Several years ago when I first saw an e-Card, the first thing that I thought was that these would become a very successful tool for social engineering attacks designed at spreading malicious software. The current wave of “storm worm” spam uses this exact tactic. Emails such as the following are how users are tricked into running malicious software.

Subject: You’ve received an ecard from a School mate!

Hi. School mate has sent you an ecard.
See your card as often as you wish during the next 15 days.


If your email software creates links to Web pages, click on your
card’s direct www address below while you are connected to the Internet:


Or copy and paste it into your browser’s “Location” box (where Internet
addresses go).

We hope you enjoy your awesome card.

Wishing you the best,

I could go into the obvious signs that this is not legitimate, but the real problem is that e-Cards, etc. teach people to take candy from strangers.

Take a look at the dynamics of the e-Card scheme. To start with you go to a web site run by a company you probably know nothing about. Next you give them your friend or family member’s email address, generally without knowing if this will be used for spamming. The person then receives an email from someone who claims to have something they want and claims it is from someone they know. This works a few times. The recipient gets used to seeing nice things called “e-Cards.” The bad guys know how this works.

The average user is not going to see the difference between “Frank has sent you an e-Card” and “You’ve received an ecard from a School mate!”

Effectively, without thinking about it, by sending e-Cards we teach people to become victims. It’s like giving a stranger a piece of candy and asking them to deliver it to a child. People become conditioned to click on links in email that more and more frequently result in the infection of their computers.

Because of the horrendously bad computing habits e-Cards and e-Vites teach I refuse to use them. I will not participate in teaching people to become victims.

Randy Abrams
Director of Technical Education

Author , ESET

  • David Rowell

    “Teach[ing] people to become victims.” You may be overthinking this issue a bit.

    Like you, I don’t use e-Cards or e-Vites either, but that’s because I don’t want to receive any, not due to the effect on others of using them.

  • David Harley

    Randy’s not “overthinking” at all. Legitimate organizations whose bad practice “grooms” their customers into accepting malicious approaches have made a very significant contribution to the phishing problem. Banks and such do at least (usually) recognize this fact and many have made strenuous efforts to do better. If ecard providers do the same (and I’m not holding my breath), that may have some beneficial impact on the problem. Even then, however, fake ecards and such will continue to be a major vector for compromising and infecting systems, as they have been for quite a few years now. Which is why some major organizations have made policy decisions outlawing them.

Follow us

Copyright © 2017 ESET, All Rights Reserved.