The attacker could be anywhere from your machine to your client's machine. It's possible that your own machine or your client's is infected with a packet sniffer or keyboard capture program. To get rid of that type of malfeasance, make sure you have an up-to-date antivirus tool on both sides of the connection. Also, because some antivirus tools don't check for spyware, also download and run the free Ad-Aware anti-spyware program from www.lavasoftusa.com to look for common spyware examples.
If your machine and your client's box is safe, the attacker could alternatively be on any network between you and your client. This could include your own neighborhood if you use a cable modem, your ISP, your customer's ISP, any other ISP through which the message travels or even your own client's network. The only way to eliminate that is to use an encryption package. I know you don't want to rely on such technology, but there is just no other way to prevent snoopers at ISPs. There are some relatively easy-to-use encryption programs available at a low cost, such as the Pretty Good Privacy program from PGP, Inc. Don't be intimidated by it. You can have it up and running in just a few minutes. Of course, both you and your client will have to have the same crypto program for it to work. However, that's a small burden compared to the peace of mind you'll get in knowing your traffic cannot be seen by the attacker.
For more info on this topic, please visit these SearchSecurity.com resources:
This was first published in March 2004