How easy is it for a scammer to fake stuff?

It’s a common question we get asked, and the answer is a resounding “very”.  Let’s take a few things and explain why they’re so easy.

A phone number – There is literally “an app for that” when it comes to spoofing phone numbers.  I made a video about a year ago showing my mobile phone being called by what appeared to be the White House.  If you haven’t seen it, here it is:

Email addresses – Now this one has multiple ways of being achieved, but can be done by something as simple as putting an email address into the name of the email account.  If I use an email address as my name on a different account rather than an actual name, people would see that and assume it was coming from that address.  See, I said it was simple.
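To show how this trick can be spotted from the receiving side, here is an added example (not part of the original post) that compares any address shown in the sender's display name with the address the message really came from.  The sample headers and the function name `inspect_from` are constructed for illustration.

```python
"""Flag From: headers whose display name poses as a different e-mail address."""
import base64
import re
from email.header import decode_header, make_header
from email.utils import parseaddr

# Loose pattern for "something that looks like an e-mail address" in free text.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def inspect_from(header_value):
    """Compare addresses shown in the display name with the real sender address."""
    raw_name, actual = parseaddr(header_value)
    # Display names can be RFC 2047 encoded-words; decode before inspecting,
    # otherwise an encoded address would slip past the pattern above.
    try:
        name = str(make_header(decode_header(raw_name)))
    except Exception:
        name = raw_name
    actual = actual.lower()
    claimed = sorted({a.lower() for a in ADDRESS_RE.findall(name)})
    mismatched = [a for a in claimed if a != actual]
    return {
        "display_name": name,
        "actual_address": actual,
        "claimed_addresses": claimed,
        # True when the name shows an address the message did not come from.
        "spoofed_display_name": bool(mismatched),
    }


# Constructed sample headers (hypothetical names and domains).
_ENCODED = base64.b64encode(b"support@bank.example").decode("ascii")
SAMPLES = [
    '"Alice Example" <alice@shop.example>',               # ordinary name
    '"support@bank.example" <billing@freemail.example>',  # address used as name
    '"alice@shop.example" <alice@shop.example>',          # name matches sender
    f"=?UTF-8?B?{_ENCODED}?= <billing@freemail.example>",  # same trick, encoded
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = inspect_from(sample)
        flag = "SUSPICIOUS" if result["spoofed_display_name"] else "ok"
        print(f"{flag:10} shown={result['display_name']!r} "
              f"real={result['actual_address']!r}")
```

Many mail apps show only the display name, which is why the second and fourth samples look like they come from the bank's address until the real sender address is checked.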

A photo – Image manipulation software has been around for years, with the most well known being Photoshop, to the point that altered images are quite often referred to as having been “Photoshopped”.

A voice – Again, with nothing as complicated as a voice morphing app, you can change your voice to sound completely different.  Scammers love using them to sound female, and Slaphappy loves using it to sound like a chipmunk.

Webcam – The software to fool programs like Skype into seeing a different input as a webcam has been around for at least a dozen years now, and was one of my favourite tools back in 2006/2007 as part of my dealing with scammers from the Philippines.  Throw in some screen capturing software and you have the sextortionist’s toolkit.  It’s not rocket science, and it doesn’t take a master hacker to do it, no matter what the scammers say.

See, it’s not difficult.  Most of the tools have been around for years.  It doesn’t take a rocket scientist to fake stuff.  In most cases, all it takes is a bit of free software.

What can YOU do about scams?

Not everyone can set up a website, join a campaign or appear on TV talking about scams.  There’s a much simpler option out there, and that’s to simply talk about scams.  Talk about them with your family and friends.  It doesn’t cost anything, and if you don’t want to say you were scammed then you don’t have to.  “Did you see that program on TV?” or “Have you heard about that scam that’s doing the rounds at the moment?” is all you need to open up the subject.  Not everyone knows about scams, and someone who may know about one type may not know about another.  Discussing it may save someone you know from losing a fortune, so what’s stopping you?

Time to quote some Doctor Who.

Firstly, some quick background.  I discovered Doctor Who at the age of 5, and have been a sci-fi fan for the 40+ years since.  Every year, my wife buys me a Doctor Who calendar for my “office” wall.

On a seemingly unrelated subject, a question I’m occasionally asked when speaking to journalists is “Dealing with scammers every day must make you suspicious of people”, and they seem surprised when I tell them the answer is in fact quite the opposite.  If anything, it makes me want to trust people more.  I expect scammers to lie, and am never disappointed.  However, the people I deal with on a daily basis out in the “real” world shouldn’t be tarred with the same brush as the scammers in my eyes.  It may seem naive, especially given what I do, but assuming everyone is lying to me would make me bitter and twisted, and I refuse to let the scammers do that to me.

What does this have to do with the calendar?  Each month has a quote from the associated Doctor (first for January, second for February and so on).  This month’s quote comes from the fifth incarnation, and it goes like this:

“I think it does us good to be reminded the Universe isn’t entirely peopled with nasty creatures out for themselves.”

Words to live by.

Oh the glamour of it all!

Sometimes you’ll hear me talk on the radio about scams.  Sometimes it’s a simple matter of being called up on the phone to do the interview, but sometimes I’m asked to go to the local BBC studio.  That’s where the fun starts.  I’ve made no secret of the fact I live in South Wales, and the closest studio to me is the Swansea one.  Back last year I got to visit the London studio, and believe me it’s an entirely different experience.  That place is HUGE!  You have to be given a security badge with your photo on it before you can even enter the glass labyrinth inside.  With Swansea, unless you know exactly where the studio is, you’ll walk right past it.  It’s not exactly the most well marked place.  It’s also a shared building, so only the bottom floor is BBC.

It’s also worth pointing out that, depending on the time of day, it can take up to an hour to drive to it due to the traffic.  Yesterday’s journey took just over 50 minutes.  Once you find it, you press a buzzer on the outside door and someone will let you in and lead you the dozen steps to a tiny, windowless room.  Imagine sitting in something like this:

So there you are, in this claustrophobic box, staring at a row of sliders you can’t touch (though you can now adjust the headphone volume, which is a new feature) and with headphones on that let you hear the broadcast in one ear and your own breathing in another, waiting to be introduced.  They ask you to turn up 10 minutes before the interview is due, but if they’re overrunning, you can be sat there for 20 minutes or so.  Eventually you’ll hear a voice over the broadcast letting you know you’re up next.  The host talks about the story, introduces you and you get about 3 minutes to show what an “expert” you are to the listening public while making sure to get the site’s name out there as many times as you can.  After that, it’s time to leave and make the drive back home.  Two hours for three minutes of air time, and yet I will jump at the chance each and every time as it helps get the word out and warn people about scams, and that’s the most important thing.

Protection for fraud?

In the last months a lot of articles were published about the new General Data Protection Regulation (GDPR) and the effects on the way the Internet we knew will work after May 25.

We are reading “data protection for all individuals”, which means consumers of Internet products provided by companies having an online presence.

The GDPR attempts to solve a problem that has escalated over time: the lack of responsibility for personal privacy shown with each and every breach into a high-profile company site, ending with a dump of the clients’ personal details offered for sale on the dark web. Sadly, the solution is only a partial one where the real companies are expected to do more to protect their clients’ privacy. Cases like Equifax or Ashley Madison and even Facebook are just recent examples of how bad things may end up for a consumer when the company declines any responsibility. Under the new regulations, a real company can be fined for not respecting the privacy of its clients. But what about a fake company, active online, stripping their victims of any privacy while defrauding those victims?

The new regulation does not have a single section dealing with cyber-crime. There need to be elements making it clear that there is no privacy for online fraud.

The consumer (average user of the Internet) is targeted on multiple fronts, starting with fake accounts set up on reputable companies’ sites, and ending with fraudulent websites. The fake characters and the fraudulent websites have something in common: both pretend to be something/someone they are not, while defrauding people who are unaware they are communicating with a fake online entity.

Fake accounts

Most of the reputable sites use disclaimers to avoid any responsibility in the case of a consumer defrauded through the use of their services. Others (a small minority) are posting blacklists of fraudsters, including the details used to register the fake and fraudulent profiles (email addresses, phone numbers, IP addresses). There is no common way of dealing with these cases and most of the details of the fraudulent profiles and accounts are deleted without being preserved. Not saving those elements in a standard way makes it impossible to predict/prevent any fraud, and makes any cyber hygiene impossible in the online environment. Aggravating this, even if a reputable site removes a fake account of a fraudulent entity, other sites will not be aware of this, and that fraudulent entity can act and victimize consumers on another similar website. The fake accounts problem affects everything online: classifieds (eBay, Amazon etc.), social sites (Facebook, Twitter etc.), dating sites and even search engines or YouTube. The entire Internet infrastructure is corrupted and poisoned by fraudulent activities tolerated and ignored by the ones supposedly able to clean their own online space, but not doing it properly. Everywhere online, the user is asked to flag or report fake profiles, inappropriate content or abuse – in most cases that is the only way of removing badness. Many of these reports are ignored. What about the websites’/platforms’ own responsibility? None. There need to be clear rules about this area, and those rules need to be implemented in a uniform and consistent way. There also needs to be responsibility for the way someone is abusing the services provided for committing fraud, as well as accountability for the platforms allowing those fake profiles to use their services while defrauding other users if the reports are ignored.

Fake sites

The fake website problem is another fraud on a different level. A fake website is created based on lies; a lie about who the entity owning that site is, a lie about what that site is doing, a lie about what that site asks for, and/or has to offer.

Fake sites and domains come in all shapes and forms. Some are used in Advance Fee Fraud (AFF), some are mixing the AFF area with phishing, some are mixing AFF with spreading malware, and some are used for Business Email Compromise (BEC). While there are fake websites with malicious domains using fraudulent content to deceive, there are domain names with no content actively used in other fraudulent activities online (for example, domains created only for the email address).

Thinking logically, we would assume that once reported for being involved in cyber-crime, a fraudulent domain name will never be online again. The practice shows otherwise. Suspended by a registrar, the very same domain can be recycled after a while, sometimes even re-registered with the exact same registrar. In theory, the regulators assume the domain name would be used in good faith, but let’s be honest: how many real and normal people have a legitimate reason to use a domain name similar to a bank or company name, or even have their own FBI or DEA?

No Registrar, not even ICANN, keeps a blacklist of the domain names suspended for being used in fraudulent activities, nor a list of the parties serially abusing the domain name system while registering such domains. Those elements are never shared between Registrars, even though sharing them would prevent a bad actor from abusing the domain name system while registering domain names. Those details are hardly ever shared with law enforcement, despite fraud being committed. Sharing them may prevent the re-use of the same domain names for other frauds. It may also avoid the “bad domain history” problem for an honest person trying to buy a domain name in good faith, without having any idea what type of activity that domain was used for before. Again, basic cyber hygiene is totally ignored, and the reason is simple: to register a domain name, the registrant has to pay a fee. As long as the money is paid, no one seems to care about how valid the registration details are, despite policies pretending otherwise. Nobody seems to care about how “clean” the money is, if it is obtained from online fraud, or if the domain name is used to perpetrate more online fraud. It makes no difference. From the GDPR point of view, the bad actor registering fake sites used in fraud becomes a private person using the services provided by an online active company – ICANN and the Registrars.

Theoretically speaking, there are procedures to be followed for mitigating online fraud. Those procedures might look great, but as long as applying them is optional and inconsistent from one Internet services entity to another, the entire “due diligence” becomes a bad joke at the expense of consumers.

Recently, the bad joke expanded in a concentrated effort to hijack the EU new-to-be GDPR laws to the detriment of the consumers. The main area where these actions happen targets the online presence of domain names, regulated by ICANN, and more specifically the WHOIS (registration) details of domain names active online. For the “public good”, the identities of people registering domain names will become hidden. There is no difference made between real entities and fake ones, natural persons and businesses. There is also no mention of the responsibility after reporting the domains used for fraud. There is no accountability for the groups having the responsibility of checking before the fake entities become active online.

Before the GDPR, it was possible to use a proactive approach to identify bad actors registering fake sites before a victim gets defrauded, and act on specific elements to get those domain names suspended. After GDPR, this action will be harder to do, and those basic elements will not be available anymore. A potential victim searching for a loan, checking a WHOIS for the company promising that loan, then seeing it was registered in Benin can avoid the fraud attempt. Another potential victim checking a potential business partner pretending to be in Europe, also on their website, while being registered in Nigeria can also avoid the trap. This will become impossible when there is nothing left to check effectively.

Online fraud costs society over a hundred billion dollars in losses each year. Online fraud creates a major disruption at all levels of society. Instead of a proactive approach meant to stop online fraud, we see only shields built to avoid responsibility. The ones paying the price are the regular users of the Internet, and their opinion doesn’t matter – they are only statistic quantities, justifying actions twisted to serve commercial goals.

An example:
Only one percent of cases reported to the UK authorities result in prosecution, yet less than ten percent get reported. This means that only 0.1% of cyber-fraud cases are resolved. Or, to put it another way, 99.9% of cyber fraudsters are never apprehended and are successful.

Some real statistics:
Less than 400 million domain owners protected, at the risk of more than 7 billion users by a group of countries making up less than 8% of the world’s population, denying over 92% some of their basic human rights. Commercial interests and political ego games are more important than consumer protection.

The Internet is becoming an increasingly hostile territory for the regular user. There is decreasing trust in anything happening online, and more and more people are paying the price for regulators ignoring online fraud. That lack of trust in the online activities expands into the real world. It is time to bring the Internet back to what it was supposed to be; a safe place for the ones using it. The proposed GDPR implementation in WHOIS creates a lack of transparency, and denies regular users a valid option for doing due diligence to protect themselves. This is not the way to achieve the goal of privacy, nor consumer protection.

Why we need WHOIS, as simply as possible.

There are big changes going on right now that will affect how antiscam sites work, including ours.  What I’m going to do in this post is explain what they are, and what damage they’ll do.  WHOIS is one of the tools we use in investigating fake sites.  Go to your WHOIS site of choice, put in the name of the site you’re investigating and you’ll be given a list of such things as the details about who owns the site name, when it was created, how long the site name was paid for, what companies they used to create the site and so on.  For antiscam groups like ours, it’s the best way to help get the evidence needed to report and close a fake site as well as information on other sites owned by the same person.  The most important parts for us would be the location, phone number and email address of the person.  Now here’s where the problem lies.  A law has come in that will make viewing that information much harder, if not impossible.  Some of the information will still be available to view, but not the essential stuff.  Not the stuff that REALLY matters.  What it boils down to is that, very soon a scammer can create a fake site safe in the knowledge that getting it shut down will become a whole lot more difficult.  While we’re fighting with our hands tied behind our backs due to the new rules coming in, the scammers will continue stealing money from people with their fake sites.  If you see #WhyWeNeedWHOIS on Twitter, you know the reason why now.  At least you know the basics.  If you want to know more, keep an eye on here as Firefly is going to make a much more advanced post about it fairly soon from the point of view of someone who uses WHOIS on a regular basis to report fake sites used by scammers.
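The WHOIS check described in this post and in “Protection for fraud?” above (comparing where a site claims to be with where it was registered) can be sketched as follows.  This is an added example, not a tool from the original posts; the two WHOIS records, the domain names and the function names are constructed, and the field labels are assumed to follow the common “Key: value” layout.

```python
"""Compare the country a site claims with the registrant country in WHOIS text."""
from datetime import datetime, timezone

# Words that indicate the registrant detail has been hidden (assumed markers).
REDACTION_MARKERS = ("redacted", "privacy", "not disclosed", "withheld")

# Constructed WHOIS records for illustration only.
OPEN_RECORD = """\
Domain Name: quick-loans.example
Registrar: Example Registrar, Inc.
Creation Date: 2018-04-02T09:15:00Z
Registry Expiry Date: 2019-04-02T09:15:00Z
Registrant Country: BJ
Registrant Email: owner@mail.example
"""
REDACTED_RECORD = """\
Domain Name: quick-loans2.example
Registrar: Example Registrar, Inc.
Creation Date: 2018-06-01T10:00:00Z
Registrant Country: REDACTED FOR PRIVACY
Registrant Email: REDACTED FOR PRIVACY
"""


def parse_whois(text):
    """Turn 'Key: value' WHOIS lines into a dict (first occurrence wins)."""
    record = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("%", "#", ">>>")) or ":" not in line:
            continue
        key, _, value = line.partition(":")
        record.setdefault(key.strip().lower(), value.strip())
    return record


def is_redacted(value):
    """True when a field is empty or replaced by a privacy notice."""
    return not value or any(m in value.lower() for m in REDACTION_MARKERS)


def domain_age_days(record, today):
    """Days since registration, or None if the date is missing or unreadable."""
    raw = record.get("creation date", "")
    try:
        created = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    except ValueError:
        return None
    if created.tzinfo is None:
        created = created.replace(tzinfo=timezone.utc)
    return (today - created).days


def assess(text, claimed_countries, today):
    """Return a verdict: 'consistent', 'mismatch' or 'unknown' (data hidden)."""
    record = parse_whois(text)
    country = record.get("registrant country", "")
    if is_redacted(country):
        verdict = "unknown"
    elif country.upper() in claimed_countries:
        verdict = "consistent"
    else:
        verdict = "mismatch"
    return {
        "registrar": record.get("registrar", ""),
        "registrant_country": country,
        "age_days": domain_age_days(record, today),
        "verdict": verdict,
    }


if __name__ == "__main__":
    now = datetime(2018, 4, 20, tzinfo=timezone.utc)
    # The site claims to be a UK lender (ISO country code GB).
    print(assess(OPEN_RECORD, {"GB"}, now))
    print(assess(REDACTED_RECORD, {"GB"}, now))
```

The second record shows the situation the post warns about: once the registrant fields are hidden, the same check can only answer “unknown”.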

A statement regarding future media interactions.

I was hoping for our latest blog post to be about a great TV program we’d worked with the company on all about romance scams.  Unfortunately, that isn’t what I’m going to be writing about.  I haven’t seen more than about 3 minutes of the show, and the reason is very simple.  They got our name wrong on it.  Seriously, they managed to spell the word “scam” wrong on a program all about scams.  I was furious, as I’m sure you can imagine.  When we work with the media, the only request we make is that the site’s name is mentioned.  We don’t get paid for doing it, in fact there have been occasions when I’ve covered the costs of getting to the interview out of my own pocket.  All we ask for in exchange is that the site’s name is mentioned, and say as much on our media contact page.  That’s not too much to ask for is it?  Apparently it is, and it’s not the first time it’s happened either.  On a previous occasion (not with the same company I should add), the site didn’t get mentioned at all.  Now I’m not saying this happens all the time.  In fact most times things go fine, but even once is too often.  There have also been instances in the past where we’ve been misquoted, or facts and figures posted that were incorrect.  Sometimes the article is online, and we can request the mistakes be fixed.  Sometimes however, once it’s out there it’s too late to do anything about it.

Due to this we’ve come to a decision.  We will refuse interviews unless we have the guarantee we can see the finished item before it goes live to make sure it’s all correct.  We would rather walk away at the start than see an article published with misinformation on it, and mentioning us.  It’s not a decision we take lightly, but one we feel has to be done from this point on.  We apologise in advance, but I’m sure everyone concerned would rather see a factually correct article than one  trying to raise awareness about a subject that could potentially make it worse due to mistakes.

Sometimes it has to be done.

I don’t like having to publicly tell off another antiscam site, but sometimes, as the title says, it has to be done.  We have always given “free, non-judgmental help and advice” on our site, so to see another site refer to victims as “dumb” boils our blood.  Victims are not “dumb”, “stupid”, “greedy” or any of the other insults often hurled at them by members of the public, and we struggle every day to try and shake that perception of them.  To see an antiscam site use any of those words makes our blood boil.  These are people who should know better, but apparently some don’t.  When we see it, we’re going to call it out.

Time flies.

It’s hard to believe it’s been six years since we paid our 10 bucks and bought the ScamSurvivors name for that first year to create this site.  Since then, so much has happened.  I thought I’d share some of the funnier or more unique stories from that time in this blog post, in no particular order.

In one of the earliest incidents, we were kicked off our shared host after our site was the victim of a DDoS attack so big it took down our site, the entire node we were on, and several hundred other sites who had the misfortune to be on the same node.  Luckily they gave us 24 hours to make a backup and move elsewhere.  Ever since, we’ve been on our own server with DDoS protection.  We still get attacked, but thankfully we’ve not been down due to one since.

We were however down for 3 weeks a few years ago after we moved to a new host and were given a server with a dodgy hard drive.  There was lots of hair being pulled out, but thankfully we managed to find another host and Frankenstein together the site from various backups.  Thankfully we’ve had no issues since then.

Around 3 months into our existence, we were threatened with a takedown request after the webmaster of a site decided to take offence at our posting images of the model his site worked with, despite our contacting him looking to work with him in raising awareness of scammers abusing stolen images of his client.  I won’t name names, but when I did some research it turned out that was available to buy, so I did and had it redirect to our site.  A few weeks later, the webmaster actually joined our forum and let us know that the scammer problem had become so bad that he’d put a scam warning on his site and a link to us in it.

Another time we had a threatening email from a company because an email from a scammer pretending to be them was posted on our forum.  They demanded we remove all mention of them, which I respectfully did.  I also posted up their emails to us in order to explain why we’d made such a move.  The odd thing is, that meant the three mentions of their name made by the scammer were replaced with almost 50 mentions of their name from their emails.  How did this one end?  With an apology from them and a “keep up the good work” message.

Most recently, a major company came to us looking to work with us in dealing with the scammers abusing their service.  I can’t name names, but suffice to say it’s a BIG name!

The past six years have been – interesting to say the least.  Would I do it all again?  Most definitely.  Would I do it any differently?  Probably not.  Where would be the fun in that?


Comparing apples to oranges.

If someone had their car stolen, it would be ridiculous to treat them as if they’d been in a car accident, right?  Both involve cars, but they’re different beasts and should be treated as such.  Likewise, if someone is mugged by a drug addict, rehab isn’t where they need to be sent.  The media loves the phrase “sextortion” as a “cover all” name for a number of crimes, and we expect that.  The media also likes the terms “vigilantes” and “scamming the scammers”.  It’s a necessary evil we’ve come to live with.  The problems arise when law enforcement does the same.  There are at least three distinct crimes under the “sextortion” banner that are all similar insomuch as they involve the abuse of images or video of the victim (sextortion, webcam blackmail and revenge porn).  After that, they become different entities and should be treated as such.  Sextortion victims wouldn’t get the help they need on a revenge porn help site in exactly the same way a victim of revenge porn would find the advice on a webcam blackmail help site irrelevant.  We can see the differences between the three and treat them as such, so why can’t law enforcement?  They after all have people who are paid to help, while we are a small group of just four people doing this for free.  If we can do it with our limited resources, why can’t they?