Khosrowpour (2000) defines electronic spam as a single message transmitted unsolicited to multiple recipients; recipients do not personally know the sender and consider the content of the message to be offensive. Spamming is essentially a low-cost option for advertisers and marketers across the globe to communicate the brands they sell, and their attributes, to prospective consumers. It offers the marketing communication department of any company the most economically viable means of reaching out to a wider audience within the consumer market.
Spamming prevails in a number of forms, such as chat room, IM (Instant Messaging), mobile phone and electronic forum spam. This section focuses specifically on spamming in the form of junk electronic mail. This typically involves a source database from which the advertiser procures the list of recipients of the broadcast spam. This has become an enterprise in itself, with databases of customer details being available for sale (Shepard Associates, 1999). The marketer procures the database with the appropriate customer profile, and the preformatted marketing message is sent out in bulk to the entire audience.
Applying the principles of the zero-sum game and game theory to spamming seems to indicate that the ideal way of eliminating spam is for all the recipients to ignore incoming spam mails. This is because even if a minuscule percentage of the readers were to read spam emails, the spammers would be disadvantaged by not sending spam mails (Miller, 2003). The technological solution to this is to use sophisticated email service providers such as Gmail or Yahoo Mail, which incorporate the intelligence to sift genuine mails from spam. In addition, a number of software packages are available on the market that are capable of filtering, intercepting and preventing spam (Vallee, 1999).
Another possible way to protect the general public from falling prey to incessant and irritating spam messages is to raise the cost of spamming through legal penalties and regulatory hurdles. While this is not necessarily easy to achieve, some amount of success has been garnered in this direction through self-regulation by responsible advertisers.
From the advertiser's point of view, various avenues such as opt-in and opt-out mechanisms are available to ensure that their messages reach a wider audience by taking full advantage of the opportunities the Internet has to offer, but at the same time do not take the form of spam. This is also termed permission marketing (Godin, 2001), where customers are sent e-mails or mail flyers after the permission of the prospective customers has been asked. This is very frequently used by Internet and telephone marketers. There are two variants of permission marketing: the first is opt-in, wherein prospective customers are first required to give explicit permission that they are willing to receive mailers, and the second is opt-out, where it is considered acceptable to send these mailers, provided the recipients are given the option to stop receiving them.
Electronic Money laundering
Electronic money laundering is defined as the intentional act of converting or transferring property knowing that it is the proceeds of crime with the purpose of concealing the illicit origin of the property, or helping a person involved in the commission of the predicate offence to evade the legal consequences of his or her action (Schott, 2006).
Money laundering typically takes place when dirty or illicit money is transferred from its source through a number of channels across international borders, often through countries whose regulatory regimes protect the identity of the account holders and cannot be coerced to divulge their details. As a result of this series of convoluted operations, when the money does finally surface, it becomes difficult if not impossible for regulators to trace where it has been sourced from, thereby enabling the perpetrators to freely utilise the money without the threat of censure from the regulators.
Given the digitization of money and commercial transactions, money laundering in the twenty-first century incorporates a fair proportion of electronic money transfers. The availability of the Internet enables money launderers to use illegitimate money for purposes ranging from something as basic as pay-as-you-go mobile phones to sophisticated high-value commercial transactions online (Lilley, 2003).
The initiation of money laundering in its conventional form is always the handling of hard cash by depositing it in bank accounts, but with electronic money, it becomes much easier to identify an unregulated or under-regulated bank or deposit-accepting institution (Molander et al, 1998). This can be through an anonymous smart card or the purchase of goods and services online. This is followed by layering, where multiple transfers are undertaken, facilitated by the electronic route and the ease of achieving everything in quick time from the safety of an unidentifiable personal computer (Masciandaro, 2004). The culmination of the money laundering process, called integration, is where the money is finally sourced back by the launderers for use in legitimate areas (Jason-Lloyd, 1997), and can again be easily achieved by making an online investment, or by topping up an electronic wallet maintained online or a smart card.
Among the ways of fighting electronic money laundering, one of the most effective would be a consolidated approach to the issue, with all the regulatory authorities across the world undertaking to fight against it together. Electronic money laundering means that dirty money can be rendered untraceable in a matter of minutes, making the development of automated alerts shared across international borders critical to catching the launderers in time. These alerts can be reinforced through modern anti-money-laundering systems that are capable of carrying out SDN (Specially Designated Nationals) checks, Soundex checks for dodgy names and places, artificial intelligence networks, etc. Further, while KYC (Know Your Customer) checks are challenging to carry out in the Internet domain, they can be very effective at the specific points in the money laundering process when real cash is converted to electronic money during the initial phase, and vice versa during the latter phase of integration.
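The Soundex name check mentioned above, as an added example that is not part of the original essay: it implements standard American Soundex and screens a customer name against a watchlist. The watchlist entries and the `screen` helper are constructed for illustration and are not real SDN data.

```python
import re

# Standard American Soundex consonant groups.
_GROUPS = {"1": "BFPV", "2": "CGJKQSXZ", "3": "DT", "4": "L", "5": "MN", "6": "R"}
_CODE = {ch: digit for digit, chars in _GROUPS.items() for ch in chars}

def soundex(word):
    """Return the 4-character Soundex code of one name token ('' if no letters)."""
    letters = re.sub(r"[^A-Z]", "", word.upper())
    if not letters:
        return ""
    out = letters[0]
    prev = _CODE.get(letters[0], "")
    for ch in letters[1:]:
        code = _CODE.get(ch, "")
        if code and code != prev:
            out += code
        if ch not in "HW":  # H and W do not break a run of equal codes
            prev = code
    return (out + "000")[:4]

def name_codes(name):
    """Set of Soundex codes for the tokens of a full name (order-insensitive)."""
    return {soundex(tok) for tok in name.split()} - {""}

def screen(customer, watchlist):
    """Return watchlist entries whose every token sounds like a customer token."""
    cust = name_codes(customer)
    return [e for e in watchlist if name_codes(e) and name_codes(e) <= cust]

# Constructed watchlist for illustration only; not real SDN entries.
WATCHLIST = ["Jon Smythe", "Katarina Meyer", "Robert Ashcraft"]

if __name__ == "__main__":
    for customer in ["John Smith", "Rupert Ashcroft", "Catherine Meier", "Alice Brown"]:
        print(customer, "->", screen(customer, WATCHLIST))
```

A hit is a lead for manual review, not an identification: Rupert and Robert share a code, while Catherine and Katarina are missed because Soundex keeps the first letter.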
Leonard (2005) defines identity theft as a fraud committed using the identifying information of another person. As such, it involves the misuse of information that is specific to an individual in order to convince others that the impostor is the individual, effectively passing oneself off as someone else (Jewkes, 2002).
The process of identity theft essentially involves getting intimate details of the target individual to start with, such as his personal details, date of birth, employment details, etc. The second step is to look for an avenue where these details can be used to materially harm the subject whose details have been gathered, or alternatively to identify how the impostor can benefit from these details at the expense of the target. This would largely depend on the motivation behind the crime, whether it is greed-based or vengeance-based. The final step is where the protagonist actually uses this information through the avenues identified, and continues to do so unless he is discovered or threatened by discovery. This could range from something as innocent as stalking and harassing a victim, to causing him material damage by impersonating him and causing him financial or social discomfort.
The conventional sources of information that facilitated identity theft were largely related to dumpster diving, the process of rummaging through litter-boxes looking for bank statements and other confidential documents (Hammond, 2003), or shoulder surfing, peeking over somebody’s shoulder as he uses a cash machine or a Chip and Pin reader (Baer, 2003). The emergence of technology and the Internet has made sourcing this information easy to achieve from the comfort of one’s laptop. This could be done by hacking into sophisticated computer systems to get this information with the help of Trojan horses or cookies on the target computer, or by infiltrating organisations that have access to this information, largely aided by technology, e.g. call centres of financial institutions.
One of the best ways to protect oneself from identity theft is to prevent the possibility of anyone laying their hands on confidential information about oneself. This can be achieved by sifting confidential documents from the rest, and carefully shredding the confidential documents using a cheap commercially available shredder or using one at work. A number of financial institutions have now started providing identity theft insurance, which is more a corrective mechanism than a preventive one: if a person were to suffer any form of quantifiable financial loss on account of someone else using his identity, the insurer makes this amount good, subject to terms and conditions. Finally, one would be advised to monitor one's bank statements on an ongoing basis to detect any irregular activity and take prompt action when it is discovered. Among the technical ways of protecting oneself against identity theft, installation of a standard off-the-shelf reputed package like PC Zone Alarm Pro should protect a domestic desktop from attacks from viruses and Trojan horses. Another possible technical mechanism through which identity theft can be avoided is the use of smart cards, which offer the security advantages of user authentication and digital signature generation (Vacca, 2002), thereby thwarting conventional identity theft techniques.
Phishing is defined as the act of sending to a user an e-mail falsely claiming to be an established legitimate enterprise in an attempt to trick the user into surrendering personal or private information. This email typically directs the user to visit a website where the user is asked to update his personal information, such as passwords, bank account numbers and credit card details that the legitimate organisation already has (Krause, 2006).
This section explains in detail the process that is followed in phishing. The process of phishing can, in effect, be viewed as a focused exercise in the spamming discussed earlier. Thousands of emails are sent out to an equal number of users, thereby casting a wide net to see how many users can be caught in it. The victims are sent messages that sound official and are often accompanied by undertones of alarm to ‘confirm their details due to a security alert’. If some of the unwitting recipients actually fall victim to the con, they end up giving their personal details, which in turn can be used by the phisher for his own personal gain. The motivation for this form of crime is mainly greed, or to make material gains from easy pickings.
In its more modern and sophisticated form, phishing has become even more credible, with emails actually advising account holders not to reply with their personal details, but providing a link to a bogus website to ‘update’ their details. This lends the phishing message an additional level of credibility, thereby luring more people into compromising their security details. Phishing can hence be considered a social engineering attack, relying on the naiveté of the victim.
While there isn’t necessarily any sophisticated software available to detect phishing attacks, some proactive and precautionary measures taken by the common man should prove adequate to shield him from phishing attacks. The cardinal rule to follow when it comes to handling one’s financial affairs is to be careful about one's personal account details and not divulge them to anyone, nor should these be scrawled on a paper or left around for others to view. A second standing guideline to follow is to never use a website link to access one’s account, but to always type the URL into the address location field to navigate to one’s bank account website, from where the user can log on to his individual account.
For organisations, it becomes doubly important to take preventive measures against being targeted by phishing attacks: (a) they need to be able to retain the confidence of their account holders, who would possibly switch over to ‘safer’ account institutions if targeted by a phishing attack, and (b) they would be open to financial risk if a phishing attack is successful and an account holder finds himself swindled of his money. Accordingly, it is important for these organisations to reiterate to their customers that their representatives and employees would never ask the account holders for their personal details, and that should users ever face such a query, it should be reported to the Information Security officer of the bank in question.