Is it really a good idea to scam the scammers?

When scammers come calling, the temptation is to try to turn the tables on them. Some experts actually do, but is it a good idea for would-be vigilantes to follow suit?

Florian Lukavsky, director of application security services firm SEC Consult, is an expert at these things. He scammed a group of whalers by playing them at their own game.

Instead of targeting random employees hoping to worm their way into a system somewhere, whalers are more targeted, going after important execs with access to cash. Whalers impersonate the CEO or some other board-level honcho, convincing their target that they should send a large sum of money to a fraudulent account. Typically, they’ll pretend that it’s an invoice that needs paying.

The numbers speak for themselves – in April, the FBI said that whaling attacks have risen 270% in the last three years. Attackers have walked away with $2.3 billion.

Lukavsky played along with an incoming whaler, sending them an infected PDF that he said was a transaction confirmation. The malware harvested personal information including Twitter handles and Windows credentials from the attacker’s machine. His company then passed these details along to the police.

SEC Consult says that it worked with law enforcement to pull this one off, and was able to give the information to officers, but most of us aren’t experts in this field, and don’t have police co-operation.

We’ve seen cases where individuals have turned the tables by effectively trying to hack back. And there are other variations on this theme, such as Japan’s cyberweapon virus, which was designed to automatically seek and destroy attackers.

Manipulating other people’s computers – to seek revenge or to fix them – is a bad idea, and not just for the reasons that Naked Security has laid out here. The biggest problem for civilians who would hack the hackers is that altering your attacker’s computer in any way is simply illegal in many places.

In the UK, for example, the Computer Misuse Act explicitly forbids you to secure unauthorised access to someone else’s machine. In the US, the Computer Fraud and Abuse Act says much the same thing. This means that you could technically be prosecuted for knowingly fiddling with an attacker’s computer.

Do governments hack back? Of course they do. Law enforcement, military and intelligence operatives are all authorized to intrude on targets’ computers, but there’s a difference. There is legal approval at a high level, and then at least theoretically a chain of command and an audit trail that documents exactly what is being done, how, and why.

That doesn’t exist at an individual or company level, though, and hacking anyone’s computer – even if they’re trying to scam you out of millions – is a form of vigilante justice that could easily get out of hand.

All kinds of unexpected things can happen along the way. You may be infecting the wrong machine, as attackers have a tendency to compromise other people’s computers and launch their attacks from there. Or there’s a risk you may end up incurring some form of physical retribution from your attacker, who may know a lot about you.

If hacking back became a thing, then we’d be living in the wild west again, with vigilantes who were just as culpable as their attackers. And innocent users would doubtless be caught in the crossfire.

For most of us, the best form of defence is not offence, but education. Take the lady who posts detailed public service announcements on Craigslist warning vulnerable young students how to spot an online rental scam. She hacks public awareness, which is a far safer thing to do.

After all, knowing how to spot a scammer and disengage immediately is one of the best ways to protect yourself. It’s also a lot less work. Leave the Jason Bourne stuff to the professionals.

Here’s a short podcast you can recommend to friends and family. We make it clear that these guys are scammers (and why), and offer some practical advice on how to deal with them.

(Originally recorded 05 Nov 2010, duration 6’15”, download size 4.5MB)