Fraud has reached “epidemic” levels in the United Kingdom over the past 12 months, costing up to £190 billion a year and constituting what the Royal United Services Institute has called a “national security threat” in need of an urgent institutional response.

But it is clear that the police are struggling to keep pace with fraudsters. A 2018 Which? report found that an estimated 96% of fraud cases reported to Action Fraud go unsolved. And with scams seemingly on the rise, 54% of which involve the internet, the problem of online fraud appears to be getting worse.

There are romance scammers forming bogus online relationships with their victims, pet scammers setting up thousands of websites selling animals that do not exist, and phishing scammers using fear and urgency to obtain sensitive personal information from victims.

In response to the growing threat of online fraud, volunteers have taken the matter of policing scams into their own hands, with some forming vigilante groups of “scambaiters” who seek to identify and disrupt scammers where police forces have failed.

But while scambaiters may be effective in reducing online fraud, our study has shown they are also controversial, with some communities rewarding scambaiters who humiliate or inflict harm on scammers. On closer inspection, this form of vigilante justice may actually do more harm than good.

What is scambaiting?

The most basic form of scambaiting sets out to waste a scammer’s time. At a minimum, scambaiters attempt to make scammers answer countless questions or perform pointless and random tasks. By keeping a scammer busy, scambaiters claim they are preventing the scammer from defrauding a real victim.

Play

Scambaiting may also be conducted with a specific purpose in mind. Sometimes scambaiters attempt to obtain an offender’s bank account information, for instance, which they then report to a financial institution. But there are other, less benevolent motives in the scambaiting community.

Thousands of scambaiters are organised on the 419eater forum, which describes itself as the “largest scambaiting community on earth”, with over 1.7 million forum threads. The forum was first established in 2003 to tackle the growing issue of 419 emails – a scam that promises people huge sums of cash in return for a small upfront fee.

419eater provides a particularly interesting case study because members are incentivised and rewarded for their scambaits through a unique system of icons, regarded as trophies, that they can obtain in their profile’s signature lines.

Hunting trophies

These trophies can be fairly benign. Some icons are awarded for exceptionally long scambaits, or for securing a photo or video of the scammer. But other trophies may cause lasting damage to an offender’s physical and mental wellbeing.

The yin yang trophy symbol, for example, represents an offender getting a permanent tattoo. Given that those targeted are often located in some of the poorest communities in West Africa, this exposes the offender to a greater risk of HIV transmission.

Another more sought-after trophy is the pith helmet. This is awarded when an offender travels a minimum of 200 miles on a round trip, which may result in the offender being stranded and therefore forcing them to take desperate measures to return home.

To get offenders hooked into performing these tasks, the scambaiters will use a number of social engineering techniques (just like the scammers themselves) such as by inventing fictitious scenarios, forging documents, or by bringing in multiple scambaiters when a concentrated effort is required.

If one examines some of the scambaits on 419eater in greater depth, it is easy to see why scholars have criticised the forum for its face-value racism. One scambait, for example, resulted in an offender dressing up as the fictional character Curious George, with a hired monkey. Sections of the 419eater community appear to treat their predominantly West African targets with racial prejudice and the community seems set up to reward rather than condemn these acts.

Scambaiting has also received a recent boost in popularity, with YouTubers like Jim Browning now promoting their own scambaiting activities. Jim Browning’s techniques are controversial because he hacks offenders’ computers to transfer files to his own computer and yet they are seemingly tolerated. Browning was even the focus of a recent BBC documentary series.

Play

Scambaiting can also be dangerous, especially for those who are new and inexperienced. Scammers have previously employed a retribution technique known as “swatting” in cases where they have encountered a scambaiter. Swatting involves an offender making a hoax call to a police department in an attempt to elicit an emergency response from the police. In some instances, victims of swatting have been killed.

Fighting fraud responsibly

So scambaiting appears both controversial and risky. But voluntary responses to online fraud need not be this way. For instance, the primary author of this article, Jack, helped set up Petscams.com, an organisation that attempts to deal with the growing number of pet scam websites and uses a disruption approach as opposed to the confrontation tactics used in scambaiting.

Petscam.com volunteers have created a database of fraudulent pet and shipping websites and have joined the US Federal Trade Commission’s consumer sentinel network that provides a facility through which volunteers can report phishing websites.

Our research also suggets that state-led initiatives could play a more prominent role in tackling online fraud. Since 2011, the National Crime Agency in the UK has run a scheme, using “Cyber Specials” with relevant skills to volunteer as special constables. Yet the uptake has so far been poor, and a 2019 review found that 16 police forces and three regional units weren’t using volunteers to tackle cybercrime.

Voluntary initiatives like 419eater have shown there is an appetite from the public to tackle scams. If state bodies can harness them in a more ethical and effective way, we may be able to better address the epidemic of fraud currently sweeping the UK.

Jack Mark Whittaker is a PhD Candidate, Criminology (Cybercrime) at the University of Surrey. Mark Button is a Professor of Security and Fraud at the University of Portsmouth.

This article first appeared on The Conversation.