Scambaiters: vigilante cybercrime fighters who mean well but do more harm than good
The popularity of scambaiting communities clearly shows there is a public desire for more action against online fraud, but they also show how such communities can go down the wrong path if left unsupervised.
Cybercrime has risen enormously during the pandemic, with the likes of phishing and ransomware attacks now at endemic levels. Despite the increase in cybercrime, prosecutions are negligible, with jurisdictional boundaries a particular obstacle to overcome if cybercriminals are ever to be prosecuted.
In the United States, for instance, the only real agencies that can do this are Homeland Security Investigation and the FBI, both of which face significant challenges in getting suspects extradited to the US to face prosecution. This is despite broad support from the likes of Interpol.
Even when extradition treaties exist, there is no guarantee that they will occur. For instance, British hacker Lauri Love had his extradition to the US for trial quashed on account of his mental health.
While such affairs bring to mind high-stakes international crime, the same is largely true with online fraud, with a report from Which? Revealing that 96% of reported fraud cases go unsolved. These crimes, which include phishing and romance scams, have attracted the attention of vigilantes who are attempting to fight back.
The civilians, who loosely identify as “scambaiters,” seek to spot scammers and disrupt their activities, especially when official channels have failed to result in convictions. Which? highlight some of the tactics used by the scambaiters, including creating a form of honeytrap to attract fraudsters.
Recent research from the University of Surrey shows that while these tactics can be effective, they are certainly not without controversy. Indeed, the study shows that some communities are so bent on revenge, that they reward scambaiters not just for catching fraudsters, but also humiliating or even causing harm to the scammers.
The study reveals that most scambaiting tactics do little more than waste the fraudster’s time, perhaps by answering a never ending stream of questions or tricking them into performing a range of pointless tasks.
The idea is that by keeping the fraudster occupied, they’re prevented from carrying out their intended crime.
On the next level up, scambaiters can strive to elicit particular outcomes, such as extracting particular information about the fraudster, such as their name or bank details, which are then reported to the authorities. Sadly, however, the tactics of scambaiters don’t stop at these relatively benign activities.
Going too far
If scambaiters left things there it would probably be a relatively harmless activity, but the researchers reveal that this is unfortunately not the case. They cite a popular online community for scambaiters, called 419eater, which has nearly 2 million discussions on its forum since it was created in 2003. As the name suggests, the original purpose of the site was to fight back against 419 email scams, in which people are promised a large bounty in return for a small payment upfront.
The community incentivizes scambaiters via a system of virtual trophies that can be collected and displayed in the signature beneath one’s posts. These hunting trophies are often quite harmless and can be secured for things like capturing a photo of the fraudster.
Other trophies are far less benign, however, and can be gained by causing harm to the scammer.
For instance, a trophy called yin yang is earned by getting the scammer to have a permanent tattoo. The pith helmet trophy is earned when the scammer is encouraged to take a 200-mile round trip (or more) in pursuit of their prey.
To secure these trophies, the scambaiters use many of the social engineering techniques that are commonly deployed by cyber criminals themselves. For instance, the researchers highlight approaches such as forging documents and the invention of various fictitious scenarios to fool the scammers.
The community has not only attracted criticism for its encouragement of dubious techniques, however. It has also received criticism for its apparent encouragement of racism. The study finds, for instance, that many of the scammers being targeted by the community are from West Africa, and this results in high levels of racial prejudice, with the community seeming to reward racist acts rather than condemn them.
The wider scambaiting movement has grown in recent years with a number of popular YouTube channels promoting scambaiting in general and indeed their own efforts at it.
For instance, Jim Browning has achieved notoriety because he uses hacking methods to break into the offenders’ computers to transfer incriminating files to his own devices. Not only is his behavior largely tolerated, he was even featured in a BBC documentary on the topic.
The researchers argue that if such vigilante activities are to be stopped then the state needs to do more to lead the way in tackling online fraud. Success to date has been limited. For instance, in 2011, the National Crime Agency in the UK has been operating the Cyber Specials scheme, which recruits volunteers with special computing skills to work as special constables and tackle these kinds of cases. Thus far, however, the takeup has been modest, with a recent review showing that few police forces were using this role to help tackle cybercrime.
The popularity of communities like 419eater clearly shows there is a public desire for more action against online fraud, but they also show how such communities can go down the wrong path if left unsupervised. State bodies need to do a better job of channelling that well-meant energy in the right direction so that online fraud is effectively tackled.