Being a cybercrime journalist and researcher has some accidental side-effects, like being targeted by cybercriminals themselves. A few months ago, some malware spammers described previously on my blog decided to manifest their gratitude by putting my private email address in the "reply-to" field of a malware email campaign. As a result, I got about 2,000 unsolicited answers from campaign targets, mostly unaware that they were not contacting the real sender of those malicious messages. Many of them were actually totally unaware that the message they had received was fake and contained malware. Some even asked me to resend the malware as it was blocked by their AV product. Despite dealing with cybercrime victims daily for the last seven years, I was surprised by most of the reactions and realized how little we, as the security industry, know about the average Internet user's ability (or rather inability) to identify threats online. I read those 2,000 messages, analysed and classified victims' answers and wanted to share my findings. The key takeaway: we have to train users, but at the same time we shouldn't count on them properly reacting to Internet threats. We need to build solutions that will protect the users, without their knowledge, sometimes against their will, from their ability to hurt themselves in the worst possible way.