SHOULD YOU SCAM THE SCAMMERS?
These people do
The email begins: “Dear beneficiary, we have this day received an instruction from the United Nations and World Bank to credit your account with compensation funds of $2million. Please send us the activation fee of $120”.
You’re not fooled, of course, but many are. Every year, hundreds of thousands of victims respond to emails like this, contacting the senders as requested and then handing over fees to “release” windfalls that don’t exist. The only real beneficiary is the scammer, or the crime boss who employed him.
Their crimes are devastatingly successful. According to Get Safe Online ( www.getsafeonline.org) and the National Fraud Intelligence Bureau (NFIB), scams cost UK PC users £11 billion last year – and that’s just the official figure. Plenty more cases of online fraud go unreported because victims, unsure of where to turn, say nothing to the authorities.
But some computer users are fighting back. A growing army of anti-scammers is setting out to sabotage scams by posing as victims, then playing the scammers at their own game. We spoke to these so-called ‘scambaiters’ to discover what happens when you scam scammers and to spell out the risks for anyone wanting to follow their example.
Play with a straight bait
‘Straight baiting’ is when you pose as a victim in order to collect information about a scammer. Ring the number in a scam email – making sure you can’t be traced (see next section) – and play it straight. The scammer will follow a script designed to extract money from you, perhaps by asking you to send cash to a specific account or online banking service. Record the call or write down everything that’s said, and then post the script on a scam-exposing website such as Scam Survivors ( www.scamsurvivors.com, see screenshot above) or Scamwarners ( www. scamwarners.com). Now if someone receives a similar email, they can enter its details into a Google search, find your report and avoid being scammed.
“Getting the information out there is the number one way to disrupt scammers,” Scam Survivors founder Wayne May told us. “Collect the email address, the script, and any fake documents they try to scam you with. Put all that stuff out there so other people can be warned.”
You may even be able to reveal the criminals’ personal details. “It is possible,” insists Wayne. “We’re not hacking, just looking for clues. For example, a scammer might include the same phone number he used to create his Facebook account, so you just search for it in Facebook and there he or she is.”
Official advice is to pass all information to the police, using the Action Fraud website ( www.actionfraud.police.uk). “If you’re going to do this a lot, get a relationship going with the police,” former policeman and Get Safe Online spokesman Tony Neate told us. “Scammers are arrested, regularly. When they’re caught, they’re caught big time.”
Ensure you’re anonymous
If you respond to a scammer using your actual details, the best that can happen is you’re added to a ‘suckers’ list’ – a database of potential targets held by scammers that’s then bought, sold and shared on the dark net.
In the very worst-case scenarios, being on such a list might not only risk your bank account, but potentially your life. Wayne May is now one of the UK’S most prolific scambaiters, but when he started 12 years ago he made a serious schoolboy error. “At first I’d just reply using my own email,” Wayne told us. He quickly changed his tactics. “I created a new email account with a fake name and an untraceable phone number, then used it to join online guestbooks.” That got him added to various suckers lists, so the scams soon started rolling in.
Even though he hid his identity when responding to scam emails, it didn’t take long for Wayne to start receiving death threats, and a shocking threat of sexual violence against his elderly mother. The Scam Survivors site itself is constantly under attack as well. It’s regularly hit by DDOS attacks, designed to make it inaccessible to the public – a reminder that there’s significant overlap between scammers and hackers.
If you’re tempted to try scambaiting, make sure you can’t be tracked. Never use your real name or phone number. When responding to an email, use a disposable address from a free service such as Trashmail ( https://trashmail.com).
Wayne also calls scammers using Skype, which now supports proxy servers such as Hide My Ass ( www.hidemyass. com/proxy) and VPN tools such as Tunnelbear ( www.tunnelbear.com). The basic versions of these services are free. Visit www.snipca.com/24822 to learn how to use Skype with a proxy.
Wayne May isn’t his real name, by the way – sensibly he uses a pseudonym. It helps him in the endless battle against scammers.
Waste their time
“Straight baiting is essential, but I do also love just messing with scammers,” Wayne explained. And so to stage two of scambaiting – keeping them talking. The internet is packed with examples taken to hilarious extremes (see box right). But behind the laughs, there’s no doubt that time-wasting is a valid tool anyone can employ to disrupt crime.
“We get together as a group in Skype and take it in turns to make calls,” Wayne said. “We go through contact numbers we’ve been given. No plans, just see what happens.”
Calls regularly turn into elaborate scams against scammers. “Firefly (another member of Scam Survivors) and I pretended to be husband and wife arguing about who should get the money,” Wayne told us. “We convinced the scammer I’d just shot her. He said he’d call the United Nations and I was going to die in prison. I told him the police were at the door, and hung up.”
So far, so juvenile. “We tried calling him back, and the number didn’t work. So anyone else who tried phoning him wouldn’t have been able to get through either. We were having fun with it, but we also kept him away from real victims.”
Scambaiters evolve their methods to thwart the latest types of scam. Scambaiter Lewis Hopkins, for example, is a dab hand at fooling ‘tech-support’ scammers (see box top right and screenshot above). Meanwhile, Wayne May appears at online-dating conferences to offer advice on dealing with ‘romance fraudsters’.
Even scammers who create phishing sites have met their match in Wayne and his team. “We contact the site hosts, give them evidence the scammers are breaking the terms of service, and get the fake sites shut down.”
Is scambaiting worth it?
No security experts we spoke to said they’d be tempted to scambait. It’s simply too dangerous. “This is serious organised crime,” says Tony Neate. “A lot of scambaiters have been threatened with violence and even murder. You may think you’ve hidden your identity, but it’s too easy to make one mistake.”
Tech-security consultant Graham Cluley agrees. “If you are particularly successful at wasting scammers’ time and depriving them of their ill-gotten gains, they might take delight in making your life a misery.”
“Drawing a bad guy’s attention to yourself seems foolhardy,” says malware researcher Simon Edwards. “We don’t know anything about them.”
Despite the warnings, Wayne and his Scam Survivors team aren’t about to stop. “Obviously it’s risky,” Wayne said. “But we deal with victims as well. Victims of extortion scams come to us saying, ‘I will kill myself’. There is a very serious side to what we do.”
Ultimately, though, he also advises caution. “Don’t jump in without knowing what you’re doing. Never tell a scammer they’ve been baited. The main thing is to collect information about a scam, then share it with the authorities and use it to warn others.”