Few human traits are as admirable as the instinct to rush to the aid of others, and we have seen no shortage of this instinct in the wake of the cowardly and despicable bombings in Boston today, including exhausted runners coming forward to donate blood.
(Update 4/18/2013: The boston.com website has an excellent page of verified links for those who want to help out or donate.)
Sadly, even as details of the blasts were emerging, we were reminded that tragedy can also bring out the worst in some people. As in the wake of the Newtown shootings, cyber-scum have come out of the gutter, looking to leverage technology to profit from the outpouring of sympathy and generosity that flows from decent people at a time like this. (Within hours, a Twitter account was offering $1 for each retweet and we expect Facebook “Like” requests will be touted to boost page rankings, in addition to fraudulent appeals for financial donations.)
Our advice is to direct your giving and volunteering through established entities such as the American Red Cross, or via event-specific responses that you can take time to evaluate. For example, blood donations to the American Red Cross for the blast victims quickly met demand (as reported by their Twitter account using hashtag #BostonMarathon).
In the days and weeks to come we can expect to see legitimate initiatives launched to aid the victims of this tragedy. Some of these will be online. But before you donate to any entity, check its reputation, its staff, its address, the things that will tell you if it is legit or a sham. (Update 4/17/2013: We have provided details of a malicious spam campaign that exploits the Boston bombing.)
Regular readers of these pages will know that we have issued similar warnings in the past (dating back to at least 2007). I can assure you that we do not do this lightly. We think carefully before writing a “warning” post like this lest it distract from the vital crisis response and recovery processes. However, when we feel there is a real risk of good people getting ripped off by bad people using technology for their own immoral ends, we think the responsible thing to do is to remind folks that they may get phony solicitations via email, SMS, social networks, even search results, manipulated by the bad guys to deliver malware.
For example, here is my colleague Aryeh Goretsky at the time of the September 2010 earthquake in Christchurch, New Zealand:
“As with any tragedy these days, we expect malware authors to take advantage of Black Hat Search Engine Optimization (BHSEO), also known as “search poisoning,” to distribute their creations. Likewise, we can expect that scammers will try to take advantage of this tragedy by soliciting donations and other scams through phishing emails and spam on social networking sites. We have seen this in the past with the Haitian earthquake and subsequent relief efforts, as well as with other natural disasters such as floods and hurricanes.
We recommend only visiting reputable news sites and charity organizations when trying to learn more about this tragedy or for information on how to assist with relief efforts.”
Good advice to follow in the days and weeks ahead.
Author Stephen Cobb, ESET