I get a lot of spam, the vast majority unimaginative stuff that sees the trash as fast as I can tap “delete.” Yet occasionally something unsolicited, unwanted, perhaps even unlawful will get my attention. Over the past several months, a few email messages landed in my inbox that I would like to nominate to the fraudulent email hall of fame. Those behind the messages were quite smart and creative. In fact, if fraud had been my calling, they might have given me ideas about how to fool many an unsuspecting soul. Here are three of them:
- My ISP, EarthLink, sent me an email last week informing me my account had been suspended. The short message said: “EarthLink.com Account Management regrets to inform you that your EarthLink.com account has been suspended due to credit card verification problems.” It went on to ask me to “Please take a moment to verify my current credit card information at www.earthlink.com.” The email was signed “Trully yours, Earthlink.com Account Management.”
- On May 24 I received an email from email@example.com. The subject said “Verified by Visa.” This one encouraged me to “Protect your Visa card online with a personal password.” It had a Visa logo on the top and some interesting official-looking screenshots of keywords being entered to protect online purchases. It also had several “Verified by Visa” logos that made it look very reassuring. On the bottom was a form (right in the email) that asked me to submit my name, billing address, billing Zip Code, credit or check card number, and its expiration date (MM/YY) and ATM PIN to participate in this fraud protection program.
- On April 25, PayPal had sent me a similar message. This one was from firstname.lastname@example.org and was sent to let me know that unless I verified my information in the form (in the email) my inactive account would be deactivated. It asked for name, address, account number, credit card number, PIN, and more.
What did the email messages above have in common? They were clever, well-executed fraudulent attempts at stealing my personal and credit card information.
EarthLink runs from EarthLink.net (not .com). At press time, EarthLink.com looks identical to EarthLink.net. Yet, according to the real EarthLink, it’s a complete hoax, an illegal copy of the EarthLink site set up to help steal information from unsuspecting victims. The email seems to feed the information to Korea (.kr). The salutation at the end, “Trully yours,” was a bit of a giveaway and might cause the recipient to become suspicious. Then again, do people read their email that carefully these days?
To make matters worse, I forwarded the spoof email to the company’s abuse desk. I received an immediate and predictable autoresponse telling me there was not enough information in the message to determine whether it was spam. The message then proceeded to tell me EarthLink had probably already received complaints about this message (assuming it was just regular spam). At the bottom, there was another address to which I could forward my message to have a human being take a look.
A human responded the next day, saying, yes, this was a hoax. In fact, two days after receiving the original, I received a message — ostensibly from Garry Betty, EarthLink CEO — warning all EarthLink subscribers about the hoax and pointing at some useful resources.
But here’s the clincher. The same day I got the message from Betty, I also received one from email@example.com with the subject: “EarthLink Subscriber Alert: Credit Card Expiration.” Impeccable timing! It informed me my credit card on file had expired and please return to the site to update my information. This one was authentic, but how would I know that?
The Visa and PayPal spoofs were even cleverer. They pulled all the images (logos and screenshots) from the Visa and PayPal Web sites, respectively, but the Web forms included in the messages themselves went to an illegitimate server somewhere. The brilliant twist on these messages was they played on security fears to defraud and breach security. It took some “level-two forensics” to even technically establish these were intended to defraud. A quick look at the messages and their HTML code did not make it immediately apparent they weren’t legit.
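The “level-two forensics” described above amount to looking past the borrowed logos at where the message's forms and links actually point. The following is an added example, not part of the original column: a small audit of an HTML email body that flags an embedded form, a form or link whose host is not under the brand's domain, and fields that ask for a PIN, card number or password. The sample message and the host 203.0.113.7 are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class EmailHtmlAudit(HTMLParser):
    """Collect the hosts an HTML email's images, links and forms really use."""

    def __init__(self):
        super().__init__()
        self.image_hosts, self.link_hosts, self.form_hosts = set(), set(), set()
        self.asks_for_secrets = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            self.image_hosts.add(urlparse(a["src"]).hostname or "")
        elif tag == "a" and a.get("href"):
            self.link_hosts.add(urlparse(a["href"]).hostname or "")
        elif tag == "form":  # a form inside the message body is itself a warning sign
            self.form_hosts.add(urlparse(a.get("action", "")).hostname or "")
        elif tag == "input":
            name = (a.get("name") or "").lower()
            if any(k in name for k in ("pin", "card", "password", "ssn")):
                self.asks_for_secrets = True


def same_org(host, brand_host):
    return host == brand_host or host.endswith("." + brand_host)


def audit_email_html(html, brand_host):
    """Return a list of phishing indicators found in the HTML body (empty if none)."""
    p = EmailHtmlAudit()
    p.feed(html)
    findings = []
    if p.form_hosts:
        findings.append("form embedded in message body")
    # Images pulled from the real site prove nothing; forms and links that leave it do.
    foreign = {h for h in p.form_hosts | p.link_hosts if h and not same_org(h, brand_host)}
    if foreign:
        findings.append("posts/links to non-%s host(s): %s" % (brand_host, ", ".join(sorted(foreign))))
    if p.asks_for_secrets:
        findings.append("asks for PIN/card/password")
    return findings


# Constructed sample modelled on the spoof described in the text: real logo, foreign form.
SAMPLE_SPOOF = """<html><body>
<img src="https://www.visa.com/images/logo.gif">
<p>Protect your Visa card online with a personal password.</p>
<form action="http://203.0.113.7/verify.cgi" method="post">
 Name <input name="name"> Card <input name="card_number"> PIN <input name="atm_pin">
 <input type="submit" value="Submit">
</form></body></html>"""

if __name__ == "__main__":
    for finding in audit_email_html(SAMPLE_SPOOF, "visa.com"):
        print("-", finding)
```

A message whose only links go to hosts under the brand's own domain and which carries no form produces an empty list.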
I have no sense of how many people fell for these clever hacks, but I have to believe it was more than a few. This advanced spoofing phenomenon even has its own name: “phishing.” These attacks could be the single biggest threat spam has posed to legitimate online commerce to date. Yes, those mortgage ads are annoying and the pornography offensive, but this is different. This makes people think three times before clicking on links in legitimate email or even entering credit card information on a Web site. How do I know this email is from a legitimate source? How do I know this Web site is, in fact, representing the company it says it is?
In a July 22 CNN article reporting on this phenomenon, the writer advises how to avoid becoming a victim of a phisher scam. Here are two of the five tips:
- Try not to click on links in an email message from a company. Too many scam artists are making forgeries of companies’ sites that look like the real thing.
- If you want to do business online, don’t click on an email link. Go to the company’s Web site yourself and fill out information there.
It is not uncommon for a company doing commerce online to make 10 to 30 percent of its revenue directly from email marketing programs. Advising people not to click on links in commercial email may be a logical conclusion, but it’s not practical.
This problem can only be solved if we make a structural change to email. As long as it’s laughably easy to forge one’s identity in an email, the medium will continue to be insecure and vulnerable to these kinds of attacks. As I argued in a recent column, we must, and can, evolve the email infrastructure to include support for true authentication. If you have to deliver proof of identity to deliver a message, it becomes a lot harder to hide and therefore a lot harder to commit fraud.
In the meantime, let’s make a concerted effort to educate consumers about this problem. I urge any organization using email to communicate with its customers to proactively reach out and inform them of the phisher phenomenon. Offer suggestions for what to do if they think they may have received one. (Here’s part of what EarthLink has done.)
People must know they should never fill out a form asking for sensitive personal information in an email. They also need to know where to report a suspected fraudulent message. Let’s just agree to dedicate firstname.lastname@example.org to be the forwarding address for these things. We’ve gotta fix this one or people could very quickly decide they no longer want to risk entering their credit card information in Web forms. It goes without saying that would be very bad.