Responding to a request for information about phishing and malware distribution mechanisms this morning, I happened upon a link on the Anti-Phishing Working Group site to the Silver Tail blog

The site has been running a series of blogs on "Online Fraud from the Victim's Perspective". Author Laura Mather tells the story of two victims, one who fell for a "419" Advance Fee Fraud, and another who fell for a drop-shipping fraud.

There isn't a lot of technical content in these articles, but it's good to be reminded that there is a human angle to such stories that is often forgotten in the security industry, where it's often very easy to focus exclusively on technology and forget about the psychosocial aspects of security.

It's all too easy for  the genuinely security-savvy to "blame the victim", as both Laura Mather and Bruce Schneier have pointed out. Mind you, I'd suggest that  self-perceived experts and the bad guys are even worse at that...

It's not helpful, and it's not fair. Being a victim is not the same as being technologically illiterate or simply stupid. Victims are victims, and even in cases where there's a failure to act sensibly, there's usually also a failure of communication. I'm a firm believer in teaching people to help themselves, though not in relying on end users to do the right thing every time. Education helps, but it doesn't solve everything. (Randy and I have a paper due to appear on the white papers page about that, by the way!)

Laura made one particularly interesting point: law enforcement are, in general, not interested in comparatively small losses, because they don't have the resources to tackle more than a fraction of the cases brought to their attention, so have to focus on the big bucks, high profile cases.

I understand the near-inevitability of this strategy, but I can't feel comfortable with the fact that a business that can accommodate a million dollar loss gets more attention because of that loss than an individual or small business for whom the loss of a few thousand dollars is the difference between solvency and ruin.

The Silver Tail articles are here:

http://silvertailsystems.wordpress.com/2009/03/17/dot-con-electronic-crime-from-the-victim%e2%80%99s-perspective-part-1/
http://silvertailsystems.wordpress.com/2009/03/19/dot-con-electronic-crime-from-the-victim%e2%80%99s-perspective-part-2/
http://silvertailsystems.wordpress.com/2009/03/23/dot-con-electronic-crime-from-the-victim%e2%80%99s-perspective-part-3/
http://silvertailsystems.wordpress.com/2009/03/25/dot-con-online-fraud-from-the-victim%e2%80%99s-perspective-part-4/

David Harley
Director of Malware Intelligence