Data protection registration scam shows firms must act to combat online spoofers

Fraudsters add e-mail swindles to the list of ways used to extort money from UK businesses

A data protection registration scam that began targeting UK businesses earlier this year is continuing to plague companies.

The Office of the Information Commissioner is still receiving about 1,500 calls a week from businesses across the UK about notices that use threatening language to request sums of between £85 and £120 to register them under the Data Protection Act.

"These mailings continue to be a daily problem for businesses across the UK and it is something I take very seriously," said information commissioner Richard Thomas. "The calls we receive are just the tip of the iceberg. There is a very real cost in terms of time and effort to businesses anxious to establish whether the communications they receive are from an official body."

The Office of Fair Trading has already taken action against the so-called "agencies" sending out these notices, on the grounds of misleading advertising. The fee for data protection notification is in fact £35 a year and can be handled directly by the Office of the Information Commissioner.

"The OFT has received thousands of complaints about misleading advertising," said Penny Boys, executive director at the OFT. "Businesses should contact the information commissioner if they are in any doubt about their obligations to notify data under data protection legislation."

The notices, which are on official-looking headed notepaper, are the latest in a long list of spoofing scams, both online and offline, that have targeted businesses on both sides of the Atlantic this year.

IT directors are likely to come under pressure from their boards to combat these spoofing attacks because they are perceived as being technology related.

Barclays and Lloyds TSB were hit by e-mail scams in September, in which customers were sent a message purporting to be from the bank requesting personal financial information.

In the US, companies including eBay and Citibank have been targeted this year with similar scams.

Jonathon Armstrong, technology specialist at law firm Eversheds, said companies should put one department in charge of addressing spoofing, which can damage a company's reputation.

"Most companies do not have a hold of spoofing," he said. "Although all departments ought to be responsible, companies need to put someone in charge. This could be the finance director because of the impact these scams have on shareholder value, but there is also an argument for the chief information officer, because of the technical aspect. Co-operation is key."

Companies can anticipate potential spoofing attacks by doing simple searches on the internet and online message boards, Armstrong said.

"Although the internet has made these scams easier to carry out, it also presents an opportunity to find out what is about to happen," he said. "By looking on message boards to see what people are saying about you or what e-mails are going around you can get a good idea of whether an attack is about to happen. The key message is that there is nobody else out there looking after your reputation on the internet - do not let it wash over you."

Paul Wood, chief information security analyst at MessageLabs, said technical measures to deal with e-mail spoofing and identity theft are hard to implement.

Priority should be given to educating users so they understand that a legitimate business would never ask its customers to reveal financial information via an e-mailed link, he said.

"The time is ripe to make users understand how to use e-mails," Wood said. "It is like someone knocking on your door pretending to be from the gas board - you would not assume they are who they say they are and let them in."

Some experts believe there are technical measures companies can take to combat e-mail spoofing. Analyst firm Gartner said companies with strong brands or customer presence, especially in finance and retail, should evaluate measures, such as encryption for signing e-mails and web pages.