As a financial advisor, you’ve been trained to protect your business by using e-mail appropriately. But that may not be enough: you may be at risk because of others who don’t protect theirs.

Many people believe they are savvy to the perils of spam e-mail, but the extent and complexity of the damage it can create has grown dramatically since the mid-1990s, when it first emerged as a significant problem. That was when spam spawned a lucrative new business model, in which almost anything is for sale through e-mail networks, from fake college degrees to Viagra.

Most people wouldn’t consider buying pharmaceutical products or software from an e-mail sent by someone they didn’t know. But spam has traditionally worked because of its huge volumes. If a fraction of a percentage of people respond positively to such messages, the spam has done its job.

“The problem is terrible and is getting worse,” says John Levine, chairman of the anti-spam research group at the Internet Research Task Force in Trumansburg, N.Y. “A year ago, we estimated 80% of all e-mail was spam. That has since jumped to 90%.”

Much of it is difficult to avoid, adds Andrew Berkuta, senior security strategist at McAfee Inc. in Atlanta: “Some spam materializes in your e-mail inbox via harvested e-mail addresses, and from chat rooms, discussion boards and Web pages.”

Spam can also be sent to employees using a dictionary attack, in which a box simply cycles through hundreds of potential names within an organization, sending large volumes of e-mail in the hope that some names will match. All this can create havoc with computer systems, Berkuta warns. “Your IT budget would be taxed because e-mail takes up space and network bandwidth,” he says, “and your hard drives have to store it.”

Berkuta also notes the ramifications for productivity, as advisors and employees navigate through large volumes of spam to find legitimate e-mail. But spam has other, more frightening implications.

“The worst scenario is someone clicks on this spam, thinking it’s legitimate,” he says. “That could introduce malware into your organization.”

The term “malware” describes malicious software, which can include self-replicating Internet viruses, spyware and Trojan horse software that appear to install themselves to carry out one activity, while secretly doing something else. Since 2004, researchers have noticed a new operating model among spammers that relies not so much on simply selling product as using malware to actively compromise recipients’ computers.

Spam e-mail used to be sent via e-mail servers not protected by passwords. Spammers would use them to send large volumes of e-mail at once, until IT administrators got wise to the situation and began protecting the servers. Even today, many unprotected e-mail servers (known as “open relays”) are used to send spam. However, for the past few years, spammers have been using desktop computers infected with malware to send their mail. The malware, delivered via the spam, turns the computer into what researchers call a “bot.” The bot software usually installs code that turns the desktop computer into an e-mail server. It then listens for commands from its controller using a public chat room system called Internet Relay Chat (IRC). The criminal controlling the bot (the “botherder”) will tell the bot which messages should be sent and to whom. The bot may carry out other malicious activities, including harvesting passwords from infected computers and returning them to the criminal controlling the network. A network of infected machines is known as a botnet, which can contain hundreds of thousands of PCs.

Today’s spam is especially dangerous in the financial services sector, which relies heavily on securing customer information. As the stakes get higher, the cat-and-mouse game between spammers and researchers trying to stop them is getting more frenetic.

“The issue over the past year has been the twists and turns spam has taken,” says Simon Heron, director of security services company Network Box (UK) Ltd. in Beeston, England. One operation uses a malware code-named “Storm,” which joins computers to a botnet that is particularly hard to disrupt. Storm is distributed using various messages, including false greeting cards and storm warnings (how it got its name).

How can you avoid being hit by spammers? You can install protection software at various points in your infrastructure. For example, your ISP will often have anti-spam software on its servers to scan incoming e-mail before it reaches your firm’s computers.

@page_break@But, Berkuta says, an ISP will only trap some spam. “It can’t be too judicious with its scrubbing techniques,” he says, “or you will get false positives.”

False positives are legitimate e-mails that are blocked. He recommends a second line of defence at the gateway level, before e-mail reaches your company’s e-mail server. McAfee and others offer hardware appliances containing anti-spam software designed to plug into the network at the gateway level and filter e-mail.

So, you should use multiple techniques to scan e-mail for malicious content. Doug Bowers, director of anti-abuse engineering at Symantec Corp. in Toronto, says his firm takes multiple approaches to filtering spam and malware. “An approach that does well one day may do poorly the next,” he says.

Firms need a quarantine system that places suspected spam into a folder to be reviewed by e-mail recipients or IT staff. Ultimately, the human element will figure heavily in the war against spam because, even with the best protection, spam will slip through the net. When that happens, the only weapon is common sense. And that is difficult to program. IE