“WARNING: XYZ virus will wipe your drive! Click here for help!!!! Warn your FRIENDS – This is URGENT!!”

More than likely, you have gotten an e-mail with a message similar to this one. Of course, being security aware, you probably know that these kinds of messages are always hoaxes, since viruses and worms are never legitimately brought to our attention by random e-mailers on some kind of mercy mission.

Nevertheless, hoaxes can be a major drain on an IT department’s resources. The U.S. Department of Energy’s Computer Incident Advisory Capability office said, “At CIAC, we find that we spend much more time debunking hoaxes than handling real virus and Trojan incidents.” When you realize that CIAC actively solicits new virus code and maintains a laboratory to investigate viruses and worms, that’s a telling statement.

Many hoaxes are simply time-wasting pranks intended to make fun of novice or clueless users, but others include instructions that, if followed, will wreak havoc on a personal system or even a network. And many of the hoax e-mails that don’t contain malicious payloads or damaging directions are used by spammers to collect new victims’ addresses.

Don’t ignore the threat from these time-wasters. Not only will they get you on spam lists, the original hoax can be hijacked and turned into a malicious attack. As McAfee points out on its hoax site, this is exactly what happened with the AOL4FREE hoax when a Trojan was added to the originally harmless hoax.

That hoax was a good example of the social engineering used to get by people’s natural skepticism. AOL4FREE didn’t purport to send users free AOL service; rather, it pretended to warn them that they shouldn’t fall for a nonexistent free AOL letter and solicited their help in eliminating the phony virus by forwarding the warning to all their friends.

What do you do about hoaxes?
As usual, educating users is the best way to combat these threats. You need a detailed usage policy that all users have to read and follow. Part of this guide should be a brief explanation of the basic threats and problems faced by businesses using the Internet.

A brief introductory talk to staff and new workers covering the following topics should suffice for most employees:

  • Virus threats are not announced by e-mails. These are always hoaxes and the IT department is usually notified about new viruses long before you could get an e-mail warning.
  • E-mail addresses can be hijacked. If a message appears to be from someone you trust but the message seems somehow odd, it is probably a fake message that was automatically forwarded by a virus.
  • Never open any unexpected e-mail attachments.
  • Never forward any virus threat e-mails or attempt to deal with the supposed threat by following instructions contained in an e-mail. Contact the IT department if you have a concern, and it will take any necessary actions.

Managing e-mail access
You can cut the number of incidents that you have to respond to by forbidding users to access outside e-mail accounts from work. This is usually done via Web mail, Outlook Express, or even users who’ve loaded AOL software on their work computers. You’ll get a lot of complaints about this policy at first, but you should point out that this is akin to the normal ban on personal phone calls at work, except for emergencies or other urgent incidents.

If you decide on this policy, you will also have to remind workers that their company e-mail account is not private, and  they should never use it for any nonbusiness purpose. Make sure they understand that it’s for business use only, and that their account may be routinely accessed by others in the company for legitimate reasons, such as when they are out sick or on vacation.

A policy banning access to personal e-mail accounts, complete with rigorously enforced sanctions against violators, will not only eliminate many of the threats from time-wasting hoax e-mails, but will also help mitigate a cause of real virus and worm infections: Employees opening infected attachments disguised as everything from lottery tips to nude photos of some actress or actor.

How to recognize a hoax
Most e-mail hoaxes (and almost all of the really successful ones) come in  several recognizable categories:

  • The technical warning. Many successful hoaxes use highly technical language to describe a threat. The description is often complete nonsense.
  • The Good Samaritan ploy. Hoaxes don’t just warn you of a mythical threat, they play on your desire to help your friends, or to appear important, and cajole you into sending the fake warning to everyone you know. This lends the warning an air of authenticity because it comes from someone users know.
  • The too-good-to-be-true offer. Among other common ploys are those get rich quick schemes that clearly sound too good. They’re usually pretty stupid, but people fall for them every day.

The e-mail hoax is just the technological equivalent of the chain letter and follows the age-old three-part pattern of all successful cons:

#1: The hook
First, there will be an appeal to greed or compassion or the chance to show off by being the first to warn your friends. The hook is the virus warning, the dying child announcement, the offer to make Big Money at Home While Sleeping, or a similar catchy subject line that is expanded in the first several paragraphs if you open the e-mail.

#2: The threat or warning
The message will quickly move on to warn of severe damage that could occur to your computer (or some other dire consequences that might befall you) if you don’t take a certain action.

#3: The action
Although a few hoaxes will simply rely on your inherent desire to share good or bad news, nearly all of them will include a final plea to send copies of the original message to as many people as you can.

Certainly the most easy-to-identify feature shared by all hoaxes is this: They come in an e-mail, not from a trusted Web site or a mailing list you have subscribed to, but from an untrusted source. That should be such a gigantic red flag that no other warning is needed.

Hoax resources
Internet hoaxes are so common that virtually every security company or antivirus vendor maintains a Web page just for this problem. Here are some of the most useful sites:

  • McAfee’s site has details on about 50 major hoaxes.
  • Symantec has an even longer list of hoaxes.
  • Another interesting site is provided by F-Secure. This site focuses on the ones that include malicious code but still lists too many hoaxes to count.
  • The CIAC has its own HoaxBusters site, which includes some useful tips on recognizing and combating hoaxes, as well as a helpful list of other legitimate sites that list hoaxes.
  • In particular, CIAC recommends Rob Rosenberger’s independent Vmyths site, in part because it’s not sponsored by any of the antivirus software vendors.

Final word
I realize that you may already know most of this, but as with many of my general columns, I’m not insulting your professionalism—I’m merely trying to help you focus on a threat you may not have spent much time considering recently. I hope this information triggers some ideas on how to deal with this problem in your organization. Maybe these links will help you verify a potential hoax the next time one of your users forwards you an e-mail that directs him to delete a valuable system file that he now believes is the latest virus.