Archive for the ‘technology’ Category

Identity Theft, Phishing and Malware: Global Problems Requiring Global Solutions and Coordination

Monday, April 23rd, 2007


Credit Lock / Credit Freeze / Security Freeze.

The world has experienced an unprecedented growth in Identity Theft during recent years, fueled by multiple channels including sophisticated Phishing schemes, Malware and infiltration of organized crime. The globalization of Identity Theft will mean that regional efforts to contain the problem will achieve minimal results at best.

In the U.S. it is estimated that as many as 17.3 Million individuals were victims of Identity theft during 2005 and 2006 on a combined basis, with an estimated total of $106 Billion in associated losses (BBB/Javelin). In Canada, the Canadian…More…


When It Comes To Identity Theft, Technology Can Be a Curse

Friday, April 6th, 2007


Is technology a blessing or a curse? Some may reply: what kind of question is that? After all, if technology were not a blessing, why would humankind pursue it? Technological advances have given us the car, the plane, the moon, an ample food supply, solid shelter, warm clothes, energy, medicine, etc… Technology has also given us nuclear bombs, germ warfare, global warming, and some would argue, loss of privacy… More….


Identity Theft Risks Increase with “Custom” Phishing

Monday, April 2nd, 2007


Most consumers concerned about Identity Theft have heard of Phishing: a name given to a fraudulent communication, typically transmitted through an email, pretending to be from a trustworthy institution, such as a bank. A Phisher looks to acquire sensitive private personal information, from unsuspecting individuals. Such information is then used to fraudulently withdraw money from the victim’s bank account, or to engage in another Identity Theft related crime.


Until recently, Phishers have used “generic” techniques, reproducing the corporate identity of a reputable institution, such as Paypal or Chase bank. Such Corporate Identity, distinguished through logos, colors, formats etc… is used to highlight a generic message such as: “The security of your account may have been compromised, and unless you click the link below to verify your information, you will lose access to your account.”

Such criminal techniques have become well known. Consumers have been well advised not to click on such emails. Consumers are still left with the task of distinguishing between authentic and fraudulent emails. When the email’s message is generic and non-personal, a consumer can safely assume it may be a form of Phishing. However, when an email’s message is personal, or relates to a recent action by the consumer, then the consumer is less likely to identify Phishing.

Such “Custom” Phishing is likely to increase Identity Theft risks. Criminals use spyware and other investigative techniques in order to acquire semi-private personal information for a certain individual. Then such information is embedded in a Phishing email, in order to retrieve additional private and sensitive information.

In an example of “Custom” Phishing, an individual recently received an email pretending to be from Paypal (a payment processing company with more than 120 Million customers). Such email looked exactly as if it had been sent by Paypal, with the proper logo, colors, formats, etc…. Furthermore, such email warned the recipient that he has been accessing his account from outside the U.S., and unless information is verified, his account will be frozen.

As it turns out, the recipient was indeed accessing his account from outside the U.S. during the past few days. Whether the Phisher attained such information through spyware, an investigative technique, or pure luck, is not known. Despite the recipient’s Identity Theft and Phishing awareness, the timing of the Phishing email, and the nature of its content, caused him to wonder whether such email was authentic or not. Rather than click on the email, the recipient forwarded the communication to spoof@paypal.com, and Paypal confirmed that such email was indeed Phishing.


As such “Custom” Phishing techniques evolve, there is a higher likelihood that even suspecting consumers can fall prey to a Phisher’s net. In order to avoid becoming a victim of Identity Theft, a consumer may soon have to request authenticity validation for most or all communications received from a “supposed” reputable sender. This could ultimately lead to the “Next Generation” of Smart Email Management Programs. Such programs would have the capability to automatically validate any incoming emails, and place all suspect emails in a “Phishing Alert” folder for review and possible deletion. Until such day arrives, Consumers Beware….


Despite Consumer Awareness, Phishing Remains a Serious Identity Theft Threat

Monday, March 12th, 2007


According to a weekly informal poll published on www.creditlock.com, more than 81% of respondents reported that they believe that more than 45% of emails they receive contain fraudulent claims. Furthermore, 26% of respondents believe that more than 90% of emails they receive contain fraudulent claims. In a previous weekly poll, when asked which Identity Theft threat concerns consumers the most, 33% of respondents chose Phishing, placing such threat concern in the number one spot. 

Despite such strong consumer awareness about the threat of Phishing and Email Fraud,  the FTC reported that in 2006, in 60% of fraud complaints, the company’s initial method of contact was either email (at 45%) or web (at 15%). Furthermore, “Electronic Funds Transfer-related Identity Theft remained the most frequently reported type of Identity Theft bank fraud”, and 23% of consumers reported wire transfer as the method of payment. When engaging in Identity Theft on the web, in email, and through illicit transfers, criminals often resort to Phishing to retrieve valuable consumer personal information.

Why is it that despite very strong consumer awareness about Phishing and Email Fraud, such venues continue to remain a serious Identity Theft risk? The answer lies in the astronomic number of emails sent each day worldwide. Estimates for the number of emails sent each day worldwide vary widely. Some estimate such figure at over 60 Billion emails per day in 2006, while others, such as the Radicati Group, put such number at 171 Billion emails per day. Furthermore, the Radicati Group estimates Spam at about 71% of all emails, while others, such as Postini (a US Email Security Company), put such figure at 90%. Postini also estimates that there are about 200 criminal gangs generating 80% of Spam emails.

Given such tremendous volume of emails, if unsuspecting consumers respond to only 1 per Million of such emails, then the number of responses per day can be anywhere between 60,000 and 171,000. If 80% of such emails make fraudulent claims, then you can potentially have between 48,000 and 142,000 responses to fraudulent emails. If we divide such number by 30 to account for emails sent to the same person, and other factors, we are still left with about 1,600 to 4,700 potential fraud victims per day. Such number is extremely conservative, given our assumption of a response rate of 1 per million, and the additional division by 30.

Our objective is not necessarily to arrive at an exact figure, but to demonstrate that given the sheer number of emails sent each day, it only takes a micro response rate to generate a substantial number of fraud victims each day.


It is unfortunate that the distinction between fraudulent content emails and “cold-marketing” emails is probably disappearing. If 26% of the respondents to the poll published on www.creditlock.com believe that more than 90% of emails make fraudulent claims, then that certainly does not leave much room for marketing emails that have no fraudulent content. Although it is necessary to try to control and stop emails that have fraudulent content, it is almost impossible to do so without limiting all Spam emails: those with legitimate content, and those with fraudulent content. Some would not mind limiting all such emails. Others don’t mind receiving a legitimate email about a topic or a product they may be interested in. However, most likely, given the risk of viruses, and fraudulent content, those who don’t mind receiving legitimate marketing emails are willing to sacrifice such preference for the sake of security.

Until such day arrives, where all Spam emails, and fraudulent content websites, are somehow abolished (which is highly unlikely to happen), Phishing will most likely continue to be a serious Identity Theft threat.


4 Ways to Avoid Sophisticated Click Fraud, Another Form of Identity Theft

Monday, March 5th, 2007


Click Fraud - another form of Identity theft? Absolutely.

According to www.CreditLock.com, Identity Theft is when a criminal steals your name and other personal information and takes on your identity, criminally abusing your information for various fraudulent purposes (such as credit card fraud, loan fraud…). Many other sources also define Identity Theft in a similar manner.

What if a person does not assume the specific identity of another person, but pretends to be a person of certain characteristics, or qualifications, for the sole purpose of defrauding others? In such case, there is no specific person whose name is being fraudulently abused. However, the entity or person being fooled by the false identity characteristics is a victim of Identity Theft; the victim in this case is not sustaining damage by having his identity stolen, but by being led by someone else to mistakenly believe that that someone else is of certain characteristics.

An employer is a victim of a form of Identity Theft, when hiring a candidate who fraudulently claims to possess an MBA from Harvard University. A hospital is a victim of a form of Identity Theft, when hiring a Doctor who fraudulently claims to have graduated from Johns Hopkins Medical School. A home resident is a victim of a form of Identity Theft when giving entry access to a thief claiming to be a police officer.

Similarly, an advertiser is a victim of a form of Identity Theft, when paying for “Per Click” advertisements, when such advertisements are clicked on by someone whose purpose is not genuine consumer interest in the advertisement content, but whose purpose is either A- to deplete the advertiser’s click budget or B- to financially benefit from the associated Click revenue generated.


If losses from such forms of Fraud were to be included in Identity Theft losses, then we would see total identity theft losses increase by several billion dollars. Excluding such items, Identity Theft losses are estimated at over $56 Billion in 2005. Pay per Click advertising is estimated at over $12 Billion in 2006, and is expected to grow to almost $30 Billion by 2010. Click Fraud is estimated at anywhere between 15% and 30%. Hence, between 2007 and 2010, losses associated with Click Fraud alone would range anywhere between $1.8 Billion and $9 Billion. Such figure assumes that click fraud rates do not exceed 30%.  If such figure is incorporated into Identity Theft losses, along with losses stemming from resume false claims, background check expenses, etc…, then it becomes very clear that Identity Theft is taking a very serious toll on our society.

Click Fraudsters engage in such act for one (or more) of the following 3 reasons: 1- to cause damage to the advertiser, 2- to cause damage to the publisher, 3- to enrich themselves.

Regardless of the motive, Click Fraud is carried out in 4 general ways: 1- by directly repeatedly clicking on an advertisement, 2- by using a computer to carry out “automated” clicks, 3- by engaging others to conduct clicks, in return for compensation, 4- by engaging in “Impression Drowning”, deliberately calling upon impressions to appear, without clicking, resulting in a dilution of Click Through Rates, which ultimately causes the advertiser to lose the right to advertise for a certain keyword.

Unsophisticated Click Fraud can be detected and dealt with easily. Publishers and advertisers can easily detect multiple clicks from a single IP address, regardless of whether such traffic is manually or electronically generated. Furthermore, sophisticated programs can also detect Click Fraud generated from sources that rotate IP addresses, by analyzing geographic location of Clicksters, length of visits, unusual traffic spikes, conversion declines, etc…

Sophisticated Click Fraud, on the other hand, is much harder to detect and deal with. Consider Pay To Read rings, who create websites carrying nothing but PPC advertisements, and engage thousands of other people to click on listed advertisements, for a share of the click revenue.

An example of how this is accomplished is as follows. A website lists on its pages 1,000 pay per click advertisements, categorized under many different page/directory headings. The operator of such website then proceeds to place an advertisement to recruit Clicksters. Such ad could read: “Make Thousands of dollars from your own computer at home! All you have to do is review some of our content, and help us design better advertisements.”

To do so, the Clickster is encouraged to click on specific advertisements at the site, in order to see how they are written, and then submit another version of such advertisements. The Clickster could be encouraged to click no more than 5 times on one specific ad, before moving on to another ad under the same category.

If the Clickster ends up clicking on 20 advertisers, 5 times each, then he has generated 100 Clicks. If each click generates $0.50 to the website operator, then that translates to $50 in revenue. The operator then can proceed to pay the Clickster $10 and retain $40 in profit. In essence, what has happened is that the website operator has defrauded the advertiser, causing him $50 in damages in this one instance. The Clickster can then move to another category, and repeat the process.


Similarly, the website operator can have 10 people daily doing the same thing. If there are a total of 10 categories, then 10 x 10 x $50 = $5,000 in fraud revenue daily. That translates to over $1.8 Million annually!

Such fraud is difficult to detect because there are no more than 5 clicks generated from the same source. Furthermore, the Clicksters are spending time reading the content, and different Clicksters are spending different amounts of time due to their different reading capabilities. To make it even harder to detect, the website operator can randomly have his Clicksters make an occasional purchase (for example by spending 10% to 20% of revenue generated).

There is no question that major publishers, such as Yahoo and Google, find it in their own best interest to eliminate Click Fraud. If they didn’t, their entire business model would fall apart, as advertisers simply abandon Pay Per Click. Considering that Google is a $100 Billion plus company, whose main revenue source is Pay Per Click Advertising, it has to, and does, take Click Fraud seriously. Despite such will, as Click Fraudsters become more sophisticated, detecting such fraud also becomes more difficult. We believe that unless Advertisers themselves also become active in detecting Click Fraud, such problem will not be overcome.


Here are 4 ways Advertisers can help fight sophisticated Click Fraud:

1- You may want to avoid PPC advertising on websites that carry nothing but PPC advertisements, unless you are 100% certain that the website (and any other websites to whom it allocates your advertisements) does not engage in Click Fraud.

2- If you find your Advertisements placed with reputable places such as Yahoo and Google on other websites whose content is only PPC advertisements, then find out how your advertisements got there, and you may want to ask Yahoo, Google or whomever to stop forwarding your advertisements there. They have a vested interest in fighting Click Fraud, and at the least, they will investigate the circumstances and give you an update.

3- Monitor your website traffic, page by page. Establish a general pattern for your expected conversion rates, length of stay, etc… from referrers you deem reputable, such as Google and Yahoo. If you find that data from other referrers contradicts your trusted data substantially, with expenses substantially exceeding associated revenues, then you may want to consider removing your advertisements from publishers you suspect of click fraud.

4- If you are unable to stop your advertisements from appearing on some suspected websites, consider substantially reducing your keyword bid, or totally removing the keyword generating such traffic, as long as you are willing to accept the consequences to your overall traffic from such action. This could also cause you to lose traffic from trusted sources, so you must consider such action very carefully. Many are willing to live with the possibility of Click Fraud, as long as they believe they have a net income, as opposed to a net expense. You are the best person to judge your own situation.
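
The monitoring described in step 3, sketched in Python as an added example (not code from the original post): it builds a conversion baseline from trusted referrers and flags other referrers that convert far below it while costing more than they earn. The visit records, referrer names, the 50% ratio and the 30-click minimum are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample visits: (referrer, seconds_on_site, converted, click_cost, revenue).
# The PPC-only site has the LONGEST visits, mirroring the point that paid
# Clicksters really do read the page, so dwell time alone does not expose them.
VISITS = (
    [("google.com", 95, i % 10 == 0, 0.50, 40.0 if i % 10 == 0 else 0.0) for i in range(200)]
    + [("yahoo.com", 80, i % 12 == 0, 0.50, 40.0 if i % 12 == 0 else 0.0) for i in range(120)]
    + [("ppc-only-directory.example", 110, i == 0, 0.50, 40.0 if i == 0 else 0.0) for i in range(100)]
    + [("niche-blog.example", 60, i % 9 == 0, 0.50, 40.0 if i % 9 == 0 else 0.0) for i in range(45)]
)
TRUSTED = {"google.com", "yahoo.com"}  # referrers the advertiser deems reputable


def summarize(visits):
    """Aggregate clicks, conversions, dwell time and net revenue per referrer."""
    acc = defaultdict(lambda: {"clicks": 0, "conv": 0, "secs": 0, "cost": 0.0, "rev": 0.0})
    for ref, secs, converted, cost, rev in visits:
        a = acc[ref]
        a["clicks"] += 1
        a["conv"] += int(converted)
        a["secs"] += secs
        a["cost"] += cost
        a["rev"] += rev
    return {
        ref: {
            "clicks": a["clicks"],
            "conv": a["conv"],
            "conv_rate": a["conv"] / a["clicks"],
            "avg_secs": a["secs"] / a["clicks"],
            "net": a["rev"] - a["cost"],
        }
        for ref, a in acc.items()
    }


def baseline_conv_rate(stats, trusted):
    """Click-weighted conversion rate across the trusted referrers."""
    clicks = sum(stats[r]["clicks"] for r in trusted if r in stats)
    if clicks == 0:
        raise ValueError("no traffic from trusted referrers; cannot build a baseline")
    return sum(stats[r]["conv"] for r in trusted if r in stats) / clicks


def suspect_referrers(visits, trusted, min_clicks=30, ratio=0.5):
    """Flag untrusted referrers converting far below baseline while losing money."""
    stats = summarize(visits)
    base = baseline_conv_rate(stats, trusted)
    return sorted(
        ref for ref, s in stats.items()
        if ref not in trusted
        and s["clicks"] >= min_clicks      # ignore samples too small to judge
        and s["conv_rate"] < ratio * base  # substantially below the trusted pattern
        and s["net"] < 0                   # expenses exceed associated revenue
    )


if __name__ == "__main__":
    print(suspect_referrers(VISITS, TRUSTED))
```

A flagged referrer is a candidate for the follow-up in steps 2 and 4, not proof of fraud; a low-converting but honest publisher produces the same signal.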

Although there are some laws in place to help fight Click Fraud, such as California Penal Code 502, we do not believe that Click Fraud is yet considered a serious crime. Officially categorizing Click Fraud as a form of Identity Theft would immediately make Click Fraud a serious crime. Hence, we would also encourage parties concerned about Click Fraud to request from appropriate authorities such as local authorities, agencies, or even the FTC to officially categorize Click Fraud as a form of Identity Theft.


If various measures are not successful at containing Click Fraud, then we could find ourselves migrating to a model of “Pay Per Sale (PPS)” as opposed to “Pay Per Click (PPC)”. In a model where advertisers only pay advertising fees upon the completion of a successful sale and its associated revenue stream, there is no incentive to click for the sake of generating revenue from clicking.

Such model, however, would not necessarily satisfy the needs of many online advertisers who do not conduct online sales. Pay Per Click is definitely an innovative advertising channel that needs to be protected from Click Fraud, another form of Identity Theft.
