The Great Spam Scam

Putting a stop to e-organized crime

by Meryl K. Evans, Editor

The average worker spends at least 20 minutes a day sorting through unwanted solicitations.

The world's Internet subscribers fork over $8.8 billion dollars a year just to glimpse these box cloggers with nauseating headlines like, "Get Rich Quick," "Tired of your current job?" or "Free offer for (your name)." Not to mention the plethora of porn, useless items, and limited time vacation packages that appear.

The Business Software Alliance estimates that world-wide piracy-related losses to software industry were about $11 billion in 2001. That's just software alone.

Many companies have no idea their products are being sold on the black market or that their customers are tangled in credit card frauds thinking they ordered something from your organization and are about to receive zip. These shifty sales schemes cost companies billions of dollars each year in lost customers and sales of products and services. As kings and queens of the techie universe, we can save the Planet Company and be a hero in the earthlings' eyes.

William Plante, ASP Director, for Symantec Corporation and Robert Alberti, CISSP, President of Sanction, Inc. provide information on how spam crimes are perpetrated, what to do protect your organization, and how you techie super heroes can help.

The Ever-Increasing Spam Scam

While Aunt Margaret may have served Hormel canned pork (SPiced hAM referred to as SPAM), like it or not, you knew what was in it. With Internet spam (unsolicited bulk e-mail or unsolicited multiple postings to one or more Usenet newsgroups), you don't always know what you're getting. Some spam messages are convincing. Some are plain annoying. Whether spicy or not, many of them result in criminal offenses on a worldwide level.

Producers of a popular product, a drug like Retin-A, a best-selling software program, or a service such as a vacation package, are all economically affected by spammers. When people buy these knock-offs, legitimate companies lose money. When people order something and don't receive it, your company gets a bad name.

Two Ways Spam Costs Billions of Dollars Annually

William Plante, who formed and chaired Symantec's Brand Protection Taskforce, classifies the costly affects of spam on businesses as: 1) brand erosion and 2) revenue erosion.

Brand erosion. When someone receives spam for a particular product, repeatedly, they get irritated with a deluge of "buy, buy, buy." Unfortunately, they don't usually realize the messages are coming from people not authorized to sell these products. A company's brand name can be tarnished when its customers engage in a transaction for which they paid believing it's legitimate and then receive nothing. Eventually, they may find out you were not the responsible party, but their image of your company has already changed for the worse.

Revenue erosion. When customers buy imitations or illegitimate versions of your company's product, this decreases the revenue flow to your organization.

Spammers make their money through revenue erosions. eMarketer published figures stating an estimated 76 billion spam e-mails will be sent worldwide in 2003, with an average cost to spammers of 0.00032 cents per message. Obviously, their return on investment is high. Once they get hooked, most spammers continue scamming until they're booked for fraud.

The Bad Taste of e-Organized Crime

Most spammers are calculated members of organized crime and continue to spread it. Besides sending missives under aliases (the Federal Trade Commission calls this false representation, which is a crime), two of the other crimes related to spam are felonies and fall in these categories: 1) pirating or bootlegging software or other products (the person thinks they are buying a legitimate copy, but the one they receive is illegitimate); and 2) credit card fraud (never shipping the item). Information including credit card numbers is sometimes transmitted over an unsecured network during these transactions. The numbers can be easily stolen and later sold to other criminals on the black market.

Plante draws on his own company's experience for his diligence in helping stop spam. Last year, $41 million or nearly 600,000 boxes of quality counterfeit Symantec software such as Norton AntiVirus, Norton Personal Firewall, and pcAnywhere were seized. Regarding the biggest software incident in the industry, Plante says, "That was a turning point for us. We didn't want to ever be that blind or vulnerable to that problem again." Since that time, his company has taken many steps toward putting spammers where they belong.

Putting Spammers in the Can

In legal circles, much time and attention has been spent on eradicating spam by going to the source of the spam itself, whether the message was sent from an individual disguised as another source or from a large mail group list through yahoo.com, excite.com, or hotmail.com.

Instead of trying to legislate after the spam has been received, however, Plante recommends going to the end of the line, where the spammer gets paid. He describes the Internet as, "a wild frontier without much regulation. As soon as one e-commerce site closes down, another on opens up within hours. Because there are very few rules on the Internet, there are many ways spam can proliferate. Instead of stopping the spread of spam at the recipient, it's much more effective to turn it back on the spammer."

The Federal Trade Commission (FTC) has passed laws strengthening criminal apprehension rather than about the actual sending of spam. This supports ending spam by following the money trail and hitting criminals hard in their money belts. If a spammer receives money, you can take legal action to stop the fraud, be it black market products or credit card fraud. Plante advises, "Once you stop their revenue stream, the spam will stop."

Yet, while stopping one spammer is great, there are thousands out there. Due to the huge expense on business around the world, we urge organizations, whether small or large, to take action. One way to get started is by creating a task force.

Creating a Brand Protection Task Force

A brand protection task force lets you fight back by protecting your company's brand and monitoring all spam-related activity. This involves setting up a process to handle spam complaints and organizing a team to tackle the spam problem.

A desirability assessment is one tool useful to a brand protection task force. The assessment asks your marketing team these questions: Is your brand a household name? Has your product or services hit the level where spammers will want to steal them from you? How high is your risk for spam-related brand or revenue erosion?

Regarding determining your risk level, Plante says, "If your company is small and you don't have a popular commodity, the chance of being affected by spam is less. You may want to put some things in place, but not create a full program."

Once marketing assesses the need for this kind of a task force, the next step is to clarify the focus. This includes:

• setting up the organization

• determining how involved each task member will be

• allocating how much money will be spent on the process.

With the structure in place, your company can begin taking action with the following snuff-out-spam strategies.

Five Strategies for Protecting Assets

Whether your company sells pharmaceuticals, software, or other products, these five plans of action will help stop brand erosion and revenue loss.

1. Protect your intellectual property.

Follow these guidelines for managing the digital rights to your property and for protecting it.

• Verify everything is copyrighted and trademarks are registered. That includes registering with the U.S. Customs Service, because much of this criminal action happens overseas.

• Make formal contracts with your distributors or authorized resellers. Get it in writing that they agree not to send spam about your products.

Unfortunately, in most cases, your audience assumes you or one of your distributors is sending these spam messages about your product. Most of your customers or prospects have no idea someone completely unrelated to your sales organization would take the liberty to send a missive about your intellectual property.

2. Join industry associations.

Every member of the Internet community will be more effective working together than as individual organizations. One way to connect with other companies facing the same problem is by participating in lobbying efforts with them. If you work together, you can trade war stories and tap into additional valuable resources. Try to connect with people that share the same values your organization does. Communicate regularly about issues surrounding spam and the progress of your task force.

3. Be prepared to react.

Once you catch someone, be prepared to prosecute immediately. Spam prevention can only happen at the expense of current spammers, by taking legal steps to enforce the minimal standard out there, and prosecute those guilty of major crimes.

• Set up investigators to sleuth the problem.

• Set up an abuse e-mail address (abuse@yourcompany.com) so buyers and customers can forward spam to you.

• Report anything that affects your brand to the marketing team.

• Track the spammer down. Instead of starting at the sender of the spam, direct your search to the end result of the spam. You can do this by making a purchase. That way you will know immediately if the spam is criminal in nature. You will also know where the spammer collects his or her payment, and if the spammer is a pirate or credit card scam artist.

• If the party is guilty of pirating your product, work with that third-party payment collection company such as Visa, PayPal, or BillPay and inform them of the problem. They will then get a court injunction to cease and desist, meaning they can shut the guilty spammer down. If the party is guilty of credit card fraud, inform the third party payment company, and also inform the internet service provider (ISP). In the U.S., the ISP will immediately shut down the spammer. Other countries have different laws, however, which is one of the reasons you want to register your product with the U.S. Customs Service.

Know that if your company prosecutes legally, once you get a court injunction and win your case, you are eligible for disgorgement. This legal term means you are entitled to all of the revenue that the spammer collects. While you may not get rich, at least you'll help stop the problem at its source.

4. Establish great relationships with employees.

• This strategy relies heavily on public relations including newsletters. Part of image building, your IT branding falls under ensuring good business relations. Plante recommends the following ways to build these relationships:

• Let employees know that spam exists.

• Send employee surveys about their attitude about spam, piracy, and credit card fraud.

• Create publicity around your steps as a Spam Fighter. Position yourself as a leader in the fight representing the company's best interest. Perhaps, add an occasional article in your internal newsletter about your fight against spam or put a note that spam is not tolerated by the "unsubscribe to newsletter" information.

The reason Plante agreed to be interviewed for this story was because he wants his brand associated with the facts. He wanted to say, "Be careful, when my brand is coming across as spam, it's not our company. We're not doing that." What he's advising people to do is be proactive and get involved and let your current customers and anyone whom could be a customer know that this stuff might happen.

5. Prevent employees from spreading spam to other users.

While legislation is one way to prevent spam from spreading, Robert Alberti of Sanction, Inc., recommends using technology such as firewalls, spam filters, and virus protection to help prevent and detect fraud. Educate employees to not open spam messages and help them recognize what spam looks like.

Whether you create a spam task force or just take steps toward stopping the spread of spam in your organization, make sure you position yourself in the eyes of customers and employees as the "good guys." Regularly inform employees about the steps you're taking to put up a supercharged gate to prevent Trojan horses from breaking in and taking up their precious e-mail time.

As long as you continue to communicate with your employees, they'll realize the people in IT and throughout the Internet community don't like the taste of e-mail spam.

William Plante is ASP Director, Worldwide Security and Brand Protection for Symantec Corporation, the world leader in Internet security technology with a broad range of content and network security software and appliance solutions. In 2002, Plante formed and chaired Symantec's Brand Protection Taskforce. In this role, he was responsible for developing Symantec's strategy for identifying, assessing, and countering counterfeit and piracy threats to the company.

Robert Alberti, CISSP is the President of Sanction Inc., a team of highly-skilled business and technical experts who provide strategic, tactical, and operational guidance for all levels of an organization. Alberti's team keeps operations safer, more secure, and working efficiently. Currently, he is writing a book about protecting e bottom line with business-driven security practices.

Meryl K. Evans is an editor, wordsmith, and writer for InternetVIZ and other resources. The content maven is available for editing, writing, and pepping articles and copy. InternetVIZ is a custom publisher for companies wishing to find, acquire, and retain customers through Internet newsletters