The mark of a good scam is that
you fall for it. By the time this happens,
of course, it is usually too late to
retrieve your money, or your dignity, or
whatever else you may have lost. Indeed, in
the very best scams you may not even
realise that something has gone missing.
The mark of keen professionals
involved in Information Risk Management
is a tendency to hold deep suspicions about
life and the universe in general, and technology
in particular. Not for us the cheerful handing over of
credit card numbers or bank details, in response to a plausible email
from Africa. The spurious virus warning, the latest urban legend,
all these things bring only a wry smile to our lips. We spot
these things a mile off. We are the great Guardians of Disbelief.
This kind of drift into
complacency needs, perhaps, to be challenged
from time to time. One way of doing this is to take a
look at some of the many web sites which catalogue Internet ruses,
hoaxes and scams. Many of the incidents which are cited are
sketchy and anecdotal. However, they should not be underestimated
as a source of ideas. For example, what kind of
stories does it seem that people want to
believe? Do the stories actually suggest
ways in which fraud might be attempted in your business?
Take the case of the employee with
the wheelbarrow.
Every night for twenty years, an
employee left the factory pushing a
wheelbarrow full of waste materials. On the day of
his retirement, the guard told him: "I’ve seen you walk out
of here every night, and I know you’ve been stealing something.
But I can’t for the life of me see what it is!"
"Wheelbarrows" said the employee.
This is a classic tale of
misdirection, which prompts some interesting
thoughts when you are looking at ways of regulating traffic
through a firewall, or policies on Internet access. It tells you
never to assume that something is innocent because it is familiar.
It makes you think laterally about the risks which you may
be facing. Other stories can have a more direct relevance, such as the
one about the embarrassing Post-it.
A tourist complained to an
airline about finding cockroaches on one
of their aircraft during a flight. He received
a lengthy and apologetic letter, explaining how concerned the airline
was about this problem, and the measures
they were taking to eliminate it. Unfortunately, he
also found, stuck inside the envelope, a Post-it note which
had been written by the PR manager to his secretary.
This read: "Just send this jerk the standard cockroach
letter".
This too has some electronic
parallels. For example, the Word document
that you are sending your client as an attachment may
carry all kinds of buried information about previous drafts (tracked changes,
author details and revision history), or even perhaps some scurrilous
annotations by your colleagues in the reviewers' comments. Constant hitting
of the email "reply" button is also a good way of forwarding a whole sequence
of messages which have stacked up between various senders, perhaps going back
a lot farther than you intended.
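As an added illustration, not part of the original column, the following Python scans a Word attachment for exactly the kind of buried material described above before it goes out of the door. It assumes the modern .docx format (a zip archive of XML parts) rather than the older binary .doc; the sample document it inspects is constructed inline with a deleted sentence, a reviewer's comment, hidden text and revision metadata, and is only a fixture containing the parts the scanner reads, not a complete Word file.

```python
"""Scan a .docx for content the sender probably did not mean to ship:
core metadata, reviewer comments, tracked changes and hidden text.
Assumes Office Open XML (.docx). The sample document below is a
constructed fixture, not a real Word file."""
import io
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
CP_NS = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC_NS = "http://purl.org/dc/elements/1.1/"
W, CP, DC = ("{%s}" % ns for ns in (W_NS, CP_NS, DC_NS))


def _text(elem, tag):
    """Concatenate the text of every <w:tag> descendant of elem."""
    return "".join(t.text or "" for t in elem.iter(W + tag))


def inspect_docx(data: bytes) -> dict:
    """Return everything a recipient could dig out of the document bytes."""
    findings = {"metadata": {}, "comments": [], "insertions": [],
                "deletions": [], "hidden": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if "docProps/core.xml" in names:          # author / revision metadata
            core = ET.fromstring(zf.read("docProps/core.xml"))
            for ns, tag in ((DC, "creator"), (CP, "lastModifiedBy"),
                            (CP, "revision"), (DC, "description")):
                node = core.find(ns + tag)
                if node is not None and node.text:
                    findings["metadata"][tag] = node.text
        if "word/comments.xml" in names:          # reviewers' annotations
            for c in ET.fromstring(zf.read("word/comments.xml")).iter(W + "comment"):
                findings["comments"].append((c.get(W + "author", "?"), _text(c, "t")))
        if "word/document.xml" in names:
            doc = ET.fromstring(zf.read("word/document.xml"))
            for ins in doc.iter(W + "ins"):       # tracked insertions
                findings["insertions"].append((ins.get(W + "author", "?"), _text(ins, "t")))
            for dele in doc.iter(W + "del"):      # tracked deletions keep the old words
                findings["deletions"].append((dele.get(W + "author", "?"), _text(dele, "delText")))
            for run in doc.iter(W + "r"):         # hidden text: a run marked <w:vanish/>
                rpr = run.find(W + "rPr")
                if rpr is not None and rpr.find(W + "vanish") is not None:
                    findings["hidden"].append(_text(run, "t"))
    return findings


def is_clean(findings: dict) -> bool:
    """True when only the visible text would reach the recipient.
    Metadata is reported but left for the sender to judge."""
    return not any(findings[k] for k in ("comments", "insertions", "deletions", "hidden"))


def build_sample_docx(leaky: bool = True) -> bytes:
    """Constructed fixture containing just the parts inspect_docx reads."""
    core = (f'<cp:coreProperties xmlns:cp="{CP_NS}" xmlns:dc="{DC_NS}">'
            '<dc:creator>A. Drafter</dc:creator>'
            '<cp:lastModifiedBy>PR Manager</cp:lastModifiedBy>'
            '<cp:revision>17</cp:revision></cp:coreProperties>')
    body = '<w:r><w:t>Thank you for your letter about the cockroaches.</w:t></w:r>'
    if leaky:
        body += ('<w:del w:author="PR Manager"><w:r><w:delText>'
                 'Just send this jerk the standard cockroach letter.'
                 '</w:delText></w:r></w:del>'
                 '<w:ins w:author="PR Manager"><w:r><w:t>'
                 'We take such reports very seriously.</w:t></w:r></w:ins>'
                 '<w:r><w:rPr><w:vanish/></w:rPr><w:t>draft 3 - do not circulate</w:t></w:r>')
    document = f'<w:document xmlns:w="{W_NS}"><w:body><w:p>{body}</w:p></w:body></w:document>'
    comments = (f'<w:comments xmlns:w="{W_NS}"><w:comment w:id="0" w:author="Colleague">'
                '<w:p><w:r><w:t>Is the 3% figure right?</w:t></w:r></w:p>'
                '</w:comment></w:comments>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("word/document.xml", document)
        if leaky:
            zf.writestr("word/comments.xml", comments)
    return buf.getvalue()


if __name__ == "__main__":
    found = inspect_docx(build_sample_docx())
    for kind, items in found.items():
        print(f"{kind}: {items}")
    print("safe to send" if is_clean(found) else "DO NOT SEND: hidden content present")
```

Run against a real attachment with `inspect_docx(open("letter.docx", "rb").read())`; the deleted sentence in the sample is the electronic equivalent of the Post-it note, still sitting in the file after the visible text has been tidied up.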
Needless to say, the above stories
have been taken from hoax and scam web
sites. Here is another one, aimed more simply
at scaring readers. When you go to an
automatic teller machine to make deposits,
make sure you don’t lick the deposit envelope. A
customer died after licking an envelope at Yonge & Eglinton.
According to the police, Dr Elliott at the Women’s
College hospital found traces of cyanide in the lady’s
mouth, and the police traced the fatal poison to the glue
on the envelope. They then did an inspection of other
envelopes from other teller machines in the area and
found six more.
Such "urban myths" can
gather momentum quickly, because of the
speed with which they are passed on via the Internet. The
best stories are intriguing, scary, and full of circumstantial detail.
Some, like the tourist who was drugged and relieved of a
kidney, or the cinema-goer stabbed with an AIDS-infected needle,
have re-surfaced countless times, with different alleged
victims and settings. The appeal to morbid curiosity is much
the same as that exploited in the heading of a hoax virus email,
where the aim is to make people feel guilty if they do not
take immediate action to warn their friends or colleagues.
A useful introduction to urban
myths, with examples of some of those that
have stood the test of time, can be found at
www.urbanlegends.about.com
A more systematic directory of stories
currently doing the rounds can be found at a site run by the
Computer Incident Advisory Capability of the US Department
of Energy, at www.HoaxBusters.ciac.org.
The CIAC site provides pointers for some,
but not all, of its stories, for those who
want to find more about the supporting evidence (or lack of
it). Ultimately, of course, it is unlikely that any story can ever
be completely disproved. The "Urban Legends
Reference Pages" at www.snopes2.com
wrestle with this problem. Each story is
given a colour-coded rating. This may be simply "True" or
"False". Many of the ratings, however, are in between, denoting
"undetermined or ambiguous veracity", or "indeterminate
origin".
For hoax viruses, a good source of
reference is again the CIAC site (above).
Details of around 140 hoax viruses can be found
at www.symantec.com, while nearly
twice as many are indexed at www.europe.f-secure.com.
Being able to identify a hoax or
legend does not of course enable you to
stop it in its tracks. By the time you have discovered
its arrival, it may have been forwarded to half the staff
in the company. However, it can be useful to be able to show
just how old and tired a particular story is, with a view to
embarrassing everyone who enthusiastically passed it around.
Hoaxes waste time and create
anxiety, but e-commerce scams are intended
to cause more direct damage. For example,
one recent survey of Internet vendors found that fraudulent
transactions accounted, on average, for a loss of about
3% of revenues (see www.cybersource.com).
Both are worth keeping track of, and a good first port
of call for reference material is the site
run by the US Federal Trade Commission at www.ftc.gov.
The FTC has now brought a number of successful prosecutions
for Internet fraud, and also tracks the steady stream
of complaints that it receives from consumers. Coverage of
e-commerce issues is to be found mainly in its pages on Consumer
Protection. The FTC provides a list of "Top 10 Dot Cons",
concluding each one with a simple piece of advice for consumers.
It also nominates a "Dirty Dozen" of the scams most likely
to arrive via bulk email. There is a search facility that can be
used to find details of the FTC's position papers and submissions
on matters such as cramming, identity theft and cross-border
Internet fraud.
The Scambusters site at www.scambusters.org
offers another view of the current
"Top 10 Scams", and provides a free
monthly newsletter which is also archived on the site. This site
is well presented and has a search facility, but the material is
of variable quality, and much of it is very specific to cases and
legislation in the USA.
A site operated by the US National
Consumers League at www.fraud.org
has useful information on the problems which can
arise with on-line auctions. However, it is generally a bit haphazard
in its coverage. The UK Consumers’ Association has a
limited amount of advice for on-line shoppers, at www.which.net,
which tries to steer a rather less alarmist course
than some of the other sites.
Finally, for those who would
prefer to download a report on techniques
available to combat Internet fraud, a Fraud Prevention
Guide can be obtained in Adobe format from www.clearcommerce.com,
on registering with your name and address.
This just leaves the question of
ultracrepidation. Learned readers of this
journal will know that this means giving advice which
goes beyond the scope of your expertise. Web sites frequently
seem to ultracrepidate. At least, this may or may not be
the right word to describe what they do. For example, a common
thread in advice on web fraud is that statements should
never be taken at face value, but should always be carefully
checked out. Yet the same site may offer absolutely no
evidence or authentication for the claims it is making.
Such are the paradoxes of the
Internet. Is it possible that an anti-hoax
web site might actually be hoaxing you? Or could it be
well out of its depth in terms of the technical information it provides?
If so, would it be ultracrepidating? Or would another word
be more appropriate?
If you can help to resolve this
question, please do send your comments to
the Journal Editor. (But beware. You have no reliable
information as to who, or where, he is. Could it be that he
is just another Internet hoax?)
Andrew Hawker can be contacted at the University of
Birmingham on 0121 414 6675 or by email A.Hawker@bham.ac.uk