Search This Blog

Wednesday, February 27, 2013

470 spreads the spam and phish

Here's a suggestion for USAC's planned IT update: hide the email address of the person signing the Form 470.

If you download data from the Form 470, it includes the email address for the Contact Person, but that's it.  However, if you actually look at the form, you can also see the email address of the person who signed the form.  And now apparently one of the companies that packages 470 data for potential service providers has added the signer's email address to their mailing lists.  So now we're seeing bids from service providers to both the contact and the approver.  We're also already seeing non-bid spam to both email addresses.

Which puts us on the slippery slope where we'll start getting spam not related to E-Rate, and eventually phishing attacks.

The new, improved Form 470 should have an online form for handling inquiries, which would be forwarded to the applicant's email without revealing that email address to the spammers and hackers.  Side benefit: USAC would be able to access communications from service providers to applicants.  Even better, set it up to assist applicants in bidder communications, so all clarifications get to all potential bidders.  Give applicants free tools that make it easy to do the right thing.

1 comment:

  1. Today's phishing attack with a virus in the attachment was sent to email addresses from 2012 470s, pretending to be QuickBooks payroll:

    Please find attached payroll reports for the past months. Remit the new payment by 03/03/2013 as outlines under our payment agreement.

    Sincerely,
    Bianca Leblanc

    ReplyDelete