Online scams have become a global epidemic. Consumers worldwide lost an estimated $55 billion as a result of online scams. The social and emotional trauma cannot even be measured. In many countries online scams are the most reported type of crime: in the UK, 41% of all reported crimes are now related to online fraud, and in Singapore 50%.
Further, the loss is likely a gross underestimate, as only 7% of all online scams are even reported. Because a mere 0.05% of all cybercriminals are caught, and new technologies like deepfakes and ChatGPT are making it increasingly hard for consumers and law enforcement to identify deceit, online scams will continue to grow and thrive.
Governments and security companies are largely focused on fighting the “Big Cybercrime” that targets (large) corporates and national infrastructure. However, this ignores the fact that online scams are also harming consumers and diminishing their trust in the global digital economy, which now represents 15.5% of global GDP. This is unacceptable, and more needs to be done to protect consumers worldwide.
At the 3rd Global Anti-Scam Summit, on 9 and 10 November 2022, 1,300 (virtual and physical) participants conceived 10 recommendations to better protect consumers worldwide from scams. This document summarizes these recommendations and is meant to inspire international institutions as well as national governments to take steps towards making the Internet safer for all.
1. Raise Consumer Awareness on a National Level, Unified & Continuously
Why: In most countries there is no single national approach to raising consumer awareness about what scams are, how to protect yourself against them, and how to report them. Campaigns are fragmented across government agencies and industries. They are often one-shot appeals, communicate different approaches, and often advise actions which are outdated and largely ineffective (like checking the SSL certificate or reviews). Their impact is usually not evaluated scientifically and therefore remains unknown.
How: Several studies have measured the effectiveness of training against social engineering. They emphasize the importance of interactivity (gamification), contact with the user, focus on a specific type of scam, and continuous education. A unified, national, continuous awareness-building program is required, based on international Best Practices that have been scientifically proven to have results, including education from primary school to the elderly home, and centrally funded in partnership with industry.
Who: A national Public Private Partnership set up by the government, law enforcement, consumer protection, and the financial, telecom, Internet and related industries seems a logical choice, as all stakeholders benefit from safer use of the Internet by consumers and have “marketing power” to raise awareness jointly. A Best Practice here is the Friends Against Scams initiative in the United Kingdom, which has trained more than 1 million citizens using a very successful “Train the Trainer” approach.
2. Facilitate One National, Easy, Online Reporting Platform
Why: Worldwide, only an estimated 7% of all scams are reported. The causes differ: from a feeling of shame on the part of the victim who has been tricked, to not knowing where to report (like awareness building, scam reporting is often spread across multiple stakeholders), to believing that reporting does not make a difference or is too complicated. In many countries specific kinds of scams need to be reported to specific agencies (police, financial authorities, consumer authorities), online fraud cannot be reported online, or cannot be reported at all as the victim “should have known better”.
How: The FBI’s Internet Crime Complaint Center (IC3) and the UK’s Action Fraud demonstrate Best Practices for national reporting of fraud and cybercrime. While the UK’s Action Fraud has recently been cited negatively in the news for poor execution and taking little “action”, Action Fraud has, together with CIFAS and UK Finance, made reporting cybercrime more accessible and has raised political awareness that online fraud has become the number one crime in the UK. The Federal Trade Commission and FBI have achieved the same result in the USA. With improvements always possible, consumers in these countries can in general report online scams centrally and easily online. Easy reporting has several positive effects. Apart from empowering scam victims so they do not feel powerless, it also makes it possible to quickly warn the public about dubious sellers. Scam reports can quickly be turned into scam alerts, allowing service providers to close down sites and servers. The Dutch Police, for example, offer a list of dubious websites. Prior to formal prosecution, a website is added to this list after 3 formal reports have been received.
Who: The National Consumer Cyber Security Center or Police Anti-Scam Command (see recommendation 6).
3. Set Up Cross-Organizational Support for Fraud Victims
Why: Scams are the only crime you fall for. Online fraud is still associated with the idea that the victim is to blame. However, it has become painfully clear that anybody can get scammed: the right scam just has to find the right person at the right moment. It is essential that the criminal is blamed, not the victim. Helping scam victims is not only humane but also needed to help victims become contributing citizens anew and to prevent them from being targeted by scammers again, as they end up on the “donkey lists” of cybercriminals.
How: Scam victims need to be given the same support as victims of any other crime, at all levels (from municipalities to the national level) and from all perspectives (money recovery, social/psychological and technical, e.g. by offering free scam protection tools and limiting bank transfer options). A fraud support helpdesk can help victims find the right organizations for all aspects of the fraud and ideally not only directs the victim to the different providers but takes an active role in “going through the recovery process”.
Who: Here the national Public Private Partnership suggested in the first recommendation can take the lead if no victim support organization exists. In those countries where a victim support organization exists, it is recommended to broaden its charter and financial support. It is also recommended to use volunteers: many scam victims who recovered would like to help other victims rise again too. Best Practices are The Cyber Helpline initiative in the United Kingdom, Fraudehelpdesk in the Netherlands and IDcare in Australia.
Creating a Safer Internet
4. Develop Infrastructural Tools to Protect Consumers
Why: While raising scam awareness is important and helpful, recent research shows that increased awareness alone does not reduce victimization. Consumers can no longer be expected to identify all scams themselves. The rule “if it is too good to be true, it probably is” no longer applies, as scammers professionalize their tactics and new technologies like deepfakes and ChatGPT make it nearly impossible for even experts to identify the deceit. Tools and preventive measures are needed to offer consumers additional protection.
How: Several commercial tools are offered to warn about, filter or block online scams. Some anti-virus companies, such as F-Secure and Trend Micro, offer a full suite of mobile and desktop scam protection. Likewise, an increasing number of schools and corporations integrate scam protection into their Internet filters using services from suppliers such as NetSweeper and DNSfilter. However, consumers are notorious for not using these products themselves and, in the rare case that they do purchase them, often forget to update them. Protection at the infrastructural level is needed.
Who: The National Consumer Cyber Security Center (see recommendation 6) can set up scam protection at the Internet infrastructure level, in close cooperation with telecom and Internet service providers, to protect consumers. Examples of Best Practices are the Belgian Anti-Phishing Shield and Taiwan’s anti-fraud browser. The European DNS resolver may be a future alternative to protect citizens in Europe.
5. Make Fraud Traceable Cross-Border
Why: The Internet is meant to facilitate global communication, not to anonymize it. While individuals have a right to privacy, companies do not, as they deliver products and services to consumers and businesses. Current GDPR legislation has been taken too far, protecting criminals more than the consumers for whom it was intended. The principles of the GDPR and the promotion of an individual's right to privacy do not mean giving criminals the ability to work in the shadows because there is no public information or data that can be used to help prevent or stop their criminal activities. Further, the main tenets of the GDPR are to protect consumers from companies and criminals harvesting their data without their knowledge and permission. This principle can coexist with a robust information exchange to prevent cybercrime.
How: We need a better balance between law enforcement and privacy protection. Existing GDPR legislation needs to be modified to draw a line between companies and persons. If you sell a service or product, you are a company, even though you may be a person as well. In the role of a company, it has to be clear who is selling a product or service, including direct ways to contact that entity. In practice this means re-establishing WHOIS data (to be replaced by RDAP) to make the owner of a domain visible again. It should not stop with the domain, however. The entire value chain needed to sell products or services should enforce KYC and make transparent who the offering party is. This applies just as much to seller accounts on marketplaces and social media as to knowing which organization shipped a package (the sender’s origin is especially important in identifying fake products) and seeing on your credit card statement which website and company actually took the money from your account.
Who: Each party in the value chain has its global industry association, which can help make fraud traceable, e.g. ICANN for domains, the Universal Postal Union for packages, the International Telecommunication Union for text messaging, etcetera. If the industry does not take action, (inter)national legislation is the next logical step.
Improving (Inter)national Cooperation
6. Set up a Dedicated National Consumer Cyber Security Center
Why: The biggest complaint regarding the UK’s Action Fraud, and to a lesser extent the FBI’s IC3, has been the lack of action. This is a general issue in most countries: while reporting is facilitated, the general feeling is that little action is actually taken. In most developed countries, less than 1% of law enforcement is focused on tackling economic crime, and agencies lack the digital skills to properly tackle digital crime.
How: Many countries have set up a National Cyber Security Center to protect their national infrastructure and vital industries. Consumers’ interests and well-being have been neglected, while deserving the same level of protection. To combat online scams effectively and efficiently, centralization of the very scarce cybersecurity resources and skills is essential. The organization could be part of the national police but, as many of the skill sets required overlap with those of the National Cyber Security Center, it is recommended to tie these organizations together. In addition, as commercial organizations are fighting to hire the same experts, it is recommended to include expertise from the commercial sector (banks, telecom operators, cybersecurity companies, etcetera). An excellent Best Practice is the Singapore Anti-Scam Command, where all stakeholders sit physically together, making it possible to block bank accounts, phone numbers and IP addresses in near real time to protect Singapore citizens from scams.
Who: It is the role of the national government to extend the charter of the National Cyber Security Center or national police, or to set up a separate entity focused on cybercrime targeting consumers, and to make the required resources available. This unit not only receives all data concerning scams (recommendation 2) but can also build up the skills to investigate, prevent and enforce on a national level.
7. Establish a Global Scam Data Sharing Hub
Why: Cybercrime is borderless. Professional scammers mostly do not scam in their own region or country. Often, they disperse their activities across tens of countries to remain ‘invisible’ to local and national law enforcement. Only by sharing data on scams can scam networks be identified faster.
How: The data on scams reported nationally needs to be shared globally to find common threats and signals. This demands not only the creation of global data exchange standards but also the removal of barriers to sharing data. This is a sensitive and long process. In the short term, sharing of non-private data such as IP addresses and domains related to scams is already possible. In anti-money laundering (AML) cases, privacy-related data is already shared, although often via slow and cumbersome processes. The same importance given to money laundering crimes also has to be given to online scams. In addition, the data-sharing approval process has to be reduced from days, weeks or months to minutes or a few hours, as speed is of the essence in AML as well as fraud cases. What is important is that the information is not limited to law enforcement but that Trusted Sources (banks, Internet service providers, cybersecurity companies) have access to this data as well, in order to report, identify or prevent fraud.
Who: Regional hubs could be the FBI/FTC in the USA and Europol in the EU. Internationally, Interpol already manages 19 police databases with information on crimes and criminals. Maintaining, in addition, an aggregated database of reported scams, collected by the national cybercrime report centers, would be a logical choice.
8. Make Service Providers Responsible & Liable for Fraud Enablement
Why: Scammers use the Internet the same way companies do. They need domain names, servers, marketing channels and payment platforms to commit their crimes. While all service providers suffer from being misused by cybercriminals, some providers allow misuse a lot more than others, due to their (cheap) pricing strategy and weak, or even completely absent, Know Your Customer (KYC) processes. Naming and shaming has in the past proven not to be sufficient; some providers simply do not care. Introducing even a minimal level of KYC can have a dramatic positive impact. The Danish registry, DK Hostmaster, for example introduced the requirement to show an ID before being able to register a .dk domain name. As a result, the number of online stores suspected of intellectual property right infringements using a .dk name dropped 85% in just one year.
How: Make each service provider, be it a Registrar, Registry, Hosting Company, Social Media platform, Payment Method (e.g. gift cards), Cryptocurrency Exchange or other party, responsible and liable for preventing misuse of its platform. As with the NIS 2 Directive, each service provider can determine its level of KYC enforcement, but an objective standard is set for the maximum misuse of its platform. For example, if 3% of all domains are considered malicious, companies that host 6% of malicious domains compared to their market share can be held liable for the damages caused by their customers. Likewise, a social media platform that is continuously reported as part of the fraud chain should be held accountable. This even extends to the Internet of Things (IoT): more and more consumers use IoT devices such as Alexa, smart fridges and others. Cybersecurity should be part of any Internet service offered.
Who: The Global Scam Data Sharing Hub will have the data to make transparent which Service Providers are continuously listed at the top of misused platforms. National law enforcement and consumer protection organizations can use the aggregated data collected by the Global Scam Data Sharing Hub as a basis to bring Service Providers to court.
9. Allow Preventive Action (Warn, Block, Stop)
Why: Making service providers responsible also means giving them the liberty to act on (possible) misuse of their services by scammers, and to make mistakes. Scams are not black and white. An online store which has not delivered products for six weeks and has a rising number of consumer complaints without any response may be a scam, or a single parent with two day jobs and a sick child. Service providers are not “Internet cops” but should act on signals that their platform seems to be misused.
How: Service providers should be given legal protection against liability claims from their customers if they follow a clear procedure to prevent abuse. In case abuse is not 100% clear, three steps can be taken. 1) Warn the client about the asset that is possibly being abused. 2) If the abuse is not stopped, or no (clear) response is given, the provider can block the user, either by warning end-users (for example by using a “Red Screen” as Google and Microsoft already do for phishing and malware) or by making the service temporarily unavailable. 3) Lastly, if again no action is taken by the owner of the abusing asset, the abusing service can be taken down entirely.
Who: Service Providers can determine their own processes and standards and use their own Terms & Conditions to prevent liability. The stick is that they are made responsible for fraud enablement if they do not monitor and clean up their own platform sufficiently (see recommendation 8). The carrot is having a reputation amongst consumers and other service providers for doing their best to make the Internet safe for the public and their customers.
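As an added illustration of the warn, block, stop procedure above (example code written for this page, not part of the summit document), the Python below tracks one reported asset through the three steps and only escalates when the owner has not stopped the abuse within a response window, keeping an audit trail as evidence that the procedure was followed. The three-report trigger mirrors the Dutch list in recommendation 2; the seven-day window, the asset name and the timeline are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import List, Optional

class Stage(Enum):
    CLEAN = "clean"            # no procedure running
    WARNED = "warned"          # step 1: owner notified about the reported asset
    BLOCKED = "blocked"        # step 2: end-users warned or service suspended
    TAKEN_DOWN = "taken_down"  # step 3: asset removed entirely

# Constructed policy values; a provider's own Terms & Conditions would set these.
REPORT_THRESHOLD = 3                 # formal reports needed before step 1 (as in the Dutch list)
RESPONSE_WINDOW = timedelta(days=7)  # assumed time the owner gets to react before the next step

@dataclass
class AbuseCase:
    asset: str                                # e.g. a domain, shop or account id
    stage: Stage = Stage.CLEAN
    reports: List[datetime] = field(default_factory=list)
    last_action: Optional[datetime] = None    # when the current step was taken
    audit: List[str] = field(default_factory=list)  # evidence the procedure was followed

def record_report(case: AbuseCase, when: datetime) -> int:
    """Log one formal abuse report; returns the running report count."""
    case.reports.append(when)
    case.audit.append(f"{when:%Y-%m-%d} report #{len(case.reports)}")
    return len(case.reports)

def record_owner_response(case: AbuseCase, when: datetime, abuse_stopped: bool) -> Stage:
    """A clear response that stops the abuse closes the case; any other response does not."""
    case.audit.append(f"{when:%Y-%m-%d} owner response: " + ("stopped" if abuse_stopped else "not stopped"))
    if abuse_stopped:
        case.stage, case.reports, case.last_action = Stage.CLEAN, [], None
    return case.stage

def advance(case: AbuseCase, now: datetime) -> Stage:
    """Take the next step only when its precondition holds; returns the stage afterwards."""
    if case.stage is Stage.CLEAN and len(case.reports) >= REPORT_THRESHOLD:
        _step(case, now, Stage.WARNED)
    elif case.stage in (Stage.WARNED, Stage.BLOCKED) and now - case.last_action >= RESPONSE_WINDOW:
        _step(case, now, Stage.BLOCKED if case.stage is Stage.WARNED else Stage.TAKEN_DOWN)
    return case.stage

def _step(case: AbuseCase, when: datetime, new_stage: Stage) -> None:
    case.stage, case.last_action = new_stage, when
    case.audit.append(f"{when:%Y-%m-%d} step -> {new_stage.value}")

def demo_run(owner_cooperates: bool) -> List[str]:
    """Constructed walk-through for one reported asset; returns the stage after each event."""
    t0, case, trail = datetime(2022, 11, 9), AbuseCase("shop.example"), []  # constructed
    for day in range(3):  # three reports on consecutive days: the third one triggers step 1
        record_report(case, t0 + timedelta(days=day))
        trail.append(advance(case, t0 + timedelta(days=day)).value)
    trail.append(advance(case, t0 + timedelta(days=5)).value)  # still inside the response window
    if owner_cooperates:
        trail.append(record_owner_response(case, t0 + timedelta(days=6), True).value)
    trail.append(advance(case, t0 + timedelta(days=9)).value)   # window elapsed: step 2 unless resolved
    trail.append(advance(case, t0 + timedelta(days=16)).value)  # window elapsed again: step 3
    return trail
```

Running demo_run(False) walks the asset from clean through warned and blocked to taken_down, while demo_run(True) shows the case closing as soon as the owner's response stops the abuse.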
10. Enact an International Scam Investigation & Prosecution Network
Why: Scammers work globally, often across multiple countries. In most countries (online) fraud is punishable, but the penalties are often light compared to other crimes. Stealing a bike valued at $250 may result in a more severe punishment than stealing $250,000 from an elderly person via an online romance scam. Some crimes, like money muling, are hardly punished at all. Combined with the current low chances of getting arrested, cybercrime pays.
How: Each actor in the fraud chain should be punished more severely, including money mules and facilitators. Driving the getaway car after robbing a bank is also facilitating crime. Executive powers to apprehend criminals will always be at the national level. Some countries have already set up a specialized court to handle the more technical cases of online scams. In the end, legislation and punishment for online fraud have to be unified across nations, to make sure that online scammers do not flee to countries with little or no legislation against online scams.
Who: With the establishment of a Global Scam Data Sharing Hub (recommendation 7), a logical next step would be to use that data to identify the biggest scam networks and apprehend the kingpins behind them. Expanding the charter of Europol, Interpol and related initiatives to facilitate the investigation and apprehension of scam networks, in close cooperation with the National Anti-Scam Teams, is essential to Turn the Tide on Scams.