Microsoft and PayPal both employ about 65 investigators and lawyers in the fight against cybercrime, but it is still an uphill battle, writes Maija Palmer.
Tom Ericson did not think he was the kind of person who would fall victim to a hoax. But the 68-year-old Scandinavian, whose business career included a long spell at a large multinational bank, recently lost £46,000 (€61,500) to a lottery scam.
Ericson received an e-mail in October 2006, ostensibly from Microsoft, which informed him that the company's lottery fund had picked him as the winner of a £500,000 prize.
He was delighted. The Microsoft name reassured him and his phone call to the number given in the e-mail was handled professionally. He was told a cheque would be posted to him straight away.
There was just the matter of a £541.10 handling fee to pay first. Then there was a tax charge of £1,620, a $14,600 security deposit, and £3,102 in legal fees. The fees mounted, but no money arrived.
In December Ericson became suspicious and went to the police. Sympathetic but unable to offer much help, they referred the case to Microsoft's internal investigation department, which tracks lottery scams in a more systematic way than many police forces are able to.
The US software giant is not the only business developing an online policing role. An increasing number are becoming proactive in tracking down cybercriminals who abuse their trademarks, disrupt their businesses and prey on their customers.
Microsoft has about 65 investigators and lawyers tracking cybercrime, such as spam, phishing, malware, spyware and child pornography. PayPal, the online payments service, has a similar number. Other companies seeking protection may pay six- or seven-figure sums for internet security specialists to provide something akin to a private detective service.
RSA, the internet security specialist, for example, works for most of the world's largest banks to identify and stop phishing attempts, in which e-mails purporting to be from trusted contacts encourage victims to hand over confidential data. It also runs an international network through which more than 2,500 banks can quickly share information about cybercrime attacks.
Andrew Moloney, RSA's European director for financial services, says the United Nations is considering establishing something similar, but this could take years to get off the ground.
Part of the problem is the sheer scale of internet crime. Symantec, the internet security company, estimated that it blocked about 8 million phishing e-mails a day in the second half of 2006. About 20 million computers are estimated to be in the control of hackers, and researchers say they are seeing more than 6,000 pieces of malicious computer code created each day. Millions of stolen credit card numbers are bought and sold for pennies apiece on underground networks daily.
Police resources, on the other hand, are limited. In the UK, for instance, the Serious Organised Crime Agency investigates larger-scale internet crimes. But while the agency has about 4,000 staff, it also deals with money laundering, drug trafficking and other offline issues.
"Law enforcements are quite challenged by the international nature of this kind of crime," says Garreth Griffith, head of risk at PayPal. "It is also quite high-volume but low-value crime, which is difficult for the police to track. If you go to the police and tell them you just sent £500 by Western Union to Romania but didn't get the laptop you thought you were buying, they are likely to be sympathetic, but it won't be a priority for them as it isn't a large sum of money.
"We may be able to build a better picture. There may have been five people who also lost £500 to Romania in the same way. We can go to law enforcement with what is now a £2,500 crime and maybe even some information on where to find the scammer."
Microsoft has put lottery scams at the top of its investigation agenda. "In 2003 we started to see maybe one or two of these scams a month. Now we are seeing about 100 unique instances each month," says Peter Anaman, a former French army officer who now works as a cybercrime investigator at Microsoft.
A recent survey conducted by Ipsos on behalf of Microsoft found that half of those polled had received a lottery scam e-mail. About 16 per cent had opened the e-mail and, of these, 10 per cent replied and roughly 3 per cent of people said they had lost money to scammers.
"There is so much internet crime the authorities can't cope. But something has to be done. Criminals have seen there is a no man's land where no one is taking responsibility. Trust in the internet is going down," says Anaman.
So what practical action are companies taking? Microsoft's investigators compile information about the scammers then hand their files over to the police, who carry out any arrests. Sometimes its investigators bring private prosecutions.
Another tool is training for police officers in regions where cybercrime is rife. In Nigeria, Microsoft investigators hold sessions every few months for 20 or 30 police officers, teaching them how to trace the source of a scam using the IP numbers that identify individual computers.
PayPal trained more than 2,000 police officers globally in 2006 and donated computers to forces in countries such as Romania.
The results are positive if patchy. Microsoft has supported 550 prosecutions. "Some people have been locked away and in some cases the criminal activity has stopped altogether," says Anaman.
Griffiths said his investigators contributed to 180 arrests in the UK alone in 2006. However, no lottery scam investigations - including Ericson's - have yet resulted in any arrests or money recovered. Ericson, who borrowed money against his house to pay the scammers, has had to come out of retirement.
"I am angry with myself and my wife is angry with me," he says. "It almost broke up our marriage."
- ( Financial Timesservice)