Go phish

We have had generations of spam blockers. Yet we still have spam, lots of it, and now we have the combination of phish and spam. Why aren’t people ignoring it, so that it can go away?

The Feds have passed laws. The states have passed laws. We’ve had years of hype and dire warnings. We have had generations of spam blockers. Yet we still have spam–lots of it–and now we have the combination of phish and spam. While most spam tries to sell something, most phish tries to get something, namely your personal information. It’s all unwanted e-mail clogging our inboxes, ISP filters, and the Internet pipelines. And, of course, spam and phish are the handmaidens of fraud and identity theft.

Phishing (as in fishing) is a relatively recent development, surging onto the scene toward the end of 2003. For the most part, phishing techniques depend on mimicking Web pages and official documents. The object is to look exactly like material from a trusted source–say, a bank or an Internet provider–and then use a cheap psychological technique (such as a threat of loss of service) to elicit private information like credit card numbers. Not long ago I deleted eight messages, supposedly from my ISP, all phony, all of them phish that somehow got through my spam filter. It made me wonder: who falls for this stuff?

One theory holds that spam and phish will become increasingly sophisticated in order to capture the wary. Perhaps. But in my unscientific survey (several years of sorting through my e-mail) it seems to me that the vast majority of both phish and spam have not become more sophisticated. If anything, with the advent of spam blockers, many spam mailers have resorted to gibberish messages in order to avoid detection. One that I received the other day was nothing but random words, insults, and obscenities with one line in the middle of the message: “See what we’ve got.”

As poorly as most phish and spam are concocted, somebody must be responding. If there were no responses, eventually the spammers and the phishers would quit; their out-of-pocket expenses and time expended are minimal, but not zero. So logically, enough people are buying from spammers and falling for the phisher’s tricks to keep these scavengers in business. However, it may be worse than just a few bad guys staying in business. Numerous studies continue to quantify the damage in terms of losses incurred by banks and credit card companies thanks to consumers who took the phishers’ bait, and it’s often in the billions.

That much money must mean that quite a few people have been hooked, but I’ve only read a couple of anecdotes to back that up; I’ve never actually met anybody who was phished and defrauded. So for a few days, like a travesty of Diogenes, I set out to find someone who was phished. I started with friends–no luck there. Then I began asking among colleagues, most of whom looked at me like I’d suggested they were spouse beaters. A husband and wife among my colleagues said they had never been suckered by a phish, but they believed they knew somebody who had. I hoped they would give me contact information, but they never did. They only wanted to confirm my notion that somebody was falling for phish, but they didn’t want to embarrass anyone by naming names.

After that, I realized I was fighting a losing battle. Phishing victims exist, but few will admit it. I can see why; people caught by a phisher feel there’s a hint of being one of those born every minute.

A phish e-mail, by definition, is fraudulent. This is not true of all spam; some spammers will actually deliver what they sell. In fact, the line here between “spam” and “legitimate advertising” is thin. We do not know what percentage of spam is fraudulent; intuition says it’s high, but does that mean 30 percent or 90 percent? As you go up the scale from no risk to certain fraud (call it each buyer’s threshold of risk aversion), there’s a point where some people will take a chance on purchasing from a spammer–if the offer is for something they really want at the right price. Those who take the chance become the engine that drives the perpetuation of spam.

We all have some expertise at detecting something phony, but I’ve seen more than a few phish messages that look exactly like their mimicked source. Even the clever phish have tell-tale signs (the URLs they contain have irregularities: a link whose visible text names the bank but whose real target is somewhere else, a raw IP address where a hostname should be, or the bank’s name buried inside a stranger’s domain), but most people don’t spot this. So, just as there is a point of temptation in spam, there is an effective combination of a genuine-looking message and a natural incentive to check into that PayPal account that might be in trouble. Sure, most spam and phish are obvious and unappealing to most people, but admit it – haven’t you at least considered responding?
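The URL irregularities mentioned above are mechanical enough to check by hand or by script. What follows is an added example, not code from the original column: it pulls every link out of an HTML e-mail body and reports the tell-tale signs for each one (userinfo before the real host, a raw IP address, plain http, a host outside the brand’s own domain, and link text that shows one address while the href goes to another). The sample message, the “brand domain” paypal.com, and the two-label domain heuristic are all assumptions made for the demonstration; a real filter would use a public-suffix list.

```python
"""Flag tell-tale URL irregularities in the links of an e-mail body.

Added example; the sample message below is constructed, not a real phish.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body imitating an account-limitation notice.
SAMPLE_HTML = """
<p>Dear customer, your PayPal account has been limited.</p>
<p><a href="http://www.paypal.com@203.0.113.5/webscr">https://www.paypal.com/webscr</a></p>
<p><a href="http://paypal.com.account-verify.example/login">Restore access</a></p>
<p><a href="https://www.paypal.com/help">Help centre</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' heuristic (assumption: no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def url_irregularities(href, visible_text, claimed_domain):
    """Return a list of human-readable findings for one link."""
    findings = []
    u = urlsplit(href)
    host = u.hostname or ""

    if u.scheme != "https":
        findings.append(f"non-https scheme {u.scheme!r}")
    if u.username is not None:
        # http://www.paypal.com@203.0.113.5/ : everything before '@' is ignored by the browser
        findings.append("userinfo before host (text before '@' is not the site)")

    try:
        ipaddress.ip_address(host)
        is_ip = True
        findings.append("raw IP address as host")
    except ValueError:
        is_ip = False

    if host and not is_ip and registrable_domain(host) != claimed_domain:
        findings.append(f"host {host!r} is not under {claimed_domain}")
        if claimed_domain.split(".")[0] in host:
            findings.append("brand name embedded in a different domain")

    # Visible text that looks like a URL or domain but does not match the real host.
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", visible_text.lower())
    if m and host and registrable_domain(m.group(1)) != registrable_domain(host):
        findings.append(f"link text shows {m.group(1)!r} but href goes to {host!r}")
    return findings


def scan(html, claimed_domain):
    """Map each href in the body to its list of findings."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: url_irregularities(href, text, claimed_domain)
            for href, text in parser.links}


if __name__ == "__main__":
    for href, findings in scan(SAMPLE_HTML, "paypal.com").items():
        print(href)
        for f in findings or ["no irregularities found"]:
            print("  -", f)
```

Run against the sample, the two fraudulent links light up (the first for its userinfo trick, IP host, plain http and mismatched link text; the second for plain http and the brand name hidden inside another domain) while the genuine help-centre link comes back clean. The “not under the brand’s domain” check is only as good as what the reader believes the brand’s domain to be, which is exactly the validation the column asks for.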

Spam and phish are not going away because there will always be someone to answer their siren call. That’s the kind of thinking that drives the spam-blocker industry and the legal efforts: There will always be victims, so the best solution is to attack spam and phish with technology and laws. I used to agree with that line of thinking, but as the months and years go by and the level of dreck in my inbox continues to rise, I’m not so sure.

Somewhere, personal responsibility has to enter the picture. Technology like spam filters and punishment of phishers are necessary, but a lot of proactive good might be done if we all applied a few rules. The first rule is very simple: Never buy from a spammer. If you see something you really want, you can almost certainly get it somewhere like a store or an accredited online outlet. If the price is that good, it’s probably a fraud. The rule for phishing is also straightforward: Never enter personal information online without validating the recipient. This is much like any online transaction: You have to trust, but trust comes either from experience or something like a phone call to confirm the message.

The key to rejecting spam and phish is remembering that they come in unexpected messages. Unless you have an explicit relationship with a company so that they may send you advertising or ask you to update your information, then any unexpected message from that company (or any other company) is suspect. So start with a definition: Spam is any request or solicitation not explicitly permitted. Then the two rules are, never respond to spam and never give personal information to an unvalidated source. Like any rule of thumb, this approach isn’t exception-proof, but it should make responding to a spammer or phisher less likely.

If everybody used rules like these, spam and phish would die out. I won’t pretend that everybody who uses e-mail will get this message and adopt the rules. But lately I haven’t seen much about individual responsibility for dealing with spam and phish. It can’t hurt to remind people to include the personal as well as the technological and institutional approaches. When it comes to prevention, we might as well draw on the whole kettle of phish.

