These are no doubt the same people that believe ''eBay'' et al when they get an email from the ''security department'' there requiring users to confirm their account details by connecting to a seemingly harmless Web address and entering their account details.
It's unlikely that anyone using the Internet these days hasn't seen dozens and dozens of these messages. But, I'd posit that the people sending them wouldn't continue, and in fact thrive, if it weren't for the fact that there are people out there who fall for them... over and over.
Old P.T. Barnum must be spinning in his grave. If only he'd had the Internet...
Also, it seems inevitable that whenever you put a bunch of security techies together, the discussion will turn to how to solve spam and/or phishing problems. Some will say it's best to blacklist spam/phish sites to, in effect, isolate them from the rest of the Internet. Some will say it's best to use a whitelist approach and only accept incoming email from ''known'' and trustworthy addresses. Still others will say email is dead as an information medium and we need to start anew with a designed-from-scratch protocol for exchanging information.
I've heard all of these arguments, and I've seen people, companies, and even ISPs that have implemented them.
In response to all of these well-intended schemes, I'm going to butcher a metaphor and say that all we have to do is click our heels together three times and repeat, ''There's no place like home''. Why do I say that? It's because many of the tools we need to address a large part of these problems already are on our PCs and servers.
You see, there's a common denominator among many, but not all, of these email-based issues, and it is authentication. Many of our email problems these days exploit this fundamental weakness of SMTP. Phishing scams and mortgage ''deals'' all dupe users into trusting them to be authentic.
After all, they sure look authentic.
Perhaps the best means of verifying digital authenticity is the use of digital signatures.
Almost every email client in existence today has the ability to verify a digital signature in either S/MIME and/or PGP. S/MIME is arguably the more ubiquitous of the two, as most enterprise-level email clients come with S/MIME built in, including a repository of root certificates to form the basis of trust in verifying a digital signature on an incoming message.
The capability is out there. It may not be a perfect solution, but it's out there on the vast majority of PCs. And, just as many users have learned about the little padlock icon in the corner of their browser windows to indicate that SSL encryption is turned on, they can learn how to know when an email has been digitally signed with S/MIME.
So, why do so few sites make use of it?
I'm sure there are many reasons. People think it would be too difficult for their users to understand it. They'd have to buy a digital certificate from one of the certificate providers in order to send emails out to their customers. Maybe they aren't even aware of it.
Take note that you'd only need to buy a certificate (or run your own certificate service) if you're sending messages that need to be signed. The recipients can verify the authenticity of your messages without having to buy anything more than what they already have.
Now, I should add a caveat here that digital signatures won't stop spam delivery. That's not what I'm trying to say at all. They will, however, provide a good basis for email recipients to trust -- or not trust -- the authenticity of incoming emails.
That's a start.
The time has come for us to start using digital signatures in our emails. Waiting for the perfect solution to come along isn't going to help us today. The tools are there. Let's use them.