HOW DOES IT WORK?
By far the simplest and most common scam is known as phishing. In a phishing scam, the victim receives what appears to be a legitimate e-mail from a trusted financial institution or social networking site requesting a verification of account numbers, user names, passwords, or other sensitive information. Often, the e-mail will include a link to what appears to be the actual website of the organization.
Once you enter whatever information is requested into this fake website, the scammer will quickly hijack your account, stripping it of everything valuable—credit card numbers, bank account information, social security number, and cash. Anything of immediate value, like credit cards and bank accounts, goes into the pocket of the scammer. Identity information enters a vast black market trolled by terrorists, drug smugglers, and spies.
More sophisticated phishers have done their homework, using relatively simple software to deduce which banks and credit cards you actually use. A few years ago, it was all spam, using the letterhead of a popular bank or other service in the hope that some proportion of potential targets would actually be clients. Now, phishing e-mails are targeted; you can count on a clever con man to already know where you bank before he contacts you.
Phishing is a short game with a huge earning potential, but it’s also fairly easy to spot. Your bank won’t send you an e-mail with a bunch of misspellings in it, and even if they did, they would never ask you for this kind of information. Your bank already knows your name and account number because they’re your bank. Many victims notice fairly quickly that fraudulent charges are being made against their credit cards or unauthorized withdrawals are being made from their bank account. If you’re fast, you can often stop the theft before significant damage is done.
The longer game, with even greater potential earnings, is the one in which the victim is convinced to eagerly hand over his money. Most commonly known as a Nigerian 419 scam (for the part of the Nigerian criminal code that supposedly governs such fraud), this is a variation on older traditional con games.
It begins with an e-mail—usually from someone claiming to be a relative or agent of a deposed African prince, discredited politician, or down-on-his-luck oil baron. The e-mail will weave a tale of the unjust imprisonment of a beloved ruler, and obscene wealth secured just out of reach of the relative or agent—wealth he is willing to share with the person kind enough to offer assistance. For a small initial investment of only a few thousand dollars, the victim is assured to receive tens of millions of dollars in return.
The initial e-mail is like those big yellow envelopes the Publisher’s Clearinghouse used to send out promising millions of dollars in cash and prizes. It draws you in with a promise of millions, and secures your trust with the smiling face of Ed McMahon. If you’re foolish enough to reply to one of these e-mails, you can look forward to a long, complicated e-mail relationship in which the con man will appeal to every emotion you have. He will make you feel guilt for prolonging the captivity of the poor African prince; impatience for the vast wealth you’re about to receive; and affection for your new Nigerian friend.
Inevitably, once you have wired him the first few thousand dollars, complications will arise, requiring more funding. A skilled and aggressive scammer can keep you going until you’re cleaned out. They will encourage you to tap your relatives and friends for funds. Sometimes, when your financial resources are completely drained, he will encourage you to come visit him to meet and receive the thanks of the happily freed sovereign. Upon your arrival, you may be kidnapped and held for ransom or simply murdered.
Phishing and 419 scamming are arts that require time, skill, and a ruthless sensibility. They are vastly profitable, but not necessarily for everyone. Some business models resort to a more brute-force style. If the 419 scam is the Internet equivalent of being gently swindled at a Monaco casino, malicious software is like being mugged by the Internet.
Malicious software comes in numerous forms, and can be deployed in a number of ways. Viruses are self-replicating programs primarily designed to inflict maximum chaos and damage on the largest number of computers as quickly as possible. Worms replicate and move from machine to machine, but rarely do direct damage to individual machines or networks; instead, they deliver a payload to a target computer, usually something designed to allow a remote operator permanent access to the machine.
Viruses can wreak untold damage, but the typical loss is only information. They can cost corporations and governments millions in labor, data recovery, and equipment replacement, but they rarely have the far-reaching consequences of the far more insidious worm.
Viruses and worms are typically deployed through malicious e-mails, links on websites, or simply as apps that run as soon as an infected website is accessed. They can also be loaded as Trojan programs into files downloaded from peer-to-peer networks or other legitimate-seeming pieces of software. Worms can enslave your computer, forcing it to work as part of a remotely operated malicious network known as a botnet.
Without your knowledge, your computer could be engaging in the distribution of spam, the serving of illegal or pirated software, or a concentrated attack on a corporate or government network. It could also be remembering your passwords, account names and numbers, and e-mail addresses. It is almost certainly copying and distributing itself to your friends and coworkers. Even as it subverts your machine to do the bidding of its evil masters, it is quietly delivering your identity into their hands.