Beware Disaster-Related E-Mail Fraud
14 September 2001
Maurene Grey, Joyce Graff
 
Spammers have begun using the World Trade Center disaster as an excuse to defraud generous people of money. Spammers can't be eliminated, but here's what enterprises can do to protect themselves.

 News
Note Number:  FT-14-5178
Related Terms:  E-Mail Messaging; E-Mail Security

Event

On 12 September 2001, two Internet advocacy groups, Coalition Against Unsolicited Commercial Email and SpamCon Foundation, warned that some people have tried to profit from the World Trade Center attack by sending spam e-mail to solicit donations fraudulently.

First Take

Disasters attract spammers who prey on people's generosity, but spammers present a moving target. They often open an account with an Internet service provider, send out their e-mail and then shut down the account so that they can't be replied to or traced. Or they relay e-mail via a third party's machine to make it seem as though the spam has come from a legitimate source and to cloak the spammer's real point of origin. The e-mail messages include requests to send money to a postal address or to click on a URL and donate money by credit card. Spammers can thus collect money without being identified.

The terrorist attacks will likely ignite a flurry of Internet hoaxes and chain letters. People should suspect any message that asks them to forward the e-mail to others or that does a lot of name dropping — a favorite ploy of scam artists to gain credibility. Such hoaxes live for a long time on the Internet because unsuspecting people forward them to large lists while those who suspect fraud quietly delete them.

By itself, the use of spam blacklists, which highlight the latest victims of relay attacks, is inadequate. By the time a site appears on the blacklist, the actual spammer has moved on to the next victim. Enterprises should therefore:

  • Check the validity of e-mail offers with Web sites that track Internet hoaxes and chain letters. Such messages may carry the subject line "Express Relief Fund" or "Victims Survivor Fund."
  • Protect mail routers against unauthorized relay so that the enterprise's Internet domain does not wind up on a blacklist.
  • Advise employees to reply to those who have forwarded fraudulent messages and ask for their help in stopping the spread.
  • Warn employees to double-check legitimate-sounding groups by phoning them for verification. A list of legitimate charities appears at www.forbes.com/2001/09/13/wheretogive.html. People should use great caution when giving out credit card numbers.
  • Advise employees to treat spam as they would viruses. People should be suspicious of e-mail they didn't expect to get. If people don't know the person or group sending the e-mail asking for money, it is probably fraudulent, as most legitimate charitable organizations do not solicit people with whom they do not already have a relationship.
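
The relay recommendation above, sketched as an added example that is not part of the original note: the accept/reject decision a mail gateway applies to each recipient so that outside hosts cannot relay through it. The domain names, network ranges and function names are assumptions chosen for illustration.

```python
import ipaddress

# Assumed for illustration: the enterprise's own mail domains and internal networks.
LOCAL_DOMAINS = {"example.com", "mail.example.com"}
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.0.2.0/24")]


def recipient_domain(rcpt):
    """Return the lowercased domain of a plain user@domain recipient, or None
    when the address uses routing syntax that hides the real destination."""
    addr = rcpt.strip().strip("<>")
    # Source routes look like @relay:user@dest; refuse them outright.
    # (Conservative: this also refuses IPv6 address literals.)
    if addr.startswith("@") or ":" in addr:
        return None
    if addr.count("@") != 1:
        return None
    local, domain = addr.split("@")
    if not local or not domain:
        return None
    # user%dest@local and host!user forms ask this server to forward onward.
    if "%" in local or "!" in local:
        return None
    return domain.lower().rstrip(".")


def relay_decision(client_ip, rcpt, authenticated=False):
    """Decide whether to accept one RCPT TO from a connecting client.
    Returns (accepted, reason)."""
    domain = recipient_domain(rcpt)
    if domain is None:
        return (False, "rejected: routed or malformed recipient")
    if domain in LOCAL_DOMAINS:
        return (True, "accepted: local delivery")
    ip = ipaddress.ip_address(client_ip)
    if authenticated or any(ip in net for net in TRUSTED_NETS):
        return (True, "accepted: relay for trusted client")
    return (False, "rejected: relay access denied")


if __name__ == "__main__":
    # Constructed sample sessions: (client address, recipient).
    for ip, rcpt in [("203.0.113.9", "donor@example.com"),
                     ("203.0.113.9", "someone@other.example"),
                     ("10.1.2.3", "partner@other.example"),
                     ("203.0.113.9", "someone%other.example@example.com")]:
        print(ip, rcpt, relay_decision(ip, rcpt))
```

Only the second and fourth sample sessions are refused: both come from an outside address and would have the server forward mail to a domain it does not host.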

Web sites that publish information on e-mail hoaxes include:

  • www.spamcon.org
  • www.cauce.org/
  • hoaxbusters.ciac.org/ (sponsored by the U.S. Department of Energy)
  • www.nonprofit.net/hoax/
  • www.breakthechain.org/
  • diamond-back.com/icqlies.html

Analytical Sources: Maurene Grey and Joyce Graff, Intranets & Electronic Workplace