Fraudsters add e-mail swindles to the list of ways used to extort
money from UK businesses
A data protection registration scam that began targeting UK
businesses earlier this year is continuing to plague
companies.
The Office of the Information Commissioner is still receiving about
1,500 calls a week from businesses across the UK about notices that
use threatening language to request sums of between £85 and £120 to
register them under the Data Protection Act.
"These mailings continue to be a daily problem for businesses
across the UK and it is something I take very seriously," said
information commissioner Richard Thomas. "The calls we receive are
just the tip of the iceberg. There is a very real cost in terms of
time and effort to businesses anxious to establish whether the
communications they receive are from an official body."
The Office of Fair Trading has already taken action against the
so-called "agencies" sending out these notices, on the grounds of
misleading advertising. The fee for data protection notification is
in fact £35 a year and can be handled directly by the Office of the
Information Commissioner.
"The OFT has received thousands of complaints about misleading
advertising," said Penny Boys, executive director at the OFT.
"Businesses should contact the information commissioner if they are
in any doubt about their obligations to notify data under data
protection legislation."
The notices, which are on official-looking headed notepaper, are
the latest in a long list of spoofing scams, both online and
offline, that have targeted businesses on both sides of the
Atlantic this year.
IT directors are likely to come under pressure from their boards to
combat these spoofing attacks because they are perceived as being
technology related.
Barclays and Lloyds TSB were hit by e-mail scams in September, in
which customers were sent a message purporting to be from the bank
requesting personal financial information.
In the US, companies including Amazon.com, eBay and Citibank have
been targeted this year with similar scams.
Jonathon Armstrong, technology specialist at law firm Eversheds,
said companies should put one department in charge of addressing
spoofing, which can damage a company's reputation.
"Most companies do not have a hold of spoofing," he said. "Although
all departments ought to be responsible, companies need to put
someone in charge. This could be the finance director because of
the impact these scams have on shareholder value, but there is also
an argument for the chief information officer, because of the
technical aspect. Co-operation is key."
Companies can anticipate potential spoofing attacks by doing simple
searches on the internet and online message boards, Armstrong
said.
"Although the internet has made these scams easier to carry out, it
also presents an opportunity to find out what is about to happen,"
he said. "By looking on message boards to see what people are
saying about you or what e-mails are going around you can get a
good idea of whether an attack is about to happen. The key message
is that there is nobody else out there looking after your
reputation on the internet - do not let it wash over you."
Paul Wood, chief information security analyst at MessageLabs, said
technical measures to deal with e-mail spoofing and identity theft
are hard to implement.
Priority should be given to educating users so they understand that
a legitimate business would never ask its customers to reveal
financial information via an e-mailed link, he said.
"The time is ripe to make users understand how to use e-mails,"
Wood said. "It is like someone knocking on your door pretending to
be from the gas board - you would not assume they are who they say
they are and let them in."
Some experts believe there are technical measures companies can
take to combat e-mail spoofing. Analyst firm Gartner said companies
with strong brands or customer presence, especially in finance and
retail, should evaluate measures, such as encryption for signing
e-mails and web pages.