The latest trend in spam and identity theft is called brand spoofing. The spam has no traceable return address and appears to be sent from a large company seeking information from its customers. Pretending to be a large business, say Sony, BestBuy or eBay, which has a relationship with the user, the spammers ask for critical password, user names and credit card information.
It's both spam and identity theft. But now there's a heightened level of sophistication to the trickery being used to fool people into giving up critical personal information. And it has the potential to not only empty people's bank accounts but to sully a company's reputation.
''This is extremely dangerous,'' says Susan Larson, vice president of global product content at SurfControl Plc, a London-based Web and email filtering company. ''It's like organized crime on the Internet... They use the name of a large company and the idea is that with a large spam attack, at least some of the people receiving the spam will have done business with that bank or retailer or company. It gives it an air of legitimacy that is fooling people.''
Larson says brand spoofing spam is generally looking for account information, passwords, user names and credit card information. The spam recipient is usually asked to click on a link to a page that has been doctored up to look like an official company page, or they're asked to send a reply email with the requested information.
''The idea of being able to completely mask who you are, being able to blast emails to large numbers of people who might have a connection with these companies is all fairly devious,'' says Larson, adding that they first saw signs of brand spoofing in late February or March but it's since been picking up speed. ''They only have to get a very small hit to do some damage and make some profit on this one.''
But the damage isn't being limited to a consumer's checkbook. Ray Everett-Church, chief privacy officer for Philadelphia-based ePrivacy Group, Inc., says these new attacks are quick to damage a company's sacred name.
''Any time you have spam masquerading itself as coming from a legitimate source, it can severely damage the brand name being spoofed,'' says Everett-Church. ''This is a company's brand. This is their business... Anytime somebody is using your brand in a way they're not authorized to, it's a problem.''
Everett-Church says IT managers need to be aware of the earliest warnings signs that something is amiss.
''You have to be extremely vigilant in all of your customer-facing activities,'' he notes. ''Be on the lookout for reports of strange emails -- anything that might suggest your brand is being spoofed. If you receive strange bounced emails, a lot of attempts to visit a Web page on your site that doesn't exist, or if people go first to a page deep in your Web site without going to the homepage and navigating through, these are all telltale signs.''
Everett-Church recommends that IT managers sit down with business executives and compose an email to customers. They should warn customers of the brand spoofing problem and make them aware that they will never ask for people's private information or passwords via email. Warn them not to go to a Web site if they're not entirely sure it belongs to the legitimate organization. Educate customers about the company's normal practices, and give them easy-to-use feedback channels to report suspicious emails.
SurfControl's Larson also recommends that IT managers make sure employees are educated about spam and fraudulent emails.
''IT managers need to make employees cyber security aware and spam savvy,'' says Larson, who adds that a recent SurfControl survey showed that 90 percent of IT managers do not do any employee education. ''Make them aware of the latest spam trends and make them aware of what information they should never pass on.''