Scam Sites and the Scam Economy
When you find a scam website – or worse, fall for a scam – you’re not thinking about the people behind it. But the people who build scam sites and the companies that enable scammers are all part of a larger scam economy. In order to combat scam websites, we need an understanding of the forces behind them.
See Behind the Scenes of a Scammer Syndicate with Jack Whittaker for a complete transcript of the Easy Prey podcast episode.
Jack Whittaker is a Ph.D. candidate at the University of Surrey. He also helps run petscams.com with a group of volunteers. They track down pet scam websites on the internet and put up warnings. Ideally, they get petscams.com to rank higher than scam websites so they can help people avoid pet scam sites. Jack has joined us before to talk about pet scams, but he’s done a ton of work behind the scenes since then.
How Pet Scams Operate
Pet scams are a fairly simple scam. During COVID-19, there was an explosion in pet scams. People in lockdown wanted animal companions, and ended up on scam sites. Because of this, pet scams are becoming more well-known.
A pet scam is not having an issue with a pet you bought. It’s not a puppy mill, an illegitimate breeder, or buying a pet that turns out to be ill. It isn’t ordering a micro-pig and finding out several months later that it’s not micro after all. A pet scam is cybercriminals setting up scam sites, advertising their pets for sale extensively, and taking your money while never having any pets to sell in the first place.
“What we’re dealing with is not a customer dispute; it’s cybercriminals who set up websites by the thousands.” - Jack Whittaker
A pet scam will have you pay a deposit on the pet. They’ll get you emotionally involved through tactics like asking you to name it. Then they’ll start adding more fees. Shipping fees, vet fees, quarantine fees, COVID injection fees, an attempt at blackmail for pet abandonment …. The fees keep coming until the victim runs out of money or realizes it’s a scam.
These kinds of scams are particularly awful because they get into people’s hearts as well as their wallets. And it’s not just the victim who is affected. Scam sites use logos from the International Pet and Animal Transport Association (IPATA), so their reputation is damaged. So are legitimate breeders whose websites are cloned for scams. And so are random people who just happen to buy a house at the address a scammer put on their scam site – Jack has heard of victims showing up, breaking windows, and even threatening innocent homeowners.
The People Behind Scam Sites
For his Ph.D. research, Jack chose to look at the people behind the scenes of scams. He got the opportunity to do a project on fraud enablement – the people who aren’t scammers, but allow or even help the scammers to run scams. He found that there is an entire economy set up around scams, fraudulent websites, and scam sites, both building the websites and laundering the money that comes through them.
“There is an entire economy that exists that involves building fraudulent websites and laundering the money behind them.” - Jack Whittaker
For his project, Jack interviewed fourteen of these crime enablers. All fourteen were based in the African nation of Cameroon, in the northwest and southwest areas known as the Anglophone region. These enablers aren’t just building pet scam sites. They also build scam sites for Ukrainian charity scams, marijuana scams, COVID PPE scams, gun scams, and many other kinds of fraudulent websites.
Two Kinds of Scam Website Builders
There are two kinds of web developers who build scam websites. The first kind are part of the scamming syndicates that operate in Cameroon. They build scam sites as their role within the syndicate.
The second type do legitimate work as well as create scam websites. Some are teachers or lecturers at universities, or graphic designers, or freelance web developers. One scam website creator Jack spoke to was also an editor for a YouTube channel. Many of them prefer to treat it as a side job – they work their nine-to-five, then come home and build fake websites for crime syndicate clients.
No matter which type they are, all these scam website creators know what they’re doing is bad. Cameroon is notorious for scam sites. One interview subject told Jack that if you’re building a pet website in Cameroon, you know instantly it’s for a scammer. But for the web developers, the risk is fairly low. The police crackdowns are more focused on finding the scammers behind the websites. The police don’t care about the people building the scam sites.
Why Some People Build Scam Sites
Some of these web developers don’t want to make fraudulent websites and would rather have legitimate clients. Others prefer to work for scammers for the higher pay. But many people in Cameroon are being pushed towards cybercrime regardless of whether they’d rather do legitimate work.
Cameroon is in the middle of a civil war. Separatists in the Anglophone region are fighting against the government, causing havoc for people who live in the region. Electricity cut-offs happen frequently. Sometimes there are what’s known as “ghost towns” – a period of time where everyone has to stay inside and risk being shot if they leave their houses.
During electricity cut-offs, web developers don’t have access to the internet to do their work or communicate with clients. If a legitimate client hires a web developer from the Anglophone region of Cameroon, they might not hear from them for days at a time due to lack of electricity. This was a common complaint that came up in Jack’s interviews. It’s hard to find and keep legitimate clients with unreliable power and internet connections.
In addition, the civil war has caused Foreign Direct Investment (FDI) to leave the region. Without foreign investments, there aren’t many legitimate clients left. For web developers who want to be able to support themselves and their families, the only clients left are scammers.
The Scam Economy
Some countries specialize in certain types of fraud. Nigeria and Uganda both do a lot of romance scams. Nigeria is also famous for Nigerian Prince scams, also known as 419 scams. Cameroon’s scam of choice is nondelivery fraud.
Pet scams specifically were the first scam in Cameroon. Nigerians living in Cameroon brought the ideas of the 419 scam with them, and Cameroonians liked it. A couple of university students had the idea of running the scam by “selling” pets that didn’t exist. They made a small fortune, and everyone jumped on the bandwagon.
When the civil war started, it massively accelerated scamming. Running scams is generally accepted in the Anglophone region, especially among the younger generation.
One man Jack interviewed worked for a syndicate that specialized in mineral and gold fraud. This was a very risky proposition, as it involved luring investors to Africa and then holding them for ransom. Compared to that, building scam sites is practically risk-free. The police are more interested in picking up scammers than the web developers building scam sites for them.
“If you commit a murder, there’s only a 12% chance that you’re going to get away with it. If you’re a cybercriminal and you do it properly, you’re 97% guaranteed not to get arrested.” - Jack Whittaker
Passive Profits from the Scam Economy
Many scammers do their money laundering through the App Store. One person in Cameroon built an entire business around cashing gift cards received as payment for scams. He has a friend who is an app creator. When someone sends him a gift card, he uses it to make in-app purchases on his friend’s app. Eventually the money, minus the App Store’s cut, is processed to the creator as royalties. The app creator takes his cut of the money and sends it back to the person cashing the gift card, who then takes his cut and passes it on to the person who sent him the gift card in the first place.
Scammers are not the only ones who profit from a successful scam. App stores profit from scams because they get their cut when the money is laundered through in-app purchases. Domain registrars and hosting providers profit from scammers repeatedly setting up new scam sites to replace ones that were taken down. Jack calls these people and organizations who support and profit from scams without directly doing any scamming “passive enablers.”
Steps Towards Reducing Scam Sites
When it comes to technology, many people have an instrumentalist perspective: Technology is neither good nor bad, it simply serves the human using it. Jack prefers extension theory, which says technology extends human agency. He thinks technology can, in fact, be good or bad. And there are a lot of passive enablers who have helped support, and even profited from, scam sites.
There’s a lot of confusion about who makes sure new websites are legitimate and not scam sites. For a while, people thought it was ICANN. In 2018, though, ICANN released a blog post saying “We’re not the internet police.” It’s easy to say the onus is on the consumer to avoid falling for scams. But if that’s the case, how are we supposed to protect vulnerable people? Children are more and more online. With the COVID-19 lockdowns, some people had to use the internet for the first time. If we say internet safety is their responsibility, we’ve basically given up.
Jack thinks a good start would be stronger measures in app stores. For example, watching out for apps with only a few downloads but a lot of money going through in-app purchases. He spoke with a major internet company about this, and they had no idea this kind of thing was happening. They had all kinds of advanced analytics and reporting, but they just didn’t know what to look for.
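As an added illustration (not code from the podcast, the article, or any app store), the signal described above can be expressed as a check over purchase records: few downloads, high in-app revenue, and funding that is mostly gift cards, as in the laundering arrangement described earlier. The field names, thresholds and sample records are assumptions constructed for this example.

```python
from collections import defaultdict

# Constructed sample data: no real apps, accounts or transactions.
DOWNLOADS = {"puzzle-mega": 250_000, "notes-lite": 40, "indie-draw": 90}
PURCHASES = (  # (app_id, payer_account, amount_usd, funding_source)
    [("puzzle-mega", f"p{i}", 4.99, "card") for i in range(400)]
    + [("puzzle-mega", f"g{i}", 9.99, "gift_card") for i in range(30)]
    + [("notes-lite", f"n{i % 2}", 99.99, "gift_card") for i in range(15)]
    + [("indie-draw", f"d{i}", 2.99, "card") for i in range(3)]
)

def flag_apps(downloads, purchases, max_downloads=500,
              min_revenue=1000.0, min_gift_share=0.8):
    """Return apps with few installs, high in-app revenue and mostly
    gift-card funding. All three thresholds are illustrative assumptions."""
    revenue = defaultdict(float)
    gift = defaultdict(float)
    payers = defaultdict(set)
    for app, payer, amount, source in purchases:
        revenue[app] += amount
        payers[app].add(payer)
        if source == "gift_card":
            gift[app] += amount

    flagged = []
    for app, total in revenue.items():
        installs = downloads.get(app, 0)
        gift_share = gift[app] / total if total else 0.0
        if (installs <= max_downloads and total >= min_revenue
                and gift_share >= min_gift_share):
            flagged.append({
                "app": app,
                "downloads": installs,
                "revenue": round(total, 2),
                "gift_share": round(gift_share, 2),
                "payers": len(payers[app]),  # few payers, large sums: review
            })
    return sorted(flagged, key=lambda r: r["revenue"], reverse=True)

if __name__ == "__main__":
    for row in flag_apps(DOWNLOADS, PURCHASES):
        print(row)
```

A popular app with some gift-card purchases and a small app with little revenue both pass; only the low-download app with large gift-card-funded revenue is queued for human review.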
“Because this type of crime is such a niche type of crime, it needs experts.” - Jack Whittaker
Company education is going to be important to help solve this problem. When companies know what’s going on, they can use the tools they have to help combat it. Companies need to work with anti-scam groups to find out what they can do to help stop scam sites.
What Can Consumers Do?
What can consumers do about this? Unfortunately, not much. There has been limited attention to scams with small dollar amounts, and it’s not clear who is in charge of monitoring and removing scam sites from the internet. Right now, your best strategy to protect yourself is to learn how to identify scam sites and avoid being scammed in the first place. Once you get scammed, it’s very unlikely you’ll get your money back.
“Try not to get scammed in the first place, because the moment that money hits a mule in the States or even someone in Cameroon, that’s it, you will never see that money again.” - Jack Whittaker
Some organizations are trying to do things like get scammers’ bank accounts shut down. Jack doesn’t work with them, but he thinks they’re doing great work. But there need to be more investigative tools. The FBI has given more attention to volume crimes – stealing small amounts from many people – in recent years, but not as much as necessary. There needs to be a mechanism for investigating money mules especially.
A Success Story: Namecheap
Namecheap is a website where people can buy domain names. For a while, it was considered one of the largest facilitators of online fraud. A year ago, they decided to open a help desk for people to report scam sites. They collected the reports and began demolishing scammers.
Namecheap was previously known as a bulletproof registrar. Jack thinks the decision to open the fraud help desk was due to too many Twitter complaints. It got to the point where it was starting to damage the company, so Namecheap decided to do something about it.
Jack thinks Information Security professionals especially should be putting pressure on those companies. But all of us can report scam sites and complain to the companies that enable them. It may take some time for the company to get the message. But putting pressure on companies to do something about scam sites works.