The British public is being urged to forward any email scams it receives to the National Fraud Authority. The reason? To collect intelligence which might help track down internet fraudsters and bring them to justice.
According to a BBC News report, mass marketing scams account for 90% of losses (an average victim who reports a fraud loses £27,000), but only make up a quarter of all reported fraud.
I personally applaud the motives of the agency. However, I question the effectiveness of this initiative.
It's all very well that the National Fraud Authority's Action Fraud website wants to be sent your scam emails - but has it provided members of the public with sensible instructions on how to send them in?
Taking a look at the Action Fraud press release, I see the instructions they give to users who want to assist the initiative:
People receiving scam emails are urged to forward them on to email@example.com.
However, plain forwarding of an email is lossy - in other words, you lose information that can help determine who is behind the scam or how it is being run. Specifically, the full headers are not normally included when you forward a message: a typical mail client keeps the body and quotes only the From, Date and Subject lines, which are exactly the fields the scammer chose, and discards the Received lines written by each mail server the message passed through, the Return-Path, the Message-ID and any fingerprint of the sending software.
This is an issue we know only too well about here at Sophos. Because relevant information is so often lost by simply forwarding an email, the team at SophosLabs asks customers to send us email samples as RFC-2822 attachments (that is, the original message attached whole as a message/rfc822 part, rather than pasted into a new one). This retains the header information and means that the underlying characteristics of the message are not mangled in forwarding. Even then, the headers prove only what each relay wrote: a scammer can plant bogus Received lines beneath the genuine ones, so the chain is trustworthy only from the first server the analyst has reason to trust.
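To see concretely what a plain forward throws away, here is an added example (not code from Action Fraud or SophosLabs) that builds both kinds of forward from one constructed scam message, using Python's standard email library, then re-parses each as the recipient would receive it and reports which forensic headers can still be read. Every host, address and IP in the sample is invented, and the Received-chain parser assumes the conventional `from X (...) by Y` clause layout.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed sample: a scam message as received, with the header trail an
# investigator cares about.  Hosts, addresses and IPs are invented.
RAW_SCAM = b"""Return-Path: <bounce@mailer.example.net>
Received: from mx1.example-bank.invalid (mx1.example-bank.invalid [192.0.2.10])
\tby mail.victim.example (Postfix) with ESMTP id 4F2A1; Mon, 1 Mar 2010 10:00:00 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7])
\tby mx1.example-bank.invalid with SMTP; Mon, 1 Mar 2010 09:59:58 +0000
Message-ID: <20100301095958.12345@mailer.example.net>
X-Mailer: BulkSender 2.1
From: "Example Bank" <security@example-bank.invalid>
To: victim@victim.example
Subject: Urgent: verify your account
Date: Mon, 1 Mar 2010 09:59:00 +0000
Content-Type: text/plain; charset="us-ascii"

Dear customer, your account will be closed unless you verify it today.
"""

# Headers that describe the sending infrastructure rather than the sender's claims.
FORENSIC_HEADERS = ("Return-Path", "Received", "Message-ID", "X-Mailer")
RECEIVED_RE = re.compile(r"from\s+(\S+)(?:\s+\([^)]*\))?\s+by\s+(\S+)", re.I)


def forward_inline(raw, sender, recipient):
    """Mimic a mail client's plain Forward: a new message whose body quotes a
    few display headers of the original.  Everything else is discarded."""
    original = email.message_from_bytes(raw, policy=policy.default)
    fwd = EmailMessage()
    fwd["From"] = sender
    fwd["To"] = recipient
    fwd["Subject"] = "Fwd: " + str(original["Subject"])
    quoted = "\n".join(f"{h}: {original[h]}" for h in ("From", "Date", "Subject", "To"))
    fwd.set_content("---------- Forwarded message ----------\n"
                    + quoted + "\n\n" + original.get_content())
    return fwd


def forward_as_attachment(raw, sender, recipient):
    """Forward the original as a message/rfc822 part so every header survives."""
    fwd = EmailMessage()
    fwd["From"] = sender
    fwd["To"] = recipient
    fwd["Subject"] = "Scam report"
    fwd.set_content("Scam sample attached as the original message.")
    fwd.add_attachment(email.message_from_bytes(raw, policy=policy.default))
    return fwd


def recover_forensic_headers(forwarded):
    """Serialise and re-parse a forward (as the recipient would see it) and
    report which forensic headers of the original can still be read."""
    msg = email.message_from_bytes(forwarded.as_bytes(), policy=policy.default)
    original = None
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            original = part.get_payload(0)   # the embedded original message
            break
    if original is None:
        return {h: [] for h in FORENSIC_HEADERS}
    return {h: [str(v) for v in original.get_all(h, [])] for h in FORENSIC_HEADERS}


def received_chain(raw):
    """(claimed sending host, receiving host) hops, oldest first.  Each MTA
    prepends its own Received header, so only hops written by servers you
    trust are reliable; earlier ones can be forged by the scammer."""
    original = email.message_from_bytes(raw, policy=policy.default)
    hops = []
    for value in reversed(original.get_all("Received", [])):
        m = RECEIVED_RE.search(str(value))
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops


if __name__ == "__main__":
    for name, build in (("inline", forward_inline), ("attachment", forward_as_attachment)):
        fwd = build(RAW_SCAM, "victim@victim.example", "reports@fraud-reporting.example")
        print(name, recover_forensic_headers(fwd))
    print(received_chain(RAW_SCAM))
```

Run as is, the inline forward yields an empty list for every forensic header, while the attachment forward hands back both Received lines, the Return-Path, the Message-ID and the X-Mailer fingerprint intact; the chain parser then orders the hops so the analyst can see which were written by a server they actually trust.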
By the way, it's good to see that the agency recommends that users remove personally identifiable information before forwarding the emails - just in case.
In short, even if you believe you are assisting the fight against scammers by forwarding a message to Action Fraud, valuable information may have been lost.
As a separate point, it's worth noting that the National Fraud Authority's press release does describe a series of steps that may allow you to spot scams. Unfortunately, in most cases they require a keener eye, and a more fundamental knowledge of how email works, than the general public may typically possess.
Fake emails often (but not always) display some of the following characteristics:
* the sender’s email address doesn’t tally with the trusted organisation’s website address
* the email is sent from a completely different address or a free web mail address
* the email does not use your proper name, but uses a non-specific greeting like "dear customer"
* a sense of urgency; for example the threat that unless you act immediately your account may be closed
* a prominent website link. These can be forged or seem very similar to the proper address, but even a single character’s difference means a different website
* a request for personal information such as user name, password or bank details
* the email contains spelling and grammatical errors
* you weren't expecting to get an email from the company that appears to have sent it
* the entire text of the email is contained within an image rather than the usual text format
* the image contains an embedded hyperlink to a bogus site
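Most of that checklist can be written down as detection logic, which is how a mail filter rather than a reader applies it. The following is an added example, not code from the press release or from Sophos: it scans a message for a free-webmail or mismatched sender domain, a generic greeting, urgency wording, a request for credentials, link text whose host differs from the real target, a lookalike domain a character or two away from the trusted one, and an image that carries a hyperlink. It runs over two constructed messages (every name, address and host invented); the trusted organisation's domain, `example-bank.com` here, is an assumption supplied by the caller, and the word lists are illustrative, not a production ruleset.

```python
import email
import re
from email import policy
from html.parser import HTMLParser

# Constructed samples; every name, address and host is invented.
PHISH = b"""From: "Example Bank Security" <security-alerts@gmail.com>
Subject: Your account will be suspended
Content-Type: text/html; charset="us-ascii"

<html><body><p>Dear customer,</p>
<p>Unless you verify your details immediately your account will be closed.
Please confirm your user name and password at
<a href="http://www.example-bamk.com/login">http://www.example-bank.com/login</a></p>
<a href="http://www.example-bamk.com/login"><img src="cid:banner"></a></body></html>
"""
LEGIT = b"""From: "Example Bank" <statements@example-bank.com>
Subject: Your March statement is ready
Content-Type: text/html; charset="us-ascii"

<html><body><p>Dear Jane Smith,</p><p>Your statement is available in online banking:
<a href="https://www.example-bank.com/statements">View statements</a></p></body></html>
"""

FREE_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
TEXT_CHECKS = {  # finding -> pattern applied to the subject plus visible body text
    "generic-greeting": re.compile(r"\bdear (customer|user|member|client|sir or madam)\b", re.I),
    "urgency": re.compile(r"\b(immediately|within \d+ hours|suspend\w*|closed|urgent\w*)\b", re.I),
    "credential-request": re.compile(r"\b(password|user ?name|pin|sort code|account number|card number)\b", re.I),
}


class _HtmlScan(HTMLParser):
    """Collect (href, visible text) anchors, image counts and the visible text.
    A plain-text body passes through handle_data unchanged."""
    def __init__(self):
        super().__init__()
        self.links, self.text, self.images, self.image_links = [], [], 0, 0
        self._href, self._anchor = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href", ""), []
        elif tag == "img":
            self.images += 1
            self.image_links += (self._href is not None)   # image wrapped in a link

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._anchor).strip()))
            self._href = None

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)


def host_of(url):
    """Hostname of an http(s) URL, lowercased, minus a leading 'www.'; '' if not a URL."""
    m = re.match(r"https?://([^/:?#]+)", url.strip(), re.I)
    host = m.group(1).lower() if m else ""
    return host[4:] if host.startswith("www.") else host


def same_site(host, trusted):
    return host == trusted or host.endswith("." + trusted)


def edit_distance(a, b):
    """Levenshtein distance: a 'single character's difference' scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_message(raw, trusted_domain):
    """Apply the checklist to one raw message; returns {finding: detail}.
    An empty dict means nothing on the list fired, not that the mail is safe."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    addrs = msg["From"].addresses if msg["From"] else ()
    sender = addrs[0].domain.lower() if addrs else ""
    if not same_site(sender, trusted_domain):
        findings["sender-domain-mismatch"] = f"{sender} is not {trusted_domain}"
    if sender in FREE_WEBMAIL:
        findings["free-webmail-sender"] = sender
    body = msg.get_body(preferencelist=("html", "plain"))
    scan = _HtmlScan()
    scan.feed(body.get_content() if body is not None else "")
    text = str(msg["Subject"] or "") + " " + " ".join(scan.text)
    for key, pattern in TEXT_CHECKS.items():
        m = pattern.search(text)
        if m:
            findings[key] = m.group(0)
    for href, shown in scan.links:
        target, shown_host = host_of(href), host_of(shown)
        if shown_host and shown_host != target:
            findings["link-text-mismatch"] = f"shows {shown_host}, goes to {target}"
        if not same_site(target, trusted_domain):
            near = edit_distance(target, trusted_domain) <= 2
            findings["lookalike-link" if near else "external-link"] = target
    if scan.image_links:
        findings["image-link"] = f"{scan.image_links} image(s) wrapped in a hyperlink"
    if scan.images and len(text.split()) < 10:
        findings["image-only-body"] = f"{scan.images} image(s), almost no text"
    return findings


if __name__ == "__main__":
    print(score_message(PHISH, "example-bank.com"))
    print(score_message(LEGIT, "example-bank.com"))
```

The constructed scam trips eight of the checks at once, the legitimate statement none; real mail is messier (genuine banks do send urgent notices through third-party mailers, and lookalike detection by edit distance misses homoglyphs and extra subdomains), which is why these are scoring signals for a filter, not a verdict a reader should be expected to compute by eye.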
I have to ask myself, would most of these tips work with aged parents/grandparents/neighbours?
It's great that advice is being shared in an attempt to better protect the general public, but we also need to find ways to communicate sometimes complex issues effectively, in language that people who are not computer literate will understand.