Trend Micro Inc.'s David Perry knows so much about security that he borders on being paranoid. But even he opened a recent e-mail purporting to be from Best Buy's fraud division.
The bogus missive didn't contain malicious code, but its social engineering was good enough to snag Perry's attention. "Now I ask myself, how could I open it up and look at it?" he said recently.
Afterward, Perry, Trend Micro's global director of education, didn't take any chances. He promptly scanned his system for viruses and spyware and reinstalled his firewall (it was down because he had been FTPing large files). Nothing was amiss, but Perry's pride was a little hurt to know that he got sucked in by the message.
Recently, Best Buy sent out a notice to customers warning of the fraudulent e-mail which, incidentally, purported to be from the company's fraud department. The would-be thieves asked Best Buy customers to send in their credit card numbers and other personal information.
The bogus message warned the user of a potentially fraudulent purchase made on their credit card. "Recently, we have received an order made by using your personal credit card information," it said, noting that an order for two car stereos, at a cost of $775.30, was placed at Best Buy's Web site on June 17.
"Our Fraud Department has some suspicions regarding this order, and we need you to visit a special Fraud Department page at our Web store, where you can confirm or decline this transaction by providing us with the correct information," it goes on to say.
One can admire the message's crafty and ironic social engineering, but at the end of the day, the intentions behind it are malicious. "There is nothing legal about it. It's getting-sent-to-prison kind of stuff," Perry said.
Yet the bogus Best Buy message did feature some telltale signs that could have tipped off people that it was not legit. For example, the message didn't show up as having come from Best Buy's domain. Also, the letter begins with "Dear customer." Generally, if there were a problem with an online purchase, the vendor's e-mail would be more personalized, Perry said.
Having a healthy level of suspicion is a good thing when evaluating the legitimacy of e-mail messages. For example, noting the sender's address is a must, especially when a message requests potentially sensitive information, said Nancy Flynn, founder and executive director of the Columbus, Ohio-based ePolicy Institute. Flynn herself once received an e-mail from Asia requesting her band routing information and account number. She was suspicious at first but, after some checking, she realized it was legit; the message came from a person in the accounting department at one of her client firms.
Perry suggested a few things that end users should watch out for when opening an e-mail that could be fraudulent. Messages that ask to be forwarded are almost always bogus. So are messages that ask for passwords or other sensitive information. Additionally, e-mails that shout out that a reply is needed within a certain amount of time in order to take advantage of a really good deal are usually not legitimate, Perry said.
Users can protect themselves further by using low-limit secured credit cards when making online purchases, Perry said. By doing so, one can limit the amount of damage done if a card number gets into the hands of a criminal.
The antivirus and content-filtering vendors could address some forms of e-mail fraud, but so far they have no mandate to do so, Perry said.
The real danger of e-mail fraud, beyond inconveniencing end users, is that people may lose faith in e-mail as a safe mode of communication. "A lot of users don't different the Web and e-mail; they see them both as the Internet. E-mail fraud reduces their confidence in all Internet activities," Perry said.
FOR MORE INFORMATION:
FEEDBACK: Have you lost confidence in e-mail as a mode of communication?
Send your feedback to the SearchSecurity.com news team.