E-mail Scams
Ethical Dilemmas in this Chapter:
Monetary Gain
Identity Theft and Scams for Personal
Information
E-mail Chain Letter
Introduction
E-mail scams are rampant on the Internet and most people do not know what to
do when they receive them in their e-mail box. Unfortunately, many have fallen
victim to them. Individuals who are scam savvy just delete and forget about
them. However, some scams can fool even the most competent and aware individual.
The following is a sample of such a scam that is sure to catch unsuspecting
people off guard. In this example, the scammers pass themselves off as the
Federal Deposit Insurance Corporation (FDIC) and use real federal government
agent names.
-------- Original Message --------
Subject: Important News About Your Bank Account
Date: Mon, 26 Jan 2004 15:25:18 -0400 (EST)
From: FDIC <Rajinderpal_Arsavir@aol.com>
To: <XYZ@aol.com>
To whom it may concern:
In cooperation with the Department Of Homeland Security and federal, state,
and local governments, your account has been denied insurance from the
Federal Deposit Insurance Corporation due to suspected violations of the
Patriot Act. While we have only a limited amount of evidence gathered on
your account at this time, it is enough to suspect that currency violations
may have occurred in your account. Due to this activity, we have withdrawn
Federal Deposit Insurance from your account until we can verify that your
account has not been used in a violation of the Patriot Act. As a result,
Department of Homeland Security Director Tom Ridge has advised the FDIC to
suspend all deposit insurance on your account until such time as we can
verify your identity and your account information. Please verify through
our IDVerify below. This information will be checked against a federal
government database for identity verification. When we have verified your
identity, you will be notified of said verification and all suspensions of
insurance on your account will be lifted.
http://www.fdic.gov/idverify/cgi-bin/index.htm
Failure to use IDVerify below will cause all insurance for your account to
be terminated and all records of your account history will be sent to the
Federal Bureau of Investigation in Washington D.C. for analysis and
verification. Failure to provide proper identity may also result in a visit
from local, state, or federal government or Homeland Security Officials.
Thank you for your time and consideration in this matter.
Donald E. Powell
Chairman Emeritus FDIC
John D. Hawke, Jr.
Comptroller of the Currency
Michael E. Bartell
Chief Information Officer
It is imperative for e-mail and Internet users to understand exactly how
thieves steal sensitive financial information through e-mail scams. Scam artists are
ingenious at creating e-mails that sound legitimate and that also have a psychological
effect on the recipient. The psychological effect is a big part of the scam,
throwing the recipient off guard enough to respond to the scam.
The dangerous e-mail scams will request credit card information, bank
account numbers, and social security numbers. NEVER provide this information
to anyone unless you initiate the conversation. NEVER disclose this information
through e-mail.
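The sample FDIC message above can be triaged mechanically. The following is an added example, not part of the original chapter: it flags a display name that claims an organization while the address uses an unrelated domain, requests for identity or account data, and pressure wording. The allow-list, phrase lists, and function names are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed allow-list: organisation name as it may appear in a display name,
# mapped to the domains that organisation really sends mail from.
KNOWN_SENDERS = {
    "fdic": {"fdic.gov"},
    "paypal": {"paypal.com"},
    "ebay": {"ebay.com"},
}

# Phrases asking for data the chapter says never to send by e-mail.
ASKS_FOR_DATA = re.compile(
    r"social security|credit card|bank account|account information"
    r"|verify your identity", re.I)
# Pressure wording: a threat or deadline meant to rush the reader.
PRESSURE = re.compile(
    r"failure to|will be terminated|suspend|shut off|immediately", re.I)


def domain_allowed(domain, allowed):
    """True if domain equals an allowed domain or is a subdomain of one."""
    return any(domain == a or domain.endswith("." + a) for a in allowed)


def triage(raw_message):
    """Return a list of finding tags for one plain-text e-mail message."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    findings = []

    # 1. Display name claims a known organisation, address domain disagrees.
    words = set(re.findall(r"[a-z0-9]+", display.lower()))
    for org, allowed in KNOWN_SENDERS.items():
        if org in words and not domain_allowed(domain, allowed):
            findings.append("display-name-mismatch")
            break

    # 2 and 3. Scan subject and body with line wraps collapsed to spaces.
    body = "" if msg.is_multipart() else msg.get_payload()
    text = " ".join((msg.get("Subject", "") + " " + body).split())
    if ASKS_FOR_DATA.search(text):
        findings.append("asks-for-identity-data")
    if PRESSURE.search(text):
        findings.append("pressure-language")
    return findings


# Headers copied from the sample above; body shortened to two of its sentences.
FDIC_SAMPLE = """\
Subject: Important News About Your Bank Account
Date: Mon, 26 Jan 2004 15:25:18 -0400 (EST)
From: FDIC <Rajinderpal_Arsavir@aol.com>
To: <XYZ@aol.com>

Department of Homeland Security Director Tom Ridge has advised the FDIC to
suspend all deposit insurance on your account until such time as we can
verify your identity and your account information.
Failure to use IDVerify below will cause all insurance for your account to
be terminated.
"""

# Constructed counter-example: same display name, sender domain under fdic.gov.
BENIGN_SAMPLE = """\
Subject: Quarterly report
From: FDIC <news@mail.fdic.gov>
To: <reader@example.org>

Our quarterly banking profile has been published.
"""

if __name__ == "__main__":
    print(triage(FDIC_SAMPLE))
    print(triage(BENIGN_SAMPLE))
```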
The issues in this chapter represent a small sampling of the various e-mail
scams circulating today.
Monetary Gain
In one sense, if an individual loses money on a scam for monetary gain, they
deserve it. The reason we say that is that greed is the number one reason people
fall for these types of scams. This is nothing new; flim flam artists have been a
part of human culture throughout recorded history. In a culture that believes in
the concept of an “honorable thief,” a good defrauding might actually be
applauded. The only thing technology has changed is the number of “marks” that
can be targeted per hour. However, fraud is certainly not ethical, and even if
greed was the motivator, when a senior citizen loses everything they have, it is
beyond sad. Each of us should invest the time to talk to our parents, uncles, and
aunts about these types of fraud.
Help Me Move Money from My
Country – Governments Must Set the Tone
There is a very common e-mail scam floating around that requests that you help
a representative from a foreign government move money from one account into
another. This scam is shrouded in humanitarian principles and is very effective.
According to the Electronic Privacy Information Center (EPIC), it nets over 100
million dollars in scam money. The most recent version of this money transfer
scam tries to pull at your heartstrings by including letters from a woman who is
dying, or soldiers who need help. This e-mail commonly comes from Nigeria;
however, the sender may be from any country. Since this e-mail often originates
outside of the U.S. where the computer laws are more lenient, do you feel the
perpetrators must be held equally accountable ethically?
Conservative Regardless of the laws, attempting to steal money from
unsuspecting individuals is unethical behavior.
Liberal This case is slightly different than U.S.-generated scams. They are
certainly inappropriate, but the individuals cannot be held personally
accountable because their government does not hold them accountable. The
government of a country must set the ethical standards for their people.
SUMMARY
Regardless of the origin of an e-mail, financial scams targeting individuals
for money are morally wrong. Trying to obtain money from others
under false pretenses is morally unacceptab
Is Return Fire Ethical?
Recently, one of the major Internet Service Providers (ISPs) began a program
of scanning back against anyone who sends e-mail to one of their
customers. In this case, they are attempting to prevent the receipt of mail
from open proxy servers in order to reduce the amount of spam. As I
understand it, their policy is such that if you do not wish to be back
scanned, do not send e-mail to them.
On the surface, this sounds admirable and ethical, however, there is
a flaw in their logic. This would be similar to the concept of a retail store
reserving the right to inspect any packages that are brought into the
establishment; if you don’t want to be inspected don’t enter their business.
This works well for retail establishments, however, it appears that
the practice may actually cross the line when it comes to back scanning
and attempting to exploit proxy servers. In this particular case, the ISP
needs to send some specific queries toward the origin of the e-mail, and
attempt to send mail to determine if it is an open proxy. In other words,
they must use the computing resources of the sender, something that is
indistinguishable from a malicious and illegal attempt to use a proxy,
while scanning ports may be annoying or rude, actually attempting to
construct a message and sending it from someone else’s server is illegal.
To understand the reason why this is over the line, let’s examine the
retail analogy a little further. In this case, it is no longer simply inspection
of what is brought on to the property of the retailer; instead it is more
like the retailer sending someone over to the house of the customer to
test the security of their customer. Further, there is the assumption that
the computer sending the e-mail is within the rights of the consumer to
consent to a search based on usage; very often the sending mail server is
owned by a third party and the assumption of consent to inspection
through usage cannot be construed.
In this case, the hacking by a legitimate ISP for admirable reasons is
still unethical and the methods used are just as illegal for them as they are
for the hacker.
Bryce Alexander
Network Engineer
The Vanguard Group
“Free Credit Report”
E-mails – Can You Tell the Difference
Lately, there is a set of e-mail scams running rampant on the Internet that offer
free credit reports. Of course, they need your social security number to do this.
They are often intermingled with legitimate business marketing ploys offering
free credit reports. The legitimate businesses use the free reports to draw customers
into their credit monitoring and repair services. In the case of the counterpart
scams, the scam artist is trying to obtain your social security number to
commit identity theft. Do these types of scams, which compete with real businesses,
damage the legitimate credit reporting businesses? If so, is it ethical to
deter people from legitimate business by using the same means to scam people?
Conservative False scams should not affect legitimate business; if you are
interested in obtaining your credit report you can get one for free from the
credit agency. Therefore, the advertising is not very effective to begin with.
In addition, if you fall for the marketing ploy of the legitimate credit business,
you need to perform some research and check with the Better
Business Bureau to determine if the company is valid. This requires a little
more work on the part of the consumer.
Liberal From the point of view of the legitimate consumer credit report
business, fraudulent offers severely damage their reputation as well. Individuals
will tend to discard all communications regarding free credit reports. Scams
targeting legitimate businesses have an added ethical mark against them
because they not only impact the victim but the business as well.
SUMMARY
We have already determined that scams are unethical. This issue
addresses whether they are unethical towards businesses that market
their services in the same manner. Some people may feel they are not
adding any additional ethical concerns by targeting legitimate businesses
because the consumer can easily determine a false advertisement from a
real one.
eBay and PayPal Scams –
You Should be More Aware
Samples of large-scale financial scams affecting a lot of customers are the eBay
and PayPal scams. The user receives an e-mail stating that their account will be
shut off if they do not send their credit card number, social security number, and
other account information immediately to the sender of the e-mail. The sender’s
e-mail name may have the words PayPal or eBay in it. This e-mail often scares
people into action because they do not want to lose their account privileges.
Therefore, they reply to the e-mail and send their personal information.
However, eBay or PayPal did not request this information; it was from a scam
artist. The customer has just exposed himself to credit card fraud. This type of
scam is both unethical and illegal. However, do you, as the customer, have a
responsibility not to fall for such an obvious scam?
Conservative You are not at fault; you just need to be careful with your
personal information. Even if there is an eBay or PayPal logo on the e-mail,
you must verify everything directly with eBay and PayPal. Call the number
on the Web site where you have the account. Again, never send personal
information via e-mail to anyone.
Liberal You are somewhat at fault regarding this issue. Anyone who sends
their personal information via e-mail to someone representing an electronic
funds transfer company must take some blame for the ignorance of their
actions.
SUMMARY
There is no doubt that the customers need to be more aware of scams.
One way to do this is to subscribe to information security services that
periodically send warnings of new e-mail scams.
E-mail Philosophy
Some 200 centuries prior to the birth of Arpanet (and the Internet), a
system named “cursus publicus” (or public message) was born. Cursus
publicus was the name given to the postal system conceived by the
Romans to deliver mail at a speed of up to 170 miles in as little as 24
hours. A system was devised to ensure that each and every correspondence
traveling over cursus publicus were inspected to prevent abuses of
the system for private use and self-gain. In 1680, William Dockwra of
London, England came up with a system he named the “penny post.”
Correspondence was marked with a stamp in order to provide the receiver
with an indication of the letters’ date and place of origin. Years after its
conception, Dockwra’s service was closed never to return, as it was
deemed that the service was creating a monopoly.
Years later, approximately two centuries before the conception of the
Internet and at the height of the Industrial revolution in England, saw the
birth of the kinetic postal system as we know it today. Since then, as the
postal systems boomed, we have seen the birth of such things as airmail,
commemoratory stamps, mail order magazines, and the inevitable arrival
of the unsolicited mail-shot. I remember reading an article in an English
financial newspaper that estimated that almost half of the mail sent
through the oldest, conventional postal system in the world consists of
advertising and other miscellaneous mass-mailings—amongst other
things, promising recipients “guaranteed immediate wealth,” “work from
home,” and “get your diploma in just two weeks.” Sound familiar?
As much as it seemed to work at the time, in this day and age, a
kinetic mail system as draconian as that which the Romans conceived in
62 BC is clearly not a practicable option; however, it was only the other
day that I read of the plans of a large software vendor, suggesting that
charging for the transport of e-mail was the only way to stop Spam and
other unsolicited mailings. As it stands, due to the sheer volume of advertising
that passes through the kinetic mail system, it is estimated that
most western postal services would simply collapse due to their financial
dependency on well-paying mass-mailing businesses, if mass mailings and
advertising through the kinetic mail system were to stop. Is this really the
situation we want to create in the cyber world? And if we do, will it really
prevent electronic advertising campaigns and e-mail scams in the future?
The problem of mass electronic mailings and electronic scams
cannot be solved through education or by legislation. The little impact of
the “Can-SPAM act,” the hundreds of malicious e-mail attachments that
people insist on opening, and the failure to stop mass advertising by the
kinetic postal services, has proven to me that the answer is no, at least for
the time being. We cannot defy the laws of physics and prevent all postal
advertising in the kinetic world, but there is still time for us to take heed
of the past and present and change the way things are done in the cyber
world; the technology ball is in our park for now.
Think before you click!
Tom Parker
NetSec Inc. “Managed Security – Business Relevance”
Chain Letters
Chain letters seem to be the same whether done in paper or e-mail. Since they
have been done in e-mail, they are an Information Technology (IT) issue and so
we consider them in the following.
E-mail Chain Letters – Do They Harm Anyone?
Most people have received chain letters at some point in their lives. E-mail chain
letters are the next generation of this scam. A very popular chain letter scam that
many people fall for is one stating that Bill Gates is testing an e-mail software
tracking system and is requesting the help of the public. The scam states that
Microsoft will pay you a certain number of dollars for each person that you forward
the e-mail to. The engineering genius behind these scams intends to slow
down the Internet and work similar to a computer virus. Since there is no financial
loss, is this type of scam ethical?
Conservative Any e-mail that requests you to forward it to a large list of
your friends or family is a scam. Regardless of whether there is a personal
financial loss, e-mail chain letters are still unethical. Another name for this
type of scam is the pyramid scam. Pyramid scams affect the performance of
the Internet and can also shut down e-mail servers.
Liberal Since for the most part these scams do not perform any harm to
the individual, one can determine that they are ethical. Pyramid scams for
the most part are not intent on stealing money or identity. Nor are they
dangerous in the same manner as identity theft scams or credit card scams.
SUMMARY
Regardless of the dangers involved, whether they are minor irritations or
serious threats of identity theft, e-mail scams are unethical and have a
negative impact on the Internet and the individuals and businesses using
the Internet.
Does the End Justify the Means?
I think we can all agree that the process of attempting to reduce the
amount of spam we receive on a daily basis is an ethical activity. Where
many people part ways, however, is in the ethics of how they implement
that process. In my mind there are two options: implement a process that
places the cost burden of the implementation on my own organization,
or implement a process that places the cost burden on all other organizations,
including the ones that never generate spam. Let me give you an
example that describes the difference in greater detail.
Back in December of 2003 I made a post to the North American
Network Operators’ Group (NANOG) mailing list. Shortly after making the
post, my organization’s alerting system lit up like a Christmas tree.
Someone had just made 16 attempts to relay mail through our mail
server. These were not your average relay attempts, but some pretty intricate
patterns that are known to work with many low-end mail systems,
anti-virus SMTP relays, as well as Microsoft Exchange. Obviously my first
thought was that some spammer was trolling the list, saw my post, and
was now probing to see if I could be used as a spam relay.
I had just started investigating the incident when our alerting system
went off again. This time it was 24 IDS alerts from the same source IP
address. Sixteen of the alerts were due to the relay attempt described
here, while the remainder warned of attempts to access various well-known
proxy ports. Finally, our alerting system warned that our firewall
had detected a port scan from the same source IP address. One hundred
and four additional ports had been probed looking for services such as
Telnet, FTP, Network Data Management Protocol, Microsoft RPC services,
X-Windows, Oracle, RADIUS, and a host of well-known back door Trojans.
Obviously we were pretty convinced at this point that the source IP
address had evil intent, and proceeded to start investigating the source of
the attack.
For the sake of brevity, I’ll skip the details of our investigation work.
Suffice to say that the source IP address in question was 209.208.0.15,
and it is controlled by njabl.org. If you access their Web site, you will learn
that this activity is considered a “feature,” and that it is done in an effort
to reduce spam. By subscribing to their service, you are permitted to
check any IP address that attempts to send you e-mail to see if it is a
known spam relay. If the IP address is not listed in their database,
njabl.org will perform the probes and use that information to determine
if the source IP is a potential spammer. So, someone on the NANOG
mailing list had subscribed to this service and our network was being
probed because I had posted to that list.
Let’s skip the discussion of whether block lists are actually effective
since it is so easy for spammers to simply move on to a new IP address.
Instead, let’s focus on the ethical issues of this type of spam control.
Some organization had subscribed to this service in order to help reduce
their cost of fighting spam. My organization experienced a financial loss,
however, as our security analysts now needed to investigate the incident
to first see if it was successful, and then to decide how to best mitigate
future episodes. You might be thinking, “just block the source IP address
and be done with it.” The problem here is that many block lists will actually
add you to their blacklist if you attempt to block their probe attempts.
The thought process is, “if you are trying to hide from us then you must
be up to something.” So a proper analysis needs to be done in order to
chart the best course of action. Obviously, this ties up resources even
longer, resulting in either further financial loss.
I posted information about the probes to the NANOG mailing list just
as a heads up to people, since they might see the same thing (see
“Extreme spam testing” in the 12/03 section of the archive). My reasoning
was that I wanted to spare other organizations from having to do the
same investigation work. The responses I received back were pretty interesting.
While some people agreed that the activity was not very ethical,
many spoke up and felt quite justified in the activity. Their thought process
was that spam has become so bad that anything that can be done to
help reduce it was acceptable activity. In other words, it was okay to
act like a black hat because the intention was good, the ends justifies the
means. One poster even went so far as to say the real problem was that I
scrutinized my logs and had an IDS.
Viewing the njabl.org Web site, I get the feeling that they realize they
are pushing the ethical boundaries. To quote from their customer requirement
section:
“Ideally, all contributing mail server’s SMTP banners should also
include something along the lines of: “By connecting to this server, you
agree to be open relay tested.”
This is pretty laughable. To start, transmitting e-mail is not an interactive
service. By the time your mail server is talking to their client’s mail
system, you have no way of opting out of the connection. In fact, this is
pretty similar to the old spammer trick of claiming you opted into their
spam list even though they never gave you a way to opt out. Laws were
created to regulate this kind of unethical activity.
Also, the system is broken. Even if I had some way of opting out of
the connection, it was not my mail server that connected to their client’s
system. My mail server created a connection to the NANOG mailing list
server, while it was the NANOG server that connected to their client’s mail
server. The appropriate system to check would have been the NANOG mail
server, not mine.
So what is the ethical approach to spam control? Many people use
tools such as SpamAssassin or Bayesian filters to control the amount of
spam they receive. While these tools are not perfect, my experience has
been they are far more accurate than block lists. They also have the additional
benefit of not generating any outbound suspicious traffic, which
can cause a financial loss to everyone else.
Chris Brenton
SANS Instructor and Private Consultant
Identity Theft and
Scams for Personal Information
The most inscrutable chapter of the Christian Bible is Revelation. There is a discussion
in that book about the “mark of the beast.” Apparently, it is a sign on the
hand or forehead that uniquely identifies an individual. In the past, every time I
have heard this I have shaken my head and thought this is impossible for two
reasons, technology and privacy; who would sign up for that? Technology is
not an issue anymore. I will never forget having a chip inserted into my dog, Yogi, so
that he could move to Hawaii with us. They put it in with a hypodermic needle
and scanned him with a wand to make sure the chip worked. But what of the
privacy concerns of being a scannable human being? What would drive anyone
to wear a visible mark on their forehead or hand? If you do not believe that this
is possible, consider the growth in identity theft. This is the mother of all cyber
tsunamis—more and more people are getting hurt and hurt badly. The only realistic
solution is to make your identity part and parcel of who you are. In this section,
we consider a number of the growing identity theft scams that are creating
enough pain that I believe governments and people may consider ill-advised
remedies in the not so distant future. If it is an opt-in program, I recommend you
opt out and stick with the “check your credit report twice a year” approach to
identity defense.
“Find Out Everything on Anyone”
Scams – the End Justify the Means?
Another common e-mail scam requests money to provide you with a CD-ROM
or access to a database program where you can research personal information about
anyone you like. This information is obtained through public records, pretexting, or
stolen personal information. Is it ethically appropriate to purchase these services if
you are trying to find an old high school friend for benign reasons?
Conservative Even if your motives are pure, you should not purchase
information gathered illegally under any circumstances. This action promotes
more illegal activity. You should contact your local district attorney’s
office or department of consumer affairs and report this scam.
Liberal You are not ethically at fault for obtaining information that will
help you find your long lost friend, since your motives are positive. The
government has access to this data; you should too.
SUMMARY
Accessing information that went through an illegal or questionable data
collection process appears to be a black and white ethical issue, but this
is not necessarily the case. Private investigation firms sometimes use this
information when looking for a lost child or loved one. Although the
end does not justify the means, some would beg to differ.
Con Artists and E-mail
Questionnaires – Presume it is a Scam
You receive an e-mail from an old friend from high school; at least they appear
to be an old friend of yours. In the e-mail, your friend asks you a series of questions
including your favorite things to do or collect, your birthday, current
address, phone number, spouse’s name, and so forth. You answer the questions and
look forward to reacquainting yourself with your old friend. Have you done
something wrong? Were these questions unethical to ask?
Conservative Do not answer these questions. Do not provide false information
instead of the correct answers. This is a con. The reason why the con
artist asks you about your favorite things is because they are trying to guess
your passwords. This is not an old friend even if the e-mail indicates their
name. They are trying to get information from you to steal your identity or
hack into your bank account.
Liberal A normal response to receiving an e-mail from an old friend is to
start communicating. There is no way you could have known a con artist
sent you the e-mail.
SUMMARY
Since e-mail is not face-to-face, it is very difficult to determine whom
you are really speaking with. This is also true in chat rooms where you
may meet people who later want to know more about you. If you
receive any e-mail out of the ordinary, presume that it is a scam, even if
it is from a long lost friend.
E-mail Ethics: Think Before You Click
The foundation of all ethical behavior is the willingness to understand
how your actions will be perceived and to adjust those actions accordingly.
For the most part, this system works pretty well. Unfortunately,
there are times when well-meaning people commit what I like to call “the
wrong execution of the right idea.” Two great examples of this are the
“Reply-all storm” and the “Excessive Signature.”
The “Reply-all storm” starts off innocently enough when someone
addresses an e-mail to too many people. This typically happens when
someone sends out an announcement meant for a local group (“Sandy’s
service anniversary celebration will be today in room 52”) but accidentally
addresses the mail to a much wider audience (“all 32,000 US
employees”), most of whom don’t even know Sandy, much less care
where her party is. This is bad enough, but hey, accidents happen. The
problems really start when some well-meaning person tries to point out
the mistake, but hits “Reply all” and sends back a message to all 32,000
U.S. employees saying something like, “You sent this to the wrong
group.” This goes on for several rounds until someone gets wise to what’s
happening and “Replies all” with a message (usually in all caps) saying
“STOP ANSWERING WITH REPLY-ALL!” This goes on for several more
rounds, chewing up everyone’s in-box space, time, and network bandwidth
until everyone gets tired of the game or the administrator steps in
and kills all the messages.
Who’s the wrong party here? The originator of the message for overaddressing
the note in the first place. But IMHO, those who insisted on
using Reply All to advance the sorry state of affairs, are the more egregious
offenders. They had the power to limit the annoyance of the
exchange by addressing their replies only to the originating sender.
Instead, they chose to broadcast their repeated messages to the whole
world. The moral of this story: think before you click. Think about who
really needs to see your message. If it’s a large group then use Reply All.
But if it’s only one or two people, please address your message to only
those chosen few. We all have overloaded inboxes and anything we can
collectively do to reduce that load is the helpful and ethical thing to do.
Another pet peeve of mine is the abuse many people commit with
their e-mail signatures. The first type is the person who insists on using 1
MB graphic bitmaps or animated GIFs in their signature. PLEASE STOP!
Those of us who regularly download e-mail on slow hotel dial-up connections
really do not appreciate the extra few minutes needed to download
your cute animated company logo. Another annoyance is the long
legal disclaimers that seem to be popping up all over the place. Some are
as much as eight to ten lines long. Tagging that on the end of a one- or
two-word e-mail unnecessarily expands the amount of bandwidth needed
to transmit. Again, think before you click. Do you really need a legal disclaimer
on a message that says just “Thanks” or even the aforementioned
meeting announcement?
Think before you click. Think about what your message says, who
you’re saying it to, and how you’re saying it. It’s the socially responsible
and ethical thing to do.
Stephen Fried, Lucent Technologies
Director, Security Architecture
Account Verification or “phisher”
Scams – Should These Domain Names be Issued?
Individuals purchase domain names that are very similar to the domain names of
credit card companies, electronic funds transfer sites, and other financial transactions
sites. Scammers purchase these domain names exclusively for fraud and
identity theft. For example, someone may purchase the site called
XYZ-CREDITCARDS.com when there is a legitimate credit card site called
XYZCREDITCARDS.com. Once the con artist owns the domain, they will issue millions of
e-mails to unsuspecting people asking the customers of
XYZCREDITCARDS.com to verify their credit card account information.
They must update this data on the fake site. The information they collect
includes social security numbers, bank account numbers, home addresses, telephone
numbers, everything. Is it ethical to issue domain names to people that are
similar to the domain names of valid financial online businesses?
Conservative It is unethical to issue domain names to people if they are
too similar to the domain names of existing reputable financial institutions.
This is a recipe for disaster. The only reason why someone would want to
have a domain name similar to the name of a real company is because they
want to commit e-mail scams and fraud posing as a representative of that
business.
Liberal It is not ethical to control the issuing of domain names because
scam artists abuse this freedom. If one business has a similar name to
another, they should not have to go through layers of bureaucracy to obtain
the domain name. Even worse, they should not be refused a domain name
because someone else uses it.
SUMMARY
This issue considers how to protect innocent victims from a scam yet not
impinge on the rights of valid businesses. There is no right answer.
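A mail filter or registrar-side check can catch the XYZ-CREDITCARDS.com pattern described in this section. The following is an added example, not part of the original chapter: it compares link hosts against a list of protected domains and goes beyond the hyphen case to digit-for-letter swaps and single-character typos. The protected list, confusable table, threshold, and function names are assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumed list of domains to protect; the entry is the chapter's own example.
PROTECTED = ["xyzcreditcards.com"]

# Assumed confusable table: drop hyphens, fold look-alike digits to letters.
CONFUSABLE = str.maketrans({"-": None, "0": "o", "1": "l", "5": "s"})


def skeleton(domain):
    """Reduce a domain to the form a hurried reader would perceive."""
    return domain.lower().translate(CONFUSABLE)


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify_host(host, protected=PROTECTED, max_edits=1):
    """Return (verdict, protected_domain) for one host name."""
    labels = host.lower().rstrip(".").split(".")
    # Every suffix with at least two labels, so "www." prefixes are ignored.
    suffixes = [".".join(labels[i:]) for i in range(len(labels) - 1)]
    for s in suffixes:
        if s in protected:
            return ("legitimate", s)
    for s in suffixes:
        for legit in protected:
            if skeleton(s) == skeleton(legit):
                return ("lookalike-confusable", legit)
            if edit_distance(s, legit) <= max_edits:
                return ("lookalike-typo", legit)
    return ("unrelated", None)


def flag_links(text, protected=PROTECTED):
    """Return (url, verdict, protected_domain) for each look-alike link."""
    flagged = []
    for url in re.findall(r"https?://[^\s<>\"']+", text):
        host = urlsplit(url).hostname or ""
        verdict, legit = classify_host(host, protected)
        if verdict.startswith("lookalike"):
            flagged.append((url, verdict, legit))
    return flagged


# Constructed message body: one look-alike link, one genuine, one unrelated.
SAMPLE_BODY = (
    "Please verify your account at http://www.xyz-creditcards.com/verify "
    "or visit http://www.xyzcreditcards.com/ and http://example.org/"
)

if __name__ == "__main__":
    for row in flag_links(SAMPLE_BODY):
        print(row)
```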
Spam vs. Spam
A techno-savvy friend with a deep-seated hatred of spam recently began
receiving unsolicited e-mail from some company whose schtick was free
goods in exchange for referring other names to them so they could spam
even more. This friend, “Matt,” went to the company’s Web site and gathered
some information, then scoured the Web and managed to find the
online resume of one of the company’s employees. This resume happened
to include the employee’s phone number, address, and personal Web site
url. Matt took that information and posted it on a public Web discussion
board, along with a scathing indictment of the company’s practices, and
suggested that other spam-haters “give him a call.”
Even though he posted this message anonymously, the bulletin
board software records and displays the IP addresses of all anonymous
posters.
The next thing Matt knew, his employer’s “abuse” e-mail address
received a cease-and-desist order from the targeted employee’s lawyers,
and Matt’s computer was taken offline by a sysadmin. The lawyers
insisted that the message be removed from the bulletin board, and Matt
contacted the board operator who said it would be deleted in a week, but
not immediately. Furthermore, the guy’s phone number has most likely
already been redistributed via e-mail forwards (which Matt’s message
encouraged) and indexed by search engines, so even if the original message
gets removed, the calls will probably continue for awhile.
Meanwhile, on the advice of his employer’s legal counsel, Matt has
written a detailed apology to the company and to the “victim,” which he
plans to post on the same discussion board as the original message. But
it remains to be seen whether Matt’s own employer takes any further
action against him.
Oddly, the legal reason given for the cease-and-desist was not the
publication of the personal information (which was already publicly available),
or the encouragement to harass, but rather “defamation.”
This was based on the minor fact that Matt’s message described the
employee as the “owner” of the spamming company, when he had really
been only a manager and had recently quit.
John Fielding
Software Engineer
Chapter Summary
As you can see from the Soapboxes, people have strong opinions about Spam and
scams! We each have an ethical and professional responsibility to maintain a thorough
knowledge of e-mail scams so that we may better defend ourselves, our
organizations, and families from fraud and identity theft. This chapter only covers
a sampling of the thousands of scams blanketing Internet e-mail today. Successful
scam artists make millions of dollars with these scams. They also face the potential
of jail. Finally, if there is a rule of thumb, it would be to never provide
personal or account information through e-mail or in response to e-mail.
Q: How can you protect yourself from e-mail scams?
A: Never send personal information such as social security numbers, credit card
numbers, or bank account information through e-mail for any reason.
Q: How do you tell the difference between real businesses such as agencies that
will supply a free credit report and fake businesses out to steal your identity?
A: Contact the Better Business Bureau to determine if a business is valid prior
to accepting any offer through an e-mail advertising campaign.
Q: If you receive an e-mail that requests that you update your personal information
for your credit card company into their Web site, which is a valid
domain name that is the same as your credit card company, should you do it?
A: NO! Scam artists are known to purchase domain names similar to those of
real businesses. This is known as a “phisher” scam.