Crime is thriving on the Internet
Bots, botnets, phishing, trojans, DoS attacks, keystroke loggers, identity theft: If you think online banking is safe, think again.
Millions of people check their accounts and pay bills online, and it all seems to work smoothly. Yet every year, millions also get swindled online through different and increasingly sophisticated means that all share one trait: the gullibility of humans.
“Cyber crime is low-risk and high-profit, and it is unlikely that the criminals will get caught,” says Kelly Martin, editor of Security Focus, Symantec’s online magazine. Symantec is one of the world’s leading corporate security firms and is headquartered in Cupertino, California, in the United States.
The cold calculus behind every phishing attempt – where scammers posing as a real bank send e-mails requesting login details – or every e-mail from an African despot asking for help to funnel 45 million dollars to the West, is that someone, somewhere, will always bite.
According to countless media reports there is a brisk international, Internet-driven market for stolen financial and consumer data, not to mention identity theft.
In the US alone, consumers lost more than USD 8 billion to viruses, spyware, and online fraud schemes in 2005, reports Consumer Reports magazine.
According to various press reports, cyber criminals congregate in Internet forums or online bazaars to trade pilfered credit card numbers and sell access to hijacked bank accounts and personal information such as social security numbers, PINs and passwords. While many of these sites, such as carderplanet.com, get closed down when they are discovered, others soon pop up to replace them.
This information is gathered through increasingly sophisticated means that, in some cases, register everything anyone types on a computer – account numbers, passwords and so on – and the hackers sift through it all to find pertinent information.
Here is how the scam works, or has worked, explains David Thomas, a former hacker turned FBI informant, to Wired Magazine. Once in possession of a stolen – and functioning – credit card number, Ukrainian thieves bought USD 30,000 worth of goods online and shipped them to a post office box in the US. Thomas then picked up the goods and resold them on eBay, keeping 40 percent and wiring the rest to Russia.
Of course, this isn’t the only scam. The New York Times reported in July 2006 how Shiva Brent Sharma bought access to stolen credit card numbers online, changed the cardholders’ information, and then wired money to himself using false identities backed up by seemingly legitimate driver’s licenses.
Sharma, 22, who said he could earn USD 20,000 a day, is now serving a four-year sentence at the Mohawk Correctional Facility in Rome, New York.
“Chasing these carding fraudsters is like chasing terrorists in Afghanistan,” says Yohai Einav, director of RSA Security’s Tel Aviv-based fraud intelligence team. RSA Security is an American provider of security solutions to companies. “You know they are somewhere out there,” he says, “but finding their caves, their underground bunkers, is almost impossible.”
While there have been some well-documented arrests of cyber thieves, most reports stress that this is only the tip of the iceberg.
It is not all bad news, however. The 2007 Identity Fraud Survey Report, compiled by Javelin Strategy and Research, found that identity fraud in the US dropped 12 percent in the past year. Claiming to be someone else is one of the first steps in any kind of cyber crime.
“Approximately 500,000 fewer adults in the United States fell victim to identity fraud in 2006 than in 2005,” says the report. “In terms of total dollars, identity fraud in this year’s report dropped by an estimated 12 percent over the previous year, from USD 55.7 billion to USD 49.3 billion.”
James Van Dyke, Javelin’s president and founder, comments: “While identity fraud is still a serious criminal issue in the United States, Javelin’s new study points to significant identity fraud reduction as a direct result of changes in industry and consumer behaviours. Thanks in part to comprehensive data protection, fraud monitoring and consumer education, we now have more effective methods to quickly catch, or prevent, fraud before it occurs.”
Bot is a term used to describe a computer that is remotely controlled by someone else.
A botnet, or bot network, is a group of thousands, or even millions, of computers controlled remotely. Estimates are that the largest bot networks have more than 1.5 million computers. Botnets are the cyber engines driving nearly all criminal activity on the Internet.
DoS stands for Denial of Service attacks, where botnets are used to basically flood a Web site with debilitating volumes of traffic, thereby making it inaccessible to others. Like kidnapping, there is often a ransom note attached: “Pay up or we’ll DoS you.”
Almost a household name, phishing is the term used for stealing banking details from hapless victims through e-mail and redirecting them to a fake banking Web site, only to empty their accounts at the real bank. According to the Anti-Phishing Working Group’s Phishing Activity Trends Report of February 2007, 23,610 unique phishing-attack Web sites were reported during that month. And according to the Why Phishing Works? paper produced by students at Harvard and the University of California at Berkeley (one of the first academic studies on the topic), good phishing Web sites fool 90 percent of Internet surfers.
A trojan, named after the horse in Greek mythology, is software that gets installed on a computer without the user knowing it and circumvents anti-virus protection.
Keystroke logging, or keylogging, is a software tool that captures the user’s keystrokes. It can be useful to determine sources of error in computer systems, but it can also be used to spy on the computer usage of others. Keystroke logging can be achieved by both hardware and software means.