Black Hat Tariffs – The Black Hat Taxes on consumer Internet companies are on the rise

Web sites are spending more than a quarter of their time fighting bad guys

Consumer Internet companies are spending more and more of their engineering and executive teams' mindshare on thwarting bad guys rather than on actually improving their product. This is a really big problem. The Black Hat Tax is costing consumer Internet companies billions. And the cost of this tax, as a percentage, is much worse than what offline brick-and-mortar shops pay to invest in security and anti-fraud measures.

In May 2006, I made mention of the Black Hat Tax, in which most consumer Internet sites have an inherent time, resource, and mindshare tax of roughly 25% due to scamming, phishing, hacking, and government requests. And this drain has gotten worse two years later, which is extremely troubling.

A great example is PayPal. As PayPal matured, they fought an intense battle against fraudsters, one of the most consuming issues within the company. Now with PayPal being a legitimate financial institution, you expect lots of attempted fraud. But this is now the norm for most sites.

Companies in the dating or social networks space are increasingly spending their time thwarting bad guys. Dating sites, for instance, face an exorbitant number of scammers. The classic “my husband is beating me here in Moscow, please send $2000 so I can buy a plane ticket and escape” still ensnares many unsuspecting men. There are scam factories in the Philippines and other places that have thousands of people, paid on commission, working to rip off unsuspecting dupes in this way. And while buyer beware should reign, caveat emptor is not in the lexicon of the barrage of customer service emails.

Spam is becoming increasingly common on social networks. I’ve received more MySpace friend requests from strippers and pornographers than real requests. In fact, MySpace just sued and won a $230 million judgment against some of the world’s biggest spammers. This is in addition to people actually hacking into your site (but that is a whole other cat-and-mouse game). Facebook, Twitter, and blog comments are also prime attractions for spammers.

All these little, annoying things consume time … and not just the time of customer service people, but time of the company’s executives and engineers as well. The Black Hat Tax exceeds 25% for most consumer Internet companies right now, with some approaching 40%. That means that 25% of your engineering and management time is about preventing fraud or dealing with these annoyances. That is one onerous tax!

In the side conversations at the Founders Brunches, it seems that all the attendees talk about is the Black Hat Tax. One key item of note is invite/email deliverability. Many B2C companies go viral by convincing current users to upload their address books and email their friends. You can do all the viral tuning you want, but if your emails are getting blocked by someone’s spam filter, they are not going to see your genius. As a result, social network execs spend an inordinate amount of time on email deliverability.

Review sites like Yelp, Digg, and TripAdvisor have thousands of people trying to game the system. Better reviews on TripAdvisor can equate to hundreds of thousands of dollars in additional annual income. Getting your article Digg’ed could mean a huge spike in readership and pageviews. And what’s interesting is that it’s been estimated that almost half the reviews on some of these sites are fake.

Another strain on time is government or federal requests. An IT person at a social network can be consumed for three days with a government request for information on someone promoting pedophilia.

While it’s troubling to note that the nefarious characters are getting more sophisticated, thousands of sites are working feverishly to implement best security practices. But all that the bad guys need is to find just one hole.

(special thanks to James Currier for pointing out the Black Hat Tax to me two years ago)

6 thoughts on “Black Hat Tariffs – The Black Hat Taxes on consumer Internet companies are on the rise”

  1. Steve

    In a book called “security metrics” by Andrew Jaquith, he suggests the cost per employee for security (programs/appliances/expertise) is $196 as of 2002. It’s common jargon in the security consulting field.
    My question to you, your article has a bunch of points that are very reasonable. What do you suggest we do with the info?

  2. John Underwood

    Totally agree… We had fraud at rogomo within a few weeks of launch. As a transaction site, we can at least implement more aggressive sign up tactics to verify user identities (like up front credit card AVS check). Real identities in turn keep most people honest, and make it easier to involve the authorities for the rest. But for free consumer sites (myspace, yedda, etc.) who can’t possibly demand identity verification, the challenges are much greater.

  3. John Smith

    Underpinning your message are large percentages, so …
    what is the evidence for them?
    What data are they based on?
    What exactly was measured, by whom, and how?

  4. Alex6411

    I feel the main problem is there isn’t any real law enforcement not fighting hackers, unless you are big biz. Smaller sites don’t have a chance.

