Pirates of the web

If you're like me, this year you plan to do more shopping online. Analysts such as Forrester Research predict that U.S. online retail sales will reach $33 billion in 2007, a 21 percent increase over last year.

Employers must face the fact that much of this shopping takes place from the office. Two years ago, BusinessWeek reported that 58 percent of people do most of their online shopping at work, and I'm sure not much has changed since then.

At the same time online retailers celebrate, so do online criminals. A new breed of criminal is emerging, which we call Pirates of the Web. These crafty thieves hide out in dark corners of cyberspace and attack from multiple angles, stealing valuable personal information. Even savvy computer users fall victim to their scams.

McAfee Avert Labs says that one in four Americans are exposed to online identity thieves. While compromising an individual's personal identity is bad enough, if it happens at work, it can put an entire business network at risk.

Spam — the pirates' hook

Many people think of spam as a nuisance, clogging email boxes with unwanted—yet valid—advertisements for products and services. However, spam has also become a hook for phishing scams, which are anything but valid.

If you click on a “legitimate” spam message, the worst that might happen is that you'll invite more spam. But if you click on a phishing spam message, you might be opening a virtual can of malicious worms. Spam has become a tool used by sophisticated pirates to target unsuspecting consumers. It's a major threat to individuals and businesses alike.

When it comes to managing spam, the mantra has traditionally been just don't click on it! But web pirates have become so sophisticated in employing social engineering techniques that many people don't realize the evil nature of some emails. For example, it's easy to identify an email about Viagra as spam, but what if you get an email from a site you've shopped at in the past? What if it's an invitation from a friend to check out a cool video on YouTube? That shopping site is trustworthy, right? The YouTube email is from a friend, so there's no harm in checking out the video, right?

Wrong. YouTube was hacked earlier this year to distribute malware—and not for the first time.

The danger of clicking on emails from online retailers is that they might take you to a site that has been compromised by web pirates. And if that's the case, those pirates could install spyware or a Trojan on your machine, which could in turn infect your company's network. Consumers looking for good deals online are especially vulnerable to these types of emails. With phishing kits selling for as little as $30 USD, the pirates sending them out aren't going away anytime soon.

The answer? Maintain a holistic view—and be wary

Short of restricting employee internet access completely, what is the solution? It's important to look at the problem from a holistic perspective. The tricks pirates use are interlinked, so any defense must be as well. Implementing a spam solution alone won't halt phishing, and implementing a phishing solution alone won't stop spam.

If you somehow manage to stop all the spam and phishing emails from coming in, your employees might still visit a legitimate site that has been compromised. Even Google can't track every site that appears on its searches, and your network might end up infected anyway. All it takes is one innocent visit to a malicious page, and your network could be in serious trouble without the right combination of technologies in place. Companies need an integrated defense that includes protection against attacks. This integration can also simplify a company's security policy and increase its level of protection.

On the end-user side, caution is the key. Here are some tips for staying safe:

  • Always look at the sender of the message, and if you don't recognize the name, do not open it.
  • Never click on a link that comes in an email. If you want to know what's behind the link, you can mouse over it and see the origin. If you really want to open it, open a new browser window and type the URL into it. Do not copy and paste.
  • Don't unsubscribe from a mailing list you haven't subscribed to in the first place.
  • Type in your email address on Google or Yahoo. If it shows up on numerous sites, you're at risk for malicious spam.
  • Don't put your email address out all over the Web, and if you have to put it on a site, spell out DOT COM when you can.
  • Download a product that alerts you to malicious sites.

The more people shop online, the more web pirates will look for ways to deceive them. The bad guys have gotten smarter, but so have the good guys, and the pirates can be beaten. Consumers must be careful, and businesses must take a holistic approach to their security solutions. But the technology exists to drive these bandits out of cyberspace, and we should not stop until they're long gone.
