Information system ethics


Spam is also potentially dangerous to organisations, through the damage it can cause to their reputation and image. Typically, the creators of spam send their messages through the servers of well-known organisations. The receiver of the email will often be tricked by this technique, believing it to be a bona fide email from that organisation. Organisations can also suffer from spam through the effects it has on their email server and the computer system generally. Large volumes of spam can slow down a server, while spam emails that contain viruses can damage an organisation’s computer resources. As a result, spam is an issue of importance to the organisation and the individual.

The Spam Act 2003 (Cth) was introduced on 11 April 2004 in Australia to regulate the use of email. Under the Spam Act, the Australian Communications Authority (ACA) is vested with the responsibility of policing spam. The Spam Act also applies to SMS text messages on mobile phones. Because of the international nature of email and consequently spam, Australia has also entered into various agreements with other nations, in a bid to cooperatively deal with the problem. These include:

• The bilateral memorandum of understanding between Australia and Korea
• Memorandum of understanding among Australia, the UK and the United States
• Australia–Thailand joint statement on telecommunications and IT.

PHISHING AND IDENTITY FRAUD

Phishing is a technique of online deception that has users go to a fraudulent website and leave personal details. The information is then used for identity theft and deception. In the United States more than US$2.4 billion has been stolen from users on the Internet, with 17 per cent of the theft attributed to identity theft, which includes phishing schemes. Banks are a common target, with the perpetrators setting up sites that resemble the URL of the genuine site. For example, if a bank had the URL www.bank1.com.au, the site created by the phishers might be www.bank1.org.au. At first glance, especially to an uninitiated user, these site addresses seem to be the same, so the user unwittingly clicks on the address ending in org.au: the phisher’s site. The fraudulent site will resemble the bank’s genuine site, so no suspicion is raised. Any details submitted by the user will be sent to the creators of the phishing site.

This is a real threat for organisations. Websites are relatively easy to create and domain names are easy to acquire. This leaves organisations vulnerable to phishing scams that damage customer trust in the organisation and e-commerce, as well as denting the organisation’s image. Organisations can overcome some of the risks involved through information about IT usage and policies and ensuring that customers are aware of the policies. For example, one could be that the organisation will never request personal details by email or will not communicate at all with users by email. Users aware of this policy would hopefully be alarmed by attempts at phishing. Naturally, this relies on both the organisation having clear communication policies in place, as well as the organisation’s customers being aware of such policies.
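The www.bank1.com.au versus www.bank1.org.au case above can be caught mechanically by a mail filter or brand-monitoring script. The following is an added example, not part of the original text; it generalises the page's case to names one character away from the genuine one, and the short suffix list and function names are assumptions made for illustration.

```python
# Constructed suffix list for this example; a real check would load the full
# Public Suffix List instead.
SUFFIXES = ("com.au", "org.au", "net.au", "co.uk", "com", "org", "net")

def split_host(host):
    """Return (label, suffix): the registrable name and its public suffix."""
    host = host.lower().rstrip(".")
    # Try the longest suffixes first so multi-label endings are matched whole.
    for suffix in sorted(SUFFIXES, key=len, reverse=True):
        if host.endswith("." + suffix):
            label = host[: -len(suffix) - 1].split(".")[-1]
            return label, suffix
    return None, None

def edit_distance(a, b):
    """Levenshtein distance between two short labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host, genuine="www.bank1.com.au"):
    """Classify a hostname found in a link against the genuine site's hostname."""
    g_label, g_suffix = split_host(genuine)
    label, suffix = split_host(host)
    if label is None:
        return "unknown-suffix"
    if (label, suffix) == (g_label, g_suffix):
        return "genuine"
    if label == g_label:
        return "lookalike-suffix"   # same name, different ending (org.au vs com.au)
    if edit_distance(label, g_label) <= 1:
        return "lookalike-name"     # one character away from the genuine name
    return "unrelated"

if __name__ == "__main__":
    # Constructed sample hostnames, as they might appear in links in received mail.
    for h in ("www.bank1.com.au", "www.bank1.org.au", "www.bank2.com.au", "www.example.com"):
        print(h, "->", classify(h))
```

Anything classified as a lookalike is a candidate for quarantine or for a warning shown to the user before the link is followed.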

HACKING

Hacking is gaining unauthorised access to a system. There are many examples of hackers gaining access to high profile systems, e.g. NASA’s system. Hacking is a threat, particularly for large and prominent organisations that, by virtue of their position, become targets for hackers. The increased use of the Internet, combined with the higher levels of IT sophistication in adolescents, has made hacking an increased threat. Recognising hacking as a risk to their system, many organisations are now hiring hackers to test the exposures of their system. The term given to this activity is ‘penetration testing’, which, while familiar to the

CHAPTER 3 | INFORMATION SYSTEMS ETHICS


