ANALYSIS: Fighting spoofing at the front line

Online identity is key for brands. Unfortunately, protecting it is becoming more difficult with spammers - in some cases, people looking to steal money or financial details - forging or 'spoofing' identities.

Barclays is the latest high-profile brand to be hit. Scam emails that appear to have been sent by the bank try to fool people into handing over their personal account security details. Customers who receive the emails are encouraged to enter details into fraudulent sites, which appear to belong to Barclays but do not. A Barclays spokeswoman says the bank has taken necessary action against the fraudulent sites and closed them.

Meanwhile, Amazon.com is filing 11 lawsuits in the US and Canadian courts to stop email spammers, which it claims have been fraudulently using its identity to send out spam purporting to be from Amazon.

Spoof emails look as if they have come from an established brand. Spammers have worked out that users are more likely to open them if they seem to be from a reputable firm. Ironically, the bigger and more familiar the brand, the more likely spammers will want to spoof its identity. Technologically, it's easy.

"The problem with spoofing is that a spammer identifies a well known and acceptable domain and then uses it as the notional sender," explains Jon Tullett, UK editor of Haymarket's SC Magazine, which writes about technology security issues.

"They realise that if they substitute the gibberish in the sender box with a legitimate firm, people don't throw the email away and therefore they get a higher opening rate," says Ivan Southall, commercial director at IPT, a direct-marketing services company. "Spoofing seems to be a growing trend, which is why brands such as Amazon are trying to protect their image."

Southall says these spam emails give the impression they are selling a brand-endorsed product as "it's an association with that brand". And he says the practice has been increasing in the last month or so.

For now, the spam industry and the people attempting to stop it are locked in a kind of arms race. The moment the spammers come up with a way of avoiding filtering systems, the ISPs hit back, only for the spammers to come up with ever more devious approaches.

"The spam industry has existed because you can't legislate against something until somebody does it," points out Southall. "Likewise, you cannot guard against something until you know what you are trying to guard against. There will always be windows of opportunity as long as we have people around who can make money out of doing these kinds of things."

Stopping spoofing is tricky. "It happens all the time," Tullett continues. "It's easy to do and quite difficult to stop." According to Southall, it's almost an impossibility: "Legitimate companies have to spend time and effort tracking down who's doing it, and then prove it, before they can claim damages."

Pete Simpson, ThreatLab manager at content-security firm Clearswift, is more positive about the situation. "Amazon's lawsuits are going to nip this kind of thing in the bud. It's a simple case of impersonation, not classic spam. It's actionable," he says.

It is possible to track down each step in an email header to find where it originated. But, says Simpson, a lot of people use email redirection services, which means a message's origin may be different from where it says it's from. "If you jumped to the conclusion that an email was spoofed, in many cases you'll be wrong," he adds.
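The header trace and the redirection caveat described above, as an added Python example that is not part of the original article. The message, hosts and addresses are constructed, and the function names are hypothetical; Received lines below your own mail servers can be written by the sender, so a match shows consistency, not proof.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a bank message relayed through a redirection service.
# All hosts and addresses are invented (.example names, RFC 5737 addresses).
SAMPLE = """\
Received: from mx.forwarder.example (mx.forwarder.example [192.0.2.10])
\tby mail.recipient.example with ESMTP; Tue, 2 Sep 2003 10:00:05 +0000
Received: from smtp.bank.example (smtp.bank.example [198.51.100.7])
\tby mx.forwarder.example with ESMTP; Tue, 2 Sep 2003 10:00:02 +0000
From: Customer Service <service@bank.example>
To: alias@forwarder.example
Subject: Statement available

Body text.
"""

# "from <host> ... by <host>", tolerating folded (multi-line) header values.
HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)

def received_chain(raw):
    """Return (from_host, by_host) hops ordered from origin to final delivery."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP.search(value)
        if m:
            hops.append((m.group(1).lower(), m.group(2).lower()))
    # Each relay prepends its own line, so the oldest hop is the last header.
    return list(reversed(hops))

def hop_matches_from(raw, index):
    """True if the sending host of hop `index` belongs to the From: domain."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    chain = received_chain(raw)
    if not chain or not domain:
        return False
    host = chain[index][0]
    return host == domain or host.endswith("." + domain)

if __name__ == "__main__":
    for sender, receiver in received_chain(SAMPLE):
        print(f"{sender} -> {receiver}")
    # Looking only at the server that delivered the message flags a mismatch...
    print("delivering hop matches From:", hop_matches_from(SAMPLE, -1))
    # ...while the full chain shows the redirection service sat in between.
    print("earliest hop matches From:", hop_matches_from(SAMPLE, 0))
```
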

And there's another problem: often, people selling goods are not spammers themselves, according to Simpson. Retailers using spamming services can be easy to track down because they have to identify themselves at some point to conclude a sale. It's the middlemen, the actual spammers, who often remain anonymous. "They don't close the loop with a product to sell," says Simpson. "They are acting as middlemen and taking a commission on sales."

And while spoofing is clearly a nuisance, there is another more sinister practice, known as 'phishing' - setting up fake web sites with the purpose of user-identity theft. This is the sort of practice that affected Barclays. "There is a significant difference between spamming and trying to obtain credit-card details for fraudulent purposes," Southall adds.

"The best thing brands can do is respond quickly and have a clear line of reporting," suggests Simpson. "Brands need to have a prominent security message for users, explaining that they never solicit credentials via email. And they need to give a phone number that users can call if they are in any way suspicious about something."

Simon Newman, head of internet banking at Barclays, adds: "Customers should never divulge any personal information or reply to any emails that they feel are suspicious. Customers can be reassured that in the very unlikely event that they are a victim of fraud on their account, any losses will be covered by Barclays, whatever the amount."

Newman says that Barclays' systems have not been compromised in any way and that the bank is taking appropriate action against the fraud and working with the police. "We are notifying all our online banking customers of this attempted fraud and are reminding them of the security measures they should follow when accessing online services," he says.

In the constant fight against spoofing and phishing, and their connection with spam, Simpson has some words of caution about schemes that ask for proof of identity that would allow authorities to deny spammers the use of email.

"Then, anyone could be denied its use. This raises serious civil rights implications, particularly for those resident in countries keen to curtail those rights," says Simpson. "On balance, we may be better served by adapting to meet the challenges of spoofed identities, as well as learning to use multiple aliases to our own advantage."

TIPS FOR MANAGING YOUR EMAIL IDENTITY

1. Keep tight control of your professional email identity and use it strictly for work only. Employers should make this an essential requirement of their firm's email use policy

2. Never be tempted to 'unsubscribe' from spam: you merely confirm the spam has hit a valid address

3. Use a separate identity for personal communications

4. Adopt disposable identities for all other purposes on the internet, especially on usenet groups. Select long email names (more than eight characters) to escape brute-force guesswork. Mix letters and numbers

5. Obtain your disposables from a trustworthy source, such as Yahoo!, Hotmail or Netscape, as some free email services will sell your 'free' address to spammers

- Thanks to Pete Simpson, ThreatLab manager, Clearswift.
