I Get Asked the Darnedest Things – Including How to Protect Ill-Gotten Gains

March 5, 2012

I recently spent a week teaching several hundred students, teachers and parents in several schools and school districts across North Carolina. The sessions are always great, but since there is never enough time to answer everyone’s safety, security and privacy questions, I encourage listeners to leverage the “Ask Linda” section on my website.

The questions I typically get asked range from “is _____ a strong password?” to questions about situations that need immediate intervention. However, among the many follow-up questions from this trip came my first request for assistance in protecting stolen funds. The audacity and irony in the email are just too good not to share, so with identities hidden, here’s the original email – and my response. Enjoy.

On 12/16/2011 “Michael” wrote:

Today, you spoke at my school (xxxxx). The talk was the best I have ever heard at a school event because during 2009-2010 I recovered other people’s old RuneScape accounts. I learned many ways to look up people, many of which you mentioned today. I have since stopped recovering because many people have found out this easy way to make money and so there are far fewer unused accounts to steal. I also did a fair bit of phishing on the system pelican (fish.in.rs), which is a mass mailer of RuneScape phishers, so all I needed was an email address owned by a scaper.

Since then, I have been sitting on a few thousand dollars’ worth of RuneScape currency. With college coming up, I am hoping to sell this on the RuneScape black market sythe.org. The preferred method of communication of most members is MSN, which I saw on your website that you used to work for. One of the questions I had for you is: can another person that is chatting with you on MSN get your IP address? I have heard many hackers claim they can get IPs through Skype, MSN, and email communications.

On another note, I plan on majoring in mathematics and becoming an investor. However, I am wondering what classes are recommended to become an internet security consultant such as yourself.

Enjoy your stay in North Carolina,




The answer to your question is yes: MSN (Windows Live Messenger) uses the Microsoft Notification Protocol, which carries the client IP address in some of its headers. While I’m pleased that you found my internet safety, security and privacy presentation useful, I’d say that given your phishing and account theft activities the field of security is not the right one for you, and recommend you stick to investing.



80% of Americans Will Purchase a Gift Card this Holiday Season; Know the Risks

December 6, 2011

A record number of gift card purchases are expected this holiday season according to an NRF survey conducted by BIGresearch, which estimates that 80.2% of Americans will purchase at least one gift card[i].

The research also indicates that holiday shoppers will spend an average of $155.43 on gift cards, a 6.7% rise from $145.61 last year. If these numbers hold true, total spending on gift cards this holiday season will reach $27.8 billion, a 12% increase over the $24.78 billion spent in 2010.

Unfortunately, the convenience of giving gift cards isn’t reflected in the actual use of the cards.

Why gift cards can be risky

Studies show that consumers lose billions of dollars from gift cards each year as cards are forgotten, misplaced, portions are taken as user fees, or the stores behind the cards go bankrupt.

Last year (2010), the financial services research firm The Tower Group estimated that consumers lost about $2.5 billion from gift cards. This loss stems from a number of issues:

  • According to a Consumer Reports poll, 27% of people who received gift cards last holiday season have yet to use them (Oct. 2011 data). Respondents were most likely to say this was because they did not have time (51%) or because they forgot about the gift card (41%)[ii]. Lost or damaged cards are also responsible for a slice of the money lost from unused cards.
  • The 2010 Credit CARD Act put stiffer laws into effect in August of 2010 intended to protect consumers from high usage fees, short expiration dates, and other practices. However, gift card issuers can still charge hefty fees to buy the cards (expect a fee ranging from $3-7 per card).
  • Card issuers may also charge a fee for every month of inactivity; Visa gift cards, for example, lose $2.50 a month after 12 months of inactivity[iii].
  • Another loophole not covered in the Credit Card Act is that card issuers do not have to reimburse the value of the cards if they go bankrupt[iv]. To make matters worse, stores do not have to inform you that they have filed for bankruptcy when selling their gift cards, allowing them to collect substantial sums they will never have to repay. Even after a company has gone bankrupt, gift card resale sites may still be selling its cards to unsuspecting consumers[v].
  • Thieves may have tampered with the gift card before you even purchased it. Using a handheld scanner, thieves read the card’s code, and, when combined with the information on the front of the card, it gives the thieves all they need to redeem the card before you do. On cards without a fixed value they simply call the 800 number to see if it has been loaded with a dollar amount, and if so for how much. Consumer Reports recommends that to reduce the chances that thieves will drain the card, don’t use gift cards hanging on a rack, ask for one that is behind the counter, and if the card is preloaded, ask the cashier to scan the card to see that the value is intact[vi].
  •  designed to make redeeming the full value of gift cards difficult or impossible.

When giving a gift card, think safety

The Consumers Union has petitioned the Federal Trade Commission on behalf of consumers, asking the commission to go further in its protection of consumers holding gift cards, particularly when companies are facing bankruptcy, so that funds are set aside to cover the value of these cards. They also recommend that the FTC establish a registry of businesses that have filed for bankruptcy so that consumers have an easier way to gauge the risk of a gift-card purchase. Until these proposals become law, you still have to largely take your own precautions:

  1. Consumer Reports says you can reduce the chances that thieves have compromised a gift card by following a couple of simple steps: 1) don’t use gift cards hanging on a rack, ask for one that is behind the counter, and 2) if the card is preloaded, ask the cashier to scan the card to see that the value is still intact[vii].
  2. If purchasing gift cards online, always look at the site’s refund policy and keep your receipts in case of trouble, when you will need documentation.
  3. Check the solvency of the card issuer; this is particularly important for restaurants and smaller businesses, but bankruptcies have hit companies of all sizes.
  4. Look for the gotchas – excessive fees, penalties for not using the card within a specified time period, etc.

Not all gift cards are equal if you try turning gift cards into cash

There are now several websites like Plasticjungle, Giftcardrescue, and Cardpool that allow you to exchange your gift cards for cash at a percentage of their value – they also resell these cards at a discount. What you’ll find, however, is that just because the dollar amounts on gift cards are equal doesn’t mean the cards have equal value. These websites usually pay more for cards from huge chains like Home Depot or Wal-Mart, where there is large consumer interest in the resold cards, and less for cards from more niche businesses. Because the value of a card can vary, be sure to look at several card exchange sites to get the best deal; you may get 95% of the card’s value, or you may only be offered 50%.

At the end of the day, a nice holiday card with cash inside is a far safer form of giving.


Cyber Monday Sales Skyrocket – Now Watch Those Credit Card Statements

December 3, 2011

It has been a profitable week for retailers. According to comScore, online sales rose 22% to reach a new all-time single-day high of $1.25 billion. A separate report by IBM’s Benchmark research firm reported a 33% Cyber Monday increase, but didn’t provide an actual dollar value.

The volume of internet sales highlights the comfort consumers have with online shopping, whether that is via computer or, increasingly, through mobile transactions. Last year, 2.3% of Cyber Monday shopping occurred via mobile phone; this year that has increased to 6.6%[i].

Yet in spite of the convenience online shopping offers, too few consumers have adequately protected their devices or their information, too few carefully research the stores and store policies on sites they use, and during this busy season many will fail to closely monitor their credit card statements for signs of fraud. And the crooks are counting on these gaps.

To be safer when shopping, see the blog I posted last week titled 6 Steps to Avoiding Black Friday Scams; but after you’ve shopped, stay alert. Watch your credit card statements. Check your credit scores. And act swiftly if something seems amiss.

Take 8 immediate steps if you discover that you have been the victim of identity theft:

  1. Contact the fraud departments of any one of the three consumer reporting companies:
    1. TransUnion: 1-800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790
    2. Equifax: 1-800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241
    3. Experian: 1-888-EXPERIAN (397-3742); www.experian.com; P.O. Box 9554, Allen, TX 75013
  2. Close any account that you know or believe has been taken over, or been opened by, ID thieves. Your credit card companies have 24-hour call service where you can report the theft or abuse of your card. Check the statements of any other credit cards you have to see if the thieves have also compromised those cards. Ask your credit card company to send you any dispute forms you may need to fill out.
  3. Check your credit report to look for credit cards or loans you did not open. By law you have the right to three free credit reports per year: one each from Experian, TransUnion, and Equifax. If you have already used these free reports, pay the few bucks to get your credit scores checked again. All three credit bureaus work together through a website called AnnualCreditReport.com, so you can request one, or all three, reports at once in one of the following ways:
    1. Go to the Web site. Through this highly secure site, you can instantly see and print your credit report.
    2. Call toll-free: (877) 322-8228. You’ll go through a simple verification process over the phone after which they’ll mail the reports to you.
    3. Request by mail. If you live in certain states, fill out the request form and mail it to the Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281.
  4. File a complaint with the FTC. A typical police report doesn’t contain the details about fraudulently opened accounts or accounts used by ID thieves. By reporting the ID theft to the FTC and filling out an ID Theft Complaint, you can add the supporting detail to a police report that is necessary to making it an Identity Theft Report.
    1. What should I know before filling out the FTC’s ID Theft Complaint Form?
    2. Instructions for completing the ID Theft Complaint Form
    3. What should I know once I’ve filled out and printed the FTC’s ID Theft Complaint Form?
  5. File a report with your local police. Filing a police report helps document that the crime occurred. Call your local law enforcement office and ask if you can come in and file the report in person or if this needs to be done online or by phone. Some jurisdictions are reluctant to let you file a report, so you may have to contact your state Attorney General’s office to learn whether the law requires the police to take your ID theft report. To find the contact information for the Attorney General in your state you can check www.naag.org.
  6. Notify your health insurance carrier. Identity theft can also be used to commit medical fraud where someone poses as you to have medicines, checkups, even surgeries performed in your name. By contacting your insurance provider, you alert them to take extra precautions and can help prevent receiving a bill for someone else’s medical expenses.
  7. Set up a fraud alert. There are two kinds of fraud alerts: an ‘initial fraud alert’ that stays on your credit report for 90 days, and an ‘extended fraud alert’ that stays on your credit report for 7 years. You can set up an initial fraud alert the moment you suspect trouble – you can’t find your wallet, or you think you have been or will be a victim of ID theft (for example, you receive a notice from a company or bank you use notifying you that their data center has been breached and your information may be compromised). With this initial alert in place, potential creditors have to take additional precautions, verifying your identity to be sure that new credit isn’t given to the ID thieves.

    To set up an extended fraud alert you have to have been a victim of ID theft and be able to prove this by showing one of the credit scoring companies your Identity Theft Report (see step #4). When an extended fraud alert is in place, creditors are required to contact you or meet you in person to verify your identity before they can extend credit.

  8. Stay alert. Watch for additional signs of identity theft like:
    1. False information on your credit reports, including your Social Security number, address(es), name or employer’s name.
    2. Missing bills or other mail. If your bills don’t arrive, or come late, contact your creditors. A missing bill may indicate that an ID thief has hijacked your account and changed your billing address to help hide the crime.
    3. Getting new credit cards sent to you that you didn’t apply for.
    4. Having a credit approval denied or being subjected to high interest rates for no apparent reason.
    5. Receiving calls or notices about past due bills for products or services you didn’t buy.

Once your identity has been stolen, you should also consider subscribing to a service that will constantly monitor your credit and alert you if something changes. Even though you change your credit card number, you aren’t likely to have changed companies, or changed your name, your social security number, your address, etc., and it is a stupid criminal who throws away such valuable information. In all likelihood you will remain more vulnerable to future attacks, and should monitor and protect accordingly.



Estonians Charged For $14 Million in Click Fraud – Is Your Computer Infected?

November 22, 2011

In a particularly advanced two-pronged click fraud scheme, 7 men are charged with infecting 4 million computers worldwide – 500,000 in the U.S. alone. Once a computer was infected, the criminals would redirect the user’s search results to websites that would pay the criminals a referral fee, so the more searches they redirected, the more money they made. The second method was to replace legitimate ads on websites with ads from companies that paid for referring clicks.

In a statement by Janice Fedarcyk, assistant director in charge of the FBI New York office, “They victimized legitimate Website operators and advertisers who missed out on income through click hijacking and ad replacement fraud.”

Hijacked sites included The Wall Street Journal and ESPN. An article in the New York Times included the following illustration of how ESPN ads were swapped; the page shown on the left has a legitimate Dr. Pepper ad, while the ad on the right is for a timeshare company that paid for clicks.

Called the biggest cybercriminal takedown in history, the FBI worked with international law enforcement agencies, security companies, and security experts for over two years to crack the case.

This malware, which infected both Windows and Mac operating systems, did not target consumer information; it was designed to defraud advertisers and website companies. But in order to avoid detection by antivirus software, the malware blocked antivirus updates. This means that infected users were (and are) vulnerable to other malware.

What this means to you:

Although the FBI has replaced the malicious servers involved, infected users remain infected with the DNSChanger malware, and any other malware that was able to crawl into computers while security software updates were blocked. If you’ve seen unlikely ads or suspect your machine may be infected, the FBI has created a website that will help you detect the malware and get rid of it.
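The FBI’s detection page worked by comparing the DNS resolver addresses a machine was actually using against the address blocks the criminals controlled. The script below, an added example that is not part of the original post or of the FBI’s tool, shows that check in Python: it parses resolver entries in Linux/Mac `resolv.conf` style and in Windows `ipconfig /all` style, then flags any resolver that falls inside a list of rogue ranges. The ranges and the sample resolver file are constructed placeholders (documentation test networks), not the real DNSChanger blocks; a defender would substitute the published list.

```python
"""Added example (not from the original post): flag DNS resolvers that fall
inside known-rogue address ranges, the kind of check the FBI's DNSChanger
page performed. Rogue ranges here are PLACEHOLDERS, not real IoCs."""
import ipaddress
import re

# Placeholder "rogue" resolver ranges (constructed for this example; these are
# the RFC 5737 documentation networks, standing in for the real blocks).
ROGUE_RESOLVER_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Matches "nameserver 10.0.0.1" (resolv.conf) and
# "DNS Servers . . . . . . : 10.0.0.1" (ipconfig /all). Only the first
# address on an ipconfig "DNS Servers" line is caught; continuation lines
# that hold further servers would need extra handling.
_ENTRY = re.compile(
    r"^(?:nameserver|DNS Servers[\s.]*:)\s*([0-9A-Fa-f:.]+)", re.IGNORECASE
)


def parse_resolvers(text):
    """Return the resolver addresses found in resolv.conf or ipconfig output."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        match = _ENTRY.match(line)
        if not match:
            continue
        try:
            servers.append(ipaddress.ip_address(match.group(1)))
        except ValueError:
            continue  # malformed address: skip rather than crash the check
    return servers


def rogue_resolvers(servers, ranges=ROGUE_RESOLVER_RANGES):
    """Return the string form of every resolver inside a rogue range."""
    return [str(s) for s in servers if any(s in r for r in ranges)]


def check(text):
    """Parse resolver config text and return the rogue resolvers it names."""
    return rogue_resolvers(parse_resolvers(text))


# Constructed sample: one normal LAN resolver and one inside a placeholder
# rogue range, as a hijacked machine might show.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
nameserver 10.0.0.1
nameserver 198.51.100.25   # not one the user configured
options timeout:2
"""

if __name__ == "__main__":
    hits = check(SAMPLE_RESOLV_CONF)
    if hits:
        print("Resolvers inside a known-rogue range:", ", ".join(hits))
    else:
        print("No resolver matched a known-rogue range.")
```

On a live machine you would feed `check()` the contents of `/etc/resolv.conf` or the output of `ipconfig /all`; a hit means the machine’s DNS settings have been pointed somewhere they should not be, which is exactly the symptom the FBI page looked for.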


6 Steps to Avoiding Black Friday Scams

November 21, 2011

The onslaught of holiday advertisements is in full swing, flooding mailboxes, inboxes, TV, websites, and mobile phones, and these ads will keep increasing until all last-minute shopping has been done, as retailers try to squeeze out every possible dollar in holiday revenue. And then there will be the after-holiday sales…

Chances are you will be among the 90% of consumers who say they expect to shop for gifts online this year, a 1% increase over last year. You might even be among the 15% who are expected to purchase gifts through a mobile device[i]. In fact, 60% of smartphone or tablet owners plan to use their device for a range of holiday shopping purposes this year, according to a new report by Prosper Mobile Insights.

This report indicates that among respondents saying they will use their mobile device for shopping this season, 60% expect to use their device as a “mobile mall,” with 56.7% primarily using their device to plan and research purchases, and one-third will use them to make at least 50% of their holiday purchases.

Whether you are shopping for others or for yourself, knowing how to get a great deal takes a lot more than just looking at the price tag.

Fortunately, learning 6 basic precautions will turn you into a savvy and much safer online shopper.

  1. Start with a secure internet environment. If your computer, tablet or cell phone isn’t protected from viruses and other malware, your financial information and passwords will be stolen as you make purchases (as will everything else you store on your computer or do online). This concept is so basic, yet far less than half of the US population adequately protects their computers – and only 4% have security protection on their tablets or smartphones[ii].
    1. You must have anti-virus and anti-spyware software installed and up-to-date. If your computer or phone isn’t protected from Trojans, viruses and other malware, your financial information, passwords and identity will be stolen. If the cost of security software is prohibitive, at least use one of the free services available – just search on ‘best free antivirus’ and ‘best free mobile antivirus’ to see your options. If you don’t think you need mobile security software, consider this: BullGuard security identified 2,500 different types of mobile malware in 2010[iii].
    2. Secure your internet connection. Make sure your computer’s firewall is on. If you use a wireless network it needs to be encrypted so someone lurking outside the house can’t collect your information. If you need a free firewall, search for ‘best free firewall’. Never use a public WiFi service for any type of financial transaction or other sensitive information transfer.
  2. Identify trustworthy companies. You need to either know the company – or know their reputation.
    1. If you already know the store, shopping their online store is very safe. If there’s a problem you can always walk into the local store for help. If you already know the online store’s reputation you will also be very safe.
    2. If you don’t know the store, it may still be the best option; you just need to take a few more steps. Search online for reviews from other users to see what their experiences were with the company, and conduct a background check by looking at sites that review e-stores (for example, Epinions, BizRate, Better Business Bureau). If the store isn’t listed as a legitimate site by one of these sources, or the store has a lot of negative reviews, DON’T SHOP THERE. It’s that easy.
  3. Know how to avoid scams. The holiday season is prime time for email and web scammers because they know millions of people will be spending billions of dollars online. To give you a sense of just how much money changes hands, last December (2010), $32.6 billion was spent on internet shopping sites[iv]. The best way to avoid scams is simple. NEVER, ever, click on a link in an email or on a website advertisement, no matter how reputable the host website or email sender may be. The website ad or email may be a really good fake, or the website or email account may have been hijacked by spammers. Instead, use a search engine and find the deal or store yourself – if you can’t find the deal on the legitimate store’s site, you know that ‘offer’ was a scam. Click here to learn more about identifying scams.
  4. Protect personal information. Many ecommerce and mobile commerce sites encourage you to create a user account, but unless you truly plan to shop there often you’ll be better off not doing so. If you do choose to create a profile, do not let the store keep your financial information on file. All you really need to purchase something should be your name, mailing address, and your payment information.
    1. If the merchant asks for more information – like your bank account, social security, or driver’s license numbers, NEVER provide these. Some reputable companies will ask additional questions about your interests, but these should always be optional and you should be cautious about providing responses.
    2. Keep in mind that the company may not have strong security measures in place. The lack of strong security precautions in many companies is a real concern. Huge companies like Sony have been hacked multiple times, and consumers’ passwords, names and financial information have been stolen. Unfortunately, many smaller businesses have even fewer safeguards in place to protect your data – so give them as little as possible! To learn more about these risks, see Small Business Owners Suffer from False Sense of Cyber Security.
  5. Make payments safely using a credit card or a well-respected payment service. Credit card purchases limit your liability to no more than $50 of unauthorized charges if your financial information is stolen, and the money in your bank account is untouched. Most debit cards do not offer this protection – and even when they do, you’re the one out of funds in the meantime. However, you probably don’t have a credit card, so striking a deal with a parent or guardian to put the charges on their card – with you handing them the cash – may be a good option. Or you can use a payment service like PayPal that hides your financial information from the online store and can be set up to take money out of your bank account. Do not use checks, cashier’s checks, wire transfers, or money orders, as these carry high risks of fraud.
  6. Do your research. Just because a store claims to have the lowest price, doesn’t mean they actually have the best deal.
    1. Comparing the advertised price of an item doesn’t give you the full picture. You have to look at the final price – including any shipping, handling or taxes – to see which deal may really be the better bargain. Some companies show lower prices, but make up the discount by charging high shipping fees.
    2. Check the company’s return policy. Some companies charge fairly steep return fees for shipping and restocking, so if you think the item may be returned, factor this into the price as well.
    3. Look for online coupons or discounts. Lots of stores offer special deals if you just take the time to look for them. Typing the store’s name and ‘coupon’ is usually all it takes to discover whether extra discounts may apply.
    4. No matter how great the ‘deal’ if you can’t afford it or it’s over your budget, it isn’t a deal. Learning financial responsibility now will set you up for financial security for the rest of your lives. And in spite of all the glittery ads, many of the best gifts don’t cost money.


Happy shopping!


It is Absolutely Critical that you Understand YOU Are the Digital World’s Currency

October 15, 2011

In order to be a truly “free” website, the provider cannot charge you fees, collect your information to sell, rent, lease, or share, or put advertising in front of you. Needless to say, there are very few truly free websites; most that are truly free are government, institutional, school, or non-profit websites, though even many of these types of organizations advertise and sell consumer information.

The way most ‘free’ services make money is not by selling advertising. What they sell is access to you, and information about you to advertisers, marketers and researchers, and others.

Your information is the commodity that drives the internet economy. It is collected through your online actions and the information you share, as well as through the exposure of your information by others.

Every piece of information you post, and every action you take online has value to some company or someone. That isn’t necessarily a bad thing. This trade in information lets you use the websites without paying money for your access. Your information helps companies provide you ads that are more targeted to your interests. It helps researchers and companies know what kind of products to design, and so on.

If you read a website’s terms and conditions you should be able to see just what information is being collected and how it is shared, though many companies make it very difficult to understand the full scope of their use of your information.

In addition to the information the hosting site is collecting and monetizing, an entirely new industry has been created just to collect all the information posted by you or about you on any site – including government sites – to sell, rent, share, etc. to any interested party. See my blog Civil Rights Get Trampled in Internet Background Checks to learn more on this particular aspect.

And the data collection and reuse does not end with the hosting company or data collection companies. Your information is also collected and used by recruiters to make their hiring or enrollment decisions, by potential dates or friends, and by journalists interested in interviewing you. It’s searched by charitable organizations that are looking for sympathetic individuals to ask for donations. And your information is collected and used by far less pleasant people who want to use it for things like bullying, cyberstalking, identity theft, home robberies, and other crimes.

To really understand your digital value and how this may have consequences far beyond those you feel comfortable with, let’s look at an example.

“Jenny” is 65. She loves using the internet to research information and stay in touch with friends and family. She’s on Twitter with friends, on Facebook with her grandchildren, and on a social networking site for seniors with her interests.

In Jenny’s profile she provides her full name, age, and location. She’s included a short line or two about her interests – chamber orchestra music, gardening, wine and photography. She’s taken a couple of online quizzes of her likes and dislikes which makes it easier for new people to see if they have something in common with her.

In one blog post she notes that she’s fed up with the democratic agenda. In another she talks about her grandkids that come to her house twice a week after school.  She complains that her knees and back hurt twice a week – on the days after her grandkids are over. And she says she hates exercising as much as she ever did, but that it’s even harder to get motivated since her mastectomy.

She tweets from the same doughnut shop every morning where she meets up with friends. On her senior site she joins a wine aficionado group and slyly acknowledges that while she only has one glass of wine a day – she frequently refills that glass several times over!

The photos Jenny has posted are of grandkids, her dog and nature shots.  There’s nothing embarrassing in what she’s posted, she wasn’t mean to anyone, but she doesn’t really understand the far reaching ramifications of what she posts.

How do others use this information?

The web service companies she uses collect this information – as well as information about the website she was on before she came to their site (ah, she banks at Chase) and the website she navigates to when she leaves (oh, she went to the appointment scheduling page of a doctor in the ABC medical practice). They collect the type of computer/phone being used (wow, that’s an old HP!), its operating system, IP address, location, etc.

The web service companies are likely to cross-tab this information with other information collected by data aggregators from government websites, like Jenny’s birth certificate – parents’ names, place of birth, date of birth – which, when combined with records where Jenny has entered the last 4 digits of her social security number, provides her whole SSN. See my blog Kids and Financial ID Theft; a Growing Issue to learn how SSNs are deconstructed.

Data aggregators have also collected the birth certificates of her children and grandchildren, her voter record, criminal record (clean), driving record (two speeding tickets in past 18 months). They’ve also gathered information on her deceased husband, what he did for a living (and her projected retirement funds), and information about her home, and previous properties she’s owned.

Crawling the web, data aggregators also see where she’s donated to charities, what her friends are saying about her, what information is discoverable through her photos, and the vehicles she has registered (one car, one boat).

And so on.

What surprises Jenny is that when she chooses to switch auto and boat insurers, she’s denied because of her potential drinking problem, which combined with her speeding tickets could be an expensive mess for the insurance company. She is also denied when she tries to purchase some life insurance – anyone who eats doughnuts every morning, hates to exercise and has already had cancer isn’t seen as a good risk.

Donation requests from music organizations, and catalogs from gardening and pet supply companies, start showing up on a whole slew of websites Jenny visits online – and more arrive in her mailbox.

Her granddaughter discovers she will have to pay more for medical coverage because the insurance company learned through Jenny’s posts that breast cancer runs in the family.

Jenny falls for an ID theft scam that looked like a request for information from her doctor’s office asking her to reconfirm her billing and insurance data for their records.

To make matters worse, Jenny came home last week after her daily doughnut shop meet up, to find her home had been broken into. All of her photography equipment was stolen.

Once Jenny recognized how information she posted was affecting her, and her family members, she immediately took down some of her posts. Unfortunately, the data aggregators, and web service companies still have their data sets, so the damage is permanent.

If you take this scenario, and expand it to all the communications, contacts, and digital data collected about you, you’ll begin to see the magnitude of the financial model behind web services and data aggregators.

I am frequently asked why internet service companies don’t do a better job of giving their customers what they want. The answer to this is simple: they are giving their customers what they want – and what they want is your data.

In short, while you are the consumer of a website’s services, you are not the service’s customer – the customers are the companies paying to get access to you and your information.

A great illustration of this concept was created by the people behind Geek and Poke, and though the company targeted in the cartoon is Facebook, the concept applies to every other web service or product that makes its money behind the scenes.

As you provide information, consider how it is being sold, bought, or simply taken, and make sure you’re okay with the potential outcomes now and over time.

Learn more about the commodity model in this blog: When it Comes to Online Ad Tracking, You Can Opt out Any Time You’d Like – But Can You Ever Leave?

Note: ilookbothways.com does not collect, trade, sell, or use any information about our readers, nor do we accept any advertising on our site. The occasional ad that does land on our pages is NOT associated with us in any way.


Will Spam Volumes Drop as Cybercrooks move to Targeted Attacks?

July 18, 2011

A new Cisco report highlights shifting patterns in cybercriminal exploits as crooks hone their tools and hone in on you.

The good news? Unsophisticated mass spam exploits are receding. According to the report, daily mass spam volumes dropped by 80%, from 300 billion messages in June 2010 to 40 billion last month. Unfortunately, this is not because prophecies of eradication through technical solutions have been fulfilled; it’s because the financial returns from mass spam/e-mail attacks declined by over 50 percent, from $1.1 billion in June 2010 to $500 million in June 2011.

In other words, mass spam is an outdated business model, and state-of-the-art criminal businesses have adapted to focus on greater returns for their investments.

Today, the real money is in targeted, personalized attacks. The report found that in the last 12 months, spear phishing attacks have increased threefold; personalized scams, malicious and targeted attacks have all risen fourfold; and a good phishing campaign can net at least 10 times the profit of a mass spam attack.

This spam vs. spear phishing table makes it easy to see why targeted attacks carry a much higher return on investment, particularly as law enforcement agencies and large email carriers are coordinating their focus on mass spammers.

Though the costs of spear phishing are estimated to be five times greater per targeted user than a mass attack, cybercriminals are balancing priorities – is it better to infect more users or to keep attacks small enough to avoid notice by security vendors? By targeting high income earners and business users with corporate bank accounts, cybercrooks are ensuring they see a stronger return on their lower infection rates. This is why, according to the report, the average value per victim can be 40x that of a mass attack. Balancing this against the greater acquisition cost, the profit from a single spear phishing attack can still be more than 10 times the profit of a mass attack.

Financial Impact to legitimate companies and individuals

Cisco estimates the cost of targeted attacks to organizations to be $1.29 billion annually. This cost is split into three key buckets – the actual financial loss, the cost of remediation, and the cost of repairing the company’s damaged reputation. Cisco calculates that for every $1 lost due to infected users, enterprises spend an additional $2.10 on remediation and $6.40 on reputation repair. To learn more, see the Cisco Cybercrime Return on Investment Matrix.

The biggest risk of victimization comes through misplaced trust

Criminals have learned that they don’t need to break down the security barriers of a company (or home), they just need to fool one person into trusting them once. One mistake. One person who followed their natural inclination to trust, who was too rushed to take the time to check the facts, or who believed the fake evidence put before them.

“Miscreants are continuing to find new and creative ways to exploit network, system, and even human vulnerabilities to steal information or do damage,” says John N. Stewart, vice president and chief security officer for Cisco. “The challenge is that we need to block their exploits 100% of the time if we are to protect our networks and information. They can be right once; we have to be right all of the time. We need to be ever vigilant in our efforts to protect our assets, information, and ourselves online.”

What this means for protecting yourself and your company

To avoid falling victim to malicious targeted attacks, every computer and smartphone used must have strong, up-to-date security software in place. This should go without saying, but unfortunately the vast majority of personal computing devices remain unprotected or their protection is not up to date.

While this lack of security would seem to threaten only individuals, many employees use their personal computers/phones to perform work tasks at least some of the time, thereby exposing their companies through these devices as well. Additionally, it’s critical to understand that security software alone will not protect you, your devices, your home network, or your workplace from threats you introduce by falling for a criminal’s exploit.

Every user must be trained to identify malicious links, spear phishing scams, dangerous downloads, and suspect connection points. This training has to be so well instilled that family members or employees who are rushed, focused on something else, or in some way distracted will still make the right choices and avoid the scams. Yet as Stewart pointed out, making the right choice 95% of the time isn’t enough – a 5% failure rate is more than enough wiggle room for a cybercrook. The right choice needs to be made 100% of the time.

What are you doing to train yourself, your family, your employees, or your students?

Criminals’ biggest advantage is that most companies (large and small) aren’t providing much in the way of training – see my blog Small Businesses Don’t Think They are Cybercrime Targets – That Puts YOU at Risk. Very few families are providing (or receiving) this level of training, and educators aren’t training our next generation of users (see Educators Lack Training; Don’t Teach Online Safety).

We can either continue our present course – sticking our heads in the sand and leaving our rear ends exposed to whatever exploit comes along – or we can accept the fact that education and skills training are critical components of a secure online environment and fund these initiatives. Funding these initiatives will require more than lip-flapping. Companies that are cutting back on training expenses have to reinvest. Families and individuals have to stop playing pass the buck and take the time to teach themselves, and schools whose budgets have been decimated are going to have to figure out how to teach online safety, security and privacy in a holistic, skills-driven manner.

It’s a lot to swallow and requires a unified effort, but the options are even less attractive.


For more on the internet’s criminal landscape see:

  1. A good decade for cybercrime (McAfee)
  2. Identity Theft Statistics 2010
  3. How Much Does Identity Theft Cost? [INFOGRAPHIC]
  4. Cyber crime: a clear and present danger
  5. Internet security threat report (Symantec)
  6. Social Engineering Bigger Risk to Your Online Safety than Malware
  7. Windows Getting Safer, but Study Finds that 1 of Every 14 Programs Downloaded is Later Confirmed as Malware
  8. Symantec Delivers Threat Report and Excellent Tools that Explain Risks to Consumers
  9. Every 3 Seconds an Identity is Stolen – Don’t Be Next
  10. Are You Sure Your PC is Malware Free??
  11. Are You a Malware Magnet? 4 simple steps can make all the difference