The Multi-Billion Dollar
Spoofing, Phishing, and Online Identity Theft
©Stephen Cobb and Chey Cobb, 2003
We'd be very surprised if any reader of this web site could find even one good word to say about spam, that seemingly endless stream of unsolicited email full of offers to sell you things you don't want to buy and enlarge parts of the human anatomy you may not even possess. But as unsavory as most folks find this subject, we need to bring it up, because spam has now gone way beyond annoying, right past disgusting, to downright costly. According to Ferris Research, spam set U.S. organizations back $8.9 billion in 2002, based on lost productivity and the consumption of IT resources and help-desk time.
It Gets Worse
Unfortunately, that figure is not, in our opinion, an exaggeration. Even worse, we don't think it represents the full measure of spam's economic impact, not by a long way. Even as companies invest in spam filtering software to screen it out of their networks, and ISPs invest in more and more storage and bandwidth to cope with rising spam volumes (which now make up half of all email traffic), the bigger cost may be the spam that some companies never see at all, because their own filters screen it out before anyone notices that it is impersonating them.
We are talking about bogus email, which is our term for spam that attempts to pass for legitimate email by making unauthorized use of established brand names and logos. A classic example is the mortgage offer spam that uses the brand name and logo of a respected bank or real estate firm to persuade people to supply personal data to the spammer's web site (under the pretense of confirming a pre-qualified mortgage). Such data can then be sold by the spammer. If phone numbers and physical addresses are obtained, these can be sold as sucker lists for bottom-feeding boiler-room peddlers of things like limited edition coins. Any email addresses harvested this way can also be sold as confirmed lists used to send more spam.
A variation of this spam-scam leverages the good name of established software brands, such as Adobe and Symantec, to harvest data that includes your credit card number. Ever wonder why Symantec would authorize those email marketing offers that knock 90 percent off the price of its products? Well, it doesn't. Those messages, often featuring a product that people tend to buy in a state of panic, such as Norton AntiVirus, are either looking to grab your credit card or sell you pirated software.
It is a sad fact of Internet life that consumers are sent millions of emails every day that use hijacked brand names and corporate logos to further the (often illegal) profiteering goals of the sender. This unauthorized use of valuable corporate assets ranges from the merely sneaky to the blatant theft of corporate identity, perpetrated for the sole purpose of defrauding consumers. Some of those consumers lose money. How much is not known, but we do know the cost to companies is significant.
For a start, companies like Symantec have to mobilize staff and resources to try to stop this dilution of their brand. But that may just be the tip of the iceberg compared to the effect that brand dilution has on revenues.
The combined annual revenues of the Fortune 1000 are roughly $7 trillion. If top brand names account for just 10 percent of that figure ($700 billion), and those names suffer a 5 percent reduction in revenue due to people's association of them with unpleasant email experiences, we are looking at $35 billion in lost value. (Some might argue that the value is not lost, because demand is not reduced, but there is evidence to suggest negative experiences in some product categories do reduce demand across the category; besides, if it is your company's revenue that is being eroded, you will surely see it as a loss.)
You know spam is a problem when you turn on the news and see a reporter talking to you from the Federal Trade Commission's Spam Forum in Washington, D.C. That is what we saw on April 30 this year (2003), along with a lot of hand-wringing about what a menace spam has become. The focus of most reporters was the pain that spam causes the consumers who find it in their inbox. A close second was the billions of dollars companies pay to prevent spam from flooding their networks.
We heard very little about the tendency of fraudulent email to undermine brand value. So let us present a scenario to make it a little more real. Imagine you run a company that has a thriving online retail operation. One day several thousand customers get email that says:
The message sports your corporate logo and the From address is at your company's domain, but your company did not send the message. Even worse, the message goes on to say:
The link contains your site's domain name, so it looks legitimate, but the link leads to a different site, one that looks a lot like yours, but actually harvests your customers' account numbers, user names, passwords, and possibly even credit card numbers. (Your name can appear anywhere in a link, as a subdomain, in the path, or in the user-info part before an @ sign, while the host that actually answers the request belongs to the fraudster.) This is not an imaginary scenario. The quotes above come from a fraudulent email that we, and millions of other email users, recently received.
Another Threat Surfaces
If consumers continue getting email like this, the effects are going to be very serious for some companies. Apart from the erosion of brand value that we talked about earlier, there is the possibility of legal action by consumers who have been duped, cheated, or had their identity stolen due to email like this. The perpetrators of these scams are hard to find and harder to prosecute. So lawyers for the plaintiffs are going to look to those they can find, the same companies whose names and logos are being misappropriated.
Some lawyers are bound to be asking themselves these questions: Could Company X have done more to prevent dilution of its brand by bogus email? Could said company have done a better job of protecting consumers from those who are perpetrating email fraud in the company's name? Class action lawsuits along these lines, from shareholders and consumers, are not hard to imagine.
Without a miraculous end to the flood of spam, the likelihood of such lawsuits will only increase over time, especially if companies fail to take stronger action in defense of their good names. How and when companies respond to this threat will determine the extent to which they are exposed to accusations of negligence with respect to both brand dilution and customer protection.
But is there anything companies can do, apart from encourage the large Internet companies to get their act together and put an end to spam? The challenge can seem daunting when you look at the low cost of entry into mass emailing and the relative ease with which a company's digital assets can be ripped off. After all, these days anyone can make a pixel-perfect, zero-cost copy of whatever logos, trademarks, and signage appear on your company's official web site.
With HTML email it is easy to make official-looking messages and hide hijacked links. Even when the email is text, the links are hard for the average consumer to decipher as false. Consider this one:
This came straight from a fraudulent email, except we changed the name of the targeted company (which is a household name you would recognize) to householdname, out of respect and fear of lawyers. Oh, and we also changed one or two characters to prevent obvious reengineering. The point is, something that looks a lot like the above was in a message that millions received. If clicked, it led the hapless consumer one step closer to becoming a fraud victim.
In some ways it might be tempting for some companies to conclude there's nothing one can do to stop this sort of thing, apart from launch the occasional token prosecution and put up a consumer help line. However, this view is not supported by the facts.
The Two-Pronged Strategy
The problem can be addressed. How? By combining two proven strategies: positive discriminators and a preponderance of discouragement. A wide range of businesses have faced analogous challenges in recent years. Consider counterfeit goods, fake credit cards, and pirated software. There is no way to stop people trying to make counterfeits. But that does not mean nothing can be done. The answer is to first adopt positive discriminators, for example, inform consumers that all products which lack X are inferior rip-offs, where X is a hard-to-counterfeit mark, like a hologram, embedded logo, and such like. This is then backed up by a preponderance of discouragement, a framework of technical and economic obstacles, legal penalties, and enforcement actions.
Bogus email can be tackled in the same way. The positive discriminator can be something you place in all company email. Today, the technology exists to generate a unique, cryptographically protected, spoof-proof seal or trust stamp in each outbound email (this technology is in use today and millions of stamped messages have been sent by consumer companies). The mere presence of this seal will satisfy most recipients that the email is official, but they can also verify the fact using a simple client-server interaction. That verification step is where the protection actually lies: the visible seal is a graphic, and like any graphic it can be copied, but a copied seal will not verify, because the stamp is cryptographically bound to the message it was issued for, and an imposter's message fails the check.
You then put everyone on the planet on notice, via your web site and all the other branding channels you use, that only those messages which contain the official trust stamp are official messages and any message that purports to be from your company but lacks a verifiable trust stamp is bogus, illegal, and should be reported.
Having deployed the required positive discriminator in your email, you will find the preponderance of discouragement falls neatly into place. There are plenty of laws under which to prosecute bogus email (trademark and copyright infringement for a start, plus deceptive business practices, which the FTC is eager to enforce against spam). But even more importantly, you have, through the adoption of a positive discriminator, increased the economic obstacles to fraudsters seeking to profit from abuse of your good name.
Amazingly, we have heard, as an argument for not making the effort to place trust stamps in consumer email: spammers will just fake the trust stamps. This is a preposterous lack of due diligence. The spammers will try to fake the trust stamps, yes. But try is the operative word. To succeed in any plausible way is non-trivial, but the point is that you have raised the barrier for imposters. You have made a good faith effort to employ a remedy that is at your disposal.
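What the stamp-and-verify step can look like in code, as an added example written for this page: it is not the article's code, not the Trusted Email Open Standard, and not any vendor's product. It assumes an X-Trust-Stamp header, an HMAC-SHA256 keyed with a secret held only by the company's outbound gateway and its verification server, a one-week validity window, and the constructed sample messages inside demo(); all of these are assumptions, not facts from the article.

```python
"""Added example: a verifiable email trust stamp, in the spirit of the
"positive discriminator" described above. Not the article's code, not the
Trusted Email Open Standard, and not any vendor's product; the header name,
stamp format, key handling and validity window are all assumptions."""
import base64
import hashlib
import hmac
import re
import time
from typing import Dict, Optional, Tuple

STAMP_HEADER = "X-Trust-Stamp"                 # assumed header name
SIGNED_FIELDS = ("from", "date", "subject", "message-id")
MAX_AGE_SECONDS = 7 * 24 * 3600                # assumed: stamps expire after a week
CLOCK_SKEW_SECONDS = 300                       # assumed tolerance for a fast sender clock


def _canon_header(value: str) -> str:
    """Collapse whitespace so harmless re-folding by mail relays does not break the MAC."""
    return re.sub(r"\s+", " ", value).strip()


def _canon_body(body: str) -> bytes:
    """Normalise line endings and trailing blank lines before hashing the body."""
    return body.replace("\r\n", "\n").rstrip("\n").encode("utf-8") + b"\n"


def _mac_input(headers: Dict[str, str], body: str, issued_at: int) -> bytes:
    """What the MAC covers: the bound headers, the issue time and a body hash.
    Changing the sender, the subject, the text or a link changes this input."""
    lower = {k.lower(): v for k, v in headers.items()}
    lines = [f"{name}:{_canon_header(lower.get(name, ''))}" for name in SIGNED_FIELDS]
    lines.append(f"t:{issued_at}")
    lines.append("bh:" + hashlib.sha256(_canon_body(body)).hexdigest())
    return "\n".join(lines).encode("utf-8")


def issue_stamp(secret: bytes, headers: Dict[str, str], body: str,
                issued_at: Optional[int] = None) -> str:
    """Outbound gateway side: compute the X-Trust-Stamp value for one message."""
    issued_at = int(time.time()) if issued_at is None else issued_at
    mac = hmac.new(secret, _mac_input(headers, body, issued_at), hashlib.sha256).digest()
    return f"v=1; t={issued_at}; h={':'.join(SIGNED_FIELDS)}; b={base64.b64encode(mac).decode()}"


def verify_stamp(secret: bytes, headers: Dict[str, str], body: str,
                 now: Optional[int] = None) -> Tuple[bool, str]:
    """Verification-server side: the recipient's client submits the message it
    received and the server recomputes the MAC with the key only it holds."""
    stamp = headers.get(STAMP_HEADER)
    if stamp is None:
        return False, "no stamp"
    fields = dict(p.strip().split("=", 1) for p in stamp.split(";") if "=" in p)
    if fields.get("v") != "1" or fields.get("h") != ":".join(SIGNED_FIELDS):
        return False, "unknown stamp format"
    try:
        issued_at = int(fields["t"])
        claimed = base64.b64decode(fields["b"], validate=True)
    except (KeyError, ValueError):
        return False, "malformed stamp"
    now = int(time.time()) if now is None else now
    if not (now - MAX_AGE_SECONDS <= issued_at <= now + CLOCK_SKEW_SECONDS):
        return False, "stamp expired or issued in the future"
    expected = hmac.new(secret, _mac_input(headers, body, issued_at), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, claimed):   # constant-time comparison
        return False, "stamp does not match message"
    return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed sample traffic (not real messages): one genuine message and
    three imposter attempts. Returns the verifier's verdict for each."""
    secret = b"example-key-known-only-to-gateway-and-verifier"   # constructed
    t0 = 1_700_000_000                                           # fixed clock, reproducible
    genuine = {
        "From": "Customer Care <care@householdname.example>",
        "Date": "Tue, 14 Nov 2023 22:13:20 +0000",
        "Subject": "Your account statement is ready",
        "Message-ID": "<20231114221320.1234@householdname.example>",
    }
    body = "Hello,\nYour statement is at https://householdname.example/statements\n"
    genuine[STAMP_HEADER] = issue_stamp(secret, genuine, body, issued_at=t0)
    verdicts = {"genuine": verify_stamp(secret, genuine, body, now=t0 + 60)}
    # Imposter copies the real headers and stamp verbatim but swaps in a look-alike link.
    phish_body = body.replace("https://householdname.example/",
                              "https://householdname.example.account-check.invalid/")
    verdicts["copied stamp, altered link"] = verify_stamp(secret, dict(genuine), phish_body, now=t0 + 60)
    # Imposter composes a message from scratch and mints a stamp with a guessed key.
    forged = {
        "From": "Customer Care <care@householdname.example>",
        "Date": "Tue, 14 Nov 2023 22:30:00 +0000",
        "Subject": "Urgent: confirm your account details",
        "Message-ID": "<fake@mail.account-check.invalid>",
    }
    forged[STAMP_HEADER] = issue_stamp(b"guessed-key", forged, phish_body, issued_at=t0)
    verdicts["forged stamp"] = verify_stamp(secret, forged, phish_body, now=t0 + 60)
    # A genuine message replayed a month later is refused on age alone.
    verdicts["stale replay"] = verify_stamp(secret, genuine, body, now=t0 + 30 * 24 * 3600)
    return verdicts
```

Running demo() gives one VERIFIED verdict for the genuine message and REJECTED for the other three. Because the key is shared between the gateway and the verifier, a recipient cannot check the stamp locally; the mail client has to submit the message to the company's server, which is the client-server interaction the text refers to. A public-key signature (the approach later standardized as DKIM) would let any receiving system verify offline against a published key. The lesson is the same either way: an imposter who copies the visible seal, or even the whole stamp header, ends up with a stamp that fails against the message actually delivered, and minting a fresh one requires the key.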
About ten years ago, the Royal Bank of Scotland introduced debit cards that had the account holder's photograph and signature printed on them. Almost immediately, debit card fraud dropped by 70 percent. About five years ago, we were telling this story to some friends in America and got this response: "That wouldn't work here, store clerks wouldn't bother to check the photo." Nevertheless, several American banks now offer this feature.
Updated 2005 by webbloke at cobbsblog.com © Stephen Cobb
Some article content reprinted by permission.
Article content copyright named author(s).