This post is one I’ve had some trouble writing (which is part of why it took me two weeks). Not because it’s especially emotional or hits some soft spot of mine, but because it’s so huge it’s hard to know what to write about. This is definitely something that’s going to need follow-up, but I decided to go with a basic overview for this post, and I’ll do a deep dive into particular frauds or aspects in their own posts. So, yeah, if there’s an aspect you’d like to see more about, feel free to leave a comment.
There are many reasons people care about privacy, and why it’s important. It’s a basic human right, it’s necessary for civil engagement or revelation to be meaningful, and having your personal space/information taken just feels icky. But one of the major ones generally revolves around protection from those who would use that information to harm you – oppressive governments, intolerant people, or criminals.
The last is one that I think gets insufficient attention in the privacy space, for several reasons. It’s not especially sexy, and we generally view fraud victims as greedy or stupid so admitting that you’re vulnerable to fraud means saying you’re greedy or stupid, and the ways you protect yourself are largely the same ways you protect yourself against other threats (in terms of information control, anyway). But I think that’s wrong – fraud is a really big deal, it affects a lot of people directly and indirectly, and for most people it’s way more important than Facebook knowing if you have a foot fetish or not.
Defining fraud
(Just a quick note, I’ll be using the terms “fraud” and “scam” as more or less synonymous. This is not strictly speaking correct – “scams” are not necessarily criminal but merely any deceit with the intention of causing some behaviour, while “fraud” refers to certain legislatively-defined criminal acts – but the difference isn’t significant for our purposes today.) 1
Fraud is surprisingly hard to define beyond the very broad strokes. A lot of legislation uses terms like “deceit for the purposes of extracting money from the victim”, but that also includes a lot of things we wouldn’t usually define as “fraud” – shady-but-not-strictly-dishonest business practices, for one, like sites offering to source something for a fee that can be done elsewhere for free, or insurance that delays paying out until an interminable investigation has taken place, during which the insurance company will spend a lot of time (yours and theirs) trying to prove that one of the hundred exclusionary clauses in the policy applies. These are not, strictly speaking, fraudulent, but they absolutely rely on a degree of deception and dishonesty – the sites do note (in the fine print down the bottom, or maybe buried in their terms of service) that the cards can be gotten for free, and the insurance company does note that they have the right to investigate in cases of suspected fraud – but they distract so hard from that, and try so hard to pretend that it won’t happen, that you can’t really call it “fair and honest dealing”.
Then you have things like “payment protection insurance”. The thing about insurance is, it’s always a risk to the company – I can pay say $2,000 in premiums over a period of time, then turn around and make a claim for $100,000, and from the point of view of the company, they’re out $98,000. Insurance relies on most people paying more in than they get out. So obviously they’re incentivised to seek out “safe” customers – those who will very unlikely ever make a claim but reliably pay their premiums. This is not dishonest or unreasonable, but basic commerce, and I think most people who have thought about this for two seconds realise this, and engage in good faith. 2 But it does mean that each individual is making a “bad bet”, and the insurance company’s job is to convince them to make that bet. It’s not shady-but-technically-legal like the last category, but it’s still not what I could call “honest”, and does often rely on what I call deception-by-implication – the company doesn’t say that you’re very likely wasting your money, they just emphasise the “but what if?”, or imply that the person is currently “unsafe”, but buying their insurance will make them “safe” 3. But if we apply that “deceit for purposes of extracting money from the victim” standard, it’s not clear if it’s applicable or not.
Compare this with the “remote access” fraud – basically you get a call/e-mail from someone claiming to be from your ISP or Microsoft or Google or whoever, and they convince you to give them remote access to your desktop to deal with hackers or facilitate a refund on a fraudulent charge or whatever. Then they either blackmail money out of you, or claim that the refund went wrong and you need to refund their refund, or whatever. This is out-and-out fraud – I don’t want to say it’s morally worse than romance fraud (in my opinion it isn’t), but while that has the slightest trace of genuine connection there, this cannot be even slightly argued to be legitimate.
Some things are criminal, some are shady-but-technically-legal, and some are just normal business practices, and while we view them very differently, it’s not necessarily easy to draw a bright line and say “this is a fraud, this isn’t”. Even the same behaviour can move between categories depending on the place and time – the line between “false advertising” and “clearly hyperbolic or figurative language” is notoriously inconsistent between jurisdictions and over time, and the law might say one thing, but people might view things differently informally.
Victim blaming
Before I go into this, I want to spend some time talking about victim-blaming of fraud victims. The term “victim-blaming” has, like a lot of genuinely useful terms, been horribly mis-used over the last few years. But that doesn’t mean it’s not a real thing – people who fall for frauds are regularly described as “gullible, greedy or stupid”4, and this absolutely prevents people reporting that they have been defrauded, which gets in the way of both police action and understanding of how frauds work. To illustrate this, here is an excerpt from an actual interview with someone:
Interviewer: Hypothetically, if one of your children or if [wife] came to you and told you that they had responded to one of these emails and they had sent a lot of money, how do you think you would react to that?
Henry: I would probably blow my tool big time. I mean once it is done there is not much you can do about it. I would just say, you are an idiot, you are going to do your dough.
So this person explicitly said that if one of their loved ones came to them and acknowledged that they had been defrauded, their response would be anger towards the victim. Not sympathy, not gentle correction, not helping them to report it or feel better or recover the money or any of a number of helpful things, but explosive anger at the person who was a victim of a crime.
Let it not go unsaid – I disagree, strongly, with this characterisation. People who fall for frauds are no more to be blamed than someone who was physically attacked in the street, or had their system hacked. Yes, the risk factors are different, and it’s important to study these situations so we can prevent ourselves from being targeted in this way, including changes to our behaviour, but it does not follow that the people who were victimised did anything wrong, nor does it indicate anything wrong with their character. Yes, their behaviour was part of their risk exposure, but in the same way that me walking down the street with a limp doesn’t in any way mean I am to blame for someone beating me on the head with a pipe and stealing my wallet, them being concerned about being able to care for their sick relatives, or wanting to rectify an erroneous refund, or pay their legal taxes, or any of the other things that are actively exploited by fraudsters, doesn’t mean they are to blame for their victimisation.5
wrote about those who fall into conspiracy theories. Different topic, but I think the dynamic is similar to the point where you can basically search-and-replace “conspiracy theories” with “scams”:
You are not immune to conspiracy theories. You have probably developed a false sense of security by encountering many dumb conspiracy theories and feeling no temptation to believe them. These theories were designed to trap people very different from you; others will be aimed in your direction. The more certain you are of your own infallibility, the less aware you will be, and the worse your chances. The ones that get you won’t look like conspiracy theories to you (though they might to other people).
When you run into conspiracy theories you don’t believe, feel free to ignore them. If you decide to engage, don’t mock them or feel superior. Think “there, but for the grace of God, go I.” Get a sense of what the arguments for the conspiracy theory look like - not from skeptics trying to mock them, but from the horse’s mouth - so you have a sense of what false arguments look like. Ask yourself what habits of mind it would have taken the people affected by the theory to successfully resist it. Ask yourself if you have those habits of mind. Yes? ARE YOU SURE?
I feel like this gets to the heart of frauds. Most people will bounce off most frauds very quickly, some people will fall initially for some scams but extricate themselves before they lose anything but time, and some will unfortunately lose quite a lot of time, money or information. It’s not that these groups are of differing levels of intellect – smart people fall for cults all the time – but that people vary in their psychological vulnerabilities. What one person dismisses easily cuts right through another.
I like to think of them like allergies – most people can eat most foods without a problem most of the time, but some people will get a little sick from some in some cases – personally, if I’m stressed or haven’t slept, dairy upsets my stomach in a way it doesn’t normally. Other people can’t have dairy at all, and some may actually die if they have a single peanut. It’s not quite that some people are “stronger” than others – you can characterise it that way, but it’s not a very useful framing – but more that this particular thing happens to hit that particular person’s system from a particular angle, causing a certain outcome, in this case potentially a very serious one.
So, Average Bob gets the same kinds and amounts of scam attempts that the rest of us do, and he ignores them all, maybe has a bit of a laugh. But then his wife suddenly gets sick, really sick. The doctors are doing their best, but Bob is obviously upset that his wife is suffering. Then, he sees a flyer for someone who claims they can cure that sickness in a single afternoon. Bob normally ignores that stuff, he knows what his friends would say if he asked them, but… what if? He hears his wife sobbing from the pain, and he reaches for his phone.
While writing this post, I chatted to someone whose opinion I value highly about it, and they pointed out that comparing being mugged to being defrauded isn’t exactly the same thing – being mugged is a physical contest, while being defrauded is ultimately a psychological one. We understand “physical strength” as more-or-less uni-dimensional (an oversimplification of course, but more-or-less workable for most purposes), which just doesn’t apply to the dynamics of fraud. This doesn’t necessarily mean the person is “to blame” for being defrauded, of course, but we can’t simply pretend the two are the same. The way we think about them and defend against them is necessarily more complicated. 6
Types of fraud
There are a lot of different types of fraud, with a lot of subdivisions and hybrids and variations. I’m not going to be able to list them all, but I’m going to list some of the more common ones, and how privacy is implicated or involved in them.
Romance fraud
Romance fraud is not the most common type of fraud, but certainly the one that gets under my skin the most. In the simplest form, a romance fraud consists of the fraudster attempting to form, or promising, a relationship – usually but not always romantic or sexual – with the victim, in order to gain some benefit. This benefit can be direct – getting them to send you money being a common one – but sometimes it’s to get personal information to allow for identity theft, or to compromise a workplace or system. One notable subtype is pretending to be someone who the victim already has a relationship with – often a child or grandchild – and asking the victim to send them money because of an “emergency”. Sometimes it can take the form of engaging in sexual activity (either with the person or remotely by taking risqué videos or photos), which is then used as blackmail material.
As with a lot of frauds, this has definitely migrated online, but has existed for years, even centuries. In the Book of Judges, Delilah was bribed by some local chiefs (who served Dagon, interestingly) to discover the secret of Samson’s strength, which she utilised her position as his lover to discover, which allowed the chiefs to overcome him and the Israelites. In Greek myth, Zeus transformed himself to appear as Alcmene’s husband (fathering Heracles in the process).
Like most frauds, romance fraudsters target vulnerable people, which is how the privacy aspect comes in most obviously. Let’s say you’re a part of a local singles group on Facebook, or even just have your relationship status set to “Single”. If that leaks and gets tied to your identity, all of a sudden you’re more likely to fall for their scam. Gender has a role – men are more likely to fall for a romance scam, but women are more likely to send more money if they fall, which suggests some strategic optimisation. It occurs over a long period of time, slowly building trust and wearing down defenses.
See, there’s a rather interesting dynamic at play. Flirting can be considered basically strategic violation of boundaries7 – in Western society we rarely touch strangers or even friends outside of very specific exceptions like shaking hands, but maybe you lightly touch your flirting partner on the shoulder, or give them a small gift like buying them a coffee, or send them messages. If reciprocated – that is, if the partner indicates that they are OK with that behaviour – then you escalate, until or unless you find a place where they indicate they are not comfortable, at which point either the flirting ceases or is simply paused for a time until both are comfortable. A lot of it is not explicitly discussed, but inferred through gesture and language choice. Viewed from the outside and described this way, it sounds really malevolent and insidious, and sometimes it can be! Abusive relationships often have the same thing: they push a little bit more, a little bit more, and the partner just gets used to it. Romance fraud has kind of the same dynamic – normal strategic violations, but with malevolent intention and harmful outcomes. It even involves emphasising things held in common, like past military service.
Investment scam
There’s a bit of a tendency among cryptocurrency enthusiasts to… overstate the current use case of either crypto generally, or their particular coin specifically. I like the idea of Monero and anonymous digital cash, don’t get me wrong, but it’s basically illegal where I live, and even more mainstream cryptocurrencies are very rarely accepted for anything I actually buy – I can’t pay my bills with Bitcoin, I can’t pay for my groceries in Monero, and the local fuel station doesn’t accept Ethereum. There is a university nearby that has a kebab shop with a “Bitcoin accepted” sticker, but I would bet a moderate amount of money that literally nobody ever does so.
Add in the sheer overabundance of coins available, and the explicitly speculative tone of many of them, and this is why a lot of people call cryptocurrency a “scam”. This is, I think, unfair in the general sense, but in specific cases, very often. The idea of a “low-risk/high-reward”, “get in on the ground floor” investment opportunity is the very essence of “investment fraud” – basically, someone reaches out, pushes people to invest in their new coin/real estate scheme/derivative market strategy, gathers the money, and vanishes. Sometimes the investment never existed at all, sometimes it technically did but had its value grossly over-stated, or the fraudster never had the rights to it at all, but the end is the same – the fraudster makes money, and the investors are out of pocket.
Of course, sometimes the coin itself is the scam – “buy my Blahcoin, it’ll spike in value over 100x, but time is limited!” – but more often the fraudster requests payment in crypto because it’s hard(er) to track than fiat, in the same way that black marketeers often prefer cash.
Investment frauds vary widely in their form and execution, but they all seek to target those who are financially desperate or fear becoming financially desperate. In his excellent documentary Line Goes Up, Dan Olson phrases it very well:
And that's how it draws in the bottom: people who feel their opportunities shrinking, who see the system closing around them, who have become isolated by social media and a global pandemic, who feel the future getting smaller, people pressured by the casualization of work as jobs are dissolved into the gig economy, and want to believe that escape is just that easy.
I think he overstates the case a bit, perhaps as a pushback against what he sees as the excessive and sometimes predatory hype particularly around crypto derivatives like NFTs, but I think he adequately captures the dynamic of investment scams – people who have few options turn to fringe options because it’s the only way they can see to keep themselves afloat or even – gasp! – get ahead. There are exceptions of course – Bernie Madoff notoriously targeted the rich and ultra-rich – but in general it plays on people’s emotions, which is just that much easier if, say, you have a seriously ill family member and your pension doesn’t cover their needs and the landlord has just jacked up your rent 30% because they can.
Legal extortion
I don’t care for this label, but I can’t think of a better one. I don’t mean to imply that this behaviour is actually legal – it explicitly is not – but it refers to the type of fraud where the fraudster (falsely) claims to be a legal entity like the tax office or police, claims that the victim has done something illegal – say being behind on their taxes, or accessing material which is ambiguously legal (or unambiguously legal but generally frowned on) like pornography – and demands payment of taxes or a fine to avoid arrest. Like most frauds, this is not new or unique to the Internet – people have been pretending to be (or actually being corrupt) government officials and demanding payment based on made-up or real facts for centuries 8. But the Internet has opened up new avenues for this – be it malware claiming to have detected child porn on your computer or redirecting you to child porn, or being able to infer traits about you from data breaches which can serve as blackmail material – and criminals’ reach has grown exponentially.
What does this have to do with privacy?
I’ve been thinking a lot about threat modelling lately, particularly the kinds of threats people focus on when designing their threat model. My observation has been that there’s a lot of focus on governmental and corporate tracking and accumulation, and while I agree this is creepy – and data breaches make this a potentially significant concern – this is hard to square with things like abusive partners or stalkers, or fraudsters, or other threats that pose a clear and direct harm, in contrast to the more nebulous ickiness about Facebook gathering information about you looking at shoes.
However, this is one way in which the two streams cross. Let’s use the example of romance fraud; obviously, people who are lonely or socially isolated are more vulnerable – social bonding is a very common, near-universal human need, and being deprived of it causes all kinds of physical and psychological health problems. So if a potential scammer ended up with, say, a list of e-mail addresses and personal information about people on, say, a social isolation forum, or maybe a dating app, it’s a good bet they’re probably going to have a better “strike rate” than random people in the world. Even more so if they have obvious things in common, like you both previously served in the military, and they use language which is consistent with that.
Scams aren’t a simple fire-and-forget. Oh, some are, for sure, but a lot are very strategic. Social engineering is a surprisingly complex and interesting field, and one that doesn’t get enough attention in the privacy “community”. This study describes four broad types of social engineering, seven attack vectors, and seven attack channels, for 39 possible combinations (after eliminating those that are obviously incompatible). This study found that if a communication comes from a friend’s account, people’s willingness to believe it goes up from 16% to 72%, so things like simply knowing who your friends are can be very helpful to attackers. The famous “Hi, mum” scam netted millions in the last year – I can’t find specific numbers, but it seems totally plausible that it was way more effective when sent to actual mothers, than random people, or even random women.
So the privacy implications are this: Facebook knows you are single. It leaks that in a data breach, or sells it, or whatever. Somehow that information ends up in the hands of a criminal. That criminal uses that and other information to pick the kind of attack that would work for you – a romance scam purporting to be from a gender you’re attracted to, using language that implies a common interest or background. They build up trust over innocuous conversations, indicating that “they” are struggling financially, which will eventually come to a head. This is done over web chat and phone calls, and maybe even in-person. You, who have at this point built up a lot of emotional investment, want to help this person. So when they talk about how they’re not sure how they’ll make rent, you offer.
We talk a lot about “phishing”, but slightly less well-considered are the risks of spear-phishing, which is basically phishing only with a targeted attack. Rather than sending thousands of e-mails out and running the numbers, spear-phishing targets groups or even specific individuals, working to increase the chances that they will fall for it by utilising specific information.
So what?
I wanted to focus on the techniques and tactics used by fraudsters, and how we can defend against them – but it’s way, way too big. There are just too many, and they’re constantly evolving. So I instead opted to give a general overview to start you thinking, and hopefully that’ll help. There are a few takeaways from this post, and I’ll almost certainly do a follow-up on specific aspects I’ve touched on here. But for now, these are the main points, I think:
Fraud victims are not to blame or responsible for their victimisation, any more than me being beaten up by a mugger is in any way my fault. Yes, the dynamics are distinct, and the fact that the victim does engage in behaviour that harms them is important to bear in mind when considering one’s own risk profile – I can’t really stop someone hitting me with a stick, but I can have personal policies or measures in place to stop myself sending money or disclosing personal information or access to systems.
Fraud is complicated and multi-faceted, and basically every criminological work on the topic I have read has agreed that policing bodies do not give it enough attention. Maybe partly because it’s hard, partly because it’s less attention-grabbing than assault, murder or bank-robbery, partly because of the very real tendency towards victim-blaming.
Data breaches containing things like names, dates of birth, ID numbers etc. are more directly worrying since they can be used to steal your identity, have cards taken out in your name, and many other things, but things like “interests” or “hobbies” can also be used by criminals to hurt us, albeit in different ways.
Vulnerability to scams or fraud is not uni-dimensional, but very complicated, and it shifts over time. People’s financial and personal situations change, their experience grows in certain areas and withers in others, their values are different. All of these combine to make certain approaches work better or worse on certain people at certain times. Most will bounce off very quickly, some will go all the way – not because they’re stupid, but because the criminals are very, very good at their jobs.
As a result, to protect yourself? Do what we already do – be cautious about which companies know what, and when you hear about a fraud, make a real effort to learn about it and try to think how you might have fallen for it. Try to cultivate a degree of skepticism, and before you send any money make sure to confirm it’s legitimate (if that’s possible). If you think you might have been defrauded, report it! Even if the police aren’t helpful, the information is gathered by criminologists, which helps us understand it more. A lot of places have anonymous reporting systems in place – if nothing else, use them.
Despite this being a really, really long post, this is obviously extremely superficial. I absolutely intend to come back to the topic, and delve more deeply into specific aspects. If there’s any in particular you’re interested in, feel free to leave a comment and let me know.
I just want to briefly acknowledge some complexity I’m skipping over here. A lot of scammers – not all! – live in pretty poor countries or conditions, and for them this is one of the few ways they have to make money, feed their families, etc. And I’m well conscious of my position as a relatively (to them) wealthy person, dictating how they should be allowed to make a living in a context with very few alternatives. We use the example of stealing bread to feed your family, but in this case we’re all the bakers, criticising the thief. This is not to say that these criminals are any less wrong, or that we shouldn’t condemn these actions, but there is a complexity there I think is important to have in the back of your mind while engaging with these topics. Any time there is a tendency to make black-and-white statements about “this is bad” or “this person is doing wrong”, that is a flag to be cautious and thoughtful, even if the end behaviour is still the same.
I want to strongly distinguish this from what happens way too much, where people who want to hire a community venue for an event – say a park area for a picnic with their religious community, or a hall for a conference for a hobby community – have to buy “general liability insurance” or “public liability insurance”, which basically covers the organiser should someone be hurt or property damaged by the event. Rather than let the people look at the risks, judge their own exposure and comfort, and make a choice, they are forced, sometimes legally, to spend money on something that by definition is not worth it. But that’s politics, and a topic for another time.
Side tangent: something I’ve noticed – and this could just be my weird experiences – is a tendency for people to think that buying insurance somehow will prevent the Thing from taking place. Insuring your car will somehow prevent it being damaged or stolen. This is clearly a form of magical thinking, but it’s also encouraged by the language used by these companies – they “protect you/your family” or “keep you safe”, when that’s clearly wrong – they don’t have any influence over your car getting stolen or your kidneys shutting down, but if that does happen they’ll give you money. At best they mitigate the financial impact of the Thing; they don’t prevent the Thing happening.
Side tangent: I remember for a job I had once, I had to do some cyber-security training. It was basic and dull, but broadly solid in the advice it gave. Anyway, after I completed it, I mentioned doing so to a co-worker, who said (I think this is a direct quote) “Yay, you officially have common sense”, going on to say that this standard is rarely met. Bear in mind that this job meant we ended up helping a lot of scammers steal a lot of identities due to poor institutional practice on the part of both government and corporate bodies like the one we were working for, but clearly it’s victims of scammers or hackers who are to blame, rather than this being a complicated and professional practice by skilled criminals.
This is further complicated given that in the West we tend to equate intelligence with moral worth in a way we just don’t do with physical capability in the same way, but that’s a whole other Thing.
True story: in between writing and posting this post, a story crossed my path about a scam in Australia targeting Chinese international students. The fraudsters pretended to be Chinese officials, and threatened to deport the students or to harm their families if the student didn’t pay ever-increasing “fines” or bribes or whatever. When the student inevitably ran out of money, they were forced to pretend to be kidnapped, making their families pay ransom to the fraudsters, and recruiting the initial victim to assist in more frauds and scams.
Fantastic post Alan! Loved reading it.
There definitely is a kind of false assumption that if a person falls for some type of fraud or 'scam', they are immediately classified as gullible and susceptible and are 'looked down upon' in a way. Because as an outsider, and as someone seeing the final, big picture, people tend to believe that they would never fall for such scams themselves, when that is absolutely not the case. As you wrote, specific circumstances can astronomically influence the rate by which anybody accepts anything: you are far more inclined to consider tolerating harm, such as a criminal shooting you in the foot, when it appears that the only alternative is a more severe consequence, like being shot in the head or the chest, yet you would never accept getting shot in the foot in the first place. You'd also tend to believe that if you were the one who was getting shot, you'd find some elaborate strategy to escape unscathed or defend yourself, when this is also probably not true for the average person, provided someone is pointing a gun at you.
This also ties back to falling for a scam being seen as your personal downfall and completely being blamed on you (which makes the victim less likely to report the crime or even talk about it).
It is true that getting scammed is partly the victim's fault because an adult is – supposed to be – entirely responsible for his actions. It is also true that, with more awareness or education, or by simply taking a step back, a person might have been able to recognize the situation that's going on and retreat. However, people need to realize that these situations are not usually as simple as they sound, especially in targeted attacks. Responding logically to an emotional situation is very demanding when you're in a crisis – like someone promising a magic cure for a dying loved one – as doing this under pressure requires a lot of willpower, control, discipline and experience, especially as scammers tend to brutally play on our emotions and our thoughts once we let our guard down.
Everybody thinks differently, everybody has triggers where no logic or reasoning prevails, everyone has a weakness or a soft spot, and the scammer's job is to find that and exploit it as much as possible. To mitigate this it helps to be aware of your own limitations and weaknesses: what angers you? why does this person push your buttons? why did this movie make you cry? etc.
Privacy and particularly digital minimalism tend to help in these situations by making you proactive instead of reactive. You're not waiting for a scam to land in your inbox for you to flag it, you're making it harder and less likely for one to do so.
Would definitely love to read more about this, and would also love to help make it happen, if that's okay with you.