Monday, August 18, 2008

Responsibility for a phishing fraud

Recently, an elderly friend ('A') of mine got the following email in his Yahoo inbox:

Dear Valued Member,

Due to the congestion in all Yahoo users and removal of all unused Yahoo Accounts,Yahoo would be shutting down all unused accounts,You will have to confirm your E-mail by filling out your Login Info below after clicking the reply botton, or your account will be suspended within 24 hours for security reasons.

UserName:
Password:
Date Of Birth:
Country Or Territory:
After Following the instructions in the sheet,your account will not be interrupted and will continue as normal.Thanks for your attention to this request.We apologize for any inconvinience.

The friend being not very hep with computers, naively replied to the email with the "requested" information.

The scammer took over the Yahoo account, and sent the following email to all in his address book:

Did you get my previous email, I sent you an email some hours ago, I am in a hurry writing this, i had travelled to Nigeria for official purposes, Unfortunately for me all my money was stolen at the hotel where i lodged, I am so confused right now, I dont know what to do or where to go,I didnt bring my phone here, i have access to only emails, please can you send me $2500 today so i can return home, as soon as i get home i would refund it immediately, you can send it to me through western union as i dont have an account here, this are the informations to send it. Mr A ,Address/location: 30 cole street,lagos, Nigeria,23401, use this text question when sedning it: what is my date of birth, text answer:19xx

Please as soon as its sent scan and send me the receipt of the transfer or just write out the money transfer no and the senders informations, i realy dont have time to write much now, would be waiting. thank you.

He is a globe trotter, and many of his friends (who were themselves very naive and hadn't heard of Nigerian scams) were genuinely concerned. One of his very caring friends (let's call her B) sent GBP 1500 via Western Union. The scammer sent back his gratitude and asked for another USD 1000. She got suspicious and made a few calls and came to realize her mistake.

By this time, I was able to intervene and get back the Yahoo account for my friend. I immediately noticed that the scammer was corresponding with many of his contacts and some of them were close to sending him money. Of course, I immediately sent a FRAUD WARNING message to all in the address book.

Now, A and myself were discussing the financial responsibility of the lost GBP 1500. He was inclined to compensate B the full amount. However, I was of the opinion that both A and B had exhibited gullibility and stupidity, and the loss should be shared. I suggested that he compensate B for 25% of the amount. He finally agreed to pay her 33%. I don't know how B will take the suggestion once it is communicated to her. It should be kept in mind that B might get very offended due to the public loss of face, and A's offer of only 33% may add injury to insult, leading to a breakdown of the relationship.

Here's the problem in semi-formal terms:
  1. A and B have emotional ties (which for the purposes of this discussion, is worth amount R).
  2. A loses his identity to S due to ignorance.
  3. S asks B for money, posing as A.
  4. B is conned and responds with X amount of money.
  5. A and B discover what has happened.
  6. A wants to make an offer of settlement (Y) to B for her loss.
  7. A is apprehensive that B might get offended and
What should be the amount of Y? How should A go about negotiating? What about the cases when R is less than X? What about "fairness" and "culpability"?

9 comments:

Arun Kumar said...

I am not in favor of compensation in such cases for two reasons.

1) The only benefit (though big one) one gets by hacking one's email account is getting access to his address book. Otherwise anyone can send emails from any email address. Hence, such fraud emails can be sent even without hacking a mailbox as well. And in this case "A" will not be at fault.

2) I personally think that even if i get such an email from any of my friend, first thing i will do is try calling him even if he has mentioned that he is not carrying his phone. One can not take responsibility of mistake done by other.

Anonymous said...

If I was in A's place, I would pay the entire amount to B and apologize as well.

Reason: the person acted in good faith and was trying to only help me. yes, B should a certain amount of guilliability but nothing like A who trusted a stranger's email.

Also, if you steal my credit card (or key) to steal money from a joint account then other joint account holder is not responsible for trusting me and hence the theft.

Anonymous said...

Most of these frauds can be prevented if only email providers did a simple of scan of plain text passwords in every outgoing email in order to warn the user.

Why don't Yahoo! or Google do that?

--

What about other parameters here? What if X is millions instead of thousands (assuming B is rich and A is of middle class)? What about the possibility of tracking down the fraud and getting back the money?

Harmanjit Singh said...

To Arun: (1) the other big benefit is impersonation. An email from a known address has much greater possibility of fooling the recipient. and (2) correct, that is why at (B) should at least pay for some of the loss. The question is how much. Your answer is 100%, and I think that may be too harsh. :-)

To Tarun: The phishing mail to A was carefully constructed to make it look like from yahoo. Even though the asking of password should have been a dead give-away.

To Srid: A and B are both equally well-off, and you can't get the money back from S.

Anonymous said...

yes, A is responsible for B's loss and yahoo is responsible for A's loss.

I agree that yahoo should pay A but that is outside of scope of problem asked and unlikely in any case.

Anonymous said...

To Srid: There are levels at which people tend to believe / 'hold off' on spending that extra-effort in verifying the validity of the claim in the email.

A friend's friend of mine gave away his gmail password to a phisher. The phisher went through the chat logs, 'studied' his language and IM'ed his friends asking for their CC details to do a $3 txn for a US high-education application registration. Know what? A handful of his friends ended up giving away their CC details. A bunch of those who gave away the CC details were actually tech savvy - just that $3 didn't seem big to them and since the impostor used the same language style, they didn't even think a second time before giving away the CC details.

Anonymous said...

the problem can be abstracted thus.

B acted in good faith, and any gullability, if at all in her part, was extremely small. You receive a mail from someone you know, in a vast majority of cases you will assume it is them. Let us peg the extent of her gullability at x.

A certainly acted gullably, because he acted on the instructions of an anonymous emailer, and gave away his account details, which contained contacts of people known to him, which might be possibly misused if in wrong hands. It would be reasonable to cross verify a source which seeks sensitive information, including information of third parties which you are entrusted with. Let us call A's gullibility y.

Now, one would think that although A was gullible, a cost of 1500 would be too high considering the extent of the slipup.

But that considered, a cost of 1500has arisen due to the series of events, which must be jointly shouldered by A and B, since there is no third party involved. And it is amply clear that the gullability of A is greater than the gullability of B (y>x).

Hence, one thing is for sure. A takes more than 50% of the cost. Thats all i can suggest, a range. Others are welcome to refine the problem.

However, A might not take the burden of this cost at all if C > M + R, where c = total cost burden of A, M = A's sense of morality, R = the strength of the relationship that exists between them.

the parameter M + R may also determine the amount more than 50% that A will shoulder. If M and R were to be measured on a scale of 1-5 (low-high), i suggest a rating of 5 on both scales should correspond to A shouldering the entire amount in excess of 50%.

Anonymous said...

B is the more gullible one. When it comes to money one should always double check. A's mistake is foolishness for which a technically unsavvy person may be excused. In fact a computer virus on outlook may also start sending out such emails, and to be frank even the most careful person can fall prey to such viruses.

kaa said...

this is probably the first time i have seen a subjective problem being solved objectively. though the various ways to bring it to objectivity (some of them contradictory too) brings the suspicion, that 'Is it even possible?'

anyway i am hooked to your blog :P