February 15, 2018
Your business spends a great deal of time and effort preserving brand integrity and keeping your customers satisfied. But there is an insidious Internet crime that can ruin your company’s goodwill and cost you a fortune.
AOL and PayPal Pretenders
In one scam, PayPal customers received e-mail messages with the company logo claiming that due to a “recent system flush,” the customer’s billing and personal information was temporarily unavailable.
The messages directed customers to a website, which resembled PayPal’s real site. There, customers were told to verify their identities on a form or risk having their accounts canceled.
However, the form wasn’t on PayPal’s website. It was on a server at a different IP address.
A number of AOL customers received e-mail messages claiming there was a problem with the billing of their accounts.
If they didn’t update their personal information, the recipients were told, they could lose their AOL accounts and Internet access.
Customers were told to click on a hyperlink to connect to the “AOL Billing Center.” The site appeared to be AOL’s Billing Center, with the firm’s logo, design, and links to real AOL Web pages. In actuality, the site was set up by a teenage con artist.
“The defendant had hijacked AOL’s identity and was going to use it to steal consumers’ identities,” the FTC alleged.
The case was settled in U.S. District Court in the summer of 2003. The defendant agreed to pay $3,500 in restitution and be barred for the rest of his life from sending spam. (FTC v. a minor, US Dist. Ct., Central Calif., No. 03-5275)
The fraud is called “spoofing” or “phishing,” and it is committed by technologically savvy criminals who defraud people using legitimate companies’ trusted names and images.
Here’s how spoofing typically works. A spammer sends out e-mail messages that recipients believe are from specific, trusted companies. The messages direct customers to a “ghost” or phony website that resembles the company’s real site. There, the customers are asked to provide confidential financial information, such as a Social Security number, password or e-mail address.
Criminals use the information to commit credit card fraud or identity theft. In some cases, messages are sent promoting pornography or adult services.
Spoofing can involve trademark and other intellectual property violations. It can also lead to two scenarios that strain a valid company’s customers, employees and technology systems:
- Customers who trust the company open the messages and get ripped off. Without the right response, they will be left with a bad feeling about your business.
- Customers who fear becoming victims of fraud ignore legitimate messages from your company, causing you to lose business.
Spoofing criminals prey on all types of businesses, from small firms to large, well-known corporations including Best Buy, UPS, Bank of America, eBay, Sony and First Union Bank (see the AOL and PayPal cases described above).
The increase in spoofing is linked to “open relay” or “open proxy” servers that let spammers send anonymous, nearly untraceable e-mail messages. Lists of loosely managed or insecure proxy servers are available online, along with tools for locating them.
Criminals use the servers to forward large numbers of e-mail messages to recipients. An open proxy server not only forwards the messages, but also inserts its own Internet address in place of the original source information, effectively covering the spammer’s tracks.
Companies have sued spammers and won, but the cases generally take a year or longer before coming to trial because of a lengthy discovery process and the tendency of cyber-criminals to change Internet companies and addresses every couple of days.
Your company needs to proactively fight spoofing. Here are some of the steps experts recommend taking:
- Notify customers and employees that any e-mail asking for personal information is suspicious and should be reported immediately to a security contact at your company. Websites should not ask to verify or update confidential information via e-mail.
- Urge customers and employees not to open e-mail or visit the websites mentioned if they receive suspicious messages. Just visiting some sites can trigger the automatic download of a virus or Trojan horse program that allows the spammer to control a computer remotely.
- Monitor Internet and spam security information resources.
- Install filtering systems that stop unwanted or dangerous messages before they hit your corporate network.
- Tighten registration procedures for your customers.
- Design e-mail in ways that cannot easily be replicated.
- Inspect every server and close any open relays.
- Tell technology staff members to look for bounces of e-mail messages that were not sent by your company and to keep an eye out for customer complaints.
- Make it known you’ll prosecute. Have a dedicated e-mail address posted on your site for reports of abuse.
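One way the security contact who receives reported messages could triage them for the two signs the article describes (a hyperlink whose “billing center” form lives at a raw IP address or outside the brand’s real domain, and a From: address whose domain differs from where bounces actually go). This is an added example, not part of the original article; the trusted domain, the addresses and the sample message are all constructed.

```python
"""Triage a reported e-mail for the spoofing signs described above."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical domains the brand really owns (assumption, not from the article).
TRUSTED_DOMAINS = {"example-bank.com"}

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.I)

# Constructed sample modelled on the PayPal/AOL scams described above.
SAMPLE = """\
Return-Path: <bounce@mail-relay.example.net>
From: "Example Bank Billing" <billing@example-bank.com>
To: customer@example.org
Subject: Verify your account
Content-Type: text/html

<html><body>
<p>Due to a recent system flush, please verify your details:</p>
<a href="http://203.0.113.10/verify">Example Bank Billing Center</a>
<a href="https://www.example-bank.com/help">Help</a>
</body></html>
"""

def _host_is_trusted(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def _host_is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def _domain(header_value: str) -> str:
    addr = parseaddr(header_value)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def triage(raw_message: str) -> list:
    """Return human-readable findings; an empty list means nothing flagged."""
    msg = message_from_string(raw_message)
    findings = []
    from_dom, rp_dom = _domain(msg.get("From", "")), _domain(msg.get("Return-Path", ""))
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(f"From domain {from_dom} differs from Return-Path domain {rp_dom}")
    body = msg.get_payload(decode=True).decode("utf-8", errors="replace")
    for url in HREF_RE.findall(body):
        host = urlparse(url).hostname or ""
        if _host_is_ip(host):
            findings.append(f"link to raw IP address: {url}")
        elif not _host_is_trusted(host):
            findings.append(f"link to untrusted host {host}: {url}")
    return findings
```

Running `triage(SAMPLE)` flags the raw-IP “Billing Center” link and the sender/bounce domain mismatch while leaving the genuine help link alone.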
In the event of a spoof attack, good PR is the first line of defense. Have an auto-reply form letter ready explaining the fraud. Acknowledge the problem and clean up the mess. Spoofing may not go away, but you can be prepared to deal with it in ways that protect your brand and your customers.