Readership Survey
E-mail scams, hoaxes on the rise around the world, campus users urged to delete suspect messages
BY ANDREW VOWLES
Doug Blain just won $2.5 million in an online lottery draw. So says the e-mail that arrived on his desktop one recent morning, the one greeting him as a “Lucky Winner.” All he needs to do now is reply with some personal information, and the manager of information technology security in Computing and Communications Services (CCS) will be on his way to early retirement. Or not.
If nothing else, the message provides a timely illustration of one of Blain's pet peeves: the growing problem of e-mail scams.
“We're the same as every other organization,” he says. “We're struggling with how to address it. It's a huge problem worldwide.”
You've seen them in your own inbox. Messages such as Blain's, promising instant riches through online lotteries. Letters asking for help in transferring money from a developing country. Notes purporting to be from a bank looking for account information. Or seemingly well-intentioned but phony messages, such as a hoax that recently engulfed someone at U of G.
The person had received an e-mail warning that a company's outlets might be selling termite-infested mulch from trees downed by hurricane Katrina. She shared the message with friends by forwarding it, and her U of G e-mail signature was automatically attached. Subsequently, the message was altered to include a U of G warning heading while still including her name and University phone number, making the e-mail seem more legitimate. This “legitimate” e-mail then circulated North America, and after receiving numerous phone calls, she had to put a message on her voice-mail to explain what had happened and that the e-mail was a hoax.
“That's the problem with hoaxes,” says Blain. “You take the content of e-mail at face value, and you should never do that.”
After checking Google for keywords — termites, compost, hoax — he found that a false letter had indeed been making the rounds.
“Although people want to be helpful and pass along an interesting article they received, they should practise due diligence before forwarding any e-mails.”
The mulch mail and other electronic-age urban legends can cause embarrassment to individuals and increase costs or affect sales for an organization. (In the mulch case, the company ended up publishing its own statement and notifying customers that its product was safe, according to the Toronto Star.) But even the most innocuous-seeming of bogus e-mail carries costs.
Computer disk space is taken up in receiving and storing messages. Other costs range from employee time (cleaning out inboxes, retrieving legitimate messages erased mistakenly by gun-shy users) to what Blain calls the “chilling” effect of consumer distrust of electronic commerce.
It's recently been estimated that up to 85 per cent of e-mail received by some companies consists of junk e-mail known as spam. “Being able to use e-mail for business is getting harder and harder because the noise from junk e-mail is driving it out,” he says.
Beyond inconvenience or embarrassment, fraudulent e-mail may prove more costly for unwitting or vulnerable recipients. High on Blain's watch-out list are scams intended to bilk unwary recipients out of money, including written pleas for help in releasing funds from a developing country (often called a “419 scam” after the area code of Nigeria, where many of these e-mails originate). According to one estimate he saw recently, this particular scheme has cost victims an average of about $5,000 each and, in some cases, up to hundreds of thousands of dollars.
Another example is that lottery e-mail he received. Typically, the message announces that the recipient has won a substantial sum of money but must first provide financial or banking information or even send money to claim the prize. “You get suckered in,” says Blain.
An automatic scan of the message content using a spam filter (“SpamAssassin”) used by CCS turns up various red flags, including misspellings, mentions of millions of dollars, similarity to Nigerian spam messages and numerous exclamation points. A few more keystrokes and he narrows down the source to Taipei, where he figures a home computer has likely been infected and commandeered by the fraudster.
Another class of e-mail hoaxes is “phishing,” or sending a seemingly legitimate e-mail designed to pry personal information out of recipients, particularly credit card or bank account information. These appear as authentic messages complete with official corporate logos and names — such as Chase Manhattan, eBay, Royal Bank and PayPal — that appear to lead to a legitimate site. (A more sophisticated version, called “spear phishing,” allows the perpetrator to use the recipient's name or other personal information in the salutation, lending the message more authenticity.)
Although CCS filters prevent a lot of outright spam from reaching your desktop, these kinds of messages sneak in under the guise of legitimate mail. Why not simply set the filter to block any message purporting to be from, say, the Royal Bank? The answer is obvious, says Blain. “The more restrictive the University gets, the greater the risk of blocking legitimate mail.”
A key rule is that banks never send information requests online, he says. “If you get a ‘Dear Customer' request, alarm bells should go off right away.”
Robin Begin, director of Campus Community Police, says her department has received no complaints of e-mail fraud.
“People have phoned and asked whether or not an e-mail was legitimate or had concerns about how legitimate the message looked, and we've had calls where people were getting them over and over again, but I don't know of anyone who has actually been defrauded on campus.”
Blain suggests that users delete suspect e-mails and not forward anything they haven't verified as authentic. They should also delete fraudulent letters and not try to contact the sender. You can report suspect e-mails to reportphishing@antiphishing.org, a group that can shut down fraudulent websites.
Blain notes that bogus e-mail can be opened without corrupting software or hardware, unlike computer viruses or worms. U of G's filters stop virus-tainted messages from entering campus computers.
The incidence of viruses on campus has fallen tenfold over the past two years, he says.
