What's What with the Who's Who?
Who would be so foolish as to pay for inclusion in a Who's Who book that no one reads? Ben Rothke does a little gumshoe work and files this illustrated report.
By Ben Rothke
August 04, 2009 — CSO —
Times are tough and even the extremely resilient field of information security is suffering. There are plenty of articles covering the small things that you can do to enhance your resume and make yourself stand out from the field. These articles list tips ranging from creating a presence on LinkedIn to adding new professional certifications, and more. Those who are desperate for a job will often load up on these recommendations.
One thing that some people have done is to get their names in a Who's Who directory. Unfortunately, the world of who's who is a free-for-all in which I found there are few winners and countless losers.
I recently started getting a barrage of emails imploring me to sign up for various Who's Who registries. Perhaps that is the cost of having one's email address in articles on CSOonline. [Editor's note: Oh, sure, now it's our fault.] I ignored the emails, but after about the tenth email, I knew something was fishy. All of the emails similarly stated that if I did not reply within a few days, my entry would be at risk, along the lines of this example:
Something told me that while not based in Nigeria, this was a scam. It had all the makings of a classic rip-off scheme: from the various remailers and spam-type email addresses, to the variants of the names used, and more. Some of the messages were addressed to "Dear ," and others to "Dear Business Professional." But not a single one had anything that would indicate it was meant specifically for me.
Note the similar generic email from Emerald Who's Who. The email had a subject line with a typical sense of urgency: "Third Attempt, you may still qualify for inclusion into the Who's Who." I don't recollect getting any of their previous emails, likely due to the good spam filters in place.
Also, Emerald claims in the email that all data is encrypted and safely transmitted. But in reality the data is sent via HTTP and not SSL; so much for Emerald security. The submitted data went out purely over port 80, and the protocol analyzer used found no SSL or encrypted traffic.
Google "who's who" and there are nearly 23 million hits. Who's Who itself refers to a reference book, generally containing biographical information about the persons included. It is important to note that the term Who's Who is in the public domain and is not a copyrighted term. Anyone can create their own Who's Who directory -- which explains why there are myriad variants of who's who books, and which also makes it an area ripe for scammers. In fact, you can spend all day reading about who's who scams at Ripoff Report.
Most Who's Who publications are simply vanity publications, where the inclusion criterion is the person's willingness to buy the book, with the business model consisting of selling books directly to the people who are included.
Most people who pay to get their bio in a who's who are generally so enamored of the seeming honor of being included that they fail to do the most basic due diligence about the offer. This fact, combined with the high-pressure tactics and the threat of an imminent deadline used by the telemarketers, creates a perfect storm for a scam.
When I got yet another email from Heritage Who's Who, in the spirit of accomplishment, I filled out the form. Two days later I got a call from Matt at Heritage who said he had a few questions about my application. Within a few minutes, Matt told me that he was proud to be able to congratulate me and that I was suitable to gain entry into the Heritage registry.