(1) I have years of experience with it, AND …

(2) Those years have led me to conclude there has got to be a better way of accomplishing the goal, AND …

(3) I’ve invested a great deal of time identifying a better way, where “better” definitely includes “viable” but not necessarily “easy,” AND …

(4) I’ve persuaded a handful of security pros whom I deeply respect, that my “better” way is indeed better

Naturally I aim not to miss the mark here, so when I do or appears I do, I reckon it’s due to one or more of:

(a) Having so much to say, I have to say it in chunks e.g. The 9 Laws of Phishing, OR …

(b) I’ve lost objectivity from having thought about it so long, OR …

(c) I’ve simply missed the mark

It would be helpful for me if you could point out one or two posts that need clarification.

Excitedly waiting for some alternatives to SSL-Bribes.

I agree that Netflix credentials are boring in the grand scheme of things. But if I were a phisher that’s not what I’d be after if I sent a Netflix phish. I would just want you to click on the link and drop some malware your way before redirecting you to Netflix. Then I’d own you.

Anyway, I’ve spent half of ecommerce history working for an ecommerce powerhouse. We processed nowhere near the trillions that pass through a bank like yours each year, but it was plenty of billions. And PII is PII even if you can’t milk cash from it the minute you reel it in.

Phishing is about USING e-mail as a channel to dupe people into forking over their banking credentials. Sears.com credentials? Nope. Netflix credentials? LOL. Wells Fargo credentials? You betcha.

Tell you what — how about you go work for any company that stores other people’s money as a business, and then come talk to us about phishing, ok?