How many times a month do you read about one more hack, or receive a letter from a company that has exposed your information to a threatening force?
We understand that our offices, banks, stores and other data holders are constantly under attack from forces across the globe. The mark of a sophisticated netizen is nonchalance in the face of each accumulating security failure.
But sometimes it takes a personal attack to break through the irony and make us start to worry about a data predator’s effects on our friends, families, and workplaces.
It started with a call from a co-worker just before 5 PM last Friday. After a few moments of idle chat, I asked her what she needed from me. She said, “I’m calling about your email.” Having not sent her an email, I was surprised, but not terribly so. She could have been responding to an old message or just been mistaken. “No, I’m looking at it right now and it says ‘URGENT REQUEST’ in the subject line,” she insisted. She had my attention. I was the subject of a social engineering or “imposter” email scheme.
The spoofed email was ridiculously easy to spot. It used my full name, including my middle initial, which I never do. It came from a domain that was so “off” it could have been Philip_P_Gura@spearphishing.com. As mentioned, the subject line said “URGENT REQUEST” and the body of the message all but screamed “mail fraud”. And yet.
The calls came flooding in, faster than I could answer them. Emails, too. Some asked if I had been hacked, but most responded to my “urgent request” as if it were the real deal. The head of our Atlanta office called me from the road to find out what was up.
None of this should have been terribly worrisome to me in today’s “Spy-vs-Spy” world. After all, we don’t really bat an eye when our credit card credentials are compromised and have gotten used to having to remember a dozen different passwords just to download the Sunday crossword puzzle or change a flight. But, here’s the thing: it really shook me. Why?
I may be a jaded tech lawyer, but I am also human. Someone out there was pretending to be me and, worse, was imposing on the people I work with. A sense of outrage and violation rose in my chest and I felt like . . . like I was RESPONSIBLE for the scam somehow. What had I done? What website had I visited that had tracked me down and sold my information to the Dark Web? Had I somehow through carelessness or inaction allowed this imposter under the tent of my firm? Was I in (gasp!) trouble?
Fortunately for me and my blood pressure, I work with some really fine people who very quickly sorted the situation. No harm, no foul. (In fact, one of my colleagues even corresponded a couple of times with the imposter just for grins and general edification. Turns out the scammer asked my colleague to go to Amazon and buy $400 of gift cards and to send the card numbers to the spoofed email address. You’ve been warned.)
The point is, I and a lot of others have written about a “post-privacy” world where it’s only the naïve who still hang on to the mirage of an expectation of privacy and the right to be left alone. Yet, all it took to shake me out of my ivory cell tower was a clumsy, amateurish and doomed-to-failure spoof and I lost my cyber-shit.
So, maybe I’ve missed the point of events like the recent Equifax $700 million deal to settle investigations into its massive data breach. Companies like Equifax are supposed to be the guardians at the gate, keeping our transactions private and our credit safe. As business people and casual internet users, we can easily see the wave-peak news items about regulation and forget about the sharks and other risks constantly threatening to break the surface. Like the ocean, the internet is a chaotic wilderness upon which we try to impose human order. Knowing that you have only a one in 11.5 million chance of being attacked by a shark at a US beach is significantly less comforting when a whitetip is chewing on your leg.
It is not easy bringing order to a complicated, multi-jurisdictional medium where predators and scavengers hide easily among an overwhelming number of targets. And, like any attempt to impose order on chaos, the state may go too far or begin to activate its own agendas. But through it all, we lose sight of the most elemental threats.
Fighting the fraudsters and straight-up criminals is important work. It takes professionals to lead the charge, and we users bear some responsibility for our own security. In this blog, we talk about the macro issues of law, policy, history, and society, but we may be missing the true prize.
Sometimes we just want to be left alone.