In March, JPMorgan Chase & Co. customers received a purported e-mail from their bank. Chase appeared to ask customers to verify their personal information, and the e-mail supplied a link to a secure Web site to enter their data. But some of the questions were a little odd; after asking for the checking account number, for example, the online form asked for the user’s cash card PIN. And, unlike the usually slick Chase Web pages, some words were misspelled.

By now most Internet-savvy people will recognize the purported Chase inquiry as a scam commonly known as “phishing.” It’s the most recent e-threat to companies. These newer strains of the pestilence known as spam pose an insidious and significant risk to corporate America. These e-mail messages, whether outright fraud, or phishing or “spoofing” scams, attempt to trade on a company’s goodwill, trademarks, and customer relationships. But there’s more: These shady characters are helping to undermine confidence in e-commerce for corporations and customers alike.

This e-plague is indiscriminate, too. All companies with an Internet presence or an e-commerce portal are possible victims of these types of scams. In-house counsel need to take stock of, and act promptly to shut down, these fraudulent operations. The good news is that the methods used to get the bad guys have gotten more sophisticated and continue to be refined. First there are legal remedies, such as civil suits and actions under antispam statutes. But to track down the miscreants, it can take some old-fashioned gumshoeing, and intelligent techno-sleuthing, too.

How big is the problem? The Anti-Phishing Working Group, a coalition of industry and law enforcement participants, received more than 15,000 reports of phishing attacks in December 2005, almost double the number reported a year earlier. Thousands of new phishing Web sites are created each month; millions of phishing e-mails are sent every day.

“Phishers,” or mass e-mailers, broadcast messages throughout the Internet, pretending to be a company, and seek passwords, account information, and financial data. They create professional-looking e-mails and Web sites, mimicking a company’s site, or, as happened recently, even the Internal Revenue Service’s Web site. By stealing trademarks and graphics, and even hot-linking to the real company’s Web site, phishers are remarkably successful at trading on relationships to induce customers to reveal their personal information.

Companies also face a serious threat from spoofing spam. In these cases the spammers alter e-mail “From” lines to pretend to be from a particular company. In doing so, spammers suggest to the public at large (and to customers in particular) that your company is sending the offensive spam message. Such e-mail gets past spam filters, and consumers are more likely to be interested in an e-mail seeming to come from a legitimate business than from “[email protected].”

Corporate computer servers are sometimes enlisted in the rogue operations. In March, for example, a Chinese bank, the China Construction Bank Corp. (CCBC), was reported to be hosting spoofing sites that targeted Chase customers. The e-mails sent out from this site, in which the rogue files were hidden deep within folders on CCBC servers, asked recipients to fill out a survey in return for $20. Naturally, to receive the reward, they’d have to supply personal information.

A third type of spam that takes advantage of a company’s goodwill is “gift card” e-mail. In this scam, spammers send e-mail using a company’s name and logo, offering a gift card or other credit for shopping at that business’s stores. Customers, believing that the legitimate company sent or sponsored this offering, will often provide private information or buy products under the misimpression that the company will fulfill or has endorsed the spammer’s offering.

So what can at-risk companies do? Hoping that the problem will go away by itself is not an option. Although spam-related losses may not be immediate and direct, this new breed of Internet criminals is much more destructive to business than the old-fashioned incoming spam that merely clogged corporate inboxes. But there’s a considerable arsenal of legal and technical tools at your disposal.

Among the available legal claims are those based on trademark laws, the federal CAN-SPAM Act, the Computer Fraud and Abuse Act, not to mention claims for fraud. Also, several states have passed antiphishing statutes, providing for significant statutory damages. Using a combination of these remedies, companies have successfully filed civil suits against spammers.

For example, over the past year Microsoft Corporation has filed more than 100 civil lawsuits in the United States against phishers, and was the first company to file claims under Washington State’s new antiphishing statute. The software giant claims it has taken down nearly 5,000 domestic phishing sites so far. And in March the Redmond-based company took aim at overseas phishers, again filing some 100 claims, in Austria, Egypt, France, Germany, Morocco, Spain, Turkey, and the United Kingdom. Amazon.com, Inc., among other Internet retailers, has aggressively pursued spammers, phishers, and other Internet rogues using these same legal claims.

Effective legal theories, however, are not enough. The key to an effective response and prosecution is locating the Internet crook and cutting off his operation. And this can only be done through a combination of old-fashioned gumshoe work and sophisticated cybersleuthing: tracking the villain through cyberspace by using forensic trace evidence left behind during a fraud attack. By combining forensic investigation capabilities with recognized legal tools, businesses can build a strong enforcement program to thwart attacks.

Despite what’s commonly believed, Internet activity is not anonymous. Most ‘Net activities leave a footprint that can be interpreted by experienced cybersleuths. Phishers and other Internet vandals come in varying degrees of sophistication, and all of them must use real-world equipment, space, and financial resources to conduct their operations. Many of them operate in the U.S. and are easily reached, and served with lawsuit papers.

Picking up a few crumbs in the cybervillain’s trail, whether an IP address (a number that identifies individual PCs), an Internet domain (the Internet address of a server), or an e-mail address, is often enough to permit a meaningful investigation. By doing this an investigator can pinpoint the location of the server that sent the offending spam and alert the owner of the server to the illegal activity.

Although the defendant’s identity may not be apparent, the civil discovery that can be obtained in a “John Doe” suit is a powerful tool in following the trail. In these suits companies ask Internet service providers for the identity of the subscribers sending the offending mail; ISPs, often victims themselves, supply the names more readily than they did a few years ago. By issuing multiple rounds of subpoenas, corporate counsel can follow the cybertrail until it leads to a real-world clue. That’s when traditional investigation takes over, using techniques like financial research and stakeouts.

As spam continues to evolve, how companies combat it must evolve as well. In-house lawyers have to be willing to embrace their new role of cybersleuth. With a combination of luck and smarts, in-house counsel can make sure the bad guys won’t succeed in sullying their companies’ good names.

David Bateman is a partner in the digital integrity practice at Preston Gates & Ellis.

Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.