbsblog.com, © Stephen Cobb, 2005