The holiday season is once again upon us, and the shopping race is on. This year, perhaps more than ever, much of the race will be run virtually. Forrester Research predicts that U.S. online retails sales will reach $33 billion in 2007, a 21 percent increase over 2006. And to the chagrin of employers everywhere, a great deal of that shopping will take place at the office. Just two years ago Business Week reported that 58 percent of people do most of their online shopping at work, and I think it’s fair to assume that that number hasn’t dropped much since then—if at all.

The hordes of shoppers flocking to the Internet are certainly a boon to retailers, but they also present an attractive target for an emerging band of criminals, which at McAfee we often refer to as pirates of the web. These crafty thieves hide out in dark corners of cyberspace and attack from multiple angles to steal valuable personal information, and if you’re not careful, you could fall victim to one of their scams. The McAfee Avert® Labs team predicts that one in four Americans will be exposed to online identify theft. While compromising your personal identity is bad enough, if it happens at work, you could also be putting your entire business network at risk.

Spam—gateway of the pirates
Many people still think of spam as unwanted—yet valid—email advertisements for products and services. Though that is still true in many cases, spam has also become a root facility for phishing scams, which are anything but valid. If you click on a “legitimate” spam message, the worst that might happen is that you’ll invite more spam. But if you click on a phishing spam message, you might be opening a virtual can of malicious worms. Spam is now much more than merely a nuisance that clogs up corporate networks; it is a key tool used by sophisticated web pirates to target unsuspecting consumers, which makes it a major threat to individuals and businesses alike.

When it comes to managing spam, the mantra has traditionally been just don’t click on it! But the problem now is that web pirates are so sophisticated in employing social engineering techniques that many people simply don’t realize that the emails they are receiving are spam. For example, it’s easy to identify an email about Viagra as spam, but what if you get an email from a site you’ve shopped at in the past? Or an invitation from a friend to check out a cool video on YouTube? That shopping site where you’ve made purchases in the past is trustworthy, right? And the YouTube email is from a friend, so there’s no harm in checking out the video, right?

Wrong. YouTube was hacked earlier this year to distribute malware—and not for the first time. As for emails from online retailers, while many of them are legitimate, the danger of clicking on them is that they might take you to a site that has been compromised by web pirates. And if that’s the case, those pirates could install spyware or a Trojan on your machine, which could in turn infect your company’s network. Consumers looking for good deals online are especially vulnerable to these types of emails, and with phishing kits now going for as low as $30 USD, the pirates sending them out aren’t going away anytime soon.

The answer? A holistic approach—and caution
On the business side, short of restricting employee Internet access completely, what is the solution? It’s important to choose a vendor that looks at the problem from a holistic perspective. The tricks these pirates use are interlinked, so the defense against them must be as well. Implementing a spam solution alone won’t catch the phishing, and implementing a phishing solution alone won’t stop the spam. And if you somehow do manage to stop all the spam and phishing emails from coming in, your employees still might visit a legitimate site that has been comprised (even Google can’t track every site that appears on its searches), and your network might end up infected anyway. All it takes is an innocent visit to one malicious page, and your network could be in serious trouble without the right combination of technologies in place. The answer is an integrated defense that includes protection against these attacks. And integration will simplify your security posture. By taking this approach, you will simplify your security and increase your level of protection— and that’s good all the way around.

One the end-user side, caution is the key. Here are some tips for staying safe:

• Always look at the sender of the message, and if you don’t recognize the name, don’t open it.
• Never click on a link that comes in an email. If you want to know what’s behind the link, you can mouse over it and see the origin. If you really want to open it, open a new browser and type the URL into it. Don’t copy and paste.
• Don’t ever unsubscribe to a mailing list you haven’t subscribed to in the first place.
• Type in your email address on Google or Yahoo. If it shows up on a bunch of different sites, you’re at risk for malicious spam.
• Don’t put your email address out all over the web, and if you have to put it on a site, spell out DOT COM when you can.
• Download a product like McAfee SiteAdvisor™ (free at McAfee.com) that alerts you to malicious sites.

As more and more people shop online, more and more web pirates look for ways to deceive them, especially during prime holiday shopping season. The bad guys have gotten smarter, but so have the good guys, and we can beat them. (In this month’s issue my colleagues Dave Welsh and Ken Gonzalez explain how our recent acquisition of ScanAlert will make online shopping safer. Consumers need to be careful, and businesses need to take a holistic approach to their technology solution. But the technology is there to drive these bandits out of cyberspace, and we won’t stop until they’re long gone.