Opening my e-mail reminds me of walking through the bazaar of a third world open air market—the pickpockets are everywhere. In the last 30 days I have received spam purporting to be from the Better Business Bureau, the Internal Revenue Service, the United States post office, the FBI, and most recently (this morning) even one from the AICPA—the American Institute of Certified Public Accountants, a group of which I am not a member. The subject line was "Termination of your Accountant Status" and the body of the email explained to me that my status as a CPA was about to be terminated as a result of my participation in the filing of a fraudulent tax return. I was directed to take immediate action by clicking on the link called "complaint." An eternal cynic and professionally paranoid, I did some research and determined that the logo of the AICPA was correct, as were the return addresses and phone numbers listed in the email.
While I am a credit guy, not a debits and credit guy (and having no degree in accounting), I didn't take the threat seriously; similarly, since I hadn't sent any packages through the post office, nor become a member of the Better Business Bureau, I wasn't too concerned about the dire warnings I received from those folks, either. I guess these emails are about as credible as the ones from exiled Nigerian diplomats—remember those? But since I'm getting half a dozen of these a day, we all know that some of the people, some of the time, are being fooled and scams like this are working.
Hacking is a continuously evolving epidemic that is often perceived as a battle between evil and good forces. I am not overwhelmed by the proposals that I have seen to address the problem because they treat the symptoms without paying attention to the infection itself.
Recently both the House and the Senate held cybersecurity hearings again (so many hearings, so much time, so few results—sigh). As one might imagine, the testimony was filled with justifiably dire warnings about the vulnerability of important elements of the U.S. infrastructure, particularly the power grid. Additionally, a fair amount of time was devoted to the hack of DigiNotar, which was owned by the U.S. public company Vasco Data Security, and was an important provider of security certificates for domains based in the Netherlands and beyond. Apparently, the hacker was able to issue about 500 phony certificates for major websites including Google, enabling that fraudster to impersonate a legitimate site and thereby intercept, for example, Gmail communications. The person who claimed responsibility for the attack had asserted namelessly that he was a 21-year-old Iranian student who had hacked several other security certificate issuers, and was cooperating with the Iranian government. Allegedly, the hack of DigiNotar occurred in June 2011; it was discovered in July, announced in August, and the company filed for bankruptcy in September. Such is the impact of being an unlucky target.
[Related Article: After a Decline, Identity Fraud Rose in 2011]