Recently I got a note from an attorney who argues that companies should be held accountable when their brand or name is used to illegally get access to personal information. While I initially argued that such attacks are outside the control of companies such as Yahoo and eBay, I've come around to his point of view.
I think such companies should be held accountable for the damage caused by these attacks because they know about the activity and aren't doing everything possible to address it. If they aren't doing enough to stop these crimes, such companies become accomplices to the offenses committed in their names.
It will take a while for the legal community to structure a credible class action suit that can successfully prove this point, but when it happens, the liability could easily be in the billion-dollar range. In fact, maybe it's time to figure out how to keep this kind of business-ending lawsuit from getting started.
What is being done today
In most cases, today's frequently-phished companies provide a place on a Website where the witness (or victim) can report the activity. However, on most sites, there is little or no indication that anything is done with these submissions. In fact, I doubt anyone sees or does anything with much of what is submitted.
There are a number of funded efforts to help law enforcement go after phishers who masquerade as major companies, and from time to time, someone is actually caught. But it hardly appears to be a focused activity of law enforcement agencies, at least not to the extent that music and movie piracy is. I could sum up the efforts to catch these phishers in two words: negligent and inadequate.
Security companies such as Symantec are building advanced tools to help us identify phishing email, related phishing Websites, and other phishing-related activity that could compromise our financial information. Microsoft is arguably the most aggressive anti-phishing vendor on the planet, and you'll note that the software giant doesn't get phished very often, even though its sites or technology might be used to capture passwords and credit card information.
Phishing affects the behavior of end users and consumers. I, for one, don't use eBay or PayPal. I've stopped using Yahoo shopping. I don't use an online broker, and I use a financial service that is virtually unknown. I use a special, high-security credit card for online transactions that blocks nearly every other legitimate transaction I make until I verbally confirm it. I delete a lot of email in bulk, without reading it, because I assume it is a phishing attack. If it is legitimate, that's too bad.
I don't think I'm that unusual. The more phishing messages people receive, the less they trust the brand that is being impersonated. Such attitudes have to affect consumers' Web browsing and buying behavior.
As the attorney who contacted me indicated, the brand becomes perceived as the criminal, since you don't know the real person or company that sent the mail. This perception gets worse over time, reinforced with each bogus email carrying the brand's name.
In the long run, it could become a liability issue. If I know someone is using my name to bilk people out of their money, and if I don't do enough to stop that behavior, I'll likely be held liable for at least part of the massive damages. I might even be considered a criminal accomplice, even though I never personally benefited from the scam.
I believe the companies whose brands are currently being used most frequently in these phishing attacks aren't doing anywhere near enough to stop them. And I believe they should be held liable for the result.
What should companies do?
Frequently-phished companies must understand the risks they are taking by not aggressively addressing this threat. If consumers are too afraid to buy their products, these companies will lose revenue. If a politician is successful in holding these companies liable for negligence, their legal costs could skyrocket, and their brands could go into the toilet.
Symantec and other vendors could give these companies discounted or free versions of their products to help protect these users from this kind of phishing attack. Such vendors are developing increasingly stronger tools that can identify and warn users about phishing Websites and email.
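As an added illustration of the kind of check such tools perform, here is a small brand-impersonation scanner over the URLs in an email body. It is example code written for this page, not Symantec's or any other vendor's product. The brand list (BRAND_DOMAINS), the abbreviated suffix list (SUFFIXES), the homoglyph table and the sample message (SAMPLE_EMAIL) are all constructed for the example; a real deployment would load the company's own domain inventory and the full Public Suffix List.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed for this example: the registrable domains each brand is actually
# entitled to use. A real deployment would load the company's own domain inventory.
BRAND_DOMAINS = {
    "paypal": {"paypal.com", "paypal.co.uk"},
    "ebay": {"ebay.com"},
    "yahoo": {"yahoo.com"},
}

# Short stand-in for the Public Suffix List; multi-label suffixes are tried first.
SUFFIXES = ("co.uk", "com.au", "com", "net", "org", "info", "biz", "ru")

# Digits and symbols that phishers swap in for letters ("paypa1", "g00gle").
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})

URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def registered_domain(host):
    """Return the registrable part of a host name, e.g. 'login-secure.ru' for
    'www.paypal.com.login-secure.ru'. Hosts matching no known suffix (such as
    IP literals) are returned unchanged."""
    labels = host.lower().rstrip(".").split(".")
    for suffix in sorted(SUFFIXES, key=lambda s: -s.count(".")):
        parts = suffix.split(".")
        if len(labels) > len(parts) and labels[-len(parts):] == parts:
            return ".".join(labels[-(len(parts) + 1):])
    return ".".join(labels)


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess_url(url):
    """Return a list of human-readable reasons the URL looks like brand
    impersonation. An empty list means no indicator fired, not that the URL is
    safe; plain substring matching will also produce some false positives."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    userinfo = (parts.username or "").lower()
    path = parts.path.lower()
    reasons = []

    if is_ip_literal(host):
        reasons.append(f"host {host} is an IP literal, not a name")

    reg = registered_domain(host)
    for brand, legit in BRAND_DOMAINS.items():
        if reg in legit:
            continue  # this really is the brand's own domain
        if brand in host:
            reasons.append(f"'{brand}' is in host {host} but the registered domain is {reg}")
        elif brand in host.translate(HOMOGLYPHS):
            reasons.append(f"lookalike host {host} reads as '{brand}' after homoglyph folding")
        if brand in userinfo:
            reasons.append(f"'{brand}' appears before '@'; the real host is {host}")
        if brand in path:
            reasons.append(f"'{brand}' appears in the path on non-{brand} domain {reg}")
    return reasons


def scan_email(body):
    """Return [(url, reasons)] for every URL in the body that trips a check."""
    flagged = []
    for url in URL_RE.findall(body):
        reasons = assess_url(url)
        if reasons:
            flagged.append((url, reasons))
    return flagged


# Constructed sample message: one impersonating link, one legitimate link.
SAMPLE_EMAIL = """\
Dear valued customer, your PayPal account has been limited.
Please confirm your details at http://www.paypal.com.login-secure.ru/verify
If you believe this is an error, visit https://www.paypal.com/help instead.
"""

if __name__ == "__main__":
    for url, reasons in scan_email(SAMPLE_EMAIL):
        print(url)
        for r in reasons:
            print("  -", r)
```

The checks are deliberately simple: the brand name appearing in a host whose registered domain is not the brand's, the brand name in the userinfo before an "@" so that the displayed prefix hides the real host, a bare IP address instead of a name, and digit-for-letter lookalikes. Running the script on the sample message flags only the login-secure.ru link; the genuine paypal.com link passes because its registered domain is on the brand's list.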
In addition, frequently-phished companies could establish stronger trust relationships with their customers, so that a customer can verify that a particular session or connection really is with the genuine company and not an impostor. The Trusted Computing Group is one place where companies can learn about this technology and the value of adding another level of security for frequent users.
Finally, frequently-phished companies could, and should, more aggressively seek action against people who are appropriating their brands. Such pursuits should be considered self-preservation, since the risks of ignoring such attackers are great.
At some point, the victims of phishing, spam, and identity theft are going to want to hold someone responsible for their troubles. Who would be a better scapegoat than the company whose brand is doing the damage?
It would be wise and a natural cost of doing business to get ahead of this problem before these frequently-phished companies get shot between the eyes with it.