Monica Whitty

Monica Whitty

The first externally-funded project to join the expanded RISCS community is the EPSRC TIPS-funded Detecting and Preventing Mass-Marketing Fraud (DAPM) project, led from the University of Warwick by Monica Whitty and including research collaborators such as Michael Levi (Cardiff), Awais Rashid (Lancaster), RISCS director Angela Sasse (UCL), Gianluca Stringhini (UCL), and Tom Sorell (Warwick), from disciplines as divergent as computer science, HCI, philosophy, international studies, cyber crime, and psychology. It also has numerous international partners from academia, law enforcement, government, and non-governmental agencies that provide practical experience and can use the results to change their approach. Whitty, who outlined the DAPM project in a talk at the October 2017 RISCS meeting, believes these partnerships will help produce results the project could never produce on its own.

The project focuses on the problem of cyber-enabled mass marketing frauds – such as Nigerian advance fee emails (previously seen via post), investment scams, work-at-home scams, consumer scams and romance scams. There are many different versions of these frauds that are tailored for different types of people, so the project’s challenge is to understand them in detail, including the methods criminals use to trick victims out of their money, the psychological characteristics of victims, their online behaviours, and the attempts users make to protect themselves from scams. The key goal is to take an interdisciplinary approach to detect and prevent victimisation from these cyber-frauds, drawing from such diverse fields as psychology, computer science, HCI, criminology and philosophy. Psychology’s role is identifying the persuasive and deceptive strategies employed by the criminals; computer science comes into play to identify these indicators in the text and pictures the criminals use.

What is interesting about these scams is that unlike phishing attacks, which are created and sent by strangers, these types of fraud depend on deliberately developing and then exploiting a relationship, whether that’s a romance, an investment, or charitable donations.

It’s easy to underestimate the frequency of this category of fraud. As Whitty points out, there are more victims of computer fraud than there are people whose homes are broken into. In 2015, the Office of National Statistics recorded 2.46 million online crimes, and the basis for presuming that these frauds are under-reported is very strong. Worse, she adds, about a quarter of victims are re-victimised, in part because the scammers share – or sell each other – the “suckers list”.

Whitty has been working in this area for over 15 years. Previous studies have sought to establish the characteristics of victims on the basis that knowing these should help prevention efforts. Characteristics such as impulsiveness, urgency, quick responses, and sensation-seeking, and addictive disposition all predict victimhood. The hope is not that identifying these characteristics will be enough on its own, but that doing so may help highlight points where victims can be brought out of the scam. Whitty has frequently accompanied law enforcement on visits to notify victims, and she has found it can be very difficult to make them fully accept what’s happened.

A new and recent discovery Whitty has found surprising is that people who read sites like Action Fraud or Get Safe Online, and Which? Magazine are actually more likely to be defrauded – and to become repeat victims. From interviews, Whitty believes this is partly because they find these sites cumbersome to understand. Moreover, the sites do not always provide “actionable” advice. In addition, their advice may be incomplete: Whitty believes that reporting agencies such as Action Fraud and ACORN need to provide enough information to victims to protect them from re-victimisation. As an example, an Australian investment fraud victim told Whitty that she assumed that the letter she received from the reporting agency contained everything she needed to know and that she now was safe. No-one told her she might now be on a suckers list, or that she should change the phone number she’d used to speak to the criminal, or that she should change the passwords she’d shared. So she has been a repeat victim and continues to be targeted, but until the interview with Whitty she didn’t understand why.

One aspect that Whitty has written about in depth is hyper-personal relationships (intense, trusting relationships that involve high levels of self-disclosure) that draw people in and establish trust. Here, the internet makes a difference, in that it has brought criminals the ability to control their victims in a more strategic way and develop trust to the point where even when the scam is exposed the victim cannot quite believe the relationship wasn’t real. Whitty argues that this is why it’s important to include ideas from many disciplines such as marketing and sales techniques and the gambler’s fallacy of the “near-win” (which has particular relevance in investment scams).

Part of Whitty’s work, therefore, has been to break down romance scams into a series of stages that may take anywhere from a week to two years to execute. Criminals are patient because they have plenty of victims to occupy their time. She has similarly broken down work-at-home scams, though these tend to proceed much more quickly..

Identifying these stages offers points for potential intervention. However, it also shows how important is to be careful with messaging. For example, potential victims are often told that if something is “too good to be true” it’s a scam. It sounds like rational advice, but often the “too good to be true part” begins later. In a work-at-home scam, it doesn’t seem to be too good to be true until perhaps three emails in, at a point when the victim thinks they’ve already checked that off. At Lancaster University, Awais Rashid and his team have done some work trying to find characteristics that would identify scam-baiters that is, people who waste scammers’ time by trying to present themselves as potential victims.

The DAPM project will also ask philosophical questions. How much, if any, responsibility should victims bear? How does that change when victims cross the line into criminality under a scammer’s influence? It’s easy to say they are responsible for their own actions, but in romance scams victims are following the script of what they believe is a normal relationship. That being the case, should they really be responsible for thinking it’s not real?

The research is also examining what practitioners are doing offline to prevent mass-marketing fraud victimisation. For example, DAPM is working with multiple groups in Southampton – including the council, the police, and the Silver Surfers, among others – to learn and evaluate what does and doesn’t work to prevent this type of crime. DAPM is also working with banks, as they are frustrated by seeing customers become victims and not knowing how to stop it from happening.

Another prior project, UNDERWARE (for Understanding West African Culture to Prevent Cybercrimes), focused on West Africa and particularly Nigeria because many crimes originate there or from Nigerian expatriates in other countries. What is emerging from that work is a different moral code about what is a scam – it’s considered permissible to scam people but not to steal from them, for example.

The question was raised as to whether the project was getting close to providing tools for others to exploit. Awais Rashid agreed that some of the work using Whitty’s psychological models is becoming highly accurate at detecting scams from profile attributes and processing images. For deploying this type of automation in practice, Rashid sees two main options: the tools could be deployed by service providers and site owners, or they could be given to users via a browser plug-in. The first case would require maximum precision and moderators to do the work. The second requires thought about how the user might use it, and the group would need to solve the problem of false negatives and mislabelling. Until the gap between the back end and end users has been bridged, the technology will not be ready. Meantime, there are many simple things that can be done about guardianship, and the project is talking to Action Fraud and Get Safe Online. In answer to a question asking if these tools could be used by scammers to train themselves to be more effective, Whitty agreed this is an issue and for that reason DAPM defers to law enforcement about what the project shares publicly.

Wendy M. Grossman

Freelance writer specializing in computers, freedom, and privacy. For RISCS, I write blog posts and meeting and talk summaries