Security Risk

Risks Associated with Spyware

Excerpted from FDIC's Financial Institution Letter 66-2005

Spyware Infection

Spyware is usually installed without a user's knowledge or permission. However, users may intentionally install spyware without understanding the full ramifications of their actions. A user may be required to accept an End User Licensing Agreement (EULA), which often does not clearly inform the user about the extent or manner in which information is collected. In such cases, the software is installed without the user's "informed consent."

Spyware can be installed through the following methods:

  • Downloaded with other Internet downloads in a practice called "bundling." In many cases, all the licensing agreements may be included in one pop-up window that, unless read carefully, may leave the user unaware of "bundled" spyware.
  • Directly downloaded by users who were persuaded that the technology offers a benefit. Some spyware claims to offer increased productivity, virus scanning capabilities or other benefits.
  • Installed through an Internet browsing technique called "drive-by downloads." In this technique, spyware is installed when a user simply visits a Web site. The user may be prompted to accept the download believing it is necessary in order to view the Web page. Another method is to prompt the user to install the program through pop-up windows that remain open, or to download the software regardless of the action taken by the user.
  • Automatically downloaded when users open or view unsolicited e-mail messages.