IT managers are warned to be on the lookout to protect their company’s reputation, as well
as their users, from a new wave of spam aimed at stealing personal and financial
information.
The latest trend in spam and identity theft is called brand spoofing. The spam has no
traceable return address and appears to be sent from a large company seeking information
from its customers. Posing as a large business, say Sony, BestBuy or eBay, with which the user
already has a relationship, the spammers ask for passwords, user names and credit card
information.
It is both spam and identity theft. But now there is a heightened level of sophistication to
the trickery being used to fool people into giving up critical personal information. And it
has the potential not only to empty people's bank accounts but also to sully a company's
reputation.
"This is extremely dangerous," says Susan Larson, vice president of global product content
at SurfControl Plc, a London-based Web and email filtering company. "It's like organized
crime on the Internet... They use the name of a large company and the idea is that with a
large spam attack, at least some of the people receiving the spam will have done business
with that bank or retailer or company. It gives it an air of legitimacy that is fooling
people."
Larson says brand spoofing spam is generally looking for account information, passwords,
user names and credit card information. The spam recipient is usually asked to click on a
link to a page that has been doctored up to look like an official company page, or they’re
asked to send a reply email with the requested information.
"The idea of being able to completely mask who you are, being able to blast emails to large
numbers of people who might have a connection with these companies is all fairly devious,"
says Larson, adding that they first saw signs of brand spoofing in late February or March
but it has since been picking up speed. "They only have to get a very small hit to do some
damage and make some profit on this one."
But the damage isn’t being limited to a consumer’s checkbook. Ray Everett-Church, chief
privacy officer for Philadelphia-based ePrivacy Group, Inc., says these new attacks are
quick to damage a company’s sacred name.
"Any time you have spam masquerading itself as coming from a legitimate source, it can
severely damage the brand name being spoofed," says Everett-Church. "This is a company's
brand. This is their business... Anytime somebody is using your brand in a way they're not
authorized to, it's a problem."
Everett-Church says IT managers need to be aware of the earliest warning signs that
something is amiss.
"You have to be extremely vigilant in all of your customer-facing activities," he notes.
"Be on the lookout for reports of strange emails, anything that might suggest your brand
is being spoofed. If you receive strange bounced emails, a lot of attempts to visit a Web
page on your site that doesn't exist, or if people go first to a page deep in your Web site
without going to the homepage and navigating through, these are all telltale signs."
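Two of the telltale signs Everett-Church lists, repeated requests for pages that do not exist and visitors who land directly on a deep page, can be checked mechanically against the company's own web server logs. The script below is an added example written for this article, not code from the original piece or from SurfControl or ePrivacy Group. The combined-format log lines, the site name www.example-bank.test and the threshold of three 404s are constructed assumptions. It flags (a) paths returning 404 at least that many times, which is what a phishing email pointing at a URL the real site never had produces when recipients click it, and (b) requests for a non-homepage path whose Referer is empty or points to a host outside the company's own domain, from a client that has not fetched the homepage earlier in the log. Bounced emails are a mail-side signal and are not covered here.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed sample log for a hypothetical site (combined log format).
# These entries are made up for the example; they are not from any real server.
SAMPLE_LOG = """\
203.0.113.10 - - [12/May/2003:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.10 - - [12/May/2003:10:01:09 +0000] "GET /account/login HTTP/1.1" 200 2048 "http://www.example-bank.test/" "Mozilla/4.0"
198.51.100.7 - - [12/May/2003:10:02:15 +0000] "GET /account/verify HTTP/1.1" 404 512 "-" "Mozilla/4.0"
198.51.100.8 - - [12/May/2003:10:02:16 +0000] "GET /account/verify HTTP/1.1" 404 512 "-" "Mozilla/4.0"
198.51.100.9 - - [12/May/2003:10:02:18 +0000] "GET /account/verify HTTP/1.1" 404 512 "http://mail.example.test/" "Mozilla/4.0"
192.0.2.44 - - [12/May/2003:10:03:01 +0000] "GET /account/login HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
192.0.2.45 - - [12/May/2003:10:03:05 +0000] "GET /account/login HTTP/1.1" 200 2048 "http://webmail.example.test/inbox" "Mozilla/4.0"
192.0.2.46 - - [12/May/2003:10:03:07 +0000] "GET /images/logo.gif HTTP/1.1" 200 900 "http://secure-login.example-bank.test.attacker.test/" "Mozilla/4.0"
"""

# Hostnames considered "ours" (assumption for the example). A Referer on one of
# these hosts means the visitor navigated from the company's own pages.
OUR_HOSTS = {"www.example-bank.test", "example-bank.test"}

# Combined log format: ip ident user [time] "METHOD path PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def referer_host(referer):
    """Hostname of the Referer header, or None when the header was absent ("-")."""
    if referer in ("", "-"):
        return None
    return urlparse(referer).hostname


def analyze(lines, our_hosts=OUR_HOSTS, min_404=3):
    """Return the two warning signals computed over an iterable of log lines."""
    not_found = Counter()            # path -> number of 404 responses
    deep_entries = defaultdict(list)  # path -> [(client ip, referring host)]
    seen_home = set()                 # clients that fetched the homepage earlier

    for line in lines:
        e = parse_line(line)
        if e is None:
            continue  # skip lines that are not in the expected format
        if e["status"] == 404:
            # Sign (a): a page that does not exist is being requested.
            not_found[e["path"]] += 1
            continue
        if e["path"] == "/":
            seen_home.add(e["ip"])
            continue
        host = referer_host(e["referer"])
        if host in our_hosts or e["ip"] in seen_home:
            continue  # normal navigation through the company's own site
        # Sign (b): first contact lands on a deep page with no or foreign Referer.
        deep_entries[e["path"]].append((e["ip"], host or "(none)"))

    return {
        "phantom_pages": {p: n for p, n in not_found.items() if n >= min_404},
        "deep_entries": dict(deep_entries),
    }


def report(result):
    """Human-readable summary; the referring hosts show where the visitors came from."""
    out = []
    for path, n in sorted(result["phantom_pages"].items()):
        out.append(f"404 x{n} for non-existent page {path}")
    for path, hits in sorted(result["deep_entries"].items()):
        hosts = Counter(h for _, h in hits)
        out.append(f"{len(hits)} direct deep entries to {path} from {dict(hosts)}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(analyze(SAMPLE_LOG.splitlines())))
```

On the sample, the script reports three 404s for /account/verify, a page the site never had, and direct deep entries to /account/login and /images/logo.gif with no referrer or a foreign referring host. The referring hosts are the most useful part of the output: an unfamiliar domain that keeps sending visitors straight to a login page, or that is hotlinking the company's logo, is a good place to start looking for the spoofed page itself. On a real site the thresholds would be tuned to normal traffic, since bookmarks and search engines also produce deep entries without an internal referrer.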
Everett-Church recommends that IT managers sit down with business executives and compose an
email to customers. They should warn customers of the brand spoofing problem and make them
aware that they will never ask for people’s private information or passwords via email. Warn
them not to go to a Web site if they’re not entirely sure it belongs to the legitimate
organization. Educate customers about the company’s normal practices, and give them
easy-to-use feedback channels to report suspicious emails.
SurfControl’s Larson also recommends that IT managers make sure employees are educated about
spam and fraudulent emails.
"IT managers need to make employees cyber security aware and spam savvy," says Larson, who
adds that a recent SurfControl survey showed that 90 percent of IT managers do not do any employee
education. "Make them aware of the latest spam trends and make them aware of what
information they should never pass on."