‘An evolution in organised crime’: How to spot the online scammers and stay safe
When Dr James McPherson reached out with the prospect of transferring him millions of pounds, Steve Boggan just couldn’t refuse the chance to expose the murky underworld of online scams
When you’re playing cat and mouse with a fraudster – and with all your savings at stake – it is difficult not to imagine him rubbing his hands together, perhaps from excitement in a west African bedsit or from cold in a dank Russian basement.
I suspect my con man, James, is African because of certain phrases he uses but I can’t say for sure.
“My name is Dr James McPherson,” he wrote to me in an email just two weeks ago. “I am from United Kingdom, Auditor, Head of Computing department of (Lloyd [sic] Bank Plc UK) here in our branch UK. I am 55 years of age, happily married.”
He goes on to say that he has access to a bank account containing “£35,500,000.00” whose owner and entire family – luckily for me – have been killed in a plane crash. He wants to move this money through my bank account in order to prevent “greedy politicians” from getting their hands on it. In return, I will get half – £17.75m.
“This transaction is very safe and 100 per cent risk-free,” he assures me, before adding: “THIS TRANSACTION MUST BE KEPT TOP SECRET.”
This attempt at extracting my bank details for the purposes of fraud would be laughable were it not for the fact that some people actually fall for such scams – and for dozens of others like them perpetrated either face to face or, more often in the computer age, over the internet, anonymously, viciously and ruthlessly.
In the UK – and particularly during the pandemic – the incidence of fraud has been rising alarmingly. According to the National Fraud Intelligence Bureau the number of reports of fraud rose from 203,928 in 2015-16 to 326,958 in 2019-20. In cash terms, the cost of such crime has risen by one-third in just three years, to £143.1bn.
However, according to the Office for National Statistics (ONS), only a fraction of frauds are ever reported because victims are often too embarrassed, depressed or frightened to do so. When this fact was taken into account in the ONS’s 2019 Crime Survey for England and Wales, the number scammed by fraudsters was estimated at 3.8 million – that’s more than one in 20 of us having our financial, and sometimes psychological, wellbeing affected by fraudsters.
“In our society there is an awful lot of focus on violent crime and people being physically injured – and rightly so – but in the fraud space the misery is tantamount to a violent attack,” says detective chief superintendent Mick Gallagher, head of the Metropolitan Police’s Central Specialist Crime Command.
“Fraud has probably been the untold source of suicides, depression and people living out their old age in poverty when they should have been comfortable. Whilst fraud is seen by the public as a white-collar crime, actually it’s not; it is carried out by ruthless individuals against some of the most vulnerable people in our society, without any emotion whatsoever because they can remain invisible and don’t have to come into contact with the people they are harming.”
Nobody is immune from fraud, and if you check the “Junk” folder in your email account, you will see that your service provider automatically intercepts fraud attempts aimed at you, every day. And today, this is where the overwhelming majority of fraud takes place; online.
“Over three decades, I have seen an evolution in organised crime,” says DCS Gallagher. “Back in the Eighties organised criminals were seen as being armed robbers, people running into banks with shotguns. Then, sentencing for armed robbery became huge - people were getting life sentences.
“We then saw criminals moving into drug trafficking because it was considered safer by the crooks. Then, because the sentences handed out for drug trafficking were increased, criminals diversified into fraud. And from there we have seen a gradual movement into online fraud in the cyber and IT space. The rewards can be astronomical and the risks are far lower. If you’re in the crime world to make money, criminals are hitting on this to avoid taking physical risks, and anyone can be a target.”
Organisations such as banks and online payment systems such as PayPal will never send you emails asking you to update your details via a link
If you don’t want to become the victim of a scam, it is best to be aware of them and how they work. Never has the expression “Forewarned is forearmed” been so apt. The first question, then, is: what is fraud?
For our purposes, scams are covered by Section 2 of the Fraud Act – fraud by false representation. That is, separating you from your money by lying, a process criminologists call “social engineering”. According to the online security company Webroot: "Social engineering is the art of manipulating people so they give up confidential information.
“The type of information these criminals are seeking can vary, but when individuals are targeted, the criminals are usually trying to trick you into giving them your passwords or bank information, or access your computer to secretly install malicious software that will give them access to your passwords and bank information, as well as giving them control over your computer.”
The Metropolitan Police has produced a must-read guide called “The Little Book of Big Scams” that contains a crucially slightly different definition of social engineering as: “‘The clever manipulation of the natural human tendency to trust’, and it is this natural inclination that criminals take advantage of. Usually, the criminals’ aim is to prey on people’s emotions and get them feeling rather than thinking. This could either be a sob story or preying on people’s greed.”
So, what kinds of frauds are out there, and what can you do to protect yourself?
Computer fraud
Most modern frauds involve computers and the internet. A minority of these – described as “cyber-dependent” – don’t rely on manipulating you or gaining your trust. They involve gaining access to a company’s or individual’s systems in order to steal data, install viruses and even take control. If someone gains access to your computer, they can harvest your passwords, get into your bank, order goods in your name, apply for loans, all without involving you personally.
This doesn’t involve social engineering – manipulating you personally – and is best avoided by using reputable anti-virus software, creating strong passwords, changing them periodically and always installing the updates your computer suggests for you. And if you receive emails from entities that look respectable, asking you to click on a link or download an attachment, always take a look at their full email address first – if it bears no resemblance to the organisation it purports to be, don’t click on the link or download. It probably contains the virus that hackers use to take over your computer.
Organisations such as banks and online payment systems such as PayPal will never send you emails asking you to update your details via a link. Keep your details and passwords up to date only through the bank or company’s website, never by clicking on a link in an email – that will simply redirect you into the fraudsters’ arms. To learn more about how to avoid this, check out the Met’s “Little Book of Cyber Scams”.
According to Action Fraud, the City of London Police department that gathers reports of fraud, about 84 per cent of all online crime is what is called “cyber-enabled”. That means that computers help them to spread scams far and wide, but people and their “tendency to trust” are needed, too. Most of the following frauds are cyber-enabled.
Advanced fee fraud
These involve criminals convincing victims to make upfront payment in order to receive goods, services or financial gains that don’t exist. They will often involve a degree of pressure, of telling you that you must act quickly in order for something good to happen or to avoid something bad happening. Don’t be pressured; take a step back; contact a friend or relative and talk it through with them. Such scams include:
• Recruitment fraud: While hundreds of thousands of people have been losing their jobs during the pandemic, recruitment fraud has become one of the most prevalent – and cruel. It involves crooks posting non-existent jobs on legitimate recruitment websites. Applicants are interviewed by the fraudster (or someone they have tricked into thinking they are working in HR for a real company) and told that they should pay for courses to top up their experience levels; or that they need to improve their CV; or that they have to get a Disbarring and Disclosure Service (DBS) criminal record check.
The fraudsters refer applicants to websites that can provide all these services. Jobseekers then pay for them, but the websites are fake, none of the services appear and their money – sometimes hundreds of pounds – is stolen.
According to SAFERjobs, a not-for-profit organisation set up by the Met police to tackle fake jobs fraud, reports of such scams are up 65 per cent since last year.
In order to protect yourself, be suspicious of jobs that require no or low qualifications and high salaries. Check out the website of the company offering the “job” to see if it contains real contact details and phone numbers, and look up their name at Companies House. If they were set up very recently, be suspicious.
And if you’re directed to websites offering CV or DBS services, don’t use them; find your own. Legitimate DBS services are listed by the Home Office here.
Similar advanced fee scams involve:
• Lottery fraud, where you’re told you’ve won a prize but need to pay an administration fee for your winnings to be released. Remember – if you didn’t enter a lottery, you can’t have won it.
• Rental fraud, where you’re asked to pay upfront rent for a property that the fraudster doesn’t own or which might not even exist. Use a reputable rental agency and never be pressured into giving money to a stranger.
• Clairvoyant or psychic fraud, where the fraudster predicts something significant is about to happen to you. Alarm bells should ring when you’re asked to pay for the details.
• Fraud recovery fraud, where a gang that has already defrauded you poses as an organisation that can get your money back for a fee. Always be suspicious of unsolicited offers of help where money is involved.
The fraudster will ask the victim to move away from the dating website and start emailing personally
• Inheritance fraud, where scammers contact you to say you have inherited a large sum of money but that you’ll need to pay for their services in order to release it. Ask for details of who they are. Real solicitors appear on this register. Even if their name is listed, call their law firm’s telephone number and ask to speak to the solicitor to ensure they’re not being impersonated.
• Work from home fraud, where fraudsters offer you the chance to work from home, after you’ve paid a fee for business leads or for a website to be set up. The promise of well-paid work is always attractive, but if you need to pay something first, it’s probably a scam.
Being a victim of any of these – and dozens more like them – can be costly and upsetting, but perhaps none more so than romance fraud, where a fraudster (or possibly one of a team operating 24/7) uses a dating website to build up a trusting relationship with a victim… before asking for money.
“The fraudster uploads a fake profile with a picture stolen from, say, someone’s Facebook account,” says Dr Martin Graff, a lecturer at the University of South Wales’ School of Psychology. He specialises in the psychology of online romance. “He might describe himself as a colonel in the army and say he’s in Afghanistan – they have to establish a reason early on why they can’t meet you in person.”
The fraudster will ask the victim to move away from the dating website and start emailing personally. This is because this kind of fraud is often perpetrated on lots of victims at the same time – and so if someone complains and the site takes down the fraudster’s profile, the victim – now communicating on his or her own email account – will be unaware of the risk.
“A relationship is built up, but before long, the fraudster will ask for money,” says Dr Graff. “The person may say his pay hasn’t come through or he needs money for a flight home. Someone else might say a relative has had an accident and they need money to visit them in hospital. The thing is, it starts small but then grows. It isn’t unusual for people to lose thousands of pounds – they think they’re in love and so they feel they should respond positively to requests for help. I know of one case where a woman remortgaged her home in order to help the person she thought loved her. She lost £250,000.”
To avoid this, keep all communication passing through the dating website and immediately end contact with anyone who asks you for money. Check their profile to see if it appears on other social media sites and run their picture through reverse-image software such as TinEye. This lets you upload a photograph and then scours the internet to find and identify the person in the image. If it appears with a different name to the one you have, you’ll know your “date” is lying to you.
I used this technology to good effect with my scam artist, James McPherson. He was committing West African letter fraud, also known as 419 fraud as it is in breach of Section 419 of the Nigerian criminal code. These scams follow the same pattern – an “official” contacts you and says he has access to a huge sum of money that he needs to move out of the country or out of a defunct bank account. He’ll cut you in but first you need to provide all your bank details, name, address, signature and so on.
If you comply, he will either use all the information you give him to raid your bank account, set up loans in your name, obtain credit cards in your name and so on. He may also try to gain advanced fees from you – he needs to fly to a meeting to have the funds released; he needs a hotel when he gets there… could you send money to cover this?
I once interviewed a victim who paid for a new suit for his co-conspirator, then an expensive watch – because the scammer supposedly wanted to look the part for a big meeting.
“It started with something small but then he asked for more and more, and once I was in deep, I just kept going in the hope that there would be a big pay day at the end of it,” he told me. “Of course, there wasn’t and I was left thousands of pounds out of pocket.”
I replied to James suggesting I was wary and asking for some kind of ID to prove who he was. Back came mocked-up pictures of a business card and a fake Lloyds Bank staff ID. I ran the picture on the ID card through TinEye but there were no results, so I checked to see whether Dr James McPherson had a profile on the professional networking site LinkedIn. He did – but there were several things wrong with it.
First, it had been set up during the time I had been stringing my fraudster along. Second, in his profile, James McPherson described his role as an internal auditor, but when I pasted this description into Google, I found he had lifted it wholesale from a Cayman Islands Monetary Authority publication.
And third, when I ran the picture on the LinkedIn profile through TinEye I got a positive ID… for Lord Michael Ashcroft, billionaire and former chairman of the Conservative Party. My fraudster, it seems, either has a sense of humour or is breathtakingly stupid.
Scam artists can put items up for sale that don’t exist. You pay your money but receive no goods
So, I emailed him back asking what he needed me to do next.
Courier fraud
This takes several forms but generally involves fraudsters cold calling a potential victim claiming to be from the police or the victim’s bank. Taking social engineering to extreme levels, they say there is an ongoing investigation into corrupt bank staff or police and that the victim’s account is being targeted. The victim is then asked to remove all the cash from their account so it can be either put into a “safe” account or taken away as evidence for fingerprinting. And a courier is sent along to collect the cash.
In some cases, victims have been asked to hand over their cut up bank cards and then asked to reveal their PIN. They reveal it, thinking it is of no use because the cards have been destroyed. But they can still be used for purchases over the phone with the PIN. In other cases, victims have actually been taken to their bank and told to withdraw all their savings to prevent “corrupt” bank staff from stealing it. The “detectives” then take away the cash as “evidence”.
Hundreds of vulnerable people – often elderly – have lost many thousands of pounds to this scam.
It is highly unlikely that a bank or police officer would ever cold call you in this way or involve you directly in a real investigation. However, if someone claiming to be any kind of official calls you, then ask who they are and tell them you will call back. Use a different phone if you can, and never use the number they give you – get their number from their organisation’s website and for the police, dial 101.
Almost all social engineering requires a degree of pressure or urgency. Don’t allow yourself to be pressured and tell the “banking official” or “police officer” that you need time to discuss the situation with a friend or relative first. If they continue to try to pressure you, hang up.
Computer software service fraud
This involves you receiving a call from crooks claiming to be from a computer software company or your broadband provider. They will tell you they have detected a problem on your computer and they can fix it for you.
They ask you to download a “remote access tool”, a piece of software that allows them to take control of your computer in order to repair it. But once you do this, they can access and download all of your data, including stored passwords and all your personal information, photographs and videos. They can also load viruses and malware onto your computer that will allow them to continue to monitor it after they have gone away.
Sometimes, they ask for a fee for this and once you give them your bank or credit card details, they use these to commit further fraud.
Before the onset of the coronavirus pandemic, this type of fraud was rife but then it tailed off. Some experts believe this is because it was being perpetrated wholesale from call centres, often located in India, and these were forced to temporarily close because of Covid-19 restrictions. Inevitably, they will return.
A real computing software company would never call you out of the blue and ask for control of your computer. If somebody does, then hang up. You can get more guidance on all forms of cybercrime from the Met, here.
Auction website fraud
Scam artists can put items up for sale that don’t exist. You pay your money but receive no goods. If you do this following the auction site’s rules, you can be reimbursed, but fraudsters will often suggest to buyers that they move away from the site and continue a negotiation via email. Once they do that, you lose your protections.
They may also contact you if they see that you have placed a bid on an item but not been successful in the auction. They will say that they are the seller and that the successful bidder pulled out, and then ask if you would still like to buy the item privately. If you do this, and provide your bank details, you could be defrauded and, again, you will have no protection from the site.
To avoid this, stay on the auction website, check the seller’s previous reviews and don’t always believe there are goods just because there are pictures. You can run those through TinEye to see whether they are original, or whether they’ve been used before.
This article is by no means a complete guide to fraud – unfortunately, there are too many to record here. But understanding these few should help you to be aware of when someone is trying to scam you. There is no one piece of advice that will definitely prevent you from falling victim to fraud, but there is one that comes close, and it is from DCS Gallagher.
“If something looks too good to be true,” he says, “it probably is.”
The £17.75m I was promised clearly fell into that category but I continued to string my scammer along anyway. He sent me a “Fund Transfer Application Form” which I was to fill in and email to Lloyds, though this was sure to have been a fake email address that would have gone straight to him. Among other details, it asked for my bank’s name and address, my account number, my full name, occupation, address, telephone numbers and signature.
I didn’t fill it in. Instead, I wrote back to James telling him I was a journalist and asked how many people had fallen for his scam, whether his choice of Lord Ashcroft was deliberate and why he had given the game away by lazily cutting and pasting his job description from the Cayman Islands Monetary Authority.
Finally, I asked: “Does your mother know you do this for a living? Is she proud of you?”
But he didn’t answer.
You can get more useful information on fraud from these sources: met.police.uk/littlemedia