Gone Phishing: the Con is Still the Con.

The confidence trick, the swindle, the scam, the grift, the flimflam, the hustle: the con. The confidence trick probably dates back to when our earliest ancestors started using tricks instead of muscle to outwit their rivals for the more prized portion of the kill.

As a kid, three-card Monte and the shell game were commonplace here in the city. Crowds would gather down in the subways or on street corners around the hustler and his cardboard box standing on end upon which he adroitly "tossed" the cards showing just enough so I could confidently know where the money card was at every turn. I was "marked". Money changed hands. Tempers got heated. I couldn't always tell who else in the crowd around me was also a mark and who was a shill, but I was happy to observe the game. I never played. The mark who played always lost. The con who got a mark to play always won.

I can't remember the last time I saw the game here on the street. The marks all wised up, and so the hustlers went Phishing.

The con artists have definitely set up shop on the internet. In this line of work, I see them every single day, at every turn, on every corner. The con is still the con. A hustler tries to win your confidence through an increasingly imaginative array of long and short cons.

A modern version of a short con is the forged email or pop-up window that asks you to update your password or to innocently update your contact information. What's gleaned from the short con is easily parlayed into the long con.

Today the long con looks like the request from the Nigerian banker asking for your help to facilitate financial transactions, or a more recent incident where grifters intercepted payments between businesses and their customers.

Con artists now do things like reading the contacts on your website and targeting you with an informed and specific focus. When your site displays the owner's name as well as the bookkeeper's, it's an easy target. The con simply forges an email from the owner to the bookkeeper requesting that an urgent payment be made to a specified bank account so that an important deal can be closed. The forged email goes on to say that the owner will be in meetings for the next three hours but needs it done during that time. It's an effective con. Transactions are often urgent. The email seems legit; it's from the owner. Bamboozled.

As someone who works with the "0's" and the "1's", I'm often asked for the technical silver bullet that will prevent these types of cons from being perpetrated. Although there are many things that we can technically do to mitigate the con, the con, by definition, targets and exploits human characteristics. The human characteristic that we see exploited the most is not greed, nor opportunism, nor naivety, but our appetite for convenience and speed. We are fast paced. We want everything done quickly with minimum effort, without caution. We want to push one button and have the magic happen.

Financial transactions must be controlled. We recommend implementing rigid protocols appropriate to your business needs that are clearly communicated to, and understood by, your staff, your customers and your vendors. Rigid doesn't have to mean complicated: the protocols can be simple, but they must be strict. A protocol may be purely procedural or it may involve some technical mechanisms. Any deviation from the protocol sounds an alarm to all parties. Establishing and following a set of thoughtful protocols will probably do the most to protect your business from the con.
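One technical mechanism of the kind mentioned above, written here as an added example rather than anything from the original post: a mail-rule check that flags the forged-owner payment request described earlier (an executive's display name on an outside address, a redirected Reply-To, and urgency paired with money movement) so the bookkeeper is pushed into the out-of-band verification step the protocol demands. The roster, domains and sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed roster (hypothetical, not from the original post): display names a
# forged "urgent payment" email would impersonate, and their real addresses.
EXECUTIVES = {"pat owner": "pat@example-shop.test"}
URGENCY = re.compile(r"\b(urgent|immediately|right away|in meetings)\b", re.I)
PAYMENT = re.compile(r"\b(wire|payment|transfer|bank account|invoice)\b", re.I)


def flag_bec(raw_email: str) -> list[str]:
    """Return the reasons a message matches the forged-owner payment con; an
    empty list means no check fired."""
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    body = "" if msg.is_multipart() else msg.get_payload()
    reasons = []
    # 1. Display name belongs to an executive, but the address is not theirs.
    expected = EXECUTIVES.get(display.strip().lower())
    if expected and addr.lower() != expected:
        reasons.append(f"display name '{display}' but sender is {addr}")
    # 2. Replies are quietly redirected to another domain.
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != from_domain:
        reasons.append(f"Reply-To {reply_to} differs from From domain {from_domain}")
    # 3. Urgency and money movement appear in the same message.
    text = f"{msg.get('Subject', '')}\n{body}"
    if URGENCY.search(text) and PAYMENT.search(text):
        reasons.append("urgent payment request")
    return reasons


# Constructed sample modelled on the con described above (not a real message).
FORGED = """\
From: Pat Owner <pat.owner@mail-relay.example>
Reply-To: Pat Owner <pat.owner@freemail.example>
To: books@example-shop.test
Subject: Urgent wire before 3pm

Need a payment made to the account below to close the deal. I'm in meetings
for the next three hours, so please handle it right away.
"""

if __name__ == "__main__":
    for reason in flag_bec(FORGED):
        print("ALERT:", reason)
```

Any non-empty result should route the request to a phone call on a known number rather than a reply to the email; the check is a tripwire for the protocol, not a substitute for it.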

You're on the internet. You know the game is happening. You can't tell the mark from the shill from the con. Amongst the crowd, your best defense is not to join the game at all.