A lot of our collective efforts – Sophos’s, Naked Security’s, and yours – are aimed at helping friends and family stay safe online.
It’s a never-ending battle, because even the cautious user is at risk, for example when a new zero-day exploit appears.
Zero days, remember, are security holes that the Bad Guys work out how to abuse before the Good Guys have a patch available.
Zero days don’t always win the day, of course.
They can often be defeated before a patch is ready by proactive security defences such as anti-virus, web and email filtering, and network intrusion prevention.
But if a zero-day does get the better of your defences – especially at home, where your “IT department” may consist entirely of intermittent favours from friends – then you may end up with a cybercrook in remote control of your computer.
Worse still, you may have done nothing riskier than browsing to a legitimate website that you’ve used before perfectly safely.
What about “obvious” scams?
With this in mind, it’s easy to be dismissive of people who fall victim to cyberscams that a well-informed user might consider obvious, for example:
- Unlikely-sounding fake invoices that arrive as attachments in emails, written in illiterate English, from people you’ve never heard of.
- Job offers that ask for no “skills” other than a willingness to process payments for a third party.
- Security “warnings” claiming to be from a reputable organisation, urging you to log in via a website that clearly doesn’t belong to the company mentioned in the email.
- Notifications that you’ve won an extravagant sum in a lottery you didn’t enter, asking you to pay some sort of release fee so that your “winnings” can be remitted.
Nevertheless, those who fall for scams of this sort are almost always guilty of nothing more than a regrettable combination of naivety, uncertainty and vulnerability.
Victims are just that: victims
The victims are just that: victims, whose lives are often turned upside down once cybercrooks get hold of them.
Well, here’s an initiative aimed at helping turn the tables on the crooks.
This week (16 June 2014 to 22 June 2014) is National Consumer Fraud Week in Australia, driven by the Australian Competition and Consumer Commission (ACCC), a public service body that goes into bat for Aussie consumers like the FTC does in the United States.
This year’s Fraud Week theme is: KNOW WHO YOU’RE DEALING WITH.
The facts are clear: cybercrime victims are more likely to lose money, and likely to lose more of it, once they are lured into any sort of personal contact with their scammers.
Indeed, the ACCC has just published its 2013 Targeting Scams report, together with a neat infographic for those in a hurry.
Here’s some in-your-face data from the infographic:
Those are the top ten scams reported by type, accounting for losses of about AU$70,000,000 in 2013. (There are only about 25,000,000 people in Australia, children included.)
But notice that the losses from offences we’d perhaps most directly associate with cybercrime – phishing, hacking and dodgy online merchants – account for only about $10m of the total.
The lion’s share, totalling more than $50m (and those are known losses), is from internet-enabled crimes in which the crooks actually make contact with their victims and work them over from afar, perhaps for months or years.
Of the 2777 people who reported getting caught up in romance scams in 2013, for example, 43% actually ended up sending money, with a mean average of $21,000 coughed up over time once the victim was on the hook.
Surely they realised?
You may be incredulous at this point, asking yourself, “Surely they realised? After the third time their loved one failed to board the flight they’d just paid for, didn’t they rumble that it was a scam?”
But they did not, which is not itself a crime.
And even if they were suspicious, it may well be that their own circumstances – for example: loneliness; vulnerability; an overly trusting nature – caused them to cling to their dreams for a lot longer than they ought to have.
That, too, is not a crime.
(Remember also that the longer a victim has been scammed, the bigger the crash, emotional and financial, when they finally accept that their dream is a nightmare.)
Rather than come up with our own advice, we thought we’d repeat the Top Five tips from the ACCC:
[Image: the ACCC’s Top Five tips, linking to the scamwatch.gov.au website]
Take heed of that first sentence above.
It’s an easy-to-remember elevator pitch that is written in plain and unambiguous English:
If you meet someone online and they ask for any money, big or small, you are dealing with a scammer.
No perhapses! No maybes! No buts!
I wasn’t aware that the FTC (or any governmental body in the USA, for that matter) ever went to bat for consumers. After all, “the business of America is business.” (Pres. Coolidge). These scams have been going on for decades without any organization lifting a finger to protect consumers.
You can argue the FTC might have done more, but to say that the FTC has never “lifted a finger” is a little extreme, don’t you think? (To say that means it has never done anything, ever, at all.)
We seem to write fairly frequently about FTC action against internet badness e.g.
http://nakedsecurity.sophos.com/2014/05/08/snapchat-agrees-to-settlement-with-ftc-over-privacy-complaints/
http://nakedsecurity.sophos.com/2013/12/06/ftc-acts-against-brightest-flashlight-app-for-deceptively-tracking-your-location/
http://nakedsecurity.sophos.com/2013/11/22/ftc-fights-the-cybercrooks-who-put-cryptolocker-to-shame/
http://nakedsecurity.sophos.com/2012/11/16/acai-berry-scammers-ftc/
http://nakedsecurity.sophos.com/2012/10/24/ftc-smacks-down-security-sloppiness-by-web-analytics-company-compete/
http://nakedsecurity.sophos.com/2012/10/03/warning-your-pop-up-ads-may-be-fraudulent-ftc-wins-163m-settlement-against-scareware-firm/
http://nakedsecurity.sophos.com/2011/12/12/ftc-issues-rebates-to-victims-of-fake-anti-virus-scam/
http://nakedsecurity.sophos.com/2009/06/09/ftc-takes-3fn/
http://nakedsecurity.sophos.com/2008/12/11/ftc-halts-fake-anti-virus-scans-that-scammed-a-million-people/
Oh, er, there was the $500,000,000 settlement the FTC got out of Google over helping spammers get round blocks on pharmaceutical ads.
And the $32,000,000 the FTC took from Apple over in-app purchases being too easy for kids.
Not that I am trying to evangelise for the FTC here. But “not lifting a finger” seems a charge dismissed by plenty of evidence to the contrary.
PS. I may have been trolled again. I’m not that good at spotting when that happens.
He may have thought you meant involvement in individual cases (though I did not read it that way), which rarely happens with any governing body. They oversee the larger process to try to make it less able to be gamed and make the players aware of the risks. One can argue the FTC has not succeeded, but as Paul shows, they do try to have an impact. The real problem is whoever regulates any process can only affect the behavior of people who actually use the process. That’s why scammers work hard to get you outside of the process, so then their behavior cannot even be easily observed, much less regulated.