
If I Were a Spammer

August 11, 2003

Fraudulent e-mail offers lessons, and not just in swindling techniques.

I get a lot of spam, the vast majority unimaginative stuff that sees the trash as fast as I can tap "delete." Yet occasionally something unsolicited, unwanted, perhaps even unlawful will get my attention. Over the past several months, a few email messages landed in my inbox that I would like to nominate to the fraudulent email hall of fame. Those behind the messages were quite smart and creative. In fact, if fraud had been my calling, they might have given me ideas about how to fool many an unsuspecting soul. Here are three of them:

  • My ISP, EarthLink, sent me an email last week informing me my account had been suspended. The short message said: "EarthLink.com Account Management regrets to inform you that your EarthLink.com account has been suspended due to credit card verification problems." It went on to ask me to "Please take a moment to verify my current credit card information at www.earthlink.com." The email was signed "Trully yours, Earthlink.com Account Management."

  • On May 24 I received an email from notification@visa.com. The subject said "Verified by Visa." This one encouraged me to "Protect your Visa card online with a personal password." It had a Visa logo on the top and some interesting official-looking screenshots of keywords being entered to protect online purchases. It also had several "Verified by Visa" logos that made it look very reassuring. On the bottom was a form (right in the email) that asked me to submit my name, billing address, billing Zip Code, credit or check card number, and its expiration date (MM/YY) and ATM PIN to participate in this fraud protection program.

  • On April 25, PayPal had sent me a similar message. This one was from paysecurity@paypal.com and was sent to let me know that unless I verified my information in the form (in the email) my inactive account would be deactivated. It asked for name, address, account number, credit card number, PIN, and more.

What did the email messages above have in common? They were clever, well-executed fraudulent attempts at stealing my personal and credit card information.

EarthLink runs from EarthLink.net (not .com). At press time, EarthLink.com looks identical to EarthLink.net. Yet, according to the real EarthLink, it’s a complete hoax, an illegal copy of the EarthLink site set up to help steal information from unsuspecting victims. The email seems to feed the information to Korea (.kr). The salutation at the end, "Trully yours," was a bit of a giveaway and might cause the recipient to become suspicious. Then again, do people read their email that carefully these days?

To make matters worse, I forwarded the spoof email to the company’s abuse desk. I received an immediate and predictable autoresponse telling me there was not enough information in the message to determine whether it was spam. The message then proceeded to tell me EarthLink had probably already received complaints about this message (assuming it was just regular spam). At the bottom, there was another address to which I could forward my message to have a human being take a look.

A human responded the next day, saying, yes, this was a hoax. In fact, two days after receiving the original, I received a message -- ostensibly from Garry Betty, EarthLink CEO -- warning all EarthLink subscribers about the hoax and pointing at some useful resources.

But here’s the clincher. The same day I got the message from Betty, I also received one from creditcard@earthlink.net with the subject: "EarthLink Subscriber Alert: Credit Card Expiration." Impeccable timing! It informed me my credit card on file had expired and please return to the site to update my information. This one was authentic, but how would I know that?

The Visa and PayPal spoofs were even cleverer. They pulled all the images (logos and screenshots) from the Visa and PayPal Web sites, respectively, but the Web forms included in the messages themselves went to an illegitimate server somewhere. The brilliant twist on these messages was they played on security fears to defraud and breach security. It took some "level-two forensics" to even technically establish these were intended to defraud. A quick look at the messages and their HTML code did not make it immediately apparent they weren’t legit.
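The two tells described above (a lookalike domain such as EarthLink.com standing in for EarthLink.net, and a message whose logos come from the real site while its embedded form posts somewhere else) can both be caught by a small triage check. The following is an added example, not code from the column or from any of the companies named; it uses only the Python standard library. Everything in it is constructed for illustration: the three sample messages are modelled on the ones the column describes but are not the originals, 203.0.113.7 is a documentation-range placeholder for the "illegitimate server somewhere," and the two-label `registrable_domain()` rule is a simplification (a real tool would consult the public-suffix list).

```python
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlparse

# Field names a genuine account notice would never ask for by e-mail.
SENSITIVE_FIELD_HINTS = ("card", "pin", "password", "ssn", "cvv")


def registrable_domain(host: str) -> str:
    """Reduce a host to its last two labels: www.earthlink.com -> earthlink.com.
    Assumption: two labels suffice here; a real tool would use the public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class _Targets(HTMLParser):
    """Collect form actions, link targets and input names from an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.form_actions: List[str] = []
        self.link_hrefs: List[str] = []
        self.field_names: List[str] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "a" and a.get("href"):
            self.link_hrefs.append(a["href"])
        elif tag == "input":
            self.field_names.append((a.get("name") or a.get("type") or "").lower())


def _html_body(msg: Message) -> str:
    """Concatenate the text/html parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyze_message(raw: str, expected_domain: Optional[str] = None) -> List[str]:
    """Return findings for one raw message; an empty list means nothing looked wrong.

    expected_domain is the domain the recipient actually does business with. When it
    is given, the From header is checked against it too, which is what catches a
    self-consistent lookalike such as earthlink.com standing in for earthlink.net.
    """
    msg = message_from_string(raw)
    sender_domain = registrable_domain(parseaddr(msg.get("From", ""))[1].partition("@")[2])
    trusted = registrable_domain(expected_domain) if expected_domain else sender_domain

    targets = _Targets()
    targets.feed(_html_body(msg))

    findings = []
    if sender_domain != trusted:
        findings.append(f"sender_offdomain:{sender_domain}")
    if targets.form_actions:
        findings.append("form_in_email")  # the column's rule: never fill out a form inside an e-mail
    for action in targets.form_actions:
        host = urlparse(action).hostname or ""
        if host and registrable_domain(host) != trusted:
            findings.append(f"form_posts_offdomain:{host}")
    for href in targets.link_hrefs:
        host = urlparse(href).hostname or ""
        if host and registrable_domain(host) != trusted:
            findings.append(f"link_offdomain:{host}")
    for name in targets.field_names:
        if any(hint in name for hint in SENSITIVE_FIELD_HINTS):
            findings.append(f"sensitive_field:{name}")
    return findings


# Constructed samples, modelled on the messages the column describes (not the originals).
PHISHING_SAMPLE = """\
From: notification@visa.com
Subject: Verified by Visa
Content-Type: text/html; charset="us-ascii"

<html><body>
<img src="http://www.visa.com/images/logo.gif">
<p>Protect your Visa card online with a personal password.</p>
<form method="post" action="http://203.0.113.7/verify.cgi">
  <input name="cardnumber"><input name="atm_pin" type="password">
  <input type="submit" value="Participate">
</form>
</body></html>
"""

LOOKALIKE_SAMPLE = """\
From: "Account Management" <accounts@earthlink.com>
Subject: Account suspended
Content-Type: text/html; charset="us-ascii"

<html><body><p>Please <a href="http://www.earthlink.com/">verify your card</a>.</p></body></html>
"""

LEGIT_SAMPLE = """\
From: creditcard@earthlink.net
Subject: EarthLink Subscriber Alert: Credit Card Expiration
Content-Type: text/html; charset="us-ascii"

<html><body><p>Return to <a href="http://www.earthlink.net/myaccount">your account</a>.</p></body></html>
"""

if __name__ == "__main__":
    print("visa spoof    ", analyze_message(PHISHING_SAMPLE))
    print("earthlink.com ", analyze_message(LOOKALIKE_SAMPLE, expected_domain="earthlink.net"))
    print("genuine notice", analyze_message(LEGIT_SAMPLE))
```

The Visa-style sample trips three findings at once (a form inside the message, a form that posts off-domain, and fields asking for a card number and PIN), while the genuine EarthLink.net notice yields nothing. The EarthLink.com lookalike is the instructive case: judged only against its own From header it is perfectly self-consistent and passes clean, and it is flagged only once the check is told which domain the recipient actually has a relationship with. That is the same limitation the column runs into when the genuine "Credit Card Expiration" notice arrives the day after the hoax warning: consistency within a message is not proof of who sent it.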

I have no sense of how many people fell for these clever hacks, but I have to believe it was more than a few. This advanced spoofing phenomenon even has its own name: "phishing." These attacks could be the single biggest threat spam has posed to legitimate online commerce to date. Yes, those mortgage ads are annoying and the pornography offensive, but this is different. This makes people think three times before clicking on links in legitimate email or even entering credit card information on a Web site. How do I know this email is from a legitimate source? How do I know this Web site is, in fact, representing the company it says it is?

In a July 22 CNN article reporting on this phenomenon, the writer advises how to avoid becoming a victim of a phisher scam. Here are two of the five tips:

  • Try not to click on links in an email message from a company. Too many scam artists are making forgeries of companies’ sites that look like the real thing.

  • If you want to do business online, don’t click on an email link. Go to the company’s Web site yourself and fill out information there.

It is not uncommon for a company doing commerce online to make 10 to 30 percent of its revenue directly from email marketing programs. Advising people not to click on links in commercial email may be a logical conclusion, but it's not practical.

This problem can only be solved if we make a structural change to email. As long as it's laughably easy to forge one's identity in an email, the medium will continue to be insecure and vulnerable to these kinds of attacks. As I argued in a recent column, we must, and can, evolve the email infrastructure to include support for true authentication. If you have to deliver proof of identity to deliver a message, it becomes a lot harder to hide and therefore a lot harder to commit fraud.

In the meantime, let’s make a concerted effort to educate consumers about this problem. I urge any organization using email to communicate with its customers to proactively reach out and inform them of the phisher phenomenon. Offer suggestions for what to do if they think they may have received one. (Here’s part of what EarthLink has done.)

People must know they should never fill out a form asking for sensitive personal information in an email. They also need to know where to report a suspected fraudulent message. Let’s just agree to dedicate spoof@yourcompany.com to be the forwarding address for these things. We’ve gotta fix this one or people could very quickly decide they no longer want to risk entering their credit card information in Web forms. It goes without saying that would be very bad.


ABOUT THE AUTHOR

Hans-Peter Brøndmo

Hans Peter Brøndmo has spent his career at the intersection of technological innovation and consumer empowerment. He is a successful serial entrepreneur and a recognized thought leader. His latest company, Plum, is a consumer service with big plans to make the Web easier to use. In 1996, he founded pioneering e-mail marketing company Post Communications. His recent book, "The Engaged Customer," is a national bestseller and widely recognized as the bible of e-mail relationship marketing. As a sought-after keynote speaker, he has addressed more than 50 conferences in the past three years, is often featured in national media, and has been invited to testify at two U.S. Senate hearings and an FCC hearing on Internet privacy and spam. Hans Peter is on the board of the online privacy certification and seal program of TRUSTe and several companies. He performed his undergraduate and graduate studies at MIT.
