Online scams have become a global epidemic. Consumers worldwide lost an estimated $55 billion to online scams in the last year alone, and the social and emotional trauma cannot even be measured. In many countries online scams are now the most reported type of crime: in the UK, 41% of all reported crimes relate to online fraud, and in Singapore the figure is 50%.
Further, the loss is likely a gross underestimate, as only 7% of all online scams are even reported. Because a mere 0.05% of all cybercriminals are caught, and because new technologies such as deepfakes and ChatGPT make it increasingly hard for consumers and law enforcement to identify deceit, online scams will continue to grow and thrive.
Governments and security companies are largely focused on fighting the "Big Cybercrime" that targets (large) corporates and national infrastructure. This ignores the fact that online scams are also harming consumers and diminishing their trust in the global digital economy, which now represents 15.5% of global GDP. This is unacceptable, and more needs to be done to protect consumers worldwide.
Last November, 1,300 (virtual and physical) participants collectively formulated 10 recommendations to enhance consumer protection against global scams. This document summarizes the recommendations and is meant to inspire international institutions as well as national governments to take steps toward making the Internet safer for all.
1. Raise Consumer Awareness on a National Level
Why: In most countries there is no single national strategy to raise consumer awareness about what scams are, how to protect yourself against them, and how to report online fraud. Campaigns to educate consumers about fraudulent schemes are typically fragmented across government agencies and industries. They often take the form of singular, one-shot appeals, lack a uniform approach, and frequently advise actions that are outdated (such as checking for an SSL/TLS certificate, which scammers obtain as easily as legitimate shops do, or relying on consumer reviews, which can be fabricated). Their impact is rarely evaluated scientifically, so it remains unknown.
How: Several studies have measured the effectiveness of anti-social-engineering training. They emphasize the importance of interactivity (gamification), direct contact with the user, focus on a specific type of scam, and continuous education. A unified, national, continuous awareness-building program is required, based on international Best Practices, covering education from primary school to elderly homes, with results that are measured scientifically, and centrally funded in partnership with industry.
Who: Establishing a national Public-Private Partnership (PPP) with participation from government, law enforcement, consumer protection, financial, telecom, internet, and related industries represents a rational course of action. This approach offers advantages for all stakeholders by promoting a safer internet usage environment for consumers and harnessing collective “marketing power” to enhance awareness. Notably, the Friends Against Scams initiative in the United Kingdom represents a best practice example in this domain. This program has trained over one million citizens using a highly successful “Train the Trainer” approach.
2. Facilitate One National Online Reporting Platform
Why: Worldwide, it is estimated that only 7% of all scams are reported. The causes vary, from a sense of shame on the part of the victim to not knowing where to report a scam (like awareness building, fraud reporting is often spread across multiple stakeholders). Many victims also feel that reporting makes no difference or is too complicated. In many countries certain types of scams must be reported to specific agencies (police, financial authorities or consumer authorities), and online fraud reporting is frequently not available at all. The sad reality is that many victims are unable to report a scam because authorities refuse to record the complaint, citing that the victim "should have known better".
How: The FBI's Internet Crime Complaint Center (IC3) and the UK's Action Fraud demonstrate Best Practices for national reporting of fraud and cybercrime. While Action Fraud has recently been cited negatively in the news for poor execution and taking little "action", it has, together with CIFAS and UK Finance, made reporting cybercrime more accessible and has raised political awareness that online fraud has become the number one crime in the UK. The Federal Trade Commission and the FBI have achieved the same result in the USA. In general, consumers in these countries can report online scams centrally and easily online, although further improvements to the reporting process are always possible.
Easy reporting has several positive effects. Apart from empowering scam victims, it provides a platform for victims to quickly warn others about dubious sellers. Scam reports can quickly be turned into scam alerts, allowing service providers to take down sites and servers. The Dutch Police, for example, publishes a list of dubious websites; a website is added to this list, ahead of any formal prosecution, once three formal reports about it have been received.
Who: The National Consumer Cyber Security Center or Police Anti-Scam Command (see recommendation 6).
3. Set up cross-organizational support for fraud victims
Why: Scams are the only crime the victim is said to have "fallen for". Online fraud is still associated with blame on the victim. However, as scammers become more advanced in target selection, technology, and criminal methodology, it has become painfully clear that anybody can get scammed: the right scam only has to find the right person at the right moment. It is essential that the criminal is blamed, not the victim. Helping scam victims is not only humane; it is essential to help victims become contributing citizens again and to prevent them from being targeted anew, since their details end up on the "donkey lists" (lists of previously successful targets) that cybercriminals trade.
How: Scam victims need to be given the same support as victims of any other crime at all levels (from municipalities to the national level) and from all perspectives (money recovery, social/psychological and technically, e.g., by offering free scam protection tools and limiting bank transfer options). A fraud support helpdesk can help victims find the right organizations regarding all aspects of the fraud and ideally one that not only directs the victim to the various providers but also takes an active role in “going through the recovery process”.
Who: The national Public-Private Partnership suggested in our first recommendation can take the lead if no victim support organization exists. In countries where a victim support organization does exist, it is recommended to broaden its charter and financial support. It is also recommended to use volunteers: many scam victims who have recovered would like to help other victims get back on their feet too. Best Practices are The Cyber Helpline initiative in the United Kingdom, Fraudehelpdesk in the Netherlands and IDcare in Australia.
4. Develop Infrastructural Tools to Protect Consumers
Why: While raising scam awareness is important and helpful, recent research shows that increased awareness alone does not reduce victimization. Consumers can no longer be expected to identify all scams themselves. The rule "if it is too good to be true, it probably is" no longer applies as scammers professionalize their tactics. New technologies such as deepfakes and ChatGPT make it nearly impossible even for experts to identify the deceit, let alone for consumers. Tools and preventive measures are needed to offer consumers additional protection.
How: Several commercial tools are offered to warn about, filter or block online scams. Some anti-virus companies, such as F-Secure and Trend Micro, offer a full suite of mobile and desktop scam protection. Likewise, an increasing number of schools and corporations integrate scam protection into their Internet filters using the services of suppliers such as NetSweeper and DNSfilter. Protection at the infrastructure level is necessary because consumers often fail to use and update these products, if they buy them at all.
Who: The National Consumer Cyber Security Center (see recommendation 6) can set up scam protection at the Internet infrastructure level, in close cooperation with telecom and Internet service providers. Examples of Best Practices are the Belgian Anti-Phishing Shield, Quad9 (a Swiss not-for-profit DNS resolver), and Taiwan's anti-fraud browser. The European DNS resolver may be a future alternative for protecting citizens in Europe.
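Infrastructure-level protection of the kind Quad9 or the Belgian Anti-Phishing Shield provide comes down to a resolver checking each query name against a scam blocklist before answering. The following is an added example, not code from the original page or from any of the providers named above, showing that lookup in Python with a constructed blocklist. It assumes the RPZ-style convention that an entry "bad.example" blocks exactly that name while "*.bad.example" blocks everything beneath it; the domain names used are illustrative and not real scam sites.

```python
"""Suffix-matching lookup of a scam-domain blocklist, as a filtering DNS
resolver applies it before answering a query (added example, constructed data).

Assumption (not from the original page): entries follow the RPZ-style
convention where "bad.example" blocks that exact name and "*.bad.example"
blocks every name beneath it; a hit is answered with a warning/block page.
"""
from enum import Enum


class Action(Enum):
    RESOLVE = "resolve"   # forward to the upstream resolver as usual
    BLOCK = "block"       # answer with the warning/block page instead


def normalize(name: str) -> str:
    """Canonical form: trim whitespace, drop the trailing dot, lower-case."""
    return name.strip().rstrip(".").lower()


class ScamBlocklist:
    def __init__(self, entries):
        self.exact = set()      # names blocked exactly
        self.subtree = set()    # names whose subdomains are blocked
        for entry in entries:
            entry = normalize(entry)
            if entry.startswith("*."):
                self.subtree.add(entry[2:])
            else:
                self.exact.add(entry)

    def lookup(self, qname: str):
        """Return (Action, matched_entry); matched_entry is None on RESOLVE."""
        name = normalize(qname)
        if name in self.exact:
            return Action.BLOCK, name
        labels = name.split(".")
        # Walk up the parents: a wildcard on "scam.example" must also catch
        # "shop.scam.example" and "cdn.shop.scam.example".
        for i in range(1, len(labels)):
            parent = ".".join(labels[i:])
            if parent in self.subtree:
                return Action.BLOCK, "*." + parent
        return Action.RESOLVE, None


# Constructed blocklist; these names are illustrative, not real scam sites.
BLOCKLIST = ScamBlocklist([
    "cheap-brand-outlet.example",     # exact: one reported fake web shop
    "*.parcel-fee-refund.example",    # subtree: every host under this zone
])


def filter_queries(blocklist, qnames):
    """Decide each query name; returns {qname: "resolve" | "block"}."""
    return {q: blocklist.lookup(q)[0].value for q in qnames}


if __name__ == "__main__":
    sample = ["cheap-brand-outlet.example.", "WWW.cheap-brand-outlet.example",
              "login.parcel-fee-refund.example", "parcel-fee-refund.example",
              "bank.example"]
    for q, a in filter_queries(BLOCKLIST, sample).items():
        print(f"{q:40} {a}")
```

Two details in the sample queries matter in practice: an exact entry for "cheap-brand-outlet.example" does not catch "www.cheap-brand-outlet.example", and a wildcard "*.zone" does not match the zone apex itself, so a list that wants both must carry both forms. Most blocklists supplied to resolvers do exactly that.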
5. Make Fraud Traceable Cross-Border
Why: The Internet is meant to facilitate global communication, not to anonymize it. While individuals have a right to privacy, companies do not, as they deliver products and services to consumers and businesses. The current General Data Protection Regulation (GDPR) has been taken too far: despite its original intention, it now protects criminals more than consumers. The principles of the GDPR and an individual's right to privacy should not give criminals the ability to operate in the shadows. In effect, stringent GDPR interpretations reduce access to public information and data that could be used to prevent or disrupt criminal activities. The main tenet of the GDPR is to protect consumers from companies and criminals who harvest their personal data without their knowledge and permission; with the relevant changes, this principle can coexist with robust information exchange to prevent cybercrime.
How: A more effective balance is required between law enforcement and privacy protection. Existing GDPR legislation should be modified to distinguish between companies and persons. If a service or product is sold, the data is corporate, even when the person operating the company or providing the product or service is an individual. In the role of a company, it has to be clear who is selling a product or service, including direct ways to contact that entity. In practice, this means restoring public access to domain registration (WHOIS) data, or to its successor protocol RDAP, so that the owner of a domain can be identified.
However, this should not stop with a domain. The entire value chain needed to sell products or services, should enforce KYC and make transparent who is the offering party. The same holds true for both seller accounts on marketplaces and social media. Likewise, it is crucial to be able to identify the organization that shipped a package (sender origin especially is important in the identification of fake products) and to see the website and company name that debited your account on your credit card statement.
Who: Each party in the value chain has its global industry association, which can facilitate making fraud traceable: e.g., ICANN for domains, the Universal Postal Union for packages, the International Telecommunication Union for text messaging, etcetera. If the industry does not act, (inter)national legislation is the next logical step.
6. Set up a Dedicated National Consumer Cyber Security Center
Why: The biggest complaint regarding the United Kingdom's Action Fraud, and to a lesser extent the FBI's IC3, has been the lack of action. This is a general issue in most countries: even where reporting is facilitated, the general consensus is that little action follows. In most developed countries, less than 1% of law enforcement capacity is focused on tackling economic crime, and agencies lack the digital skills to combat digital crime properly.
How: Many countries have set up a National Cyber Security Center to protect their national infrastructure and vital industries. Unfortunately, consumer interests have been neglected when they should be provided with the same level of protection. To combat online scams effectively and efficiently a centralization of the very scarce cybersecurity resources and skills is essential. We suggest that the organization be part of the national police but, as many of the skill sets required overlap with those of the National Cyber Security Center, we also recommend that the allocated organizations be tied together in a kind of fusion center. In addition, as commercial organizations are fighting to hire the same experts, it is recommended that experts from the commercial sector (banks, telecom operators, cybersecurity companies, etcetera) are included as well. An excellent Best Practice is the Singapore Anti-Scam Command where all stakeholders sit physically together making it possible to block bank accounts, phone numbers, and IP addresses in real-time to protect Singapore citizens from scams.
Who: It is the role of the National Government to extend the charter of the National Cybersecurity Center or national police, or to set up a separate entity focused on cybercrime targeting consumers, and make available the required resources. This unit not only receives all data concerning scams (recommendation 2) but can also build up the skills to investigate, prevent and enforce on a national level.
7. Establish a Global Scam Data Sharing Hub
Why: Cybercrime is borderless. Professional scammers mostly do not scam in their own region or country. Often, they disperse their activities across tens of countries to remain ‘invisible’ to local and national law enforcement. Only by sharing data on scams, can scam networks be identified faster.
How: The data on scams reported nationally needs to be shared globally to find common threats and signals. This demands not only the creation of global data exchange standards but also the removal of barriers to sharing data. We recognize that this is a sensitive and long process. In the short term, sharing of non-private indicators such as scam domains and the IP addresses of scam infrastructure is already possible (noting that an IP address can itself qualify as personal data under the GDPR when it can be linked to an individual subscriber). In money laundering (ML) cases, privacy-related data is already shared, although often via slow and cumbersome processes. The same importance given to ML crimes must also be given to online scams. In addition, the data-sharing approval process has to be reduced from days, weeks or months to minutes or a few hours, as speed is of the essence in both ML and fraud cases. It is also important that the information is not limited to law enforcement: trusted parties such as banks, Internet service providers and cybersecurity companies require access to this data as well in order to identify or prevent fraud.
Who: Regional hubs could be FBI/FTC in the USA and Europol in the EU. Internationally, Interpol is already managing 19 police databases with information on crimes and criminals. Maintaining in addition, an aggregated database of reported scams, collected by the national cybercrime report centers, would be a logical choice.
8. Make Service Providers responsible & liable for fraud enablement
Why: Scammers use the Internet the same way as companies. They need domain names, servers, marketing channels, and payment platforms to commit their crimes. While all service providers suffer from being misused by cybercriminals, some providers allow misuse a lot more than others, due to their (cheap) pricing strategy and lack, or even complete absence, of Know Your Customer (KYC) processes. Naming and shaming has in the past proven not to be sufficient. Some providers simply do not care. Introducing even a minimal level of KYC can have a dramatic positive impact. The Danish Registry, DK Hostmaster, for example introduced the requirement to show an ID before being able to register a .dk domain name. As a result, the number of online stores suspected of intellectual property right infringements using a .dk name dropped 85% in just one year.
How: Make each service provider, be it a registrar, registry, hosting company, social media platform, payment method (e.g., gift cards), cryptocurrency exchange or other party, responsible and liable for preventing misuse of its platform. As with the NIS 2 Directive, each service provider can determine its own level of KYC enforcement, but an objective standard is set for the maximum misuse tolerated on its platform. For example, if 3% of all domains are considered malicious, a provider whose share of malicious domains is twice its market share (i.e., 6% of the domains it hosts are malicious, against the 3% baseline) can be held liable for the damages caused by its customers. Likewise, a social media platform that is continuously reported as part of the fraud chain should be held accountable. This extends to the Internet of Things (IoT): more and more consumers use IoT devices such as Alexa, smart fridges and others. Cybersecurity should be part of any Internet service offered.
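The liability threshold above is a ratio: a provider's share of all malicious domains divided by its share of all domains, which is the same number as its own malicious rate divided by the global baseline rate. The following is an added example, not from the original page, that computes that ratio over a constructed dataset in Python and flags providers at or above the page's "twice the baseline" multiple. The minimum-size floor (min_domains) is an assumption added here so that a provider with a handful of domains is not flagged on statistical noise.

```python
"""Per-provider abuse concentration behind the "twice the baseline" rule
(added example with constructed data; the 2x multiple is the page's example,
the min_domains floor is an assumption added here).
"""
from collections import Counter


def abuse_metrics(records):
    """records: iterable of (domain, provider, is_malicious).

    Returns {provider: {domains, malicious, rate, market_share, abuse_share,
    ratio}} where ratio = abuse_share / market_share, which is algebraically
    the same value as rate / baseline_rate.
    """
    total, bad = Counter(), Counter()
    for _domain, provider, malicious in records:
        total[provider] += 1
        bad[provider] += 1 if malicious else 0
    n_all = sum(total.values())
    n_bad = sum(bad.values())
    if n_all == 0 or n_bad == 0:
        return {}
    baseline = n_bad / n_all
    out = {}
    for p in total:
        rate = bad[p] / total[p]
        out[p] = {
            "domains": total[p],
            "malicious": bad[p],
            "rate": rate,
            "market_share": total[p] / n_all,
            "abuse_share": bad[p] / n_bad,
            "ratio": rate / baseline,
        }
    return out


def flag_providers(records, multiple=2.0, min_domains=100):
    """Providers whose malicious rate is >= multiple x the global baseline.

    min_domains (assumption) keeps tiny providers from being flagged on a
    handful of domains; sorted for deterministic output.
    """
    metrics = abuse_metrics(records)
    return sorted(p for p, v in metrics.items()
                  if v["domains"] >= min_domains and v["ratio"] >= multiple)


def constructed_sample():
    """Synthetic dataset: (domains hosted, of which malicious) per provider.

    host-a: 2% malicious, host-b: 10%, host-c: 10% but only 50 domains.
    The provider names and counts are constructed for this illustration.
    """
    counts = {"host-a": (1000, 20), "host-b": (500, 50), "host-c": (50, 5)}
    records = []
    for provider, (n, k) in counts.items():
        for i in range(n):
            records.append((f"site{i}.{provider}.example", provider, i < k))
    return records


if __name__ == "__main__":
    for p, v in sorted(abuse_metrics(constructed_sample()).items()):
        print(f"{p}: {v['malicious']}/{v['domains']} malicious, "
              f"ratio to baseline {v['ratio']:.2f}")
    print("flagged:", flag_providers(constructed_sample()))
```

In the constructed sample the baseline is 75 malicious out of 1,550 domains (about 4.8%); host-b sits at 10%, just over twice the baseline, and is flagged, while host-c has the same rate but too few domains to count. Which "malicious" label feeds the count (reported, confirmed, taken down) is the contentious part in practice and should be fixed in the standard, not left to each provider.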
Who: The Global Scam Data Sharing Hub will have the data to make transparent which Service Providers continuously are listed at the top of misused platforms. National law enforcement and consumer protection organizations can use the aggregated data collected by the Global Scam Data Hub as basis to bring Service Providers to court.
9. Allow Preventive Action (Warn, Block, Stop)
Why: Making service providers responsible also means providing them with the liberty to act on (possible) misuse of their services by scammers. Scams are not black and white. For example, an online store that does not deliver products for six weeks and has a rising number of consumer complaints without any response may be a scam. However, in reality, it could also be a single-parent with two day-jobs and a sick child. Service providers are not “Internet cops” but should act on signals which indicate that their platform is being misused.
How: Service providers should be given legal protection against liability claims from their customers, provided they follow a clear procedure to prevent abuse. Where abuse is not 100% clear, three steps can be taken.
Warn the customer about the asset suspected of abuse.
If the abuse does not stop, or no (clear) response is given, the provider can block the asset, either by warning end-users (for example with a "red screen" interstitial, as Google and Microsoft already do for phishing and malware) or by making the service temporarily unavailable.
Finally, if the issue remains unresolved and the owner of the abusing asset takes no action, the abusing service can be taken down entirely.
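An abuse desk that wants the legal protection described above needs to show it followed the three steps in order, with deadlines and a record of each action. The following is an added example, not from the original page, modelling that escalation as a small state machine in Python; the three-day grace period and the audit log format are assumptions of this illustration, not a standard the page prescribes.

```python
"""Warn / block / take down escalation as an abuse-desk state machine
(added example; the three stages are the page's, the grace period and the
audit log are assumptions of this illustration).
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum


class Stage(Enum):
    REPORTED = 1
    WARNED = 2       # customer notified, response clock running
    BLOCKED = 3      # end-users see a warning page / service suspended
    TAKEN_DOWN = 4   # asset removed entirely
    RESOLVED = 5     # customer fixed or disproved the abuse


# Escalation order when a stage's grace period expires without remedy.
NEXT = {Stage.WARNED: Stage.BLOCKED, Stage.BLOCKED: Stage.TAKEN_DOWN}


@dataclass
class AbuseCase:
    asset: str                     # e.g. a domain or hosting account
    reported_at: datetime
    stage: Stage = Stage.REPORTED
    stage_since: datetime = None
    log: list = field(default_factory=list)   # audit trail of every step

    def __post_init__(self):
        self.stage_since = self.reported_at
        self._record(self.reported_at, "abuse report received")

    def _record(self, when, note):
        self.log.append(f"{when.isoformat()} {self.stage.name}: {note}")

    def _move(self, when, stage, note):
        self.stage = stage
        self.stage_since = when
        self._record(when, note)

    def warn(self, when):
        """Step 1: notify the customer and start the clock."""
        if self.stage is Stage.REPORTED:
            self._move(when, Stage.WARNED, "customer warned, response requested")
        return self.stage

    def owner_responded(self, when, fixed: bool):
        """A reply closes the case only if the abuse actually stopped;
        a dispute alone does not stop the clock."""
        if self.stage in (Stage.TAKEN_DOWN, Stage.RESOLVED):
            return self.stage
        if fixed:
            self._move(when, Stage.RESOLVED, "owner resolved or disproved the abuse")
        else:
            self._record(when, "owner replied, abuse continues")
        return self.stage

    def escalate_if_overdue(self, now, grace=timedelta(days=3)):
        """Steps 2 and 3: escalate when the grace period passes without remedy."""
        if self.stage in NEXT and now - self.stage_since >= grace:
            self._move(now, NEXT[self.stage], f"no remedy within {grace.days} days")
        return self.stage


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1)
    case = AbuseCase("shop.example", t0)     # constructed case
    case.warn(t0)
    for day in (1, 3, 6):
        case.escalate_if_overdue(t0 + timedelta(days=day))
    print("\n".join(case.log))
```

Run stand-alone, the constructed case is warned on day 0, blocked on day 3 and taken down on day 6, and the log lists each transition with its timestamp. That log is what the provider produces when a customer later disputes the takedown.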
Who: The Service Providers can determine their own processes and standards and use their own Terms & Conditions to prevent liability. The driver for Service Providers to act is that they are made responsible for fraud enablement if they do not monitor and improve their own platform sufficiently (see recommendation 8). The benefit for Service Providers is having a reputation amongst their clients and suppliers that they are doing their best to make the Internet a safer place for consumers.
10. Enact an International Scam Investigation & Prosecution Network
Why: Scammers work globally, often across multiple countries. In most countries (online) fraud is punishable, but the penalties are often light compared with other crimes. Stealing a bike valued at $250 may result in a more severe punishment than stealing $250,000 from an elderly person via an online romance scam. Some crimes, like money muling, are hardly punished at all. Combined with the current low chances of being arrested, cybercrime pays.
How: Each actor in the fraud chain should be punished more severely, including money mules and facilitators; driving the getaway car after a bank robbery is also facilitating crime. Executive powers to apprehend criminals will always remain at the national level. Some countries have already set up a specialized court to handle the more technical online scam cases. In the end, legislation and punishment for online fraud must be unified across nations, to make sure that online scammers do not flee to countries with little or no legislation punishing online scams.
Who: With the establishment of a global scam data-sharing hub (recommendation 7), a logical next step is to use that data to identify the biggest scam networks and apprehend the kingpins behind them. Expanding the charter of Europol, Interpol and related initiatives to facilitate the investigation and apprehension of scam networks, in close cooperation with the National Anti-Scam Teams, is essential to Turn the Tide on Scams.