How to get away with fraud: the successful techniques of scamming




Fraudsters use specific social engineering tactics to gain the trust of their victims.


Cassandra Cross, Queensland University of Technology

It is easy for those of us who have ignored emails from Nigerian princes or refused to transfer money on behalf of an online love interest to scroll past stories about scams, thinking it could never be us.

But so far this year, Australians have reported losing more than AU$76 million to all types of fraud, with phishing scams being the most prevalent. Given fraud has one of the lowest reporting rates, this is likely to be the tip of the iceberg.

From the outside, it’s difficult to understand how fraud occurs, and why some victims send large sums of money to offenders or take other drastic actions. It’s easy for a rational person to identify these situations as fraud.

Too often, we focus our attention on the culpability of victims in these situations. But it’s the offenders and their actions we should be focusing on. How exactly do fraudsters get victims to do such outlandish things?

Grooming the victim

In many cases, it’s a culmination of efforts that result in the victim sending money or complying with a fraudster’s request. Some offenders target specific victims and build a profile of them through online or offline tracking.

In other cases, the contact may start as random, but the fraudster will work hard to establish trust and build rapport.


There is research to support the concept of “hyperpersonal” relationships, or ones that are developed more intensely and quickly online compared to offline. Online communication lacks the non-verbal cues that could raise suspicions on the part of a victim.

Further, there is power in the written word. Several fraud victims I interviewed in my research told me they saved all their chat logs with their offenders from the first contact. Re-reading these conversations allows them to feel a deeper connection to the words – and the person sending them – compared to a verbal conversation.

By being persistent and patient with their contact, fraudsters raise few red flags when they ask a victim for money. Many victims come to believe the situation they are being presented with and the reason behind the request.

Social engineering techniques

Online offenders are also able to identify a weakness or vulnerability in a person relatively quickly and decide on the appropriate strategy to exploit this.

The use of authority to gain trust and compliance is commonplace. Offenders will take on the identity of a person or organisation and use this to threaten victims into submitting to their requests. Fear can be a strong motivating factor.

This is why so many people fall for phishing emails, or those that appear in our inboxes from a bank or government organisation. These emails say there is a problem and threaten a negative consequence (such as the closure or freezing of a bank account) if their instructions are not followed.


A sense of authority has been clear in the recent scams targeting Chinese students in Melbourne who have been tricked into staging their own kidnappings. The victims receive calls from the Chinese “police” or some other authority and are told there is a problem with their visa, or that they have been involved in criminal activity.

In order to prove their innocence, the victims are asked to send money. Or, they are directed to stage their own kidnapping, with the intention of extorting money from their families. The threat of deportation and jail time are powerful motivators for victims, who genuinely fear for their safety.

The use of scarcity – the idea of a limited offer – is another successful technique of fraudsters. By implying their request has a limited timeframe for response, or that the promised reward is limited in availability, they compel people to respond.

Examples of scarcity are commonly seen with lottery scams and sales frauds. Earlier this year, for instance, Scamwatch reported that fraudsters were advertising pedigree breeds of puppies for sale, often demanding money up front to cover transport or medical costs. Victims were duped out of over AU$300,000 in a single year.

Coercive control

The use of psychological abuse tactics by online fraudsters also helps to explain why they have so much power over victims despite a lack of physical proximity.

Richard Tolman, a professor of social work at the University of Michigan, identified nine techniques of psychological abuse used by offenders in situations of domestic violence. In an exploratory study, my colleagues and I were able to apply many of these to the context of fraud.


In these cases, offenders employ abusive techniques in their communications to gain compliance at the beginning and maintain it throughout the fraud. In my research, several victims reported being verbally abused when they questioned the nature of the relationship or refused to send money.

Several victims felt the offenders were deliberately leading them to question themselves or their own judgement. This destabilisation is not exclusive to romance fraud and can allow offenders to exploit victims over long periods of time.

Fighting against fraud

The pervasive nature of these tactics is difficult to guard against. Most people do not believe they are vulnerable to fraud and are not aware how they could be deceived. Offenders rely on this.

There is also a strong stigma attached to falling prey to scams. Victims are often blamed for their own circumstances and losses. This exacerbates the suffering they’ve experienced at the hands of the offender.

It’s important to raise awareness of the pervasiveness of this type of fraud and the methods used by offenders to target victims. Promoting a culture in which we can openly talk about fraud without judgement or blame is critical to achieving this.

After all, offenders rely on the silence of victims most of all to continue committing these crimes. In order to break through the silence, we need a better understanding of the techniques they use and more work to identify successful countermeasures and prevention messages.

Cassandra Cross, Senior Lecturer in Criminology, Queensland University of Technology

This article was originally published on The Conversation. Read the original article.


What if the companies that profit from your data had to pay you?




In the largest technology companies, the share of income going to labour is only about 5 to 15%.


Vincent Mitchell, University of Sydney

When it comes to digital privacy, there are plenty of organisations making money out of using your data – Google and Facebook are just two examples. But what if you were the one making the money?

What if those organisations profiting from your data had to pay you a share of that earning?


This idea – raised in a recent article in Quartz – is gaining ground.

American author and law professor Eric Posner says data creation is labour, pointing out that in the largest technology companies, the share of income going to labour is only about 5-15%.

That’s way below the estimated 80% share that Walmart, for example, pays for labour.

So if you accept Posner’s theory that data is labour, then companies who make money from marketing your data are essentially getting labour for free. And it’s not only your personal data they exploit. It’s also the many hours of labour it takes to create social media content in the first place – and the hours we spend viewing and responding to the content made by others.

Working out what your data is worth

Despite the personal data industry generating some US$200 billion in revenue every year, data brokers give little, if any, money back to the providers of this asset.

Admittedly, valuing personal data isn’t easy.

Let’s take Facebook, for example. If we divide its revenue (US$40.7 billion in 2017) by the number of monthly active users (2.196 billion), then each user is worth US$18.53 on average.


You could think of this figure as the amount that your Facebook data is worth.

Of course, this is a very simplistic calculation. Even without using your data to target you with ads, Facebook’s size means it could still make money from advertising – just like any other media outlet. But it’s the targeting that helps Facebook dominate the digital advertising market.

Indeed, concerns about Facebook’s ability to continue to exploit personal data have likely contributed to Facebook’s recent drop in share price.

If you combine your Facebook data with the rest of your digital footprint, some estimate that an average US consumer could make up to US$240 per year. This amount could be much higher if you include other valuable data, such as your purchase history, location, and financial information.

So our data could make us money.

Some companies already pay for it

Market research companies have been paying people for their data for decades.

Nowadays, YouTube pays creators for posts via AdSense. Opinion Outpost pays you for voicing your opinion. Swagbucks pays you to do everyday things on the internet. And Small Business Knowledge Center even pays you for your junk mail.

So if some companies are already paying for personal data, why isn’t everyone paying for it?

There are two main reasons for this.

First, our data are dispersed, fragmented and inaccessible. People who use ad blockers, “do not track” tools, and high privacy settings erode the quality of data that can be gathered about them. So each company with which they interact has only a small portion of their data, which can lead to errors in targeted marketing.

The holy grail of data integrity is when your data comes directly from you. This means it’s 100% accurate, comprehensive, and handed over with explicit consent.

Second, unlike other possessions, it’s hard for individuals to trade data. If data can’t be easily sold at the owner’s will, it’s difficult to extract value from it.


Companies such as the UK startup allow users to upload and store their data in a single app where they have control over it.

Others, such as the European Union-based Wibson, Singapore non-profit Ocean, and the US startup Datacoup, promise users the ability to trade their data with interested parties for money or credit.

The beginning of the ‘Internet of Me’ revolution

This philosophy of placing power over data back in the hands of the people it belongs to is embodied in the concept of the “Internet of Me”.

While still small, these startups represent a significant step in correcting the exploitation currently seen in personal data markets.

More accurate data should allow for better targeted advertising, more accurate credit scoring, improved market research, important training of AI systems, and even more personalised health care.

Finally, we might have a fairer option when it comes to dealing with our digital data.

Vincent Mitchell, Professor of Marketing, University of Sydney

This article was originally published on The Conversation. Read the original article.


Self-employment and casual work aren’t increasing but so many jobs are insecure – what’s going on?


David Peetz, Griffith University

That casualisation and self-employment rates are not increasing is often trotted out to dispute perceptions that workplace insecurity is growing.


But retorts like this miss a few key points.

First, the real causes of growing insecurity aren’t the type of contracts people are on. While these things matter, the real causes of insecurity are the way organisations are being structured these days. This is designed to minimise costs, transfer risk from corporations to employees, and centralise power away from employees.

Second, aggregate data mask variations between industries.

Third (and least importantly) there are some measurement issues.

Reducing cost and risk

Large corporations want to minimise their costs and risks, avoid accountability when things go wrong and ensure products have the features they want.

This partially explains the dramatic increase in franchised businesses – the franchisee bears responsibility for scandals such as underpaying workers.

Other corporations call in labour hire companies to take on responsibility for their workers. This cuts costs and transfers risk down the chain – which means jobs are more insecure.

Some set up spin-offs or subsidiaries. Some just outsource to contracting firms.

Most people working for franchises, spin-offs, subsidiaries and labour hire firms are still employees. It’s more efficient for capital to control workers through the employment relationship than to pay them piece rates as contractors. That would run the risk of worker desertion or of shortcuts affecting quality.

Is casualisation the same as insecurity?

Even employees at the bottom of the supply chain might get annual and sick leave. Offering leave helps attract labour and might be cheaper than paying casual loading.

And there’s no need to hire someone on a casual contract if you can make them redundant when the work dries up — if, for example, you lose your contract with the main parent firm. If your firm can go bankrupt, then you often won’t even have to pay redundancy benefits.

There are also the measurement issues. The Australian Bureau of Statistics counts the number of “employees without paid leave entitlements”. People take this to mean “casuals”. On this measure, the share of casuals in the workforce has shifted little in a decade, after growing substantially earlier.


If we take the liberty of labelling people without leave as “casuals”, then the number of “casual” full-timers grew by 38% between 2009 and 2017. Labour hire workers are usually casual full-time workers.

“Permanent” full-timers (those with annual leave) grew by just 10%.

On the other hand, some organisations have found relying on part-time casuals counterproductive, as workers had no commitment and became unreliable. Some large retailers now use “permanent” part-timers rather than casuals.

So-called “casual” part-timers grew by just 13% between 2009 and 2016. “Permanent” part-timers grew by 36%.

A lot of variation between industries and periods is hidden by aggregate figures. Franchising has grown in retailing. Labour hire in mining. Outsourcing in the public sector. Second jobs in manufacturing. Spin-offs in communications. Casualisation in education and training. Global supply chains send jobs overseas to low-paid, often dangerous workplaces in a number of industries.

The ABS doesn’t measure the precarity of work experienced by people who now work in franchises, spin-offs, subsidiaries or contractor firms. But as their continued employment depends on the fortunes of their direct employer, more than the firm at the top of the chain, precarity is real.


Underemployment has grown

Many “permanent” part-time jobs may be good jobs. But the continuing growth of part-time employment is linked to another form of insecurity – underemployment.

Between 2010-11 and 2016-17, the number of hours sought, but not worked, by underemployed people grew by 31%. This is five times the total growth in hours worked.

Large firms don’t even need to spin off workers to smaller business units to make use of underemployment.

There are other important sources of worker insecurity. In Australia, for example, firms can seek to have enterprise agreements terminated, or get a handful of workers to sign new agreements, to cut pay and conditions.

Some firms seek to put employees onto contrived arrangements that make them out to be contractors. Often that’s illegal.

The growing insecurity and hence low power of workers – even those with leave entitlements – helps explain why wage growth is stagnating.

Indeed, the successful “war on wages” may be the biggest sign of worker insecurity.

And what about the gig economy?

The gig economy, or more accurately the platform economy, is a big challenge to the employment relationship. This is because virtual platforms provide a new, cheap form of control that may replace the need for the employment relationship.

But there are still limits to the use of cost cutting and of platform control. The gig economy will grow, but it won’t overtake the employment relationship.

Gig work is one form of self-employment and we should remember that, overall, self-employment is not increasing. Self-employment declined between 2000 and 2014 in 26 countries for which data were available, and increased in only 11 (see chart below).


Changes in self-employment, 2000-2014, various countries.
OECD, Author provided


What’s more, even the relative importance of large firms in total employment is not decreasing. That’s probably because of another trend — the concentration of markets in the hands of those firms.

In short, large powerful firms are getting more powerful, but their directly employed workforces are not getting larger. The result is a lot of workers with insecure incomes and a lot of insecure small-business owners as well.

This means insecurity gnaws away, even while the employment relationship remains the dominant mode for deploying labour, and employment with leave entitlements remains its main form.

David Peetz, Professor of Employment Relations, Centre for Work, Organisation and Wellbeing, Griffith University

This article was originally published on The Conversation. Read the original article.


My Health Record: Deleting personal information from databases is harder than it sounds




Federal Health Minister Greg Hunt has announced that the My Health Record system will be modified to allow the permanent deletion of records.


Robert Merkel, Monash University

Since the period for opting out of My Health Record began on July 16, experts in health, privacy and IT have raised concerns about the security and privacy protections of the system, and the legislation governing its operation.

Now federal health minister Greg Hunt has announced two key changes to the system.

First, the legislation will be amended to explicitly require a court order for any documents to be released to a law enforcement agency. Second, the system will be modified to allow the permanent deletion of records:

In addition, the Government will also amend Labor’s 2012 legislation to ensure if someone wishes to cancel their record they will be able to do so permanently, with their record deleted from the system.

But while this sounds like a simple change, permanently and completely deleting information from IT systems is anything but straightforward.


Systems designed for retention, not deletion

The My Health Record database is designed for the long-term retention of important information. Most IT systems designed for this purpose are underpinned by the assumption that the risk of losing information – through a hardware fault, programming mistake, or operator error – should be extremely low.

The exact details of how My Health Record data is protected from data loss are not public. But there are several common measures that systems like it incorporate to greatly reduce the risks.

At a most basic level, “deletion” of a record stored in a database is often implemented simply by marking a record as deleted. That’s akin to deleting something on paper by drawing a thin line through it.

The software can be programmed to ignore any such deleted records, but the underlying record is still present in the database – and can be retrieved by an administrator with unfettered permissions to access the database directly.

This approach means that if an operator error or software bug results in an incorrect deletion, repairing the damage is straightforward.


Furthermore, even if data is actually deleted from the active database, it can still be present in backup “snapshots” that contain the complete database contents at some particular moment in time.

Some of these backups will be retained – untouched and unaltered – for extended periods, and will only be accessible to a small group of IT administrators.
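The soft-delete and backup behaviour described above, shown as an added example (it is not from the article, and it does not reflect the My Health Record system, whose internals are not public). The SQLite table, the `deleted_at` column, the `live_records` view and the sample rows are all constructed assumptions for illustration.

```python
import sqlite3

# Hypothetical schema: a NULL deleted_at means the row is live,
# a timestamp means it has been "deleted" by marking only.
SCHEMA = """
CREATE TABLE records (
    id         INTEGER PRIMARY KEY,
    patient    TEXT NOT NULL,
    summary    TEXT NOT NULL,
    deleted_at TEXT
);
-- The application only ever reads through this view.
CREATE VIEW live_records AS
    SELECT id, patient, summary FROM records WHERE deleted_at IS NULL;
"""


def build_active_db():
    """Create the 'production' database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany(
        "INSERT INTO records (patient, summary) VALUES (?, ?)",
        [("alice", "constructed note A"), ("bob", "constructed note B")],
    )
    db.commit()
    return db


def take_snapshot(db):
    """Copy the complete database contents at this moment (a backup snapshot)."""
    snap = sqlite3.connect(":memory:")
    db.backup(snap)
    return snap


def soft_delete(db, patient):
    """'Deletion' by marking: the row stays in the table."""
    db.execute(
        "UPDATE records SET deleted_at = datetime('now') WHERE patient = ?",
        (patient,),
    )
    db.commit()


def hard_delete(db, patient):
    """Actually remove the row from the active database."""
    db.execute("DELETE FROM records WHERE patient = ?", (patient,))
    db.commit()


def app_view(db, patient):
    """What the application software sees (deleted rows are ignored)."""
    return db.execute(
        "SELECT summary FROM live_records WHERE patient = ?", (patient,)
    ).fetchall()


def admin_view(db, patient):
    """What an administrator with direct table access sees."""
    return db.execute(
        "SELECT summary FROM records WHERE patient = ?", (patient,)
    ).fetchall()


def residual_copies(patient, stores):
    """Names of the stores that still hold any row for this patient."""
    return [name for name, db in stores.items() if admin_view(db, patient)]


def demo():
    active = build_active_db()
    nightly = take_snapshot(active)      # backup taken before the deletion request

    soft_delete(active, "alice")
    after_soft = {
        "app": app_view(active, "alice"),      # hidden from the application
        "admin": admin_view(active, "alice"),  # still retrievable directly
    }

    hard_delete(active, "alice")
    after_hard = residual_copies(
        "alice", {"active": active, "nightly_backup": nightly}
    )
    return after_soft, after_hard


if __name__ == "__main__":
    print(demo())
```

An erasure audit built this way has to enumerate every store that ever received a copy, not only the active database.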

Zombie records

Permanent and absolute deletion of a record in such a system will therefore be a challenge.

If a user requests deletion, removing their record from the active database will be relatively straightforward (although even this has some complications), but removing them from the backups is not.

If the backups are left unaltered, we might wonder in what circumstances the information in those backups would be made accessible.

If, by contrast, the archival backups are actively and irrevocably modified to permit deletion, those archival backups are at high risk of other modifications that remove or modify wanted data. This would defeat the purpose of having trusted archival backups.

Backups and the GDPR’s ‘right to be forgotten’

The problem of deleting personal information and archival backups has been raised in the context of the European Union’s General Data Protection Regulation (GDPR). This new EU-wide law greatly strengthens privacy protections surrounding use of personal information in member states.

The “right to erasure” or “right to be forgotten” – Article 17 of the GDPR – states that organisations storing the personal information of EU citizens “shall have the obligation to erase personal data without undue delay” in certain circumstances.

How this obligation will be met in the context of standard data backup practices is an interesting question, to say the least. While the legal aspects of this question are beyond my expertise, from a technical perspective, there is no easy general-purpose solution for the prompt deletion of individual records from archived data.

In an essay posted to their corporate website, data backup company Acronis proposes that companies should be transparent about what will happen to the backups of customers who request that records be deleted:

[while] primary instances of their data in production systems will be erased with all due speed … their personal data may reside in backup archives that must be retained for a longer period of time – either because it is impractical to isolate individual personal data within the archive, or because the controller is required to retain data longer for contractual, legal or compliance reasons.

Who might access those backups?

Data stored on archival backups, competently administered, will not be available to health professionals. Nor will they be available to run-of-the-mill hackers who might steal a practitioner’s credentials to gain illicit access to My Health Record.

But it’s not at all clear whether law enforcement bodies, or anyone else, could potentially access a deleted record if they are granted access to archival backups by the system operator.

Under amended legislation, such access would undoubtedly require a court order. Nevertheless, were it to be permitted, access to a deleted record under these circumstances would be contrary to the general expectation that when a record is deleted, it is promptly, completely and irrevocably deleted, with no prospect of retrieval.


Time required to work through the details

In my view, more information on the deletion process, and any legislative provisions surrounding deleted records, needs to be made public. This will allow individuals to make an informed choice on whether they are comfortable with the amended security and privacy provisions.

Getting this right will take time and extensive expert and public consultation. It is very difficult to imagine how this could take place within the opt-out period, even taking into account the one-month extension just announced by the minister.

Given that, it would be prudent to pause the roll-out of My Health Record for a considerably longer period. This would permit the government to properly address the issues of record deletion, as well as the numerous other privacy and security concerns raised about the system.

Robert Merkel, Lecturer in Software Engineering, Monash University

This article was originally published on The Conversation. Read the original article.


It’s not about money: we asked catfish why they trick people online




Our likelihood of falling victim to catfish scams is increasing along with our screen time.


Eric Vanman, The University of Queensland

If you have engaged with internet culture at all in recent years, you have probably come across the term “catfish”, first coined in the 2010 documentary of the same name.

A catfish is someone who uses false information to cultivate a persona online that does not represent their true identity. This commonly involves using stolen or edited photos, usually taken from an unwitting third party.

Catfish will use this information to create a more appealing version of themselves, then engage in continued one-on-one interactions with another person (or people) who are unaware of the deception.





Falling prey to catfish

In the 2010 documentary, Nev Schulman learns that a woman with whom he has developed an online relationship over nine months is actually fake. Another married woman (who originally claimed to be her mother) has used pictures from a model’s account to create the complicated, phoney relationship.

There have been several high-profile cases of catfishing reported in the media since then.

Singer Casey Donovan, in her 2014 memoir, wrote about a six-year relationship that turned out to be fake – in her case, the catfish even lied about her gender.

In 2011, NBA star Chris Andersen became embroiled in a catfishing scandal that ended in prison time for the catfish.

Then there is the popular MTV reality docuseries, hosted by catfish victim Nev Schulman himself. It is currently in its seventh season of “[taking] online romances into the real world”.

A complicated problem

Since 2016, the Australian Competition and Consumer Commission (ACCC) has collected and published data on dating and romance scams.

Its website provides detailed statistics of reported romance fraud in Australia, yet there is little information available about social catfishing – deception in the absence of financial fraud. There are also questions about the legality of impersonating someone who does not exist.


Until these issues are resolved, there is no clear avenue to pursue for victims of social catfish. Victims may remain unaware of the deception for months or years – another reason catfishing often goes unreported – making it even harder to quantify.

The personality traits of catfish scammers

As smartphones and connected devices become ever more pervasive, the chances of falling victim to deception are increasing along with our screen time.

But what sort of person becomes a social catfish?

We have begun psychological research to investigate this question. In the past year we have recruited 27 people from around the world who self-identified as catfish for online interviews.

The interviews focused mainly on their motivations and feelings about their catfishing behaviour. Some of our key findings included:

  • Loneliness was mentioned by 41% of the respondents as the reason for their catfishing. One respondent said:

I just wanted to be more popular and make friends that could talk to me, some part of the day.

Others claimed that a lonely childhood and ongoing struggles with social connection were contributing factors.

  • Dissatisfaction with their physical appearance was also a common theme, represented in around one-third of responses:

I had lots of self-esteem problems … I actually consider myself ugly and unattractive … The only way I have had relationships has been online and with a false identity.

Another respondent said:

If I try to send my real, unedited pictures to anyone that seems nice, they stop responding to me. It’s a form of escapism, or a way of testing what life would be like if you were the same person but more physically attractive.

  • Some reported using false identities or personas to explore their sexuality or gender identity. For example:

I was catfishing women because I am attracted to women but have never acted on it … I pretend to be a man as I would prefer to be in the male role of a heterosexual relationship than a female in a homosexual relationship.

  • More than two-thirds of responses mentioned a desire to escape:

It could seem magical, being able to escape your insecurities … But in the end, it only worsens them.

  • Many reported feelings of guilt and self-loathing around their deceptive behaviour:

It’s hard to stop the addiction. Reality hit, and I felt like a shitty human.

  • More than one-third of participants expressed a desire to confess to their victims, and some had continued relations with them even after coming clean.
  • Somewhat surprisingly, around a quarter of respondents said they began catfishing out of practicality, or because of some outside circumstance. One said:

Being too young for a website or game meant I had to lie about my age to people, resulting in building a complete persona.

No simple solution

What does it take to become a catfish, and how should we deal with this growing problem? Unsurprisingly, our initial research suggests that there’s no simple answer.

Social catfishing seems to provide an outlet for the expression of many different desires and urges. Although not yet officially a crime, it is never a victimless act.


As we move further online each year, the burden of harmful online behaviour becomes greater to society, and a better understanding of the issues is needed if we are to minimise harm in the future. From our small survey, it appears that catfish themselves aren’t universally malicious.

Psychologist Jean Twenge has argued that the post-millennial generation is growing up with smartphones in hand at an early age and is thus spending more time in the relatively “safe” online world than in real-life interactions, especially compared with previous generations.

Catfishing will likely become a more common side-effect for this generation in particular.

The next phase of our research is to learn what we can do to help both victims and the catfish themselves. We hope to recruit at least 120 people who have catfished so that we can develop a more thorough picture of their personalities. If you have been a catfish, or know someone who has, please contact us to participate in our research:

The author would like to acknowledge the contribution to this article of Samantha Lo Monaco, an honours student at the University of Queensland.

Eric Vanman, Senior Lecturer in Psychology, The University of Queensland

This article was originally published on The Conversation. Read the original article.
