Unsolicited email is becoming a large problem on the internet. One solution to this problem is the use of a micropayments system where emails from sources not on a recipient's white list do not get to recipients unless the sender has taken steps to make a small payment called a micropayment. Emails for which micropayments have been made include in them coding which is called a stemp and which indicates the micropayment has been made. One such micropayments system is disclosed in U.S. patent application METHOD AND APPARATUS FOR IMPLEMENTING A MICROPAYMENT SYSTEM TO CONTROL E-MAIL SPAM, filed Feb. 12, 2004, Ser. No. 10/778,956 as assigned to the assignee of the present invention.
While that patent application describes the details of how a micropayments server cooperates with client computer executing sending and receiving processes, it did not go into a user interface for interacting with users regarding the presence or absence of stemps on incoming emails or the issue of phishing.
Micropayments are effective to stop mass emailers who send out millions or tens of millions of unsolicited emails per day to users who do not want to receive them. Even a payment of 0.01 cents per email will be a considerable amount of money when multiplied by millions of emails per day. However, bulk emailing of unsolicited emails is not the only problem the internet suffers from.
Phishing has become a large problem in email communications over the internet. Phishing involves passing oneself off as a legitimate business from which a user may actually want to receive unsolicited emails. In September 2003, the number of phishing attacks was 279. By March 2004, the number of phishing attacks had risen to 215,643. Spam only gets a response rate of 0.01%. However, phishing, because of the air of legitimacy and the strong call to action, gets a 5% response rate.
Phishing is done with email messages which look very similar or identical to email messages that come from the legitimate business and contain an urgent call to action with a request to click on a link. Clicking on the link takes the unsuspecting user to the phisher's web page where personal information such as credit card numbers or bank account numbers are sought. If the user supplies the information, an identity theft often follows. For example, a favorite recent ploy of phishers is to send an email to a customer pretending to be from the user's credit card company. The email says typically, that a charge for a kiddie pornography purchase is about to show up on the user's credit card statement and requesting the user to click on a link if the user wishes the cancel the charge. When the user clicks on the link, his browser is directed to a web page which actually is being run by the phisher but which appears to be run by the credit card company. The user is then asked to enter his credit card number to verify he wants to stop the charge. Many user's do not recognize the fact that the sender of the original email would already have his credit card number if the email was actually sent by the credit card company it purports to have been sent from. Another favorite recent ploy is to send an email to people who are looking for a job, the email apparently being from careerbuilder.com. The emails says the job seeker has a job offer and invites her to click on a link to learn more about the offer. Clicking on the link takes the job seeker to a page apparently offered by careerbuilder.com which describes an offer and asks for their credit card number to pay the fee of careerbuilder.com and asks for employee identification information such as social security number and date of birth to complete mandatory government forms such as W-2's and I-9's. The fee goes to the phisher, the job offer is totally fictitious, and the identity data is used for identity theft.
Another possible vunerability to phishers is practiced in Europe. There, banks offer a service to send short message service warnings to customers cell phones when their balance gets low. If the phishers can think of a way to abuse this system, they will.
Phishers have been achieving as high as about 5% click through rate on these type ploys and have been stealing a large amount of sensitive information.
Phishers can do all this by downloading into the user's browser Java applets which paint the display to make it look like the solicitation is coming from the legitimate business. Phishers can even hijack the URL bar where user's enter URLs to direct their browsers to a desired web page. When the user clicks on a link provided by the phisher, the address bar of the browser for that session is hijacked so no matter what URL the user types in, the browser will be directed to a web page offered by the phisher. For example, the user may click on a link that he things will take him to www.amazon.com but which is actually provided by the phisher, and a JAVA® applet downloaded into the browser hijacks the user's address bar. Whatever the user types in the address bar will take him nowhere but to a web page supplied by the phisher. There, the phisher displays a web page that looks very similar or identical to the business which the user thinks he is visiting. This user may think she is buying something from or supplying information to Amazon.com needed to correct some problem with the user's account but in reality, the payment or information goes to the phisher and not to the legitimate business to which the consumer thinks the payment is going.
Naturally this ability to cause a user's browser to display a page which looks like it is being offered by a legitimate business can and currently is leading to abusive practices which micropayment systems cannot stop. For example, when the phisher is only sending out a few thousand emails to a targeted list of consumers in the hope of getting just a small percentage of those users to respond, a small micropayment, even if paid, is not much of a deterrent. Micropayments will not stop phishers since they do not send out millions of emails every day. Their volume is much lower because they can use targeted email lists.
There are two kinds of phishing today. The first uses a long URL to obscure the criminal's actual domain name. The second, called social phishing, uses perfectly legitimate domain name registrations, which can be purchased for as low as $8.95 from some sources but which include a famous trademark of another company. For example, there are twenty five imposter, but perfectly legitimate domain name registrations using the trademark Viagra. For example, there is a registration to www.viagra-generic.com. PHIZER®, the legitimate owner of the VIAGRA® trademark, does not own nor is it associated with any of these websites. For an extra $49.95, each one of these imposters can obtain a perfectly legitimate 128 bit certificate that will lock the lock on the browser and support digital signatures. Technical means cannot detect these perfectly legitimate URLs. Further, since the MICROSOFT®/YAHOO® Sender ID scheme only checks for the authenticity of the top level domain, and all these imposters have legitimate top level domains, this prior art authentication scheme will not work to protect a recipient of an email from one of these domains from being confused into believing the email is from PHIZER®. A way to protect users from these social phishers is needed.
Eventually, micropayment-based email may become the dominant form of email traffic on the internet. In addition to the phishing problem, it is annoying to have commercial unsolicited email mixed in with email from friends and family.
In order to fight spam and phishing, email filters are getting tighter. Filters now block up to 50% of permission based marketing e-mails. Legitimate advertisers still need to get their messages through however.
Email presents four challenges to commercial senders.    1. Filters: Filters now block up to 50% of commercial email for some service providers. eTrust is working to solve this. Jupiter says it will get worse.    2. Phishing: The problem with phishing has been discussed above. For email marketing, this is a huge problem. Filter providers say they can fix this problem, but the reality is they cannot. With a 5% response rate, volumes do not have to approach the spam volume levels that trigger filters. The identification of this material is too content specific to be subject to computerized solutions. Technical solutions probably will not work, because clever criminals find ways around such solutions, and technical solutions would have to find universal acceptance which is difficult to achieve.    3. Clutter: When the world is perfect and only permission based email gets in your inbox, the volume of permission based email is growing. Marketers need a way to break out of the clutter. Jupiter says this will get worse.    4. Opt-outs: As legitimate companies get mailing lists from numerous sources and use numerous outside agencies to send email, opting out becomes very hard for the senders of commercial email marketing messages to administer. A way to take this burden off them is needed, and is provided by this invention.
Commercial companies which are legitimate and who want to use the internet to send messages using their logo are bothered by all the above noted problems. In the prior art, AOL® has been using their logo in their webmail to distinguish their own email. They do it in their “type” column. AOL® claims this is secure so that you know for sure this email came from them. But this has not, as far as the applicants are aware, been generalized into a simple general purpose graphical display of verifiable sender identity. Also, it appears to lack the validation feature provided by the invention described herein. A phisher could overwrite this screen and spoof the AOL® logo.
Passmark has a rather complex system that attempts to provide sender validation. What is needed however is a general way to associate security with visualization for email. “Visualization” is more general than simply a picture. It could include a sound note.
Therefore, a need has arisen for a user interface which segregates out paid email from unpaid email and for a micropayments system with antiphishing functionality which authenticates the sources of each paid email so that a user knows from whom each email received actually came. A need has also arisen for a system which provides legitimate marketers the ability to use email in a sheltered, safe environment to deliver legitimate messages to their existing customers and prospective customers. A way to send branded email with logos encrypted with the identity of the sender is also needed to allow commercial marketing messages to be sent by protected email which gets segregated into a separate inbox at the recipient and which uses the valuable and trusted logo of the sender and which the recipient knows is already authenticated when it arrives or which the recipient can authenticate by giving a command on his computer is also needed.