[Offer Grid] 📬 | Data is the New Oil (How are You Managing Yours?) | Issue No. 10

Let's go back to cybercrime. Many readers told me they liked Issue No. 8, which focused on phishing. I'd like to be very clear that black hat and white hat operators have quite a bit in common. There are some marketing lessons here, as well as safety features you can use to take care of your own business and personal data. Lots of resources in this issue.

Swinging back around to business email compromise (BEC), email security in your business, and further topics related to keeping your email and email-related access safe for your business and your employees (and you!), let’s get back to the cybercrime topics I was mulling over a couple of weeks ago.

You may be aware, and you may already have invested in cybersecurity insurance. BEC is a massive expense for many businesses, even little ecommerce stores.

The average cost of a BEC claim skyrocketed from $84,000 in 2022 to $183,000 in 2023. (Source: NetDiligence Cyber Claims 2024 Study)

What was interesting to me after I published the newsletter two weeks ago was that a few of you responded with increased interest in the cybercrime topic.

Considering how common phishing and BEC are, it’s no wonder.

That BEC is a multi-billion-dollar industry is no joke.

And we’re all targets, because by now, most of our so-called “private” data has become public. It’s been stolen. It’s been sold on the dark web.

In April 2024 it was reported that a major data breach resulted in the theft of every social security number, opening all U.S. citizens to the risk of identity theft.

A long while ago I started checking out as much information about cybersecurity as I could in my spare time, in the hopes of protecting my information and that of my clients.

We have had, if I may brag a sec, 100% safety in spite of somewhere around 200 attempts at phishing attacks over the years. I’ve always worked really closely with my clients to stay safe.

In the course of my research, as I dug into the details of phishing and cybercrime, I came across one fellow on YouTube who described that we have one internet.

But there are really three internets in one.

The internet. This is what we use. We go to Google, or Bing, or wherever. Sites are indexed. We get our sites indexed. We read and engage with each other on it. The internet as we use it daily has become a utility.

Deep web. The military and other secret-grade information is on the deep web. Amazon content and other enterprise content resides on the deep web. Cloud data resides on the deep web. Anything stored securely online is in the deep web. This is a place online that is behind a secure wall and you have to have tools or credentials to access it.

Dark web. Data here is anonymous and unindexed. This is the dystopian neighborhood in the movies where anything goes, and you can buy a person, or drugs, or be a thief without being caught. OK, so that’s a little dramatic, but think of it this way. It’s not a safe neighborhood.

The dark web is the same internet as the one where you share your children's pictures and buy your groceries for delivery. You would just use different methods and tools to access it.

When I first heard this I felt a little jolt of fear. It’s kind of shocking to find out how close to danger we could be. But you have to use special tools to access the dark web. Tor (short for “the onion router”) is software that enables anonymous browsing. Perfect for dark web activities. You can’t be tracked.

Then I realized that since I’m not going on the dark web, I only have the standard hazards to worry about.

It turns out, the standard hazards are quite enough, thank you very much.

Attackers are working the internet every day, trying to steal personal information, like social security numbers, addresses, dates of birth, phone numbers, and email addresses.

Using some very simple tools and resources, any one of us can gather that our personal information is, in fact, available online. Assume from there that we’re on lists that are available on the dark web.

Each of us, in fact, is on at least one list that’s for sale on the dark web, being offered to someone with dark intent.

How do I know this?

Check your Google Chrome browser passwords. If you have some passwords saved there you’ll be notified that some of the passwords have been compromised.

Some credit card companies will notify you if your passwords have been compromised.

Now cross-match that compromised password with your social security number (remember, those are all compromised) and realize that you have left the barn door open.

Realize that lists of information about people aren’t just lists of passwords. They are other data points that enable the bad guys access to real accounts, such as your email account, your bank account, and many others.

This is why the bad guys are in business. 

Data is the New Oil

Information about nearly every person on the planet is a commodity. And it’s for sale.

This is also why there are privacy laws in place, like CCPA (California Consumer Privacy Act), CPRA (California Privacy Rights Act), and GDPR (which is European legislation). If you’re a U.S. business you’re only required to follow GDPR if you sell into EU countries.

I won’t go into details about these laws here. But by now you’re using a cookie disclaimer on your site (you are, right?) and giving visitors a way to opt-out of data collection.

Data isn’t just for sale on the dark web.

Meta has sold billions of dollars worth of information on every person on the platform (Facebook and Instagram).

Credit card companies sell information about card holders.

Even postal mail information is for sale.

Data is GOLD to people selling things.

If you’re online, you’re leaving a footprint. Your personal information, behavior on a site, and technical data (like what sort of device and operating system you use, and where you’re located)... this is all being collected and sold.

Daily.

What I’m describing is a very high level view of the white hat (good guys) data selling world. Since the dawn of marketing, sellers-of-things have bought and sold their customer lists in order to get new customers.

Marketers know that when they mail to lists of people (mail being postal, email, DMs, SMS, and maybe even carrier pigeon) a certain number of the people on that list are going to convert.

You probably track these things in your own customer list.

If you’re really engaged with your customers, you talk with them on different platforms, and even on the phone sometimes.

What happens when lists are stolen and then sold on the dark web?

Well, the bad guys on the dark web work the same way.

(I gave a talk on this and other situations at a cybersecurity conference, Simply Cyber Con, in November 2024. You can see the talk and hear more about the story here.)

Last year, a friend of my mother-in-law responded to a message. Let’s call her Isabella. 

I don’t remember if it was a text, direct message, or what. Doesn’t matter. She responded. Within two hours of her response to this message, she’d given $28,000 (her only savings) to complete strangers through a crypto ATM.

I walked through the situation with her.

Social Engineering

A big part of the success of this attack came from what’s called “social engineering”. Oxford dictionary describes this as, “the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.”

Attackers know that when they get someone on the phone their conversion rate will go way up. These scam tactics work, and that’s why they happen.

The bad guys knew about how much money she had in the bank and where she banked, so they knew what to ask for.

They told a serious story about why she had to give them the money. (I went into a little bit of detail about that in my presentation.) And every good marketer knows that a good story greases the skids, right?

They knew how old she was, her phone number, and where she lived.

There is a special place in hell for people who steal from old ladies.

The trauma she endured will never be healed in her lifetime. She’s 80 years old. She has no way to replace the money that was stolen. She’s emotionally scarred from the situation.

My point in all of this detail is that all the information the attackers had is available on the dark web.

Phishers and hackers who work on business email compromise (BEC) either steal lists or buy lists on the dark web, and, like marketers, they know that a certain number of people will take their “offer”.

If the attackers who stole from Isabella had a list of 30,000 people (a small list), and 1% of the people on the list (300 people) converted (in sales parlance), and each attack resulted in $15,000 on average, they’d pull $4.5 million. And at just two to three hours of work per attack, that’s better than any job.

My point, in all of these details about BEC, phishing, and lists, is this: the bad guys are out there.

The way to stay safe is to NOT click on links you don’t know. It’s a weird kind of “stranger danger”. We spend our days talking to strangers. The really friendly ones are either friends, or they’re trying to rob you blind.

Tough.

You see, these guys are really good at using the same marketing tactics that we use. They’re better than most white hat sales people, actually.

Because really, how often do you call your customers?

How frequently do you create a story around selling, to create a need for your product?

This issue has gotten longer than I wanted it to be, but it conveys the ideas I wanted to share. I’ll have more on cybercrime, cybersecurity, and marketing for retailers in coming issues.

Anyhoo, that’s all I’ve got for you this week. I’m suffering from a cold I picked up on my trip last week (wah) so I get a nap now before my next meeting. Sniff.

More next week.

Best to ya,

Amy

P.S. As I mentioned in issue 9 ¾, I’m working on my YouTube channel. What’s there now is 39 videos. What’s “behind the curtain” is unlisted videos that equal about 300 hours or more of client training and live triage calls with clients since some time in 2019. However, I can’t show the old stuff. I have promised anonymity to all past clients. When I drop a name it’s a pseudonym, because I don’t market myself on clients’ successes. So many of them used me as a secret weapon (their words). There are some client testimonials on the YouTube channel. And I plan to get more testimonials in the future. Right now I’m mapping out the future of the channel. As always, more to come!

Always feel free to reach out with ideas or comments.