Advance Fee Fraud – more than a problem of semantics

Every minute of the day, somewhere in the world, someone is being defrauded online. The media, ordinary people and experts use different names for the same problem. If it happens to a business, it is called online fraud. If it targets a state, it is called cybercrime. If it targets a regular Internet user, it is called a scam.

We all agree that fraud is a crime. The rest is a matter of semantics …

The malicious parties committing fraud are also known by various names. If they target a business, they are called hackers. If they target a state, they are called cybercriminals. If they target an ordinary person, they are called scammers. The same party running the exact same malicious activity against a bank and against consumers will be considered a fraudster by the bank, but will be called a scammer by the media for targeting consumers.

We have laws against fraud, online or not, and the commercial arena invests billions each year to avoid being victimized while also proactively mitigating online threats. We also have laws against cybercrime, and governments invest billions each year to protect their interests, their institutions and their integrity. When it comes to average people defrauded online, we have a system where victims are blamed for being victims, and that is where it ends. If the victim is lucky, there might be a recognition of the abuse, but there is hardly any chance of justice or restitution unless the victim is a famous person. The laws might apply, but they do not appear to be enforced in the same way.

We have people so specialized in the online crime arena that the average Internet user cannot even begin to understand what they are talking about when they discuss online crime. Not understanding the experts leaves victims feeling inferior and even less willing to communicate with others, or even with the experts. Most of the experts speak from a commercial or governmental interest. Victims of Advance Fee Fraud are not part of that arena. Ironically, most of the experts do not even understand the convoluted details of Advance Fee Fraud.

We have financial systems operating in an online environment that try to shift responsibility for risk and loss to anyone else if possible, instead of implementing effective measures to avoid and prevent online abuse and fraud. We see the same blame-shifting paradigm at the providers of online services.

On the other hand, we have unrecognized yet knowledgeable people trying to warn others and save them from fraud by exposing online fraud. This is done to promote consumer protection. Sadly, their good intentions are not enough most of the time. They cannot do more than expose the cyber fraud, proactively report it to those whose services are abused, and attempt to escalate such cases to the appropriate authorities after a fraud incident. By then consumer protection is too late, and we are trying to pick up the pieces after protection has failed.

In this equation we have the law enforcement authorities, established to protect their citizens from any form of abuse and usually failing for reasons that have nothing to do with their mission: jurisdictional problems, lack of resources, or lack of verifiable information about online crimes. Then other factors, intended to protect their finite capacity, come into play: the typical threshold of a loss above or below a certain amount, and the focus on the statistically most serious and most reported threats, while less reported online fraud slips through the cracks. In the meantime they are also forced to deal with physical-world offences that need to be solved.

Basic online badness

Using the Internet to obtain somebody else’s money illegitimately can take many forms. There is malware that infects the victim’s computer and encrypts it for ransom, or that gains access to the victim’s data without their consent or knowledge, with the intention of reusing that data to defraud the owner of the computer, their network or their friends.

In phishing we encounter a malicious link or email impersonating a real entity with the purpose of harvesting login credentials (passwords, usernames or similar authentication factors we use to identify ourselves to an online service), compromising our email address, our profile on a social platform, our bank account, our credit card details or any other of our online activities.

Then we encounter Advance Fee Fraud: a lie based on offering something that does not exist, with the victim having to pay upfront to obtain it.

We have clear statistics for malware and phishing. Yet when it comes to Advance Fee Fraud, nothing is clear. While we may have a generally accepted definition of it, many of the elements used in Advance Fee Fraud are incorrectly labeled as phishing. Many of its elements are not even recognized as fraud, but rather considered social engineering. It is one of the most under-reported areas of online fraud and the one where consumers have the least protection. There is no standard accepted procedure for dealing with and prosecuting Advance Fee Fraud, nor any concerted effort to stop it, despite it growing annually for more than two decades and being an entry-level crime for later, more serious threats.

Background for confusion

Using words without knowing their meaning can only confuse people, and it is maybe a good time to clarify this mess. We all use common terms, but we understand different things when using them. Consider the term hacker.

In real life, hacking was initially the ability of a person to mess about with something in order to investigate it, improve it or give it a new purpose. It was neither good nor bad. Online hacking was a progression of real-life hacking: messing about with the new technology.

Later a portion of hackers evolved into a movement fighting for freedom of information and for the right to know what states and corporate entities try to hide from them. This was done by gaining access to computers or networks and then viewing and copying data, without the intention of destroying it or maliciously harming the computer. Sharing that information publicly was the purpose of the hacking. Whether the hacking was perceived as good or bad depended on the type of information exposed and on who was exposed by it; this was a subjective view. Obviously this was a threat to any state, and it was made illegal.

At the same time, hacking extended into finding vulnerabilities in programs and reporting them, to avoid the program falling under malicious control. Allowing such hacking became accepted as an advanced form of protection, counting on the help of independent people testing online platforms, interfaces or programs to identify any potential vulnerability before someone uses it maliciously.

On the opposite side there are crackers, using their technical skills to gain access to a computer or network with malicious intent, from spreading viruses or malware to stealing money, or stealing information that can be sold on for stealing money.

In between we find the script kiddies: wannabe hackers fooling themselves that they are hackers by obtaining software created by someone else and using it without having any idea how the software really works.

The conflict between hackers and corporations or states resulted in hackers being labeled as bad. Even parties trying to expose flaws for better security were targeted, and sometimes still are, for the embarrassment they may create. The media played a major role in this conflict, creating stereotypes, either good or bad, much like society’s views on whoever was exposed. It took some time until the players understood the difference between the various types of hackers. The final decision was more or less to work with the good hackers to stop the bad hackers. Only after this point did the media paint a different picture in the public mind: now it was about so-called “white hats”, the IT security wizards trying to do good, and “black hats”, the bad ones trying to harm. The damage was already done in the collective mind, unable to understand all this confusion or to make any distinction between white and black, and simply using the term hacker in the negative sense.

The players

Let’s look at the ones defrauding victims online and named in different ways.

Far away from this entire conflict, the scammer is usually someone without any technical skills, whose only skills are deception, holding out false promises and asking to be paid in advance for them. The promises can be prizes, money or even fictitious love and promises of a future together. The money he steals can be used in two ways. The stupid scammer lives a lavish life, wasting the money on a bling-bling lifestyle meant to impress others. The smarter one, while also splashing out, will use some of the stolen money to invest in something he does not have in order to refine his fraud: knowledge and help. Where can he buy that? From the ones who know how to abuse the online environment to their advantage, the black hats.

The Advance Fee Fraud seen today would be near impossible without the entire infrastructure built with money obtained from fraud. Stolen money pays for the fake sites used in fraud, while stolen credit cards are used to register and validate profiles online. Many of these stolen credit card details are themselves purchased with stolen money. This money pays for bulletproof hosting (providers that blind themselves to the numerous reports they receive), where fraudsters keep their fraudulent websites alive. This stolen money buys privacy for the fraudster while he exposes his victims’ details online, easy to find by anybody who knows where to look for them, allowing further abuse of those victims. The stolen money pays for SEO campaigns, sometimes allowing fraudulent presences to be positioned better in search engine results than the real entities. In certain countries, stolen money pays for the bribes needed to keep the culprits out of jail. Fraud may even fuel a large portion of a community’s economy.

The playground

An important part of our lives is spent online. Internet commerce thrives, in the good and in the bad. The regular, innocent Internet user is the main testing ground for anyone able to gather enough information about them and use it to achieve their goals.

On one side of the screen we have the victim, usually alone and operating a computer, mobile phone or, to use the new phrase, Internet of Things device, without knowing exactly how that device works but having an expectation of it working properly. He does not understand the various levels that can be compromised, but simply trusts other specialists to take care of that.

On the other side of the same screen are entire crowds of malicious parties trying to steal his money or his identity, or to abuse him in some other way.

The victim may have anti-virus software able to protect him from malware or phishing, but sadly there is no software able to protect him from Advance Fee Fraud.

Internet users are the main source of identities and credentials stolen to be reused for stealing more. They are the silent majority, victims of online abuse, learning from bitter experience that complaining does them no good and does not solve the problem. There is no one out there to protect them, however hard they try to protect themselves. Even so, they share their details with other entities in exchange for online services. When an online platform, corporation or state institution database is breached, the information stolen is that of the Internet consumers using those online services.

Common Internet consumers have become the training ground for cyber criminals. They are the first to receive the phishing links asking them to click and confirm their login details. They are the first to receive documents infected with malware, dragging their devices into infrastructures of infected devices called botnets, used in more advanced types of cybercrime. They are the testing ground for all kinds of lies and pretences. If the tests work on them, the bad actors confidently expand to higher-paying targets. Typo-domains, long used against consumers, are now extremely problematic in Business Email Compromise (BEC), where they target businesses with great success.
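
The typo-domain problem is mechanically detectable on the receiving side. What follows is an added example, not code from the original article or from scamsurvivors.com, of the check a mail gateway or an analyst can run against a short list of domains worth protecting: it compares the sender's registrable name with each protected name exactly, after collapsing separators and visually confusable character sequences, and finally by edit distance with adjacent transpositions. The protected domains (example-corp.com, examplebank.co.uk) and the sample senders are constructed; the homoglyph table, the public-suffix shortlist and the distance threshold are assumptions to be tuned against real mail flow.

```python
"""Lookalike (typo-domain) detection against a list of protected domains.

Added example; the protected domains, the sample senders, the homoglyph
table and the distance threshold are constructed assumptions to be tuned.
"""
from __future__ import annotations

# Constructed list of domains a business or mail gateway wants to protect.
PROTECTED = ["example-corp.com", "examplebank.co.uk"]

# Two-label public suffixes recognised so that examplebank.co.uk yields the
# name "examplebank". Short assumed list; a real tool uses the Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.za", "com.ng"}

# Character sequences that read like another character in common fonts (assumed table).
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "|": "l", "3": "e", "5": "s", "cl": "d"}


def split_domain(domain: str) -> tuple[str, str]:
    """Return (registrable label, public suffix) for a domain or host name."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return labels[-3], ".".join(labels[-2:])
    if len(labels) >= 2:
        return labels[-2], labels[-1]
    return labels[0], ""


def skeleton(label: str) -> str:
    """Collapse separators and homoglyphs: 'exarnple-corp' -> 'examplecorp'."""
    s = label.lower().replace("-", "").replace("_", "")
    for seq, repl in HOMOGLYPHS.items():
        s = s.replace(seq, repl)
    return s


def damerau_levenshtein(a: str, b: str) -> int:
    """Edit distance counting insertion, deletion, substitution and adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def classify_sender(domain: str, protected=PROTECTED, max_distance: int = 1) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'trusted', 'lookalike' or 'unrelated'."""
    label, suffix = split_domain(domain)
    for good in protected:
        g_label, g_suffix = split_domain(good)
        if label == g_label and suffix == g_suffix:
            return "trusted", f"exact match for {good}"
        if label == g_label:
            return "lookalike", f"same name as {good} under a different suffix (.{suffix})"
        if skeleton(label) == skeleton(g_label):
            return "lookalike", f"homoglyph or separator variant of {good}"
        if damerau_levenshtein(label, g_label) <= max_distance:
            return "lookalike", f"within edit distance {max_distance} of {good}"
    return "unrelated", "no protected domain resembles this sender"


if __name__ == "__main__":
    # Constructed senders: the first is genuine, the rest are typo-domain styles.
    for sender in ["example-corp.com", "exarnple-corp.com", "examplecorp.com",
                   "example-corp.co", "exampel-corp.com", "examp1e-corp.com",
                   "unrelated-vendor.net"]:
        verdict, reason = classify_sender(sender)
        print(f"{verdict:10} {sender:24} {reason}")
```

In practice the verdict feeds a quarantine or a visible warning rather than a hard block, since a genuine supplier's domain can also sit one edit away from a protected name; the same comparison is worth running on the display-name part of the From header, which is where many BEC lures carry the spoofed brand.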


The alliance between scammers and black hats found that average Internet users can be used and abused as pawns to protect the criminals’ own anonymity and safety. Romance scam victims may receive a death sentence after being deceived into smuggling drugs, online fraud victims end up in jail after being unwitting money mules, and somebody trusting the Internet to find a job may be arrested for reshipping stolen goods bought with stolen money and stolen credit cards. Innocent, unwitting consumers are the pawns in criminal money laundering.

The public reaction is almost predictable: blaming and shaming the victim for believing a lie, making the victim responsible for a fraud no victim ever asked for. Many a time companies and even the authorities partake in this.

Behind the scenes

The victim might be alone while communicating with a scammer, but the scammer is not alone. He is a member of a fraud syndicate. The syndicate has a whole infrastructure controlling the resources and elements needed for a successful scam. The victim is profiled and analyzed before the fraudster starts to “work” the victim. The ring leader pays for the scripts the main scammer uses and pays for the phone numbers, mobile or VoIP. He provides the names and locations of the people receiving the stolen money for money laundering. Many of the recipients are actual victims themselves, as mentioned before, having no idea they are using their real identities to launder money for the fraudsters. The ring leader decides on domain names and pays for the domain names used to perpetrate the fraud, also paying the ones creating websites for those domains. Enter the faker maker.

The faker maker is the technical person who does everything needed to keep the required websites active, from registering the domain name, setting up email accounts, hosting and creating the website, to rehosting it if the site gets suspended. This is the real story that makes the scam succeed, and it hardly ever gets told.

We have two main types of domain names used in Advance Fee Fraud:

  • Email only domains having no content:
    These domains are used for the deceptive email address such a domain can provide. The domain will typically have no matching online content, or, when a party visits the domain name in their browser, it will redirect to another, legitimate website (often the one being spoofed). The main deception is based on the choice of domain name that appears in the target victim’s inbox. Any further online redirection after this is opportunistic, furthering the deception by creating a false sense of association.

  • Domains used for content:
    The content may be stolen from one or more websites, may impersonate the company it was stolen from, or may be stolen simply as a matter of convenience. The content may also be entirely bespoke, yet deliberately deceptive nonetheless. The choice of domain name is a good indicator of intent: a totally unique name for a loan company, with the word loan in the domain name, would be an example of common loan scam usage. Tactics may be used to hide the content from the casual passer-by. The content may be hidden in folders behind an empty or blank landing page. Likewise, sub-domains such as login.bad-domain.tld, as opposed to the generic bad-domain.tld, may be used. The victim is sent a link to the malicious website in communications, not unlike phishing.


Fake banks

The fake bank is used in all types of online fraud. There are two types of fake banks:

  • Fake Persona Accounts
    These are accounts the victim is asked to visit in order to verify the “existence” of money the scammer claims to have, or to have access to, and wants to share with the victim. They are typically used for the fake accounts of a deceased person, where the victim is asked to pose as that person’s next of kin, or, also commonly, for the accounts of fake characters used in romance scams who ask their victims for help with the guarantee of a payback.

  • Personalized Accounts
    Here an account is created in the victim’s name, sometimes after the victim is asked to open an account at the fake bank. This is used for receiving the money the scammer promised to deliver; a fictitious amount is entered into a mock accounting system to create the illusion that this is real money. This usage is typically seen in lottery scams, inheritance scams, loan scams, or generally wherever the victim expects a payment during a business transaction. An excuse always exists as to why the fraudsters cannot use the victim’s own account and a new one has to be created at the fake bank.


Fake suppliers

These fake sites impersonate a wide range of suppliers, from parties claiming to sell pets and electronic goods, through drugs and fake documents like visas and passports, to high-priced items like agricultural equipment, property, gold and precious stones. Many of the underlying items used as bait, and the methods used to target consumers, allow us to guess the origin of the fraudsters with surprising accuracy.

Fake couriers

The fake sites impersonating couriers are used in all types of online fraud. They might be used in a job scam where the victim needs to receive a visa and work permit, in a non-delivery scam where the victim is waiting for a product bought online, or where the victim believes they will receive a parcel from a loved one. In all cases involving fake couriers, the victim receives a link to a tracking page and login details to check the parcel status. Typically this is the victim’s personal data entered into a mock courier database. The courier is typically used to extract more money from the victim using a myriad of excuses, also leading to impersonation of the authorities, blackmail and extortion.

Fake authorities

Domain names impersonating the authorities are a major part of Advance Fee Fraud and can be found in various shapes and forms, from domains impersonating law enforcement in various countries (FBI, Interpol, Homeland Security, DEA) to the United Nations, the Red Cross, embassies and lawyers. These types of sites are used mostly in recovery scams, but also in other types of scams, and are meant to confirm to the victim the “legality” of the fraudster’s financial requests, many times using coercive methods. Typically the law enforcement domains have no website at all and are used for email only.

There will hardly ever be a single scammer dealing with a victim, nor a single fake site used. Once a victim pays up, another request follows.

We see harvesting campaigns disguised as attempted romances: https://www.scamsurvivors.com/forum/viewtopic.php?f=11&t=67919.
We see email-only domains used in romance scams originating from Eastern Europe (https://scamsurvivors.com/forum/viewtopic.php?f=17&t=42053), some having the same domain owner (registrant) as hundreds of other domains already blacklisted for spreading malware. As we can see, sometimes these may spoof well-known email providers like Gmail to deceive potential victims.

Cases of fake sites used for a single type of scam are the exception, not the rule. Following a complaint from a victim searching for a loan online, we uncovered a nest of over 200 linked fraudulent domain names operated from Benin, West Africa, targeting mostly victims in Europe: https://scamsurvivors.com/forum/viewtopic.php?f=17&t=56357. After the initial nest was reported and the domain names suspended, the fraudsters moved fast to create a new nest of domains: https://scamsurvivors.com/forum/viewtopic.php?f=17&t=66895.

Mostly, what we see are fake sites used against the same victims as the fraud moves ahead. A military romance scam starting on a dating or social site will lead to a fake delivery company, for example. Researching a military romance scam defrauding a victim, we identified a Nigerian fraudster whose online activity has been going on since 2004 despite all the legal means and reports used to stop him, with 314 fraudulent fake sites at our last check: https://scamsurvivors.com/forum/viewtopic.php?f=17&t=61335. This party also uses many domains registered with fake registration details claiming to be European, obtaining privacy protection under the new GDPR implementation while living in Nigeria in reality. Of late he has been using .EU and .CA domains for his infrastructure.

In other cases, a romance scam will lead to fake banks. Researching a scam attempt involving a fake bank, we ended up with a nest of 196 fraudulent domains and websites used in online fraud orchestrated from Nigeria: https://scamsurvivors.com/forum/viewtopic.php?f=17&t=51755.

We saw web developers from Ghana creating fraudulent domain names for Advance Fee Fraud: https://www.scamsurvivors.com/forum/viewtopic.php?f=17&t=51584.

We saw a domain used as a Keybase botnet controller that had the same registrant as a few fake sites used in Advance Fee Fraud: https://www.scamsurvivors.com/forum/viewtopic.php?f=17&t=49809.

We see escrow scams operated from Eastern Europe: https://scamsurvivors.com/forum/viewtopic.php?f=17&t=67221 and https://www.scamsurvivors.com/forum/viewtopic.php?f=17&t=68767. Then we see escrow scams associated with rental scams: https://scamsurvivors.com/forum/viewtopic.php?f=17&t=65951.

There are cases of job scam domains (recruiting money mules or agents for reshipping stolen goods) originating from Eastern Europe and registered with stolen identities. Some of these domain names are used for spreading malware: https://www.scamsurvivors.com/forum/viewtopic.php?f=17&t=52014. This party has been at it since 2012, each time using another stolen identity to register hundreds of new malicious domains in waves.

We saw supplier scams originating from Cameroon: https://www.scamsurvivors.com/forum/viewtopic.php?f=17&t=52804 and https://www.scamsurvivors.com/forum/viewtopic.php?f=17&t=64402.

Sometimes the fraudsters creating the fake sites are also impersonating the fake characters in romance scams: https://www.scamsurvivors.com/forum/viewtopic.php?f=17&t=61730.

Sometimes the people involved in the domain name registration process are themselves actively involved in the Advance Fee Fraud.

A Nigerian reseller living in Malaysia and targeting victims in Asia was reported at https://scamsurvivors.com/forum/viewtopic.php?f=6&t=50138&start=20. He had his reseller account suspended due to continuous fraudulent activity, only to obtain reseller accounts twice more thereafter, facilitating the exact same fraud, with each wave of attacks requiring mitigation. This facilitator then moved to another “tolerant” registrar providing blanket proxy protection. This fraud wave saw over 17,000 known victims targeted.

Another Nigerian living in Malaysia and targeting victims worldwide was exposed at https://scamsurvivors.com/forum/viewtopic.php?f=6&t=50348. His sites were mostly fake oil companies where the fake characters used in romance scams claimed to work, fake banks (spoofing real banks) where the same fake characters pretended to hold their accounts, showing their victims they had enough money to pay back what they were asking for, and fake courier companies. He was reported for the first time in 2007. In 2014, he managed to become an Internet domain reseller for various registrars. As a reseller, he abused his position, altering the registration details of his scam sites to cover his tracks.

There are cases of so-called web developers not only creating fake sites but also coordinating the frauds: https://scamsurvivors.com/forum/viewtopic.php?f=17&t=58291. The Decyber gang has been active since 2010. Last year, their portfolio included close to 500 fake sites. In the initial stage, they were impersonating banks and courier companies. Some of the fake banks used made-up names, while others impersonated real banks all over the world. In more recent years, the fake-site-making part of this group expanded its activity from various forms of Advance Fee Fraud to binary options fraud, phishing and malware.

Another case we researched, following complaints received from victims, shows how a Nigerian scam syndicate uses fake sites impersonating the real owners of various US real estate companies to target US victims, while simultaneously running romance, gold and loan scams: https://www.scamsurvivors.com/forum/viewtopic.php?f=17&t=67741.

The above are only cases reported to us by victims or potential victims. Knowing how many consumer forums are actively exposing Advance Fee Fraud, we can say that the research we do is only scratching the surface. A closer look at an Advance Fee Fraud case shows how developed the abused fraudulent infrastructure is.

Victims complaining to us also report the cases to their local law enforcement authorities. They contact their banks, showing how they were defrauded. Banks usually say the victims were negligent and there is no way to recover the money they lost.

We, and forums similar to ours, report frauds and their perpetrators in a way that is easy to find for anyone searching for that information before it is too late. Victims of identity theft are warned that their identity has been stolen and used for Advance Fee Fraud. The fake sites discovered are reported to the registrars with the proof needed to show how they are used to defraud victims online. Bank accounts used in Advance Fee Fraud are reported to the banks as money laundering information.

In most of the cases there is little or no feedback from authorities.

Defrauding innocent victims online under false pretences is not just a scam; it has a legal name: fraud. Orchestrated crime needs to be punished. Advance Fee Fraud is slipping through the cracks in a toxic online environment, eroding trust daily. Advance Fee Fraud is seen as the funny Nigerian Prince and not recognized as a danger on the same level as phishing or malware, yet it holds exactly the same danger for consumers and, once it evolves, for commerce. Advance Fee Fraud requires the threat recognition it deserves. Without acknowledging it as such, there is no awareness or willingness to prevent it, attack it, estimate its effects, or even evaluate its magnitude and growth. Statistics are mere assumptions based on reports from willing victims, those brave enough to face ridicule and blame.

Currently we are seeing formal legal procedures to mitigate bank spoofs being described as phishing, when they are not. This also leaves much similar abuse unacknowledged, and it causes confusion for investigators and for consumers trying to understand what is happening. Advance Fee Fraud desperately needs consistent definitions and formal recognition as an abuse threat that not only undermines the integrity of consumers and the Internet, but also undermines basic human rights.

We need consistent definitions and terms of reference. Without that, we are living in different worlds, pretending to speak the same language, but unable to understand what the other is talking about.

Protection for fraud?

In recent months many articles have been published about the new General Data Protection Regulation (GDPR) and its effects on how the Internet as we knew it will work after May 25.

We are reading “data protection for all individuals”, which means consumers of Internet products provided by companies with an online presence.

The GDPR attempts to solve a problem that has escalated over time: the lack of responsibility for personal privacy shown with each and every breach of a high-profile company site, ending with a dump of the clients’ personal details offered for sale on the dark web. Sadly, the solution is only a partial one, where the real companies are expected to do more to protect their clients’ privacy. Cases like Equifax or Ashley Madison, and even Facebook, are just recent examples of how badly things may end for a consumer when the company declines any responsibility. Under the new regulations, a real company can be fined for not respecting the privacy of its clients. But what about a fake company, active online, stripping its victims of any privacy while defrauding them?

The new regulation does not have a single section dealing with cybercrime. It needs provisions making it clear that there is no privacy for online fraud.

The consumer (the average user of the Internet) is targeted on multiple fronts, starting with fake accounts set up on reputable companies’ sites and ending with fraudulent websites. The fake characters and the fraudulent websites have something in common: both pretend to be something or someone they are not, while defrauding people who are unaware they are communicating with a fake online entity.

Fake accounts

Most reputable sites use disclaimers to avoid any responsibility when a consumer is defrauded through the use of their services. Others (a small minority) post blacklists of fraudsters, including the details used to register the fake and fraudulent profiles (email addresses, phone numbers, IP addresses). There is no common way of dealing with these cases, and most of the details of the fraudulent profiles and accounts are deleted without being preserved. Not saving those elements in a standard way makes it impossible to predict or prevent any fraud, and makes any cyber hygiene impossible in the online environment. Aggravating this, even if a reputable site removes the fake account of a fraudulent entity, other sites will not be aware of it, and that fraudulent entity can act and victimize consumers on another similar website.

The fake accounts problem affects everything online: classifieds (eBay, Amazon etc.), social sites (Facebook, Twitter etc.), dating sites, and even search engines or YouTube. The entire Internet infrastructure is corrupted and poisoned by fraudulent activities tolerated and ignored by the ones supposedly able to clean their own online space, but not doing it properly. Everywhere online, the user is asked to flag or report fake profiles, inappropriate content or abuse; in most cases that is the only way of removing badness. Many of these reports are ignored. What about the websites’ and platforms’ own responsibility? None.

There need to be clear rules for this area, and those rules need to be implemented in a uniform and consistent way. There also needs to be responsibility for the way someone abuses the services provided in order to commit fraud, as well as accountability for the platforms that allow those fake profiles to use their services while defrauding other users, if the reports are ignored.

Fake sites

The fake website problem is another fraud on a different level. A fake website is created based on lies; a lie about who the entity owning that site is, a lie about what that site is doing, a lie about what that site asks for, and/or has to offer.

Fake sites and domains come in all shapes and forms. Some are used in Advance Fee Fraud (AFF), some are mixing the AFF area with phishing, some are mixing AFF with spreading malware, and some are used for Business Email Compromise (BEC). While there are fake websites with malicious domains using fraudulent content to deceive, there are domain names with no content actively used in other fraudulent activities online (for example, domains created only for the email address).

Thinking logically, we would assume that once reported for being involved in cybercrime, a fraudulent domain name would never be online again. Practice shows otherwise. Suspended by a registrar, the very same domain can be recycled after a while, sometimes even re-registered with the exact same registrar. In theory, the regulators assume the domain name will be used in good faith, but let’s be honest: how many real, normal people have a legitimate reason to use a domain name similar to a bank or company name, or even to have their own FBI or DEA?

No Registrar, not even ICANN, keeps a blacklist of the domain names suspended for being used in fraudulent activities, nor a list of the parties serially abusing the domain name system by registering such domains. Those elements are never shared between Registrars, although sharing them would stop a bad actor from abusing the domain name system when registering domain names. Those details are hardly ever shared with law enforcement, despite fraud being committed. Sharing them would prevent the re-use of the same domain names for other frauds. It would also avoid the “bad domain history” problem for an honest person trying to buy a domain name in good faith, without having any idea what type of activity that domain was used for before. Again, basic cyber hygiene is totally ignored, and the reason is simple: to register a domain name, the registrant has to pay a fee. As long as the money is paid, no one seems to care how valid the registration details are, despite policies pretending otherwise. Nobody seems to care how “clean” the money is, whether it was obtained from online fraud, or whether the domain name is used to perpetrate more online fraud. It makes no difference. From the GDPR point of view, the bad actor registering fake sites used in fraud becomes a private person using the services provided by an online active company – ICANN and the Registrars.

Theoretically speaking, there are procedures to be followed for mitigating online fraud. Those procedures might look great, but as long as applying them is optional and inconsistent from one Internet services entity to another, the entire “due diligence” becomes a bad joke at the expense of consumers.

Recently, the bad joke expanded into a concentrated effort to hijack the EU’s forthcoming GDPR laws to the detriment of consumers. The main area where these actions happen targets the online presence of domain names, regulated by ICANN, and more specifically the WHOIS (registration) details of domain names active online. For the “public good”, the identities of people registering domain names will become hidden. No difference is made between real entities and fake ones, natural persons and businesses. There is also no mention of the responsibility after reporting the domains used for fraud. There is no accountability for the groups responsible for checking before the fake entities become active online.

Before the GDPR, it was possible to use a proactive approach to identify bad actors registering fake sites before a victim gets defrauded, and to act on specific elements to get those domain names suspended. After GDPR, this will be harder to do, and those basic elements will not be available anymore. A potential victim searching for a loan, checking the WHOIS record for the company promising that loan, then seeing it was registered in Benin can avoid the fraud attempt. Another potential victim checking a potential business partner that pretends, also on its website, to be in Europe while being registered in Nigeria can also avoid the trap. This will become impossible when there is effectively nothing left to check.

Online fraud costs society over a hundred billion dollars in losses each year. Online fraud creates a major disruption at all levels of society. Instead of a proactive approach meant to stop online fraud, we see only shields built to avoid responsibility. The ones paying the price are the regular users of the Internet, and their opinion doesn’t matter – they are only statistical quantities, justifying actions twisted to serve commercial goals.

An example:

http://www.dailymail.co.uk/news/article-5570959/Just-one-100-crimes-web-ends-conviction.html
Only one percent of cases reported to the UK authorities result in prosecution, yet less than ten percent get reported. This means that only 0.1% of cyber-fraud cases are resolved. Or, to put it another way, 99.9% of cyber fraudsters are never apprehended and remain successful.

Some real statistics:
Less than 400 million domain owners are protected, at the risk of more than 7 billion users, by a group of countries making up less than 8% of the world’s population, denying over 92% some of their basic human rights. Commercial interests and political ego games are more important than consumer protection.

The Internet is becoming an increasingly hostile territory for the regular user. There is decreasing trust in anything happening online, and more and more people are paying the price for regulators ignoring online fraud. That lack of trust in online activities expands into the real world. It is time to bring the Internet back to what it was supposed to be: a safe place for the ones using it. The proposed GDPR implementation in WHOIS creates a lack of transparency, and denies regular users a valid option for doing due diligence to protect themselves. This is not the way to achieve the goal of privacy, nor consumer protection.

Let’s stop pretending.

We live in a world of double standards. When a woman is raped, there will be voices blaming her for the clothes she wore or for her way of being. “She was asking for it”. On the other hand, if the woman is a celebrity, there will be enough fuss for society to do something about it and punish the culprit, even if the law cannot do it. If an old man gets beaten black and blue on the street by a gang of drunken youngsters, there will be voices blaming him for being in the wrong place at the wrong time, and maybe for doing something to antagonize his aggressors. If someone gets his wallet stolen in a crowded place, there will be voices saying “it was his fault” or “he was careless”. At the same time, if a theft affects a big company or a public figure, you will see all the legal authorities jumping in and trying their best to solve the case and punish the culprit. The perception changes only if the victim is someone you know and care about, but who cares about an ordinary person except the family and friends circle? How many people even know if their friend or family member was a victim of such events?

It’s easy to judge things you don’t understand. An online fraud is an aggression ending in theft. Any online fraud is a mental rape of the victim. Despite claims of having a social system built to punish these types of actions, that system works perfectly in a single direction: finding excuses for doing nothing. Instead of support and help, all the victims get is blame.

The real world and the scam world are parallel universes, with enough connections forcing changes from one to another.  The lack of victim protection in the real world created a scam world where every fraudster knows he can do whatever he wants without being punished.

When it comes to online fraud, everybody remembers only the funny things showing how stupid the scammers are. If the scammers are so stupid, what do you call someone who really believes their lies? We have an ignored equation here. For every stupid scammer making people laugh, there are thousands of others learning from that one stupid scammer’s mistake. Even that stupid one would not be doing it if there were no money he could earn from it. In his society, each successful scammer is a role model – as long as he is not caught.

In Malta a few days ago, a magistrate judging a get-rich type of scam said in court: “You must be an imbecile to invest in these scams. The law ends up defending imbeciles,” (…) “I want to tell these people to be careful and not come to us after getting bitten.”

According to a study recently made by Barclays, “the average UK adult is a victim of fraud twice in their lives and will have been targeted 11 times in the past year.” (…) “The words “stupid” and “angry” are commonly used.” (…) “Victims of fraud reported feeling stupid (31 per cent), victimised (23 per cent), helpless (13 per cent) and gullible (12 per cent). As a result, the effect online fraud has on a victim’s life is profound as over half (52 per cent) kept it a secret from their friends and family. Furthermore, a quarter (25 per cent) didn’t confide in their partner and five per cent actually ended up splitting up, following the scam.”

Online fraud costs society over a hundred billion dollars in losses each year. Online fraud creates a major disruption at all levels of society. Instead of a proactive approach meant to stop the fraud, we see only shields built to avoid responsibility.

In the real world, the banks will say they educate their users to prevent them from becoming victims, and that they have no legal obligation to return a victim’s losses if that victim decided to pay a fraudster. Online platforms like social, professional or dating sites have huge disclaimers forcing their users to accept that the site has no responsibility if anyone gets scammed on their platforms. Law enforcement will usually say they have no jurisdiction overseas, and since the victim is in one country and the scammer in another, there is not much they can do.

In the scam world, the infrastructure of online fraud – fake profiles, virtual phone numbers, email addresses, fake sites – expands because there are no valid and functional mechanisms in place to stop fraudsters from using it to their own advantage. For every cent an online fraudster gets, there is a real person losing it. Again, we are talking about over a hundred billion dollars, with the amount increasing year after year.

There is an entire parallel “industry” of pretend organisations, agencies and so-called private detective groups offering help and support only if the victim can afford to pay for it. With few exceptions, this is just another scam on a victim who might have already lost everything and is desperately searching for a way to solve the problems the fraudsters left them with.

Most online frauds are never reported to anyone. Firstly, because society abandoned the victim and there is nothing left for that victim to recover – blame and shame will never do any good to anyone. Secondly, because the ones indirectly helping the scammer to defraud victims will do nothing to stop the methods the fraudsters use to leave their victims penniless. In time, this situation will backfire and we will have more and more victims paying the price for a society so busy pretending that it has forgotten its basic purpose: defending its citizens. From a legal point of view, an unreported crime means there is no crime – easy to pretend no one needs to do anything about it.

The victims of online fraud are part of a silent community, while each unreported online fraud gives the scammer what he needs: time to develop and grow to a level where he not only learns how to hide better, but also how to defraud better. Keeping quiet about it only aggravates the situation. Until society and its so-called defence mechanisms work properly – if that ever happens – the victims have just one way of solving the problem: speak. Remember that the scammer you don’t expose today will create more victims tomorrow. If we stop pretending that we are not victims and talk about it, in time maybe others will be able to do so as well.