The hoax is on you!

Computerworld - Among the unrelenting spam filling e-mail in-boxes are the occasional "warnings" about devastating new viruses that steal passwords or threaten to wipe all the data from our hard drives.

These warnings are specifically designed to garner attention, persuading users to forward the message to everyone for whom they have an e-mail address. Although they can sound legitimate, the majority of these messages are hoaxes and chain letters.

Although such hoaxes don't infect systems as malicious code would, they are nevertheless time-consuming and, in large organizations, costly to remove from all systems. Organizations sometimes find that they spend more time investigating and discrediting hoaxes than handling bona fide malicious code attacks. Hoax warnings are in most instances simply scare tactics started by malicious individuals and then circulated by innocent end users who further distribute the spurious warnings thinking that they are helping the Internet community.

The cost of being duped

Superficially, it would appear that the cost and risks associated with hoaxes are just incidental, certainly when you consider the cost of handling only a single hoax. The true cost, however, is significant when your tally includes all computers and systems that have been victimized in the aggregate. Actual time spent by employees just reading bogus messages adds up in man-hours -- hours for (and during) which an employee is being paid by the organization.

	Douglas Schweitzer is an Internet security specialist with a focus on malicious code. He is the author of several books, including Internet Security Made Easy and Securing the Network from Malicious Code and the recently released Incident Response: Computer Forensics Toolkit.

25,000 people x 0.01667 hour x $20/hour = $8,335 per hoax

While this may not be a considerable amount of money for a large company to lose, remember that organizations generally receive many such messages. In addition, many employees cost businesses more than just $20 per hour, if you factor in benefits like health insurance.

Now go a step further and imagine the costs associated with a hoax when recipients actually accept its claims as truth and then act upon the bogus message. Hoaxes attempt to validate their warnings by instructing users to scan their PCs for viruses using the built-in Windows file-find utility. The files that the hoax alleges are malicious are actually normal operating system files that are required for the proper operation of the computer. If users follow the bogus instructions and delete those files (thinking they're ridding their PC of malicious code), they've become victims of social engineering, having been tricked into damaging their own PCs. Depending upon the extent of the damage to systems, the organization may be required to invest a substantial amount of man-hours to recover from the incident.