Examples and rumours abound of companies being burgled by cyberfrauds, cyberspooks or cyber-mischief-makers. On June 26th America's Federal Trade Commission sued Wyndham Worldwide, a hotel group, alleging that security failures at the company in 2008 and 2009, had led to the export of hundreds of thousands of guests' payment-card account numbers to a domain registered in Russia. The FTC says "millions of dollars" were lost to fraud. Wyndham says it knows of no customers who lost money and that the FTC' s claims are "without merit". 　　Working out the cost of cybercrime is a devil of a job. The FTC and Wyndham are poles apart on their estimates of the effect of the credit-card thefts. Companies say they are under constant cyber-attack in ever more ingenious forms, but they are loth to say in public how often the raiders get through and how much damage they do—assuming that the breach is spotted. That suggests the damage is underreported. When they are speaking to the security services they may be more forthcoming, but will they be accurate? Companies might anyway have lost some of the business written off to cybercrime. In that case, Mr. Evans' s ￡800 million would be on the high side. 　　In a report by Britain's Cabinet Office last year, Detica, the software arm of BAE Systems, a defence company, put the cost of cybercrime to the country at a staggering ￡27 billion, or 1.8% of GDP. Businesses bore ￡21 billion, mostly because of the theft of secrets and industrial espionage. Lots of people doubted these numbers—including, it seems, the Ministry of Defence, which commissioned a study from a team led by Ross Anderson, a computer-security expert at Cambridge University. 　　The team's report, published this month, shies away from adding up totals, preferring to assess the costs of different types of crime in turn, but comes up with much lower figures—partly because it discounts Detica' s numbers for intellectual-property theft and espionage entirely, saying they have "no obvious foundation". Most of the cost of cybercrime, it concludes, is indirect, such as spending on antivirus software or other corporate defences. In other words, a lot goes on payments by one lot of businesses to another: the computer-security industry. 　　That may be inevitable. Cyber-attacks are happening more often and are becoming more precisely targeted. Greg Day, the chief technology officer for security in the European business of Symantec, a computer-security firm, says that for years cybercrime was more or less "random", as crooks looked for any holes they could find anywhere. In the past couple of years, however, they have chosen their corporate targets more precisely. Symantec observed virtually no targeted attacks before Stuxnet, a worm that attacked industrial-control systems, appeared in 2010. Last December it spotted an average of 154 a day. 　　The bad guys are increasingly using social media to try to find a way in, either by gathering intelligence or by befriending employees who may be tricked into opening an e-mail with nasty code within. People, a security-industry adage runs, are the weakest link. Training them to be careful may still be the best defence. [A] acquired by the computer-security industry. [B] speaking in public how much damage the cyber-crime does. [C] estimation of the effect of the credit-card thefts. [D] letting out the clients' payment-card account numbers. [E] Britain has invested a lot of money to prevent cybercrime. [F] spent on antivirus software or other corporate defences directly. [G] cybercrime is more purposeful than before.