Every minute of the day, somewhere in the world someone is being defrauded online. The media, the ordinary people and experts use different names for the same problem. If it happens to a business, it’s called online fraud. If it targets a state it is called cybercrime. If that targets a regular Internet user it is called a scam.

We all agree that fraud is a crime. The rest is a matter of semantics …

The malicious parties committing fraud are also known by various names. If they are targeting a business, they are called hackers. If they are targeting a state they are called cybercriminals. If they are targeting an ordinary person they are called scammers. The same party targeting a bank with the exact same malicious activity as consumers, will be considered a fraudster by the bank, but will be called a scammer by the media for targeting consumers.

We have laws against fraud, online or not, and the commercial arena invests billions each year to prevent being victimized while also proactively mitigating online threats. We also have laws against cybercrime, governments are investing billions each year to protect their interests, their institutions and their integrity. When it comes to average people defrauded online, we have a system where victims are blamed for being a victim and and that is where it ends. If the victim is lucky, there might be a recognition of the abuse, but hardly any chance of justice or restitution unless you are a famous person. The laws might apply, but it appears not implemented in the same way.

We have people so specialized in the online crime arena, that the average Internet user cannot even begin to understand what they are talking about when they are talking about online crime. Not understanding the experts leaves the victims feeling inferior and even less willing to communicate with the others or even the experts. Most of the experts are talking from a commercial or governmental interest arenas. Victims of Advance Fee Fraud are not part of that arena. Ironically most of the experts do not even understand the convoluted details of Advance Fee Fraud.

We have financial systems in an online environment trying to shift responsibility for risk and loss to anyone else if possible, instead of implementing valid options to avoid and prevent online abuse and fraud. We see the same blame shifting paradigm at the providers of online services.

On the other hand, we have non-recognized, yet knowledgeable people, trying to warn others and save them from fraud by exposing online fraud. This is done in to promote consumer protection. Sadly, their good intentions are not enough most of the time. They cannot do more than to expose the cyber fraud, while proactively reporting it to those whose services are abused and attempting to escalate such cases to the appropriate authorities after a fraud incident. By then consumer protection is too late and we are trying to pick up the pieces after failed protection.

In this equation we have the law enforcement authorities established to protect their citizens from any form of abuse and usually failing because of issues having nothing to do with their mission, facing jurisdictional problems, lack of resources or verifiable information for online crimes. Then other factors intent on protecting their finite capacities comes into play, the typical ‘loss above or below’ a certain amount, statistically known  most serious and most reported threats, while other less reported online fraud slips between the cracks. In the meantime they are forced to deal with physical world infractional events that needs to be solved.

Basic online badness


Using the Internet to acquire somebody else’s money in illegitimate ways can take many forms. We encounter malware infecting the victim’s computer and encrypting it for ransom, or getting access to their content without the victim’s consent or knowledge, with the intention of reusing that content to defraud the owner of that computer, their network or friends.

In phishing we encounter a malicious link or email impersonating a real entity with the purpose of harvesting login credentials like passwords, usernames or similar authentications we use to identify ourselves to an online service, compromising our email address, our online profile on a social platform, our bank account, our credit card details or any other of our online activities.

Then we encounter Advance Fee Fraud; a lie based on the idea of offering something that doesn’t exist with the victim having to pay upfront to obtain it.

We have clear statistics for malware and phishing. Yet when it comes to Advance Fee Fraud, nothing is clear. While we may have a generally accepted definitions of it, many of the elements used in  Advance Fee Fraud are incorrectly labeled as phishing. Many of its elements are not even recognized as fraud, rather considered social engineering. It is one of the most under reported areas of online fraud and where consumers have the least protection. There is no standard accepted procedure for dealing with Advance Fee Fraud and prosecuting, nor concerted efforts to stop  it, despite growing annually for more than two decades and being an entry level crime for later serious threats.

Background for confusion


Using words without knowing their meaning can only confuse people and it’s maybe a good time to  clarify this mess. We all use common terms, but we understand different things when using them. We’ll consider the term hacker.

In the real life, hacking was initially the ability of a person to mess about with something in a way to investigate it, improve it or give it a new purpose. It was neither good nor bad. Online hacking was a progression of real life hacking, messing about with the new technology.

Later a portion of hackers evolved into a movement fighting for the freedom of information and for the right of knowing what states and corporate entities tries to hide from them. It was done by gaining access to computers or networks and then viewing and copying data without the intention of destroying it or maliciously harming the computer. Sharing that information publicly was the purpose of the hacking. The perception of hacking as good or bad, depended on the type of information exposed and who was exposed in it. This was a subjective view. Obviously this was a threat to any state and made illegal.

At the same time, hacking extended into finding vulnerabilities in programs and reporting those vulnerabilities to avoid the program getting under malicious control. Allowing hacking became accepted in advanced forms of protection, counting on the help of independent people testing online platforms, interfaces or programs to identify any potential vulnerability before someone will use it maliciously.

On the opposite side there are crackers, using their technical skills to gain access to a computer or network with malicious intent, from spreading viruses or malware to stealing money or information that can be sold further for stealing money.

In and between we find the script kiddies, wanna-be hackers fooling themselves that they are hackers by obtaining software created by someone else, and using it without having any idea how the software really works.

The conflict between hackers and corporations or states resulted in hackers being labeled as bad. Even parties trying to expose flaws for better security were targeted and sometimes still are, for the embarrassment they may create. Media played a major role in this conflict creating stereotypes, either good or bad, likewise societal views on who was exposed. It took some time until the roleplayers understood the difference between various types of hackers. The final decision was more or less to work with the good hackers to stop the bad hackers. Only after this point did the media paint a different picture in the public mind. Now it was about so called “white hats” being the IT sec wizards trying to do good, and the “black hats” as the bad ones trying to harm. The damage was already done in the collective mind, unable to understand all this confusion or to make any distinction between white and black, simply using the term hacker in the negative way.

The players


Let’s look at the ones defrauding victims online and named in different ways.

Far away from this entire conflict, the scammer is usually someone without any technical skills, whose only skills are deception, holding out false promises and asking to be paid in advance for it.  The promises can be prizes, money or even fictitious love and promises of a future together. The money he steals can be used in two ways. The stupid scammer lives a lavish life, wasting the money in a bling-bling lifestyle meant  to impress others. The smarter one, while also splashing out, will use some of the stolen money to invest in something he doesn’t have to refine his fraud; knowledge and help. Where can he buy that from? From the ones knowing how to abuse the online environment to their advantage, the black hats.  

The Advance Fee Fraud seen today would be near impossible without the entire infrastructure built and created with money obtained from fraud. Stolen money is being used to pay  for fake sites used in fraud, while stolen credit cards are used to register/validate profiles online. Many of these stolen credit card details are purchased with stolen money. This money is paying for bulletproof hosting (where these providers self-blind to the numerous reports they receive) where fraudsters keep their fraudulent websites alive. This stolen money is buying privacy for the fraudster while he exposes victims details online, easy to be found by anybody knowing where to look for it and allowing further abuse of those victims. The stolen money is being used to pay for SEO campaigns, sometimes allowing fraudulent presences to be better positioned in the search engines results as the real entities. In certain countries, stolen money pays for bribes needed to keep the culprits out of jail. Fraud may even fuel a large portion of a community’s economy.


The playground


An important part of our lives is spent online. Internet commerce thrives in the good and the bad. The regular innocent Internet user is the main testing ground for anyone able to gain enough information and use it to achieve proposed goals.  

On one side of the screen we have the victim, usually alone and operating a computer, mobile phone or, to use the new phrase, Internet of Things device, without knowing exactly how that device works but  having an expectation of it working properly. He does not understand the various levels that can be compromised, rather simply trust other specialists to take care of that.

On the other side of the same screen are entire crowds of malicious parties trying to steal his money, his identity or abuse the target in some way.  

The victim may have anti-virus software able to protect him from malware or phishing, but sadly there is no software able to protect him from Advance Fee Fraud.

Internet users are the main source of identities and credentials stolen to be reused for stealing more. They are the silent majority, victims of online abuse, learning from bitter experiences that complaining will do them no good and will not solve the problem. There is no one out there to protect them despite trying to protect themselves. Even so, they share their details with other entities for online services. When an online platform, corporation or a state institution database is breached, the information stolen is that of Internet consumers using those online services.

Common internet consumers have become the training ground for cyber criminals. They are the first receivers of the phishing links when they are asked to click and confirm their login details. They are the first ones receiving documents infected with malware, dragging their devices into infrastructures of infected devices called botnets, used in more advanced types of cybercrimes. They are the testing ground for all kind of lies and pretenses. If the tests are working on them, the bad actors confidently expand the targets to higher paying targets. Typo-domains so long used against consumers are now extremely problematic in Business Email Compromise (BEC) targeting businesses with great success.


The alliance between the scammers and black hats found the average Internet users can be used and abused as pawns to protect their own anonymity and safety. Romance scams victims may receive a death sentence after being deceived into smuggling drugs, online fraud victims end up in jail after being unwitting money mules and somebody trusting the internet to find a job may be arrested for reshipping stolen goods bought with stolen money and credit cards. Innocent unwitting consumers are the pawns in criminal money laundering initiatives.

The public reaction is almost predictable, blaming and shaming the victim for believing a lie, making the victim responsible for the fraud no victim was ever asking for.  Many a time companies and even the authorities partake in this.


Behind the sceneS


The victim might be alone while communicating with a scammer, but the scammer is not alone. He is a member of a fraud syndicate. The syndicate has a whole infrastructure controlling resources and elements needed for a successful scam. The victim is profiled and analyzed prior to the fraudster starting to “work” the victim. The ring leader pays for the scripts the main scammer uses, pays for the phone numbers, mobile or VoIP. He provides the names and locations of the people receiving the stolen money for money laundering. Many of the recipients are actual victims themselves as mentioned before, having no idea they are using their real identities while laundering money for the fraudsters. The ring leader decides on domain names and pays for the domain names used to perpetrate the fraud,  also paying the ones creating websites for those domains – enter the faker maker.

The faker makers is the technical person that does everything needed to keep the required websites active, from registering the domain name, setting up email accounts, hosting and creating the website to rehosting it if the site gets suspended.  This is the real story that makes the scam succeed, that hardly ever gets told.

We have two main types of domain names used in Advance Fee Fraud:

  • Email only domains having no content:
    These domains are used for the deceptive email address such a domain can provide. The domain will typically have no matching online content, or when a party goes to the domain name in their browser, it will redirects to another legitimate website (often one being spoofed). The main deception is based upon the choice of domain name that would appear in the target victim’s email box. Any further potential online redirection after this is opportunistic to further the deception in the fraud attempt by creating a false sense of association.


  • Domains used for content:
    The content may be stolen from one or more websites, may impersonate the company it was stolen from or be stolen as a crime of convenience. However the content may be totally bespoke as well, yet deliberately deceptive nonetheless. The choice of domain name is a good indicator of intent. A totally unique name for a loan company with a domain name with the word loan in it, would be an example of common loan scam usage. Tactics may be used to hide the content from the casual passer-by. The content may be hidden in folders with an empty or blank landing page. Likewise sub-domains such as login.bad-domain.tld  as opposed to the generic bad-domain.tld may be used. The victim is sent a link in communications to the malicious website, not unlike phishing.


Fake banks


The fake bank is  used in all types of online fraud. There are two types of fake banks:

  • Fake Persona Accounts
    These are ones where the victims is asked to go and verify the “existence” of money the scammer claims to have or have access to and wants to share with the victim. These are typically used for fake accounts of dead person where the victim is asked to be next of kin of this person, or also commonly for the accounts of fake characters used in romance scams asking their victims to help them with the guarantee of a payback.


  • Personalized Accounts
    Here an account is created in the victim’s name, sometimes after being asked to create an account at the fake bank. This is used for  receiving money the scammer promised to deliver and a fictitious amount is entered into a mock accounting system to create the illusion this is real money. This usage is typically seen in lottery scams, inheritance scams, loan scams or typically where the victim expects a payment during a business transaction. An excuse always exists as to why the fraudsters can’t use the victim’s own account and a new one has to be created at the fake bank.


Fake suppliers


These fake sites impersonate a wide range of suppliers, from parties claiming to sell pets, electronic goods, though drugs and fake documents like visas and passports, to high priced items like agricultural equipment, properties, gold and precious stones.  Many of the underlying items used as bait to defraud and the methods used to target consumers, allows us to guess the origin of the fraudsters with amazing accuracy.


Fake couriers


The fake sites impersonating couriers are used in all types of online fraud. It might be used in a job scam where the victim needs to receive visa and work permit, a non-delivery scam with a victim waiting for a product bought online, where the victim believes they will receive a parcel from a loved one. In all the cases involving fake couriers, the victim will receive a link to a tracking page and login details to check the parcel status. Typically this is personal victim data entered into a mock courier database. The courier is typically used to extract more money from the victim using a myriad of excuses, also leading to impersonation of the authorities,  blackmail and extortion.


Fake authorities


Domain names  impersonating the authorities are a major part of Advance Fee Fraud and can be found in various shapes and forms, from domains impersonating law enforcement in various countries (FBI, Interpol, Homeland Security, DEA) to the United Nations, Red Cross, Embassies and lawyers. These type of sites are used mostly in recovery scams, but also in other types of scams and are meant to confirm to the victim the “legality” of the fraudster’s financial requests, many times using coercive methods. Typically the law enforcement domains will not have online websites, rather being used for email only purposes.


There will hardly ever be a single scammer dealing with a victim, nor a single fake site used. Once a victim pays up, another request follows.


We see harvesting campaigns disguised in attempted romances, https://www.scamsurvivors.com/forum/viewtopic.php?f=11&t=67919.
We see email only domains used in romance scams originating from East Europe – https://scamsurvivors.com/forum/viewtopic.php?f=17&t=42053, some having the same domain owner (registrant) as hundred of other domains, already blacklisted for spreading malware. As we can see, sometimes these may spoof well known email providers like GMail to deceive potential victims.


Cases of fake sites used for a single type of scam are the exception and not the rule. Following a complaint from a victim searching for a loan online,  we uncovered a nest of over 200 fraudulent linked domain names operated from Benin, West Africa, targeting mostly victims in Europe: https://scamsurvivors.com/forum/viewtopic.php?f=17&t=56357. After the initial nest was reported and the domain names suspended, the fraudsters moved fast to create a new nest of domains: https://scamsurvivors.com/forum/viewtopic.php?f=17&t=66895.


Mostly, what we see are fake sites used with the same victims while the fraud moves ahead. A military romance scam starting on a dating or social site will lead to a fake delivery company for example. Researching a military romance scam defrauding a victim, we identified a Nigerian fraudster whose online activity goes on since 2004, despite of all the legal ways and reports used to stop him, 314 fraudulent fake sites on our last check: https://scamsurvivors.com/forum/viewtopic.php?f=17&t=61335. This party is also using many domains registered with fake registrations claiming to be European, getting privacy protection in the new GDPR implementation, yet living in Nigeria in reality. Of late he’s been using .EU and .CA domains for his infrastructure.


In some other cases, a romance scam will lead to fake banks. Researching a scam attempt involving a fake bank, we end up with a nest of 196 fraudulent domains and websites used in online fraud orchestrated from Nigeria: https://scamsurvivors.com/forum/viewtopic.php?f=17&t=51755.

We saw web-developers from Ghana creating fraudulent domain names for Advance Fee Fraud: https://www.scamsurvivors.com/forum/viewtopic.php?f=17&t=51584.


We saw a domain used as a Keybase botnet controller, having the same registrant as few fake sites used in Advance Fee Fraud: https://www.scamsurvivors.com/forum/viewtopic.php?f=17&t=49809.


We see escrow scams operated from Eastern Europe: https://scamsurvivors.com/forum/viewtopic.php?f=17&t=67221 and https://www.scamsurvivors.com/forum/viewtopic.php?f=17&t=68767. Then we see escrow scams associated with rental scams: https://scamsurvivors.com/forum/viewtopic.php?f=17&t=65951.

There are cases of job scam domains (searching for money mules or agents for reshipping stolen goods) originating from East Europe and registered with stolen identities. Some of these domain names are used for spreading malware: https://www.scamsurvivors.com/forum/viewtopic.php?f=17&t=52014. This party has been at it since 2012, each time using another stolen identity to register hundred of new malicious domains in waves.


We saw supplier scams originating from the Cameroon: https://www.scamsurvivors.com/forum/viewtopic.php?f=17&t=52804  and https://www.scamsurvivors.com/forum/viewtopic.php?f=17&t=64402.


Sometimes, the fraudsters creating the fake sites are also impersonating fake characters in romance scams: https://www.scamsurvivors.com/forum/viewtopic.php?f=17&t=61730.  


Sometimes the people involved in the registration process of domain names are actively involved in the Advance Fee Fraud.


A Nigerian reseller living in Malaysia and targeting victims in Asian was reported at  https://scamsurvivors.com/forum/viewtopic.php?f=6&t=50138&start=20. He had his reseller account suspended due to continuous fraudulent activities, only to thereafter twice more obtain reseller accounts facilitating the same exact fraud, each wave of attacks requiring mitigation. This facilitator moved to another “tolerant” registrar providing blanket proxy protection. This fraud wave saw over 17,000 known victims targeted.


Another Nigerian living in Malaysia and targeting victims wordwide was exposed at https://scamsurvivors.com/forum/viewtopic.php?f=6&t=50348. His sites were mostly fake oil companies where the fake characters used in romance scams claimed to work, fake banks where the same fake characters pretended to have their bank accounts while spoofing real banks, showing their victims they have enough money to pay back the money they are asking for, and fake courier companies. He was reported for the first time in 2007. In 2014,  he managed to become an Internet domains reseller for various Registrars. As a reseller, he was abusing his reseller position, altering his scam site registration details, trying to cover his tracks.


There are cases of so called web-developers not only creating fake sites but also coordinating the frauds: https://scamsurvivors.com/forum/viewtopic.php?f=17&t=58291. The Decyber gang has been active since 2010. Last year, their portfolio included close to 500 fake sites. In the initial stage, they were impersonating banks and courier companies. Some of the fake banks created were using made up names, while others were impersonating real banks all over the world. In the more recent years, the fake sites maker portion of this group expanded their activity from various forms of Advance Fee Fraud to binary options fraud, phishing and also malware.  


Another case we researched, following complaints received from victims, shows how a Nigerian scam syndicate uses fake sites impersonating real owners of various US real estate companies while targeting US victims, while also simultaneously running romance, gold and loan scams: https://www.scamsurvivors.com/forum/viewtopic.php?f=17&t=67741.


The above are all only cases reported to us by victims or potential victims. Knowing how many consumer forums are actively exposing Advance Fee Fraud, we can say that the research we do is only scratching the surface. A closer look at an Advance Fee Fraud case can show how developed the fraudulent infrastructure abused is.


Victims complaining to us are also reporting the cases to their local law enforcement authorities. They are contacting their banks, showing how they got defrauded. Banks usually say the victims were negligent and there is no way they can recover the money they lost.


We, and forums similar to us, are reporting frauds and the perpetrators in an easy way for anyone searching for that information to find before being too late. Victims of identity theft are warned about having their identity stolen and used for Advance Fee Fraud. The fake sites discovered are reported to the Registrars with the needed proof showing how they are used to defraud victims online. Bank accounts used in Advance Fee Fraud are reported to the banks as money laundering information.  

In most of the cases there is little or no feedback from authorities.

Defrauding innocent victims online under false pretenses is not just a scam, it has a legal name, fraud. Orchestrated crime needs to be punished. Advance Fee Fraud is slipping through the cracks in an online toxic environment, eroding trust daily.  Advance Fee Fraud is seen as the funny Nigerian Prince, not recognized as a danger at the same level as phishing or malware, yet it holds the exact same danger for consumers and later when evolved, commerce. Advance Fee Fraud requires the threat recognition it deserves. Without acknowledging it as such, there is no awareness or willingness to prevent it, attack it, estimate its effects or even evaluate its magnitude and growth. Statistics are mere assumptions based upon willing victim reports, those brave enough to face ridicule and blaming.

Currently we are seeing formal legal procedures to mitigate bank spoofs being described as phishing, when it’s not. This also disavows much similar abuse. This causes confusion for the investigator and consumers trying to understand what is happening. Advance Fee Fraud desperately needs consistent definitions and formal recognition as an abuse threat not only undermining the integrity of consumers and the internet, but also as one undermining basic human rights.

We need consistent definitions and terms of reference. Without that, we are living in different worlds, pretending to speak the same language, but unable to understand what the other is talking about.