spam, spam, spam, privacy, security & spam


The Multi-Billion Dollar Spam Threat

Spoofing, Phishing, and Online Identity Theft

©Stephen Cobb and Chey Cobb, 2003

For pictures of spoofed email and "phishing" messages, click here. Note that portions of this article appeared in our regular column in Newsscan. An extended version of the article can be viewed in Acrobat pdf.

We’d be very surprised if any reader of this web site could find even one good word to say about spam, that seemingly endless stream of unsolicited email full of offers to sell you things you don’t want to buy and enlarge parts of the human anatomy you may not even possess. But as unsavory as most folks find this subject, we need to bring it up, because spam has now gone way beyond annoying, right past disgusting, to downright costly. According to Ferris Research, spam set U.S. organizations back $8.9 billion in 2002, based on lost productivity and the consumption of IT resources and help-desk time.

It Gets Worse

Unfortunately, that figure is not, in our opinion, an exaggeration. Even worse, we don’t think it represents the full measure of spam’s economic impact, not by a long way. Even as companies invest in spam filtering software to screen it out of their networks, and ISPs invest in more and more storage and bandwidth to cope with rising spam volumes (which now make up half of all email traffic), the bigger cost may be the spam that some companies don’t even see, because it is screened out.

We are talking about “bogus email,” which is our term for spam that attempts to pass for legitimate email by making unauthorized use of established brand names and logos. A classic example is the mortgage offer spam that uses the brand name and logo of a respected bank or real estate firm to persuade people to supply personal data to the spammer’s web site (under the pretense of confirming a pre-qualified mortgage). Such data can then be sold by the spammer. If phone numbers and physical addresses are obtained, these can be sold as sucker lists for bottom-feeding boiler-room peddlers of things like “limited edition” coins. Any email addresses harvested this way can also be sold—as “confirmed” lists used to send more spam.

A variation of this spam-scam leverages the good name of established software brands, such as Adobe and Symantec, to harvest data that includes your credit card number. Ever wonder why Symantec would authorize those email marketing offers that knock 90 percent off the price of its products? Well it doesn’t. Those messages—often featuring a product that people tend to buy in a state of panic, such as Norton Antivirus—are either looking to grab your credit card or sell you pirated software.

It is a sad fact of Internet life that consumers are sent millions of emails every day that use hijacked brand names and corporate logos to further the—often illegal—profiteering goals of the sender. This unauthorized use of valuable corporate assets ranges from the merely sneaky to the blatant theft of corporate identity, perpetrated for the sole purpose of defrauding consumers. Some of those consumers lose money. How much is not known, but we do know the cost to companies is significant.

For a start, companies like Symantec have to mobilize staff and resources to try and stop this dilution of their brand. But that may just be the tip of the iceberg compared to the effect that brand dilution has on revenues.

The combined annual revenues of the Fortune 1000 are roughly $7 trillion. If top brand names account for just 10 percent of that figure, and those names suffer a 5 percent reduction in revenue due to people’s association of them with unpleasant email experiences, we are looking at $35 billion in lost value (while some might argue that the value is not lost, because demand is not reduced, there is evidence to suggest negative experiences in some product categories do reduce demand across the category; besides, if it is your company’s revenue that is being eroded, you will surely see it as a loss).

Hand Wringing

You know spam is a problem when you turn on the news and see a reporter talking to you from the Federal Trade Commission’s Spam Forum in Washington, D.C. That is what we saw on April 30 this year, along with a lot of hand-wringing about what a menace spam has become. The focus of most reporters was the pain that spam causes the consumers who find it in their inbox. A close second was the billions of dollars companies pay to prevent spam from flooding their networks.

We heard very little about the tendency of fraudulent email to undermine brand value. So let us present a scenario to make it a little more real. Imagine you run a company that has a thriving online retail operation. One day several thousand customers get email that says:

“As part of our continuing commitment to protect your account and to reduce the instance of fraud on our website, we are undertaking a periodic review of our member accounts.”

The message sports your corporate logo and the “From” address is at your company’s domain, but your company did not send the message. Even worse, the message goes on to say:

“You are requested to visit our site by following the link given below. Please fill in the required information. This is required for us to continue to offer you a safe and risk free online shopping environment.”

The link contains your site’s domain name, so it looks legitimate, but the link leads to a different site, one that looks a lot like yours, but actually harvests your customers’ account numbers, user names, passwords, and possibly even credit card numbers. This is not an imaginary scenario. The quotes above come from a fraudulent email that we, and millions of other email users, recently received.

Another Threat Surfaces

If consumers continue getting email like this, the effects are going to be very serious for some companies. Apart from the erosion of brand value that we talked about earlier, there is the possibility of legal action by consumers who have been duped, cheated, or had their identity stolen due to email like this. The perpetrators of these scams are hard to find and harder to prosecute. So lawyers for the plaintiffs are going to look to those they can find, the same companies whose names and logos are being misappropriated.

Some lawyers are bound to be asking themselves these questions: Could Company X have done more to prevent dilution of its brand by bogus email? Could said company have done a better job of protecting consumers from those who are perpetrating email fraud in the company’s name? Class action lawsuits along these lines, from shareholders and consumers, are not hard to imagine.

Without a miraculous end to the flood of spam, the likelihood of such lawsuits will only increase over time, especially if companies fail to take stronger action in defense of their good names. How and when companies respond to this threat will determine the extent to which they are exposed to accusations of negligence with respect to both brand dilution and customer protection.

But is there anything companies can do, apart from encouraging the large Internet companies to get their act together to put an end to spam? The challenge can seem daunting when you look at the low cost of entry into mass emailing and the relative ease with which a company’s digital assets can be ripped off. After all, these days anyone can make a pixel-perfect, zero-cost copy of whatever logos, trademarks, and signage appear on your company’s official web site.

With HTML email it is easy to make official-looking messages and hide hijacked links. Even when the email is text, the links are hard for the average consumer to decipher as false. Consider this one:

http://cgi3.householdname.com:aw-cgihouseholdname
ISAPI.dllSignInRegisterEnterInfo&siteid=
0co_partnerid=2@210.103.121.131/
householdnamecgi/>http://cgi3.householdname.com:
aw-cgihouseholdnameISAPI.dllSignInRegisterEnterInfo&siteid=
0co_partnerid=2@210.103.121.131/householdnamecgi/

This came straight from a fraudulent email, except we changed the name of the targeted company—which is a household name you would recognize—to householdname, out of respect and fear of lawyers. Oh, and we also changed one or two characters to prevent obvious reengineering. The point is, something that looks a lot like the above was in a message that millions received. If clicked, it led the hapless consumer one step closer to becoming a fraud victim.
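As an added illustration (not code from the original article), the following Python shows how a defender can parse a link shaped like the one above and report where it actually points: in an http URL, anything before the last “@” in the authority is userinfo, so the household name a reader sees first is not the server the browser connects to. The sample link and the trusted-domain list are constructed here for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the altered link quoted above (not the
# original message). The authority carries "userinfo@" before the host,
# so the familiar name a reader sees first is not where the link goes.
SAMPLE_LINK = ("http://cgi3.householdname.com:aw-cgihouseholdnameISAPI.dll"
               "SignInRegisterEnterInfo&siteid=0co_partnerid=2"
               "@210.103.121.131/householdnamecgi/")

# Hypothetical: the domains a company actually links to in its own email.
TRUSTED_DOMAINS = {"householdname.com"}

_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def _under(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)

def analyse_link(url, trusted_domains=TRUSTED_DOMAINS):
    """Describe where a link really goes and list reasons it looks deceptive."""
    parts = urlsplit(url)
    real_host = (parts.hostname or "").lower()      # text after the last '@'
    has_userinfo = "@" in parts.netloc
    decoy = (parts.username or "").lower()          # userinfo up to the first ':'
    reasons = []
    if has_userinfo:
        reasons.append("userinfo before '@' hides the real host")
    if any(_under(decoy, d) for d in trusted_domains):
        reasons.append("trusted domain name appears only as userinfo")
    if _IPV4.fullmatch(real_host):
        reasons.append("real host is a bare IP address")
    trusted = any(_under(real_host, d) for d in trusted_domains)
    return {"real_host": real_host, "decoy": decoy,
            "trusted_host": trusted, "reasons": reasons}

if __name__ == "__main__":
    for link in (SAMPLE_LINK, "https://www.householdname.com/account/review"):
        print(analyse_link(link))
```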

In some ways it might be tempting for some companies to conclude there’s nothing one can do to stop this sort of thing, apart from launching the occasional token prosecution and putting up a consumer help line. However, this view is not supported by the facts.

The Two-Pronged Strategy

The problem can be addressed. How? By combining two proven strategies: positive discriminators and a preponderance of discouragement. A wide range of businesses have faced analogous challenges in recent years. Consider counterfeit goods, fake credit cards, and pirated software. There is no way to stop people trying to make counterfeits. But that does not mean nothing can be done. The answer is to first adopt positive discriminators, for example, inform consumers that all products which lack X are inferior rip-offs, where X is a hard-to-counterfeit mark, like a hologram, embedded logo, and the like. This is then backed up by a preponderance of discouragement, a framework of technical and economic obstacles, legal penalties, and enforcement actions.

Bogus email can be tackled in the same way. The positive discriminator can be something you place in all company email. The technology to generate a unique, cryptographically protected, spoof-proof seal or “trust stamp” in each outbound email exists today and is already in use; millions of stamped messages have been sent by consumer companies. The mere presence of this seal will satisfy most recipients that the email is official, but they can also verify the fact using a simple client-server interaction.

You then put everyone on the planet on notice, via your web site and all the other branding channels you use, that only those messages which contain the official trust stamp are official messages and any message that purports to be from your company but lacks a verifiable trust stamp is bogus, illegal, and should be reported.

Having deployed the required positive discriminator in your email, you will find the preponderance of discouragement falls neatly into place. There are plenty of laws under which to prosecute bogus email (trademark and copyright infringement for a start, plus deceptive business practices, which the FTC is eager to enforce against spam). But even more importantly, you have, through the adoption of a positive discriminator, increased the economic obstacles to fraudsters seeking to profit from abuse of your good name.
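The article does not say how the trust stamp is constructed. The Python below is an added sketch (not the authors’ code, nor any vendor’s product) of one plausible design that fits the client-server verification described above: an HMAC key held only by the company’s verification service binds the stamp to the sender, recipient, date, message ID and a body digest, so a stamp copied from a genuine message onto a phishing body, or fabricated without the key, fails verification. The sample message and key are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Hypothetical secret held only by the company's stamping/verification
# service; a fraudster who copies a stamped message never learns it.
SERVER_KEY = secrets.token_bytes(32)

def _covered_bytes(headers, body):
    """Canonical bytes the stamp covers: selected headers plus a body hash."""
    body_hash = hashlib.sha256(body.encode("utf-8")).hexdigest()
    fields = [headers[h].strip().lower() for h in ("from", "to", "date", "message-id")]
    return "\n".join(fields + [body_hash]).encode("utf-8")

def stamp_message(headers, body, key=SERVER_KEY):
    """Outbound side: the stamp the company adds to its own email."""
    return hmac.new(key, _covered_bytes(headers, body), hashlib.sha256).hexdigest()

def verify_stamp(headers, body, stamp, key=SERVER_KEY):
    """Verification service: True only if the stamp matches this exact message."""
    expected = stamp_message(headers, body, key)
    return hmac.compare_digest(expected, stamp)

# Constructed sample message (not a real email).
GENUINE = {"from": "service@householdname.example", "to": "customer@example.net",
           "date": "Thu, 1 May 2003 09:00:00 -0400",
           "message-id": "<1001@householdname.example>"}
GENUINE_BODY = "Your statement for April is now available in your account."

def demo():
    """Returns (genuine verifies, reused stamp verifies, forged stamp verifies)."""
    stamp = stamp_message(GENUINE, GENUINE_BODY)
    ok = verify_stamp(GENUINE, GENUINE_BODY, stamp)
    # A fraudster lifts a real stamp and pastes it onto a phishing body.
    phish = "We are undertaking a periodic review of our member accounts."
    reused = verify_stamp(GENUINE, phish, stamp)
    # A fraudster fabricates a stamp without knowing SERVER_KEY.
    fake = hmac.new(b"guess", _covered_bytes(GENUINE, phish), hashlib.sha256).hexdigest()
    forged = verify_stamp(GENUINE, phish, fake)
    return ok, reused, forged

if __name__ == "__main__":
    print(demo())
```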

Due Diligence

Amazingly, we have heard, as an argument for not making the effort to place trust stamps in consumer email: “spammers will just fake the trust stamps.” This is a preposterous lack of due diligence. The spammers will try to fake the trust stamps, yes. But try is the operative word. To succeed in any plausible way is non-trivial, but the point is that you have raised the barrier for imposters. You have made a good faith effort to employ a remedy that is at your disposal.

About ten years ago, the Royal Bank of Scotland introduced debit cards that had the account holder’s photograph and signature printed on them. Almost immediately, debit card fraud dropped by 70 percent. About five years ago, we were telling this story to some friends in America and got this response: “That wouldn’t work here, store clerks wouldn’t bother to check the photo.” Nevertheless, several American banks now offer this feature.

If your company uses the Internet to communicate with customers you need to realize that right now the average consumer has no way to consistently and immediately distinguish between bogus email (fraudulently purporting to be from your company) and genuine email that really is from your company. Not only is this a major source of frustration and risk for consumers, it is the main reason why fraudsters continue to send bogus email in your company’s name. If you give consumers a positive, non-spoofable means of identifying genuine email, then the fraudster’s ratio of return-on-effort plummets. At the same time, you greatly increase your ability to claim due diligence in the areas of trademark defense and customer protection. Not to mention the fact that your consumers will likely thank you for making an effort to reassure them.




Updated 2005 by webbloke at cobbsblog.com © Stephen Cobb
Some article content reprinted by permission.
Article content copyright named author(s).