Delicate Slopes: Navigating Fraud Enforcement & Privacy Concerns for Third Part Involved Efforts

Scam-fighting is a complex undertaking that requires a delicate balance between upholding existing privacy standards and ensuring that law enforcement and regulatory bodies are equipped with the tools to combat fraudulent actors and online scams. Law enforcement professionals face significant structural and perceptional challenges when procuring essential investigative data, furthering the gap between effective enforcement, mitigation, and prevention.

Exploring the factors below helps underscore some of the most persistent issues that complicate the efficacy and efficiency of enforcement and offers insight into elements that can contribute to a more cohesive path forward for all.

 Complicating enforcement factors include:

1. Jurisdiction

A core concern lies in jurisdictional issues; in many cases, illicit actors utilize services that originate beyond the scope of the target country to conduct operations, knowing it will delay law enforcement efforts. Scammers now know the importance of layering their communications, using efficient financial and data laundering methods, and how to bury other scam components to create a complex web that serves as a diversion tactic and —all too often–as an effective barrier point.

Approaching foreign agencies or corporations to garner cooperation and collaboration is a complicated endeavour; if a country refuses to engage, for example, law enforcement typically ends up waiting for Mutual Legal Assistance Treaties (MLATs) to be completed, which can take months or even years to secure. By this point, case data is often considered too old to be fully actioned, and illicit actors have had more than enough time to drain any accounts that may have otherwise had the potential for fund recovery.

When other countries choose to cooperate and offer assistance in gathering crucial investigative data, for example, through collaborative cross-border actions between U.S. and Canadian agencies, we have seen an effective ability to ‘bridge the gap’ and successfully pursue prosecution.

Establishing long-standing relationships and/or Memorandums of Understanding (MOU) can be extremely effective at facilitating the collection and exchange of data across jurisdictional lines. What remains the largest challenge to these efforts, however, is the more broad —and certainly important– concern of privacy and the tenuous slope that comes with allowing external agencies to access data beyond their parent territory. Establishing a network of ground rules in an MOU ahead of time, without needing an MLAT, may serve as an effective counter to such concerns.

2. Time

As mentioned above, the time disparity involved in getting actionable data serves as a significant hindrance to effective law enforcement and deterrence. In many cases, investigators are left waiting on judicial authorities to secure evidence, which allows the scam to progress and puts enforcement efforts further behind a rapidly moving (and fast to disappear) target.

In Canada, data collection time frames can—and often do—exceed a 30-day turnaround, reducing the ability to secure crucial evidence like IP addresses or user account data, which suspects can easily delete. To gain a position of proactive prevention, deterrence, and enforcement, we must find an effective measure to balance the need to protect privacy standards by requiring judicial processing while speeding up the timeframe in which this is achieved.

Failure to do so remains one of the biggest opponents of protecting against extortion, the continued victimization of vulnerable parties, and a continuing vulnerability point in overall security networks.

3. Concept of Privacy and Account Ownership: The Cost of Failing to Act

There is no denying the imperative nature of privacy protection in today’s landscape. The threat of doxxing, data brokering, and identity theft poses an extreme risk to individuals and corporations alike. Thus, it is no surprise that privacy is frequently at the forefront of counterarguments regarding legality and liability concerns regarding the disclosure of data to law enforcement.

Corporate legal teams, for example, often petition the wording of judicial data orders to provide the narrowest scope of information possible. It is understandable (and perhaps even venerable) for a company to wish to protect itself and/or its client base. However, the refusal to effectively communicate with law enforcement and reach a shared understanding of what data is necessary to satisfy an order results in greater risks to all.

Reducing the ability to collect essential investigative evidence to cyclical squabbles over validity and accessibility hinders the ability of law enforcement and regulatory boards to ensure effective enforcement and prosecution of illicit actors. In the same vein, it should be said that there is a shared burden on law enforcement agencies to equip their members with the ability to effectively communicate why account data is required and to what extent it will be used, both for judicial and corporate-facing measures.

Another serious point of concern is corporations' frequent unwillingness to take actionable measures against bad actors identified by law enforcement throughout the course of their investigation(s). All too often, companies argue that the account in question is the user's private domain, and thus, they cannot ‘interfere,’ even when presented with viable evidence. This refusal to sanction illicit actors and the absence of any real penalty for failing to do so allows fraudsters to operate with little fear of reprisal and continue to (re)target at will.

While the injuries inflicted by scam victimization are–sadly–less readily visible than the harms committed by other actors for whom corporations are willing to uphold sanctions, they are no less atrocious. Individuals targeted by scam networks are left feeling a profound sense of shame and vulnerability, and the financial harms rarely stop at one person; promising families are ripped apart, homes are lost, and, in multiple cases, lives are lost to suicide. It’s crucial to note that these are only the immediate harms tied to fraud. Such concerns don’t even begin to address the illicit web that ties such activities to larger-scale criminal activities like funding narcotics networks, human trafficking, and even terrorist efforts.

With this somber reality in mind, it is exceedingly negligent to allow known bad actors to continue to access their accounts (or, in another context, their killing grounds) with such alarming ease.

The Challenges of Protection and Deterrence Will Persist

Scamming remains a unique methodology with an unrelenting ability to adapt, restructure, and retarget at an extremely rapid pace. This is, in part, due to its roots in social engineering and the exploitation of human vulnerabilities. Scams and financial fraud as a whole have long since moved past rudimentary efforts that predominantly target ‘easy’ victims. Law enforcement professionals and regulators now face robust criminal networks that walk, talk, and operate like the sophisticated dark-market enterprises they have evolved into.

The evolving nature of financial crime means that there will likely be an ever-fresh struggle when it comes to effective prevention and enforcement. Our understanding of threat assessment and mitigation efforts must center around efficacy, adaptability, and efficiency to keep pace with the extreme pace with which criminals shift their efforts. So, too, must inter-agency and cross-jurisdictional abilities increase, while still keeping a close focus on the importance of upholding necessary privacy measures.

There is, however, one key component that all actors can embrace to affect sustainable change and prevention: education.

As the foundation for any form of risk management, law enforcement professionals, corporate actors, and private individuals must share the responsibility of protection by diligently spreading awareness. Knowledge is power, and with criminals embracing emergent technologies like AI, LLMs, and more to exploit victims, we must be vigilant in continuously spreading awareness.

The threat threshold is higher than ever before; we can help to reduce the pool of potential victims by spreading awareness regarding the following key education points:

• Scams target all walks of life, age and academic capabilities.

• Teens and the elderly remain two vulnerable populations and are among the highest at risk for suicide after falling victim

• Teens are at particular risk of being targeted for sexual extortion in addition to financial threats.

• Points of contact/victimization continue to expand, with social media, online gaming platforms, fraudulent text messages, and emails all opening doors for scammers.

• Cryptocurrency scams are expansive and allow bad actors to extract and launder large amounts of currency from victims to overseas financial institutions.

• Law enforcement professionals need to be aware that cross-jurisdictional efforts can yield effective results. We must evolve past an “out of country, out of responsibility” mentality.

At the corporate level, risk management teams and cyber professionals must conduct routine monthly assessments and ensure all employees understand the importance of compliance. The latter is most often effective when done in an engaging manner that connects high-level policies with personal examples that drive an ethos of collaborative and collective responsibility over obligation. Law enforcement agencies are typically more than happy to help businesses facilitate this kind of education, as investigators understand that awareness is one of the strongest tools we have for deterrence.

Embracing the Path Forward

Scammers—or, as they should be recognized, illicit financial actors—are no longer an emergent threat that only affects a small subpopulation of our society. Financial fraud inflicts devastating harm upon individuals and businesses en masse while simultaneously exposing dangerous vulnerabilities in our security networks. To lay a better path forward, we must understand the full nature of this threat and treat it accordingly.

From a law enforcement perspective, we must be prepared to navigate the complexities of inter-jurisdictional efforts while pushing for internal and external education that empowers both regulatory and judicial branches to work effectively–and efficiently.

Finally, from the perspective of social responsibility, the time has come for each of us to embrace our positions as guardians through the spreading of awareness and continuous advocacy, enacting change by refusing to accept the current ‘status quo’.

About the Authors

Brian Mason is a Constable and fraud investigator with Edmonton Police Service. Brian’s work involves identifying and linking scams to large-scale transnational organized crime syndicates and broadening the understanding of the scope and severity of financial crimes. He has demonstrated experience in identifying and supporting victims of romance and investment scams and remains dedicated to promoting advocacy and awareness across multiple platforms. 

Meghan Mason is an analyst and communications consultant with a background in political science, sociology and marketing. She brings a unique perspective to anti-fraud efforts, and maintains a strong interest in geopolitical trends, IR, cybersecurity, and various elements of global securities.