When It Comes To Personal Data Protection, It’s A Myth That Some Types Of Information Are More Harmful To Lose Than Others.

The washingtonpost.com has an article today on “money mules,” people who make possible certain forms of phishing and other on?line cons and scams.  One of the ways it works is as follows:  A person is contacted to see if he’s interested in making a little income.  He agrees.  He receives some money in his bank account or via Paypal, and is asked to forward the money to someone else—say, via Western Union.  He’s to keep 10% of the money as a commission.


Sounds like a scam, smells like a scam, looks like a scam…it is a scam; however, this is where the social engineering part kicks in to deodorize the stench.  The “mules” are contacted through e-mail, stating that their address was found via an on?line job posting, such as via monster.com.  Then, the scammers make it sound like a legitimate job.  They’ll construct—or better yet, copy an entire website—for the purpose of pulling off the scam.  They’ll have the mule sign a contract for the job just to make it seem legitimate.  The money is sent by the scammers and the mule forwards it to someone else.  Everyone’s happy.  After all, the necessary checks were done, and everything seems to be legitimate.  Plus, you’ve got a contact, remember?  Sit back and watch the money roll in.


Then the e-mails and calls start coming in from random people.  When will you be sending the camera that I bought from you on eBay, Mr. Mule?




And guess what?  Based on past rulings, Mr. Mule is responsible for refunding the money, not the scammers.


Of course, you don’t actually have to sign up for anything to become a victim.  Sometimes just reading the e?mail itself is the danger.  Again, from the washingtonpost.com:

“For example, money mules have helped to generate profits for the individual(s) behind some 15 separate, targeted malicious software attacks last year that came disguised as e-mails from the Better Business Bureau, according to iDefense, a security firm owned by Verisign. In those scams, the fraudsters sent virus-laden e-mails to tens of thousands of individuals whose resume and contact information were stolen in a previous compromise of a Monster.com job-seekers database, said Matt Richard, director of iDefense Rapid Response.” 

This is why when any organization alerts the public that a laptop or a computer was stolen and—while there was no data encryption like AlertBoot to protect the information—there’s no need to worry, there was no financial information involved…you should worry nevertheless.  That’s because a random e?mail address is pretty much useless, whereas one that is confirmed as a legitimate one is worth—well, it’s worth a little more than a random e?mail address.  But get enough of them, and it definitely becomes palatable for scammers.


At this point, someone will raise their hand and say, “well, that’s true for random e?mail addresses as well.  Get enough of them, and it’s palatable for scammers, too.”  And this is not wrong.  However, we should imagine what the rate of success happens to be in either case.


For random e-mail addresses, a scammer is stuck sending Viagra commercials, hoping to catch Bob Doles.  Or perhaps you don’t have performance problems but you’d like a genuine RoIex.  It’s all very hit and miss.  However, if I know as a scammer that you’re looking for a job and that you’ve posted your résumé on monster.com….well, that gives me something to work with.  That’s where the social engineering kicks in—and why danger lies ahead for the unsuspecting victim.  Of course, you could randomly send monster.com scam e-mails…but scamming people costs money, and the phishing industry is looking at its bottom line, just like any industry.  Concentrate on those you know that use the job boards, and the probabilities of success are much better.


In this day and age, when it concerns personal data, I don’t think one can make a distinction on “safe to lose data” and “unsafe to lose data.”  I’d say it behooves any legitimate company to protect its data (and their customers’ data) regardless of what they think the level of safety happens to be, with true-and-tried information protection measures such as whole disk encryption.

Comments (0)

Let us know what you think