roger_grimes
Columnist

Webmail services should help protect against scams

Analysis
Dec 04, 2009 | 6 mins
Data and Information Security, Email Clients, Security

If Yahoo and Google already search e-mail to generate targeted ads, why not targeted warnings?

A friend of mine has lost her life savings in an online scam. She had attempted to buy a car via AutoTrader.com, a reputable car sales site. The seller offered the perfect car for my friend — at a substantial discount, of course, with free shipping.

Had I heard these words before my friend had gone through with the transaction, I would have warned her off the deal. Better yet, had her Webmail providers used their mail-snooping technology for good rather than just generating targeted ads, she might still have her life savings.

First, some background on how the scam went down: My friend took what she thought was every precaution. She started from a reputable site. She communicated with the seller several times via e-mail and over the phone (calling him directly). For e-mail, she sent and received messages from two different addresses, one with Google and one with Yahoo. She didn’t realize, however, that the seller’s personal e-mails were now taking her away from AutoTrader and the (limited) fraud protection the site offers.

Once my friend and the seller settled on the deal, she insisted on using a reputable escrow service; she also made sure that she recognized the receiving bank’s name. After she sent the first escrow transfer, the seller called to say the money had not arrived because my friend had entered an incorrect digit in the bank account number. The seller suggested another “reputable” escrow service, named under yahoo.com. My friend didn’t know about bogus URL name tricks; to her, it looked legitimate.

(Hint: Internet Explorer and other browsers today will highlight the correct domain URL, filtering out the bogus characters when visiting a site.)

She went to her bank and requested the new wire transfer, handing the bank teller the e-mail with all the relevant details. The bank teller did as requested, although why all bank tellers aren’t trained to spot scam e-mails, I don’t know.

With the transfer complete, my friend eagerly awaited the delivery of her new car — but it never arrived. After a few days of waiting and sending many unanswered e-mails, she discovered that the seller’s phone was disconnected and that the name on the receiving escrow account was completely different from what she’d been given. (Again, where was the bank in verifying this information?)

My friend has started all the appropriate actions to get her money back, including reporting it to the local authorities and all the involved services. She also called me in to assist with forensics. Unfortunately, as I told my friend, the chances of recovering her money are beyond slim. In my 20-plus years of computer security, I have never heard of anyone recovering their money in scams like these. It’s gone!

I’m heartbroken that my friend fell for the scam — just months after recovering from a life-threatening accident, no less. When I read the e-mail exchanges between her and the seller, it was readily apparent to me that it was a scam. But then, if you don’t know, you don’t know. After seeing so many people ripped off over the years, I understand that these scam artists successfully prey on everyone, including Ph.Ds and Nobel Prize winners. Intelligence has nothing to do with it.

I performed an Internet search of a few of the keywords from their exchange (“escrow,” “wiring,” and “bad account number”) to show my friend how common these scams are. Millions of hits and thousands of stories immediately came up — so many, it gave me an idea.

If the Internet search engines can readily reveal a scam with a few keywords, why can’t the Web e-mail providers? Both Yahoo Mail and Gmail scan users’ e-mail messages for keywords, which they use to display advertising on a side column. For instance, my friend’s e-mails between her and the seller generated many targeted ads trying to sell her related cars. Why can’t those same e-mail scans be used to warn people that they’re possibly about to be duped into a scam?

After all, as long as the Webmail services are reading everyone’s e-mail contents anyway, why not provide an extra service that might warn of something potentially malicious? It would take a simple extension of the anti-spam services they are already implementing.

For instance, when my friend was writing and receiving messages from the escrow scam artist, why couldn’t a noticeable link appear in the side column ads saying something like “Click here for information on scams”? The link wouldn’t even have to say why it was placed where it was (because it spotted suspicious keywords) — just a chance to put out a little knowledge to possibly help someone avoid losing lots of money to miscreants.

I proposed this idea to a bunch of security-minded friends, and immediately, many of them said that a false-positive identification would put the Webmail service at risk of a lawsuit if it made a potential buyer forgo a legitimate sale. I guess that’s true.

But all I’m proposing is extending what is very anti-virus- and anti-spam-like behavior to try to identify scams as they unfold. The Webmail service could have all its users acknowledge the potential for false-positive scam identification, just as they do with the anti-virus and anti-spam services. I really don’t know how this recommendation would be any different.

Obviously the anti-scam service would have to use some sort of weighted Bayesian or heuristics technology. But how hard can it be to publish a link when the words “Nigeria friend death offer you successful transfer” appear in an e-mail? Heck, I think my scam-warning link idea is less risky than anti-spam filters, which completely block most candidates. My idea would only publish a harmless link. Would the innocent notice the links and be less likely to commit to the fraudulent transaction? I don’t know, but what could it hurt to try?
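The weighted-heuristic idea can be sketched in a few lines. This is an added example, not code from InfoWorld or from any Webmail provider: it scores a message thread on the keywords from the story plus a check for links that carry a trusted brand name in a host that does not belong to that brand. The weights, threshold, trusted-domain list and sample threads are all assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumed weights for illustration; a real service would learn them from labelled mail.
SIGNALS = {
    r"\bescrow\b": 2.0,
    r"\bwir(e|ing)\b": 2.0,
    r"\b(bad|incorrect|wrong) (account number|digit)\b": 3.0,
    r"\bfree shipping\b": 1.0,
    r"\bdiscount\b": 0.5,
}
TRUSTED = ("yahoo.com", "google.com")  # brands the heuristic protects (assumed list)
LOOKALIKE_WEIGHT = 4.0
THRESHOLD = 5.0                        # assumed cut-off for showing the link

def lookalike_hosts(text):
    """Return hosts that mention a trusted brand but do not belong to its domain."""
    hits = []
    for url in re.findall(r"https?://[^\s<>\"']+", text):
        host = (urlparse(url).hostname or "").lower()
        for domain in TRUSTED:
            brand = domain.split(".")[0]
            genuine = host == domain or host.endswith("." + domain)
            if brand in host and not genuine:
                hits.append(host)
    return hits

def scam_score(thread):
    """Sum the weights of signals seen anywhere in a list of message bodies."""
    text = " ".join(thread).lower()
    score = sum(w for pattern, w in SIGNALS.items() if re.search(pattern, text))
    if lookalike_hosts(text):
        score += LOOKALIKE_WEIGHT
    return score

def show_scam_link(thread):
    """True when the side column should carry the scam-information link."""
    return scam_score(thread) >= THRESHOLD

# Constructed sample threads (not real mail).
SCAM_THREAD = [
    "The car is at a substantial discount with free shipping.",
    "The wire did not arrive, you typed an incorrect digit in the account number.",
    "Use this escrow service instead: http://escrow.yahoo.com.secure-pay.example/start",
]
BENIGN_THREAD = [
    "Lunch on Friday? I found a discount code for the place near the office.",
    "Photos are at https://mail.yahoo.com/ if you want them.",
]
```

Scoring the whole thread rather than single messages matters here, because no one message in the constructed scam thread contains every signal.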

No doubt scam artists would use the very Webmail services to learn how to craft e-mails that would escape the warnings (as do virus writers and spammers today), but any protection is better than nothing. A decade has gone by and the problem lingers. Our friends and family members are losing money to scams that should have died by now. There has to be a better way.

This story, “Webmail services should help protect against scams,” was originally published at InfoWorld.com. Follow the latest developments in security at InfoWorld.com.

Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.
