Fraud guides are supposed to protect potential victims by alerting them to common schemes and instructing them on measures they should take to protect themselves. But in the upside-down, inside-out world that is the Internet, “dark web” sites provide information, support and illicit goods to hackers and other criminals. In that vein, Terbium Labs recently reported on an abundance of fraud guides which are actually intended to educate the crooks, giving detailed instructions on how to exploit weaknesses in security to hack networks, obtain financial information and steal identities.
Terbium found that most of the guides were relatively useless, but a minority provided effective tips on how to compromise networks and disrupt antifraud protocols. These guides cover subjects that include:
- Account takeovers
- Counterfeit documents
- Stolen credit cards
Often, the guides offer case studies on specific companies. For instance, a “Bank Drop Creation Guide” details how a hacker can create a phony bank account at each of nine specific financial institutions. Some of the most dangerous tips inform hackers on how to persuade a bank employee that the fraudulent account they’ve created is legit.
The first step for business owners and consumers to protect themselves is to understand that hackers prize certain types of personal information. These include email addresses, which allow phishers to personalize their scams and track down their target’s full name as well as his/her social media accounts. Passwords, frequently used usernames, Social Security numbers and dates of birth are also top-tier data.
When it comes to financial data, hackers relish payment card info and display a clear preference for credit cards over debit cards. Although credit card numbers are relatively easy to obtain, issuers have robust protocols in place to defeat fraud. Thus, hackers concentrate their efforts on maximizing theft before their fraudulent purchases trigger any alarms.
Given this reality, what steps should you take to protect your interests? As a consumer, you can reduce your risk by recognizing and deleting suspicious emails that request identifying information. Forwarding those emails to the FBI and the company the hacker is impersonating is also helpful in the long term. You must disclose financial information only on sites that provide SSL certificate authentication and encryption. But even with innocuous-seeming information, such as your email address, you should share your info only when necessary.
As a business owner, you have a duty to protect your customers’ data and can be held liable for their losses if you inadvertently transfer their data to a bad actor. You must consult experts to build a data security system that addresses your specific risks and update your system periodically. A good guide is the European Union’s security requirements under the General Data Protection Regulation. Although the U.S. Congress hasn’t enacted sweeping data security measures, the GDPR is the direction in which all governments are headed, including several states here in the U.S. Your company must also take steps to train all employees who handle client data on the pertinent security policies and procedures.
Contact Breon & Associates in Harrisburg
At Breon & Associates, preventing fraud is one of our specialties. Our team is composed of certified anti-fraud experts who work to protect businesses from all manner of security threats. With offices in Harrisburg and South Central PA, Breon & Associates provides business, accounting and tax services throughout Pennsylvania, New York, North Carolina and Florida. Call us at 1-888-516-8476 or 717-273-8626, or contact one of our offices online to schedule an appointment.