Tom Ericson did not think he was the kind of person who would fall victim to a hoax. But the 68-year-old Scandinavian, whose long international business career included a lengthy spell at a large multinational bank, recently lost £46,000 to a lottery scam.
Ericson received an email in October 2006, ostensibly from Microsoft, which informed him that the company's lottery fund had picked him as the winner of a £500,000 prize.
He was delighted. The Microsoft name reassured him and his telephone call to the number given in the email was handled in a professional manner. He was told a cheque would be posted to him straightaway.
There was just the matter of a £541.10 handling fee to pay first, which Ericson did by Western Union. Then there was a tax charge of £1,620, a $14,600 (£7,350) security deposit, and £3,102 in legal fees. The fees mounted, but no money was released.
In December Ericson became suspicious and went to the police. Sympathetic but unable to offer much help, they referred the case to Microsoft's internal investigation department, which tracks lottery scams in a more systematic way than many police forces are able to.
"We investigate every single lead and try to build cases from them," says Peter Anaman, a former French army officer who now works as a cybercrime investigator at Microsoft.
The US software giant is not the only business developing an online policing role. An increasing number of companies are becoming proactive in tracking down cybercriminals who abuse their trademarks, disrupt their businesses and prey on their customers.
Microsoft has about 65 investigators and lawyers working full-time on tracking cybercrime, such as spam, phishing, malware, spyware and child pornography. PayPal, the online payments service, has a similar number. Some banks, such as HSBC, also invest heavily in in-house teams. Other companies seeking protection may pay six- or seven-figure sums for internet security specialists to provide something akin to a private detective service.
Crack force
RSA, the internet security specialist, for example, works for most of the world's largest banks to identify and stop phishing attempts, in which emails purporting to be from trusted contacts encourage victims to hand over confidential data. Its work involves infiltrating underground networks where hacking tips are traded to find out where the next attack might come from. RSA also runs an international network through which more than 2,500 banks can quickly share information about cybercrime attacks.
Andrew Moloney, RSA's European director for financial services, says the United Nations is considering establishing something similar, but this could take years to get off the ground.
Part of the problem is the sheer scale of internet crime. Symantec, the internet security company, estimated that it blocked about eight million phishing emails a day in the second half of 2006. About 20 million computers around the world are estimated to be in the control of hackers, and researchers say they are seeing more than 6,000 new pieces of malicious computer code created each day. Millions of stolen credit card numbers are routinely bought and sold for pennies apiece on underground networks daily.
Police resources, on the other hand, are limited. In the UK, for instance, the Serious Organised Crime Agency investigates larger-scale internet crimes. But while the agency has about 4,000 staff, it also deals with money laundering, drug trafficking and other offline issues. Smaller e-crimes are reported to local police forces, which are already stretched and tend to lack officers with the specialist training needed to track internet crime. Yet it is often this kind of small-scale fraud that causes reputational damage among companies and deters customers from using their online services.
"Law enforcement are quite challenged by the international nature of this kind of crime," says Garreth Griffith, head of risk at PayPal. "It is also quite high-volume but low-value crime, which is difficult for the police to track. If you go to the police and tell them you just sent £500 by Western Union to Romania but didn't get the laptop you thought you were buying, they are likely to be sympathetic, but it won't be a priority for them as it isn't a large sum of money.
"We may be able to build a better picture. There may have been five people who also lost £500 to Romania in the same way. We can go to law enforcement with what is now a £2,500 crime and maybe even some information on where to find the scammer."
Rising numbers
Microsoft has put lottery scams at the top of its investigation agenda after a rapid increase in numbers. "In 2003 we started to see maybe one or two of these scams a month. Now we are seeing about a hundred unique instances each month," says Mr Anaman.
A recent survey conducted by Ipsos on behalf of Microsoft found that half of those polled had received a lottery scam email. About 16 per cent had opened the email and, of these, 10 per cent replied and roughly three per cent of people said they had lost money to scammers.
"There is so much internet crime the authorities can't cope with the volumes. But something has to be done. Criminals have seen there is a no-man's land where no one is taking responsibility. Trust in the internet is going down," says Anaman.
So what practical action are companies taking? Microsoft's investigators compile information about the scammers then hand their files over to the police, who carry out any arrests. Sometimes its investigators bring private prosecutions.
Another tool is training for police officers in regions where cybercrime is rife. In Nigeria, for example, Microsoft investigators hold sessions every few months for about 20 or 30 police officers, teaching them how to trace the source of a scam using the IP numbers that identify individual computers. Anaman says that police have been able to re-open closed cases using these methods.
PayPal, too, trained more than 2,000 police officers globally in 2006 and donated computers to forces in countries such as Romania.
The results of all this activity are patchy but positive. Microsoft has to date supported 550 public and private prosecutions.
"Some people have been locked away and in some cases the criminal activity has stopped altogether. It's moving forward in the right direction," says Anaman.
Griffiths said his investigators contributed to at least 180 arrests in the UK alone in 2006. However, no lottery scam investigations - including Ericson's - have yet resulted in any arrests or money recovered. Ericson, who borrowed money against his house to pay the scammers, has had to come out of retirement to rebuild his finances.
"I am angry with myself and my wife is angry with me," he says. "It almost broke up our marriage."
Last month Ericson received a new lottery email in Microsoft's name. This time he ignored it, but was amazed by the scammers' persistence. "I take my precautions and put filters on my computer, but still these come through," he says.
"I don't think there is much the police or companies can do."
Safety net: When the scammers threaten your brand
Microsoft has some words of advice for companies that discover their names used in Internet scams:
- Alert your legal department, which can then notify the national law enforcement body, preferably the national cybercrime unit. They will be in a position to communicate with Europol and Interpol.
- Send a "take-down" letter to the Internet service provider requesting the closure of the sender's email account and any email accounts mentioned in the body of the scam.
- Keep records of the reports and scams received in order to be in a better position to evaluate the threat and share the results of your investigations with the national law enforcement body.
- Consider warning your customers about the scam through the company website, especially if your business is not usually targeted by fraudsters.