We need to get far more serious about organized cyber-crime scamming

Great Debates
1

The Economist Magazine had a cover story on 8 Feb 2025 entitled Scam Inc. Organized crime associated with cyberscams extracts $50 billion per year from American citizens. Cybercrime rivals the illegal drug industry in size. Scammers have taken over governments: scamming might constitute about half of Cambodia’s GDP. Unlike the drug industry, it is more of a network than a hierarchy. In fact scam operations have been found in Africa, Eastern Europe and even the Isle of Man. They are growing in sophistication and branching out from pig butchering.

The Economist also has an eight-part podcast where they interview law enforcement, victims, former scammer employees (some of them brought in via fraud and threatened with torture if they underperformed).

One cybercrime victim was a CEO of a small bank in Kansas that he collapsed in 2023 by shifting millions of personal, church, and bank dollars over to a fake crypto app. He is now serving a 20+ year sentence for embezzlement. Skilled professionals are being hired to run these scams and they are branching out into malware. It’s an industry, and the range of victims is far wider than it was a decade ago.

Just as the military needs to shift resources to drone warfare, so the US should shift funds away from drug law enforcement to scam abatement. China made a locally popular film about scamming - Hollywood should do the same. The media needs to cover this more. Consumer Reports and Wirecutter need to review crypto companies, identifying which ones are not 100% scam. (Yeah, yeah, the best of them are scammy, so what?) Scam baiters need to be deputized and subsidized. Bluesky and Twitter-X should run ad campaigns warning about the scammers that are ubiquitous at their websites and how they operate. Someone should set up another cybersecurity website, but focused on the public rather than corporate professionals. They could start by absorbing Brian Kreb’s blog. We need to up our game.

Like drugs, there are supply and demand side approaches. At least nobody wants to lose their savings to a crypto scam, unlike illicit drugs which many enjoy until they don’t.

We have an anti-scam thread in the pit, but I think a scam-news/scam-policy thread is warranted.

We could also post questions here like, “What is pig butchering”?

2

Start by putting some legal responsibility on telecom providers. As far as I can tell, they do nothing to protect their customers from scammers.

3

The only way that would work is if the companies could monitor the actual content. I doubt that’s even remotely possible.
Governments need to actively seek out and crack down on scammers.
Notice that the hotbeds of scamming also feature corrupt governments.

4

China has taken the lead in protecting their citizenry. The Philippians had a mayor, later determined to be from China, who ran a very large scam operation in her town. They arrested her, she escaped, she was captured, she is now facing trial. But in Myanmar and Cambodia scammers have basically bought the government, to an extent far exceeding that of any narco trafficker. So this is very hard work.

Telecoms have dragged their feet with spam phone calls. They need tighter regulation. For example, call numbers can still be spoofed: that shouldn’t happen so easily. Pig butchers typically rely on What’s App and the like. They should be countered with honey pots, which would also serve to monitor the effectiveness of anti-scam policy. The fight needs to be multi-pronged, because we’re dealing with skilled and highly adaptable businessmen.

I would emphasize a mixture of honey pots and public education. “Just Say No”, was ridiculous and there’s only so much drug treatment can do, but as I wrote earlier nobody wants their bank account emptied. Again though, do everything, try everything.

Aerial bombardment?

5

I just got a text from the Philippians telling me I needed to pay a FasTak toll I incurred recently. I am in California where we have FasTrak but my area code is Washington state. They are getting very sophisticated. The international number was the only thing that tipped their hand.

6

What was the actual wording?

7

I blocked and deleted so I can’t tell you the exact wording. I was in LA near toll roads on the date noted and in a vehicle without a FasTrak flex tag so it was remotely conceivable that I had incurred a toll.

ETA:

Here is a sample I found online:

I don’t think mine had the words bayarea in the link. I’m impressed because if they thought I lived in WA, they would have referenced “Good to Go” as the toll authority.

8

My area code is Florida. I live in Pennsylvania. Three times this year, I have received a text message saying I needed to immediately pay a Florida Sunpass toll.

Even if I hadn’t noticed the bad spelling and odd grammar, or been put off that rather than a clickable link the instructions said to copy and paste the web address, I don’t own a car and have never had a license.

The only scams that bug me are e-mails which list my beloved as the sender and promise pics in the title. I always click to open those and read them. In general, the sender’s e-mail address is not one I have ever heard of. There is some brief text and a hyperlink.

My beloved does send me e-mails with attached images from time to time. She always uses one or two e-mail addresses, both of which are in my contact list. The wonderful images are always attached and I don’t need to click a hyperlink to view them.

So, I have never clicked on the link in of these spam e-mails. However, I always check to be sure they are not the real thing before I delete them.

9

Philippians

To think that a First Century religious community could be a center of such scum and villainy.

10

BTW, to protect yourself as much as possible, enable MFA on every account you can and try to use non-SMS methods. SIM swapping is happening all the time. Once swapped, the bad guys have your MFA method.

But I agree with OP. It is getting out of control and more needs to be done to crack down on this.

11

Those damn Philippians. The Corinthians are even worse.

Agreed, SMS is not secure. Also, all major US banks and financial institutions require it. Sure, Vanguard allows you to link through a Yubi-key but you can’t turn SMS off. So that defeats the purpose: if the bad guys can use your SMS, it doesn’t matter whether you use a Yubi key or not.

A straightforward solution would permit the user to choose Google Authenticator and turn off SMS. But no major US financial institution allows that. This has been an issue for literally years.

Interactive Brokers is an exception: they turn off SMS if you install their app. But their app isn’t open source, so that creates another attack vector which I’m not knowledgeable enough about to evaluate.

Directory of 2 factor authentication policies.

ETA: T-Mobile employees propositioned via text message to help with SIM swapping at $300 a pop. Sounds like an underpayment to me: they need to unionize! :slight_smile:

ETA2: Alternatively, SIM security could be beefed up. I don’t know the ins and outs of that.

12

SMS MFA is still better than no MFA. Password only protection is the worst. And yes, I wish the banks would modernize.

I’m not sure how universal across the carriers this is, but you can do some form of SIM locking or require a PIN to move the SIM.

And just like SIM locking, freeze your credit at all the credit agencies.

And use unique passwords at each site.

13

Lack of bitcoin would make it a lot harder for the bigger scams.

I have to confess, I got caught up in a scam. The guy was pretty good. Got me rushed to thinking some arm of the popo was falsely after me, and all I needed to do was get down to the police station and sort things out. Oh, and by the way, pay the $1,500 fine so they could clear me and refund the money. And my cheapskate lizard brain finally kicked into high gear when my handler, who stayed on the line to make sure I didn’t get pulled over on the way to sort this out, directed me to a grocery store and I was at the kiosk to feed in cash to the bitcoin account.

I like to think I’m reasonably intelligent, experienced, and wise to the ways of the world. Yet, hook, line and almost sinker at the supermarket kiosk with the cash. Thank you lizard brain that has saved me from myself more than a few times over the past 6 decades!

Getting rid of untraceable money laundering at the supermarket would make cyber crime scams more difficult.

14

“All phone calls should be traceable with a court order.”

This would help, though it would further drive scammers to third world environments. It would also seriously compromise the functionality of VPN. Let’s run with that:

“All phone call and internet traffic should be traceable with a court order.” I mean, same as above given VOIP. I strongly suspect that this implies an intrusive overhaul of communication protocol. Let’s run with that:

:“All internet traffic above a certain threshold should have its origins and chain stored somewhere at least temporarily.” Moreover, any origination outside of the US or Canada (or other trusted countries) should be flagged so that the receiver knows that the communication is potentially suspect.

“All landline phone numbers should permit texting.” Not sure how much this would help, but the potential to attach keyboards to business telephones might facilitate call monitoring and tracing.

“US telephone numbers should permit extensions after you hit the # sign.” Irrelevant to this discussion, but I’m on a roll. We should create the potential to upgrade telephone handsets and blunt the need for ever more area codes.

15

Nonviolent direct action: there are 2 companies that provide telephone answer bots for your scambaiting needs.

Robokiller is the most well known, but they only work with mobile devices:

Jolly Roger works with mobile or landline. It appears to be fully customizable, complete with whitelists and blacklists.

https://jollyrogertelephone.com/

I watched a You-tube vid made by a hacker who infiltrated a tech support scam operation from India: he even captured closed circuit TV shots of the 4-7 member office. Judging from the spreadsheets he downloaded, the organizers paid their workers a small fraction of what they harvested. So while anti-spam bots are a great idea, they are only one tool among many.

16

Why don’t we focus on teaching people, from an early age, to not give their money to strangers over the phone? No, your grandson, uh, John, that’s it, isn’t in some third world jail, no you don’t owe money to Florida easy pass, and even if you did, make them bill you in paper. No, your bank account hasn’t been robbed and you don’t need to give the nice man on the phone your password. And that nice sounding woman in Australia that wants you to invest $47M of your bank’s money in crypto isn’t in Australia and most likely isn’t a woman!

When I was a kid, every time the phone would ring, my dad would say “Don’t give out any information!” It may have become repetitive, but it is still good advice! He was a man ahead of his time.

17

My Dad used to say, “I don’t respond to telephone solicitations.” How do you know who is on the other end? You don’t. Also, those who send nonsense over the mail can be charged with mail fraud. The best defenses are layered on top of one another; good habits are the foundation.

There should be public service announcements: when in doubt, hang up, look up, call back.

Also, if google is cold calling you, it’s not google. If Microsoft is cold calling you, it’s not Microsoft. Even if they are reporting a hack.

Admittedly, some organizations are large enough that they won’t have immediate records of when they call you. They need to step up. Some of them might if hang up, look up, call back becomes standard procedure. Which it really should.

18

This is one of those things that’s a big deal for me, and I don’t understand the indifference.

If every person in this country had to fend off an attempted physical attack three times a week it would be a crisis, but that’s about how often I get a scam attempt.

I get it that’s it’s hard, it’s international crime, most scammers are overseas. But it’s not impossible, when the scams actually kill someone they manage to find them and extradite them from Nigeria. Law enforcement could do more if they had more resources, but they’ve basically decided that the best way to combat the epidemic is through victim-blaming.

The amount of scams that originate on social media is staggering and these platforms could do a lot more. I would start there.

I once, as part experiment and part wishful thinking, reported around 100 scam Facebook groups. Most of these were celebrity scammers.

I used discernment in what I reported, I didn’t report any group that called itself a fan page ( even though those are scambait ), I only reported groups that purported to be official groups and giveaway groups…ie Elon Musk Official Tesla Giveaway Group.

One feature of these groups is that pretty much every day the fake celebrity will post something to the effect of “What happened, baby? I love you and miss you, why did you block me? Is it the age difference? I don’t care, I love you.

I know that plenty of old ladies whose family finally convinced them that Elon or Keanu isn’t going to marry them backslides upon seeing these posts.

I also made the mistake of commenting “It’s a scam” on a few posts. This led to me receiving a deluge of messages from recovery scammers who told me that if I’d been scammed they could help recover my money. I reported the pages of those accounts, too.

I also reported a series of ads that purported to be from the official accounts of major airports, selling unclaimed suitcases for $9.99 each. The comments were filled with shill accounts that claimed they had received suitcases filled with expensive electronics and cosmetics.

Everything I reported did not violate Facebook’s community service. They really don’t care at all.

And WhatsApp is even worse, most of the Facebook and Twitter stuff has the ultimate goal of dragging you over to WhatsApp, which is where the real scamming takes place. Don’t even get me started on the WhatsApp investment groups that specialize in stealing your life savings plus everything you can beg, borrow or steal.

It’s way easier to stop these scams before they start than it is to pull people out of them. I recently read the story of someone whose mother was getting scammed by a fake celebrity. They actually arranged for their mom to met the real celebrity, who told her gently but firmly that he hadn’t been talking to her, he didn’t love her, that she had been scammed.

It seemed to work at first, but the scammer reached her again and convinced her she missed the “signals” he sent during the meeting, and she went back to sending him money……sigh…

19

Are scam vics idiots? @Mangetout has argued, and I agree, that scammers target vulnerabilities. Some of it is age related. Often the vic is going through a personal crisis. Etc. I don’t consider myself wholly immune to that. Everyone ages for example.

But scammers have gotten better over the last few years. As I noted in the pit thread, scammers are successfully targeting much wider demographics. A recent briefing in the Economist magazine starts as follows:

The CEO of a small bank in Kansas, a former chairman of the Kansas Bankers Association and a former officer of the American Bankers Association, Shan Hanes knew all about the risks of online fraud. As a family man and part-time pastor at a local church, he was not the type to do anything reckless. As a shrewd investor, he had no need for get-rich-quick schemes. In fact, he had made a lot of money trading cryptocurrencies. But he was having all sorts of administrative trouble repatriating the money from Asia and needed some extra cash to sort out the paperwork and bring his millions home.

Within about six months, Mr Hanes had transferred to anonymous crypto accounts not only his own savings and the money he had set aside to pay for university for one of his daughters, but also his church’s reserve funds and some $47m belonging to Heartland Tri-State, the bank he ran. The bank’s losses were so severe that it became one of only five banks to fail in America in 2023. Yet even after the FBI swooped in and Mr Hanes was charged with embezzlement, he struggled to accept that he had been duped. He is now serving a 24-year prison sentence.

That a bank manager, of all people, could be fooled on a scale sufficient to bring down a bank is a sign of how sophisticated and far-reaching online scams have become. The days of patently false emails from supposed Nigerian princes are long gone. As our new eight-episode podcast, “Scam Inc”, describes, online fraudsters have become rich and powerful enough to corrupt entire governments, turning whole countries into the cyber-scam equivalent of narco-states. Scam operations can be found all over the world, from Myanmar to Mexico. The global proceeds of online fraud are probably more than $500bn a year, estimates Martin Purbrick…

So yeah, we need to get serious. In a more stable political environment this would receive greater focus. China is probably making the most effort to address the problem.

20

Coincidentally, a piece in this morning’s paper about elaborate scams:

I did notice some months ago on Facebook some videos purportedly of UK celebrities touting … ED treatments… Since among others there was David Attenborough, plausibility was obviously limited and they didn’t seem to be around for long - but the technical verisimilitude of the voice and mannerisms was striking