Who Scams the Scammers? What We Can Learn from Fraud Vigilantes

By Roxanna "Evan" Ramzipoor / August 23, 2018

You’re probably already familiar with some of the folks who spend their days fighting fraud: fraud analysts at e-commerce companies who do battle against scammers, for example, or businesses like Sift Science that use innovative approaches to cut down on fraud. But there’s a shadow industry of fraud fighters who are also working quietly on the front lines.

These fraud vigilantes don’t work for businesses or e-commerce sites; they often aren’t even paid for their work. They’re modern-day Robin Hoods, scamming the scammers and fighting fire with fire. Here’s what we can learn from five of the most successful and audacious fraud vigilantes.

1) Google Maps Spam Fighters

Fake reviews are more common than you think. About 1 in 3 reviews you encounter online is fraudulent. And despite Google’s reliance on machine learning technology to weed out fraud, Google Maps has not been spared. Fraudsters use fake reviews to promote their own businesses, drive customers away from competitors, and sabotage other companies’ reputations. There’s even an organized contingent of black hat SEO (search engine optimization) experts who make a living writing fake reviews, paying others to write them, or porting real reviews from sites like Yelp. Other fraudsters use bots to write numerous fake reviews in rapid succession.

This behavior is problematic for several reasons. For one, it’s against the Google Maps terms of service. But more importantly, fake reviews can drive customers away from legitimate businesses. When Maps users find themselves navigating to a business that doesn’t exist, they’re less likely to use Google Maps in the future. And even if the business does exist, how can customers trust reviews if they’re powered by lies?

The Vigilantes Strike Back

Fortunately for Google, there’s a volunteer army fighting fake reviews on the front lines. CNBC caught up with Tom Waddington and Mike Blumenthal, who are among the most prolific. Waddington spends hours contributing information about Google Maps listings and reporting spam. He’s even built a marketing business to help people learn how to use Maps to promote their business effectively (and honestly).

Blumenthal, who’s been writing help guides about Google Maps for the past decade, works alongside Waddington. Using a tool that allows him to mass-report networks of linked, fraudulent accounts, Blumenthal has helped eliminate tens of thousands of fake reviews. He estimates he’s spent about 1,200 hours on Google forums answering users’ questions and offering sage advice.

What Can We Learn?

Sites like Google Maps, which rely on UGC (user-generated content) to drive their business, have a secret weapon: their users. Since content is posted so quickly, it’s hard for a team of moderators to weed out the fraud in real time. But by enabling users to flag suspicious content, you grow your team of fraud fighters exponentially.

2) White Hat Hackers

Like viruses lurking in our bloodstream, websites often have vulnerabilities they don’t know about. According to WhiteHat Security, hackers can easily exploit unsafe web applications to gain access to a website’s code. Web pages are usually developed by non-IT teams, who ignore data-flow architecture that can jeopardize users’ PII (personally identifiable information). Fraudsters can take advantage of this architecture to inject malicious code into a web app’s output. Businesses and websites don’t often screen their sites for vulnerabilities, so they don’t discover the vulnerability until a fraudster exploits it.

The Vigilantes Strike Back

Luckily, white hat hackers are on the case. Ethical hackers like those at HackerOne trawl websites looking for vulnerabilities. When they suspect a site might be vulnerable to attack, they conduct penetration testing to see if they can get in. If they’re able to exploit a loophole in the site, the bug bounty hunters then contact the site administrators to tell them about the vulnerability.

Some hackers can’t resist using more tongue-in-cheek methods to get in touch with websites about security vulnerabilities. Take a recent example from the world of cryptocurrency. Cryptocurrency transactions are recorded on a public, decentralized ledger called the blockchain. To access data on the blockchain, people use sites called BlockExplorers; Etherscan is the most popular BlockExplorer for the cryptocurrency Ethereum. And last month, a hacker accessed Etherscan through a site vulnerability and added a pop-up to the site displaying “1337,” hacker lingo for “you’ve been hacked.” While the hack didn’t compromise the funds of any Etherscan users, it easily could have…if the hacker hadn’t exposed the vulnerability.

What Can We Learn?

No one is immune to cyber threats. Even businesses that invest in advanced fraud prevention solutions can make missteps. To pretend otherwise is to invite attack — so don’t pretend otherwise! Keep an open mind, even if a white hat hacker has some fun at your expense.

3) eBay Robin Hood

Not unlike other sites that rely on UGC, eBay is regularly flooded with content fraud. In a common scam, a seller advertises a high-ticket item like a car, but says potential buyers can’t view it before purchasing. The seller promises that the buyer’s money will be secured in escrow or a holding account until the buyer is satisfied with the purchase. Of course, the purchase never materializes, and the buyer loses money.

As these schemes have grown more prevalent, eBay has continued to lose customers at a shocking rate. And eBay is too inundated with fraud to keep up: its content moderation teams struggle with the deluge of content fraud.

The Vigilantes Strike Back

Thanks to Buster Jack and his fellow vigilantes, the scammers are getting a taste of their own medicine. According to The Telegraph, “Buster Jack” is a UK-based guy, but that’s all we know about him. Jack leads a band of twenty-five eBay users who regularly search the site for telltale signs of fraud — usually an expensive listing with a bare-bones description and no image.

To scam the scammers, Jack and his band start by pretending to be interested in a fraudulent listing. They then string the fraudster along — by email, to create a paper trail — promising outlandish amounts of money for the eBay listing. Their goal? To nab the fraudsters’ bank account info. Once that’s done, Jack and the vigilantes send banks up-to-date intelligence on fraudulent accounts. Jack estimates he’s helped close around 350 fraudulent accounts, preventing £2 million in fraud.

What Can We Learn?

Despite advances in fraud-fighting technology, social engineering continues to dominate. Fraudsters rely on a vulnerability that fraud-fighting apparatuses struggle to catch: human fallibility. The only way to confront social engineering is to educate users and employees — or to send up a Bat-Signal for Buster Jack.

4) Scam Survivors

Online dating is a fast-paced world. Over 75,000 dating sites exist worldwide; every day, 3 million messages are exchanged on Zoosk alone. In a typical romance scam, a fraudster feigns romantic interest in their target, then asks the victim for something: usually money, email passwords, credit card information, or a passport. And when each victim stands to lose around $10,000, the stakes are high. It’s not just broken hearts; it’s broken wallets too.

The Vigilantes Strike Back

In an interview with The Sun, Wayne May explains that he administers a site to help romance scam victims and potential victims. May’s site is essentially a database of fraudsters’ email addresses. When a user suspects they’ve been chatting up a fraudster, they can send May a message through the site. May then runs a check on the potential fraudster’s email address to see whether the address is associated with a known scammer.

Online dating is a massive industry, so May’s fraud-fighting operation is equally massive. His site has been up and running since 2012, and receives about 9,000 unique visitors a day. Many victims and would-be victims claim they would have given up on online dating altogether if not for May and his database.

What Can We Learn?

Educated users are good for business! Businesses can earn their users’ trust by protecting their information, but also by empowering users to keep themselves safe. Customers are more likely to return to your site — and to tell their friends about it — if they’ve had a positive user experience, and that includes not falling victim to fraud.

5) Shiver Metimbers

The Nigerian prince scam is the oldest trick in the book (quite literally; Nigerian prince scams are older than Nigeria). So-called 419 Scams, which are named after the section of the Nigerian criminal code devoted to this type of fraud, are particularly common. These fraudsters spam unwitting victims with heart-wrenching stories, promising untold fortunes if the victim wires them a sum of money. Victims are sometimes left penniless.

The Vigilantes Strike Back

As Wired reports, British vigilante “Shiver Metimbers” is turning the tables on the scammers. Metimbers and his team of scam-baiters, which numbers in the tens of thousands, have taken a page out of the Nigerian prince playbook. Metimbers and company send enticing emails to known fraudsters, plying them with stories as elaborate as the scam’s namesake.

But there’s one key difference: Metimbers’ scams are ridiculous. Promising untold riches, Metimbers has compelled fraudsters to construct elaborate wood carvings, send embarrassing selfies, fly across the world, and… well, this:

  1. You will need to gather a large FISH and a FULL loaf of BREAD.
  2. You will need to sit in a chair.
  3. You will need to place the FISH on your HEAD.
  4. Hold the loaf of BREAD to your mouth and make it look like you are going to eat it.
  5. Now get a colleague to take a photograph of yourself in this pose.

Metimbers has even persuaded a fraudster to have the words “Baited by Shiver” tattooed on his body. Of course, the prize money — $46,000 — never materialized.

What Can We Learn?

Don’t make Shiver Metimbers angry.


Roxanna "Evan" Ramzipoor was a Content Marketing Manager at Sift.
