Article Highlights:
- Even with low response rates, a single successful spam campaign can generate about $3.5 million a year
- The latest pharming sites communicate not only with intended victims, but simultaneously with the site they are spoofing
- Malicious links can be inserted in conventional, innocent-seeming ads placed through legitimate networks
You see the evidence everywhere you go -- whether it's graffiti on a curbside wall or the classic "Nigerian Scam" come-on in your email: It's a lot easier for criminals to spread their dirt than it is for law-enforcement officials to clean it up.
And the incentives are powerful enough to keep those criminals highly motivated, particularly cybercriminals who do their nefarious work online. For example, a recent study conducted at the University of California's Berkeley and San Diego campuses tracked more than 350 million spam messages and found a response rate of only 1 in about 12.5 million. Yet even that tiny fraction of successful victimization was enough to generate about $3.5 million per year. And this represents just a tiny slice of the world's total traffic in spam.
That's why threat researchers and risk managers find that more than 90 percent of today's email is spoofs and spam, often sent by professional "pharmers" and "phishers." There is no authoritative count of phony websites, but they are certainly plentiful.
As nearly everyone knows by now, "spoof" refers to any online messaging that purports to be from a certain person or organization but really isn't. "Spam" is the name for messages you didn't request and generally don't want to receive. "Phishing" is the process of sending online messages that try to fool innocent or unsuspecting people into revealing their confidential information (name, account number, SSN, DOB, passwords, etc.). "Pharming" is the same, but done via a spoofed website rather than an email.
In many instances, cybercriminals use these techniques to con you, and your clients, out of money or the next best thing: confidential information they can either sell to criminals or use in their own criminal activities. When profit is not the objective, spammers and spoofers can be interested in defeating security measures, proving their programming prowess, or monkey-wrenching normal internet operations. In some cases, the "bad guys" are trying to damage or block the use of a particular website.
Negative examples
Any name-brand company can be -- and probably has been -- a target of cybercriminals.
MasterCard, for example, has been spoofed many times through take-offs on its well-known "priceless" ad campaign. Spoofers manufacture good-looking video ads that look and feel like the real thing until a quick shift in the action and a tagline show that MasterCard had nothing to do with this production. Often there's a quick reference at the end to an unrelated product the spoofers are hoping you'll try.
Smart marketers have begun to "hit back" at advertising spoofers by creating their own apparent spoofs of themselves, ending with a brief mention of an actual product they're trying to sell.
But sometimes the spammer's goal is to sell you his/her own product. For example, this past Mother's Day, countless sons and daughters (including my own step-son) were surprised and dismayed to read an email from FTD Florists that purported to be from "Mom", saying (sic): "I saw this website and figured i would just let you know what i wanted for mothers day. Get me these flowers and ill be happy. Love, Mom."
There was even a homey touch at the end: "They said you have to order by Friday for gauranteed (sic) mothers day delivery".
"Why'd you ask for those flowers, Mom?" asked one dismayed son. "I've already chosen something much nicer for you."
"I didn't," responded his surprised mother (nevertheless grateful to get a phone call from her darling boy!), thus unraveling the spoof. But how many others were fooled? (To date, FTD has not responded to my inquiries about this campaign.)