Keep in the Christmas spirit - give nothing away

Rupert Goodwins: Festive fraud is in your mailbox, but is there more we should be doing?

Ever get the feeling you've been cheated? The Sex Pistols aren't everyone's idea of a nice Yuletide tune, but as stories of eBay-related email fraud fill the news there's a good argument for making Johnny Rotten's snarled soundbite a replacement sample for "You've got mail". This month, millions of people have received urgent messages to the effect that their eBay subscription details are about to be lost, and that they should log in to a special Web site and retype them immediately. The site is special in more ways than one: it might have eBay in the name but the only auction going on is of the hapless users' credit card details. Nothing new there: I've lost count of the number of times I've heard from "AOL Accounts" warning me of imminent meltdown over the years.

The question isn't why the scams are suddenly getting more popular, more why they're still so scarce. It's close to the perfect crime -- all it takes is one stolen credit card number, anonymous access to the Internet and a couple of weeks. Even if only one in ten thousand people responds, you can still walk away with hundreds if not thousands of new numbers, guaranteed to work. All the criminal has to do is not make a stupid mistake, and the fraud is effectively untraceable.

The sad truth is, there will always be enough people responding to plausible emails to make such a crime attractive. Even the brightest and best can be vulnerable if the circumstances are right: you've got ten things on the go at once, the last thing you need is another problem and here's just one more little thing to do to keep everything on track. Barristers from the best-advised family in the country have been known to slip up when faced with a sympathetic con, and for the rest of us this time of year is one where juggling fun, finances and family leaves us open to the wrong snap decision.

Some responsibility lies with the companies in whose names the rip-offs are done. There should be one way and one way only for people to attend to account queries, and that should be through the home page of the service. That home page should always have a well-signposted link to a description of any current frauds: it might sound like a marketing disaster to constantly remind your users that the digital mafia are trying to shake them down, but it can be dressed up. We're looking after your interests. We care about your online safety. Click here to read the latest from our free customer protection programme. High street banks have traditionally lived behind massive frontages, all thick stone and enormous pillars: the message is that people want to steal your money, but we're stronger than they are. Online services need to adopt the same up-front image of incorruptible sturdiness.

Education is another essential. Of course, it's important for services to constantly remind their users that "our agents will never ask you online for your password or account details," but it's not much good to just repeat that until our eyes glaze over. The message is important, and it should be given just as much attention from the marketing department as any of the constantly changing, eye-grabbing adverts they dole out daily.

Technology can help, too. There is a need for proper security in email with digital signatures that positively identify the source of an incoming message, and it should be something that the user need not even think about. To be effective, this has to be an open system so that everyone who produces email software can freely adopt it and everyone who sets up an online service can reasonably expect that their users can run the right software. If ever there was a case for governments to set public policy and ensure compliance, this is it: a clear case of a public good that should be available to all. Failing that, given that the scammers are so often unable to spell or punctuate, just throwing away any email that doesn't pass a simple spelling check would get rid of most of them.

What would be particularly satisfying, when faced with the latest doltish amateur rip-off attempt, would be to send back a special credit card number that figuratively blew up in the blagger's face. A code that automatically alerted the local plod whenever it re-entered the banking system would be nice: a little extra something they weren't expecting, just to keep them on their toes.

After all, it is Christmas.
