Part 6: Dot-Con follow up
I’ve been getting some great feedback about this series of blogs. Many thanks to everyone who has been reading them and passing along links to friends.
As part of this investigation I talked to someone at the FBI about ic3.gov and other things people can do when they fall victim to these types of scams. Here were his thoughts.
- Report the crime. This could be entering your information at ic3.gov, going to your local police, contacting the website where the fraud was initiated (if it was initiated through a particular website) or all of the above. If you don’t report the crime, then there is no chance law enforcement will catch the criminal. And if the perpetrator is caught, you definitely won’t get restitution (in the unlikely event there is restitution) unless you report it. Whatever you do – don’t try to take these criminals down yourself. By continuing to interact with these people you are only putting yourself more in harm’s way. Let the experts – law enforcement – do their jobs.
- Have appropriate expectations. Finding and prosecuting these criminals takes time. It could be years before you hear anything about this. I know victims want more immediate retribution, but unfortunately, that is extremely rare.
- [This may be the most important one.] If law enforcement follows up with you later about additional details or needs you to sign a form that you were victimized, PLEASE help them. There are too many cases where the perpetrator finally goes to trial and because it is years later, law enforcement isn’t able to get victim cooperation. Don’t let the hard work of the law enforcement agents go to waste!
As I mentioned earlier, I’m hoping to put together an initiative to get the word out about what people can do once they’ve been victimized online. I’m hoping to work with the APWG, the NCSA, and maybe getsafeonline.org to make this happen. Please let me know if you want to participate.
Hopefully this series has gotten you thinking about what it is like to be a victim. I think it is critical that we, as online crime fighters, maintain the perspective of the people for whom we are fighting.
Part 5: Dot-Con – Online fraud from the victim’s perspective
My previous posts described Paul and Scott, the scams they fell for, and the things they did to try to get help. In talking to Paul and Scott, I came to realize that I had very little understanding of electronic crime from the victim’s perspective. I have spent my professional life trying to thwart these online criminals through policies and technology, driven by the belief that it was the right thing to do. But hearing the frustration, tedium, and finally hopelessness that Paul and Scott have endured because they were fooled by schemes that were very convincing and seemed legitimate has reawakened the purpose of my pursuit. More than ever, I want to stop these scams.
At the moment, my main concern is this: the bad guys have found a loophole in the system that allows them to exploit people like Paul and Scott and get away with it. By keeping the final “take” for each victim relatively low (within $10k or so), and by having geographically diverse victims, the bad guys make it extremely difficult for law enforcement to determine when there might be a mass crime spree taking place.
In talking to someone from the FBI, it sounds like it is generally believed the bad guys aren’t targeting the low dollar amounts to stay under the radar. But, since the amounts in these cases are low, they do tend to go a bit more under-reported/under-investigated than the higher dollar amounts. There are groups within law enforcement that not only collect the data from the victims (through ic3.gov), but also link that data to more prolific online fraud networks like botnets, spam rings, etc. This is great news!
So, there are places to report this: ic3.gov. I don’t think law enforcement usually spends much on marketing, so that might be why the message about this site isn’t out there.
What I’m wondering has two parts.
1) Is ic3.gov the best place to report these types of crimes? Are there other such databases/aggregators?
2) Whatever place is the best – can we get the message out about how to respond to this type of fraud? Just because law enforcement doesn’t have a marketing budget, doesn’t mean the message can’t get out there. Maybe we can help.
If anyone out there has thoughts on these questions, I’d be very interested to hear them. I’m going to start exploring this topic further. I’ll be soliciting help from my friends at the Anti-Phishing Working Group (APWG) to do this, but if any of you out there would like to participate in this quest, please let me know. I think the questions above are fundamental to moving the fight against online fraud forward.
Part 4: Dot-Con – Online fraud from the victim’s perspective
In previous posts I described Paul and Scott, two innocent people on different continents who were both victimized by online (and somewhat offline) scams. As a reminder, Paul fell for an inheritance advance-fee scam and Scott was victimized as an eBay power seller by a drop-ship scam.
Once they realized something was wrong, here’s what they did to try to rectify the situation.
Since Paul was in a different country from where the scam was purported to have taken place, he was at a loss as to how to proceed. He figured his local law enforcement wouldn’t be interested in a case that was for a fairly small amount and was outside of their jurisdiction. He wanted to contact the police in London, but was not sure how to do that. So, he saw my email address in association with electronic crime and reached out to me for help. After I spoke to him he did go to his local law enforcement office. They said they’d get back to him.
When I heard about Paul’s case, I contacted some of my friends. One explained that law enforcement in England has to prioritize their cases and anything below $100k in loss doesn’t make the cut. Another gave me the email address of some law enforcement people in Paul’s country. Paul emailed them and never heard back. Someone suggested he report the fraud to www.ic3.gov where it could get aggregated with other scams. He did that. I also asked a friend at the FTC to send something to the analogous organization in Paul’s country. He did, but we didn’t hear back. Finally, we went to the local police. They say they are working on it, but the case doesn’t seem promising.
By the time I talked to Scott he had contacted “every law enforcement agency he could think of”. He had talked to his local law enforcement, the FBI, and the Canadian authorities (since the money was picked up in Canada). He told me he had walked through his story numerous times with each of them. He had saved all of the documentation and was able to show it to them to help them track down the criminals.
In addition, Scott had done some sleuthing of his own. He had called Western Union to find out whether the money had been picked up and, if it had, where. They told him it had been picked up in Canada. He had called the newspaper to see if they knew any more about the advertiser only to be told that the newspaper realized it was a fraudulent ad and that they weren’t going to get paid.
