As online fraudsters run amok, U.S. response is lagging
It was a bank teller who first noticed something was wrong, recalls Ken Westbrook, a retired federal employee. His 86-year-old mother had been to her bank to pick up the latest in a series of cashier’s checks she was sending to online fraudsters who had convinced her on telephone calls from overseas that her account was at risk from hackers, and that she must move her retirement savings to keep them safe.
“The teller must have realized something was going on and she told my mother to talk with someone, discuss this with her family,” Westbrook told Newsweek.
After his mother contacted them, he and his brother were able to get the delivery of the last check stopped. But most of his mother’s life savings were already gone, and she’d joined the 2.6 million Americans who reported falling victim to fraud last year. Younger Americans are more likely to be victims, but older victims, such as Westbrook’s mother, suffer much larger losses.
The losses across all age groups in 2022, according to the Federal Trade Commission, were $9 billion—a five-fold rise in three years and the equivalent of what Americans spend in Black Friday sales. Yet those numbers capture only part of the problem since according to the Justice Department, only about 15 percent of victims report their losses.
Because of that underreporting, the FTC reckons actual losses last year were at least $20 billion. And they could be as high as $137 billion, depending on the assumptions you make about how low the rate of reporting is, the agency explained.
But the United States is lagging other Western countries in measures to stem the epidemic, with fewer steps taken to counter fraud and not as many resources to back them up, less coordination between government agencies, and upcoming regulatory changes that could even make life easier for fraudsters, according to consumer advocates, local prosecutors and technology experts.
“Nobody is in charge of this problem,” said Kathy Stokes, the director of fraud prevention programs for the AARP, America’s biggest lobby group for seniors. “Other countries, like the UK, are light years ahead of the United States in understanding the scope of the problem and the need for a whole of society solution,” she told Newsweek.
Fraud as a national security threat
In the United States, responsibility for preventing and prosecuting fraud is split between multiple agencies.
The FTC has authority to protect consumers from fraud and brings civil actions against scammers and the middlemen that enable them; the Justice Department – FBI and U.S. attorneys – investigates and prosecutes federal crimes such as money laundering or wire fraud; the FCC regulates the telecom and internet providers exploited by fraudsters; and multiple agencies have regulatory oversight of banking.
One recently retired federal law enforcement agent said there was less coordination at the local level in combating fraud than there was with the joint task forces tackling terrorism or drug trafficking, for instance.
But the Department of Justice denied that there has been a lack of coordination and said that the different agencies all played their part.
“We take an all-tools approach to combatting transnational elder fraud schemes,” Arun Rao, Deputy Assistant Attorney General for the DoJ’s Consumer Branch told Newsweek via email, “Complementary roles are played by law enforcement, who can apprehend and deter perpetrators, and civil authorities, who can quickly shut down scheme infrastructure. We are in constant communication with all relevant agencies that have a role in halting and deterring transnational fraud.”
The FTC declined to make anyone available for interview or respond to written questions.
But critics of the U.S. response say that other countries are tackling the threat in a more holistic manner, even if there is only limited data from abroad so far to show whether their strategies are having a significantly greater impact than measures in the U.S.
In May, the British government published its new anti-fraud strategy, saying the scale of online scams “threatens our national and economic security.” The strategy centers on a massive enforcement push: 400 new investigators and a pledge to use the nation’s spy services to “relentlessly pursue fraudsters wherever they are in the world” and move from reactive law enforcement to proactive “intelligence-led disruption” of organized fraud gangs.
But the strategy, although led by the Home Office, Britain’s interior ministry, also involves more than a dozen departments, agencies and regulators, working together on policy issues as diverse as slowing bank payments, regulating internet advertising and banning caller ID spoofing. And it relies on partnerships with the private sector – banks, telecom providers and technology platforms such as social media sites and messaging apps.
Cutting the fraud “kill chain”
Fraudsters exploit the huge and highly automated technology infrastructures developed for legitimate ecommerce concerns: Using platforms such as social media, messaging services and targeted ads to find their victims; communication channels including email, telephone call centers and mass SMS messages to groom them; and ultimately the banking system, or cryptocurrency exchanges, to transfer their money.
This year, Gallup added scams to their annual survey of Americans’ experiences of crime. The results show that:
Eight percent of American adults, 21 million people, say they personally were the victims of a fraud in the past year where they were tricked by scammers into sending money or providing access to a financial account.
That makes fraud the fourth most common form of crime experienced by Americans behind identity theft (11 percent), vandalism and theft (9 percent each).
But victims of fraud were much less likely to report it than were victims of ID theft, vandalism or theft.
Lower income Americans are disproportionally victimized. 12 percent of Americans with less than $50,000 annual household income had been scammed in the last year, twice the rate for those with $100,000 or more.
Each of those steps offers an opportunity to stop the fraud, but that may only work if the regulators and law enforcement in every sector are on the same page and working together.
Westbrook’s mother was originally hooked by a pop-up ad on her computer that wouldn’t go away. Accompanied by a loud alarm, it warned her that her computer was infected with a virus and directed her to call a U.S. telephone number to get help.
“From the moment she called that number, my mother was lost,” Westbrook said. “She was in the hands of an organized criminal gang who were skilled at psychological manipulation.” Newsweek is withholding her name and the amount of her losses at her request.
The U.S. numbers on such pop-up ads are routed to call centers used by the scammers, mostly in India or other South Asian locations, according to the FBI. Consumer advocates say it’s done using technology and business processes designed to help banks and other companies outsource their telephone customer service overseas.
When the fraudsters called Westbrook’s mother from their call center overseas, her caller ID gave a U.S. number consistent with their impersonation, first of Microsoft and then of her bank, Westbrook said.
The border wall around caller ID
In Britain, such calls would likely have been blocked. The British telecom regulator now requires British phone providers, both landline and mobile, to identify and block calls that are spoofing caller ID data. Calls originating from a foreign number that carry a British caller ID are automatically blocked.
It’s part of a series of measures the government there has introduced as part of its national anti-fraud strategy.
Britain’s Online Safety Bill passed this year, for example, imposes a legal duty on the largest and most popular social media platforms and search engines “to prevent paid-for fraudulent adverts appearing on their services.”
And other countries have joined the UK in imposing regulatory requirements on telecom, technology and financial services companies, to prevent their services being exploited by criminals.
In Singapore, the government has proposed a framework under which banks and telecommunications companies would share liability for consumer fraud committed using SMS text messages, known as smishing attacks.
The framework is designed to incentivize banks to move to more secure forms of second factor authentication and telecom providers to ensure better authentication of SMS messages.
Singapore’s telecom regulator has already enforced a registration program for mass SMS providers. Phone companies in Singapore are currently required to label text messages from unregistered mass text senders as “likely scam,” and will soon be prohibited from delivering them at all.
In Australia, the telecom regulator reported a 72 percent decrease in consumer fraud complaints after it instituted a similar blocking regime.
Caller ID spoofing is possible in the U.S., according to experts, because the system has become trivial to manipulate since the advent of voice-over-internet-protocol calling, such as Skype, and because the U.S. regulator, the FCC, has avoided placing blocking requirements on U.S. telecom providers, the way Britain, Australia and Singapore have on their phone companies.
Instead, it has introduced a mandatory technical framework called STIR/SHAKEN which requires U.S. telecom providers to authenticate caller ID data and ensure its integrity as the calls pass from one network to another between the caller and the recipient.
Jonathan Frost, a former City of London police fraud specialist who became the director of technical collaborations for the nonprofit Stop Scams UK and is now an independent consultant, compared the FCC’s efforts to building a border wall.
“As with any border, there are smugglers, companies that provide a way into the U.S. phone network and a [U.S.] caller ID number for essentially any bulk caller that pays. As a result, Americans will continue to receive authenticated calls which are basically spam,” Frost told Newsweek.
Prosecutors: In search of the million-dollar fraud case
Enforcement is also a challenge for U.S. authorities, according to prosecutors and the retired federal agent.
The Justice Department says in its annual report to Congress on its efforts to combat elder fraud and abuse that it brought nearly 300 criminal and civil actions against more than 650 defendants who collectively stole more than $1.5 billion.
By the Justice Department’s own reckoning, that number means the majority of the $3.1 billion annual fraud against elders goes unprosecuted. In many jurisdictions only the most manageable and immediately prosecutable cases are picked up, said the retired federal agent.
Investigators and prosecutors face a frustrating paradox, they told Newsweek: Local authorities lacked the resources and jurisdiction to investigate transnational organized fraud, but the amounts lost by victims were almost never enough on their own to interest federal authorities.
“The dirty word in this fraud game from a prosecution standpoint is thresholds,” said Scott Pirrello, a deputy district attorney for San Diego County, California, who leads the DA’s Elder Abuse Unit.
“For a federal agency to open an investigation, they are looking typically for million-dollar cases.” In online fraud cases, by contrast, he said, “we’re talking about devastating losses to our seniors in often the tens or hundreds of thousands of dollars,” but still below that million-dollar threshold.
The FBI said elder fraud was a priority for the bureau, but did not make anyone available for interview by Newsweek, and declined to answer written questions about their thresholds for investigations or how many cases they opened each year.
Because most of these frauds are orchestrated from abroad, “these are very resource intensive investigations” for local authorities, Pirrello said, “and in most cases, they lead immediately outside of their jurisdiction, and often to other continents.”
The irony, he added, is that pulling on the thread of a single case frequently leads to a multitude of other victims, whose losses can quickly reach the threshold to interest federal authorities. To bundle cases like this together, Pirrello helped found the San Diego Elder Justice Task Force, bringing together local and federal law enforcement.
“We will connect the dots between victims and aggregate them, so that our $300,000 case locally becomes one of a dozen or more that we can demonstrate are all connected, making it actually a several million-dollar case in losses. And then hand them off to the FBI and the U.S. Attorney’s Office to investigate these networks outside of our local jurisdiction,” Pirrello said.
Follow the money, to a dead-end
But even federal agencies have no investigative authority or prosecutorial jurisdiction outside of the U.S., where the masterminds of these scams typically operate. To get round this, Pirrello said, the Elder Justice Task Force exploits the fact that, because it is easier to con victims into sending money to a U.S. bank account or a U.S. address, the fraudsters rely on U.S. based accomplices to realize their ill-gotten gains. “Those are the targets that we can reach in our investigations,” Pirrello said.
It’s a classic follow the money strategy.
But follow-the-money strategies limit the impact of law enforcement actions, according to Frost, the former City of London police fraud specialist.
“The way modern fraud works, particularly when it’s perpetrated over the internet,” he said. “Following the money does not lead you to the criminal. It leads you to the money launderer.”
And the problem there is that money launderers are replaceable fixers, whose value to the criminal masterminds behind the scenes is precisely that they insulate them from prosecution.
“The money launderer is the point where the money trail vanishes into darkness,” said Frost.
Powering investment fraud to hockey-stick growth
And those focused on a follow-the-money strategy have to start to follow a different kind of money now.
Cryptocurrencies such as Bitcoin are digital assets that can be moved instantaneously around the globe, the transaction irreversibly recorded in a huge collective ledger known as a blockchain. The exchanges, trading platforms and other places where they are bought and sold remain largely unregulated and beyond the reach of U.S. law enforcement. And cryptocurrencies have for several years now been the terrain of fevered financial speculation.
These three factors have made cryptocurrency the wild frontier of online fraud, according to experts and prosecutors.
The fastest growing crypto scam is known as “Pig Butchering,” a translation of the Chinese term “sha zhu pan.”
“It signifies the intent of the perpetrators to devour their victims [financially] from snout to tail, to leave not one penny left,” Santa Clara County, California, prosecutor Erin West told Newsweek. Victims are hooked, typically during an apparently accidental encounter online, and then lured into a relationship, often over several months. It’s a process the scammers liken to “fattening” the pig, since it requires an investment of time. The payoff comes when the victim is enticed into a cryptocurrency investment scheme, and the pig can be slaughtered.
“It is a masterful, calculated, highly manipulative scam that combines the elements of a romance fraud with a get rich quick con in a way that ends up hitting all the synapses in the human brain,” West said.
Amid the recent explosion of online fraud, investment-related schemes such as pig butchering stand out for their hockey-stick growth, according to FTC figures: In 2019, there were fewer than 19,000 reports of such scams, and total losses were less than $182 million. By last year, losses had increased by more than 2,000 percent, to over $3.9 billion, reported by more than 106,000 victims.
Because cryptocurrencies are designed to be moved and traded online, there’s less need for a U.S.-based network. Fraudsters can steal the money directly, West said, and move it instantaneously beyond the reach of U.S. authorities.
“I realized it was unlikely that our task force was going to go over there with handcuffs and make arrests,” she said.
Santa Clara County, California, Deputy District Attorney Erin West is interviewed during the Massachusetts Attorney General’s 2023 National Cyber Crime Conference at the Sheraton Hotel in Norwood, Mass on April 26. West has pioneered efforts by U.S. prosecutors to recover cryptocurrency funds stolen in so-called “pig-butchering” scams. Courtesy Erin West
Follow the money, with a twist
But cryptocurrency transactions, while immutable and instantaneous, are traceable, West said, and her office had already developed expertise in tracking fraud proceeds across the blockchain. She also had a mandate from her boss, Santa Clara County District Attorney Jeff Rosen, to innovate and take risks.
“Everybody wants to stop when they see that money go overseas, because they think there’s nothing they can do. But we decided to try something,” she said.
That something was a twist on the classic follow the money strategy: Follow the money … and ask for it back. And in trying it, she’s blazed a trail that her fellow prosecutors, at both the local and the federal level, are following.
Last year, West’s office traced more than $240,000 conned from a 30-year old software engineer they identified only by the initials ASR. According to court documents filed in May last year, the trail ended at two accounts on the cryptocurrency exchange Binance.
“Binance specifically does not have a U.S. presence,” said West, “because they don’t want to be subject to U.S. regulation,” so the warrant prosecutors got from a Santa Clara County judge had to be sent via email to the company’s Cayman Islands HQ.
Nonetheless, she recalled, “Binance complied. Binance said, ‘Yeah, we will take that dirty money off our platform, and we will give it to you [to return to the victims].'”
Binance says on its website that it “works with law enforcement to prevent criminals from benefiting from their ill-gotten gains.”
“We have always held Binance to the highest standards,” Binance spokeswoman Jessica Jung told Newsweek via email, “even if we don’t have a [legal] obligation, because it’s the right thing to do and protects users’ interests.”
Since last summer, West’s office has successfully returned more than $2.6 million in scammed funds to victims using this technique. And that’s just a start. West has been holding online training sessions for investigators and prosecutors all over the country.
A federal case unveiled in August used the same technique to seize $112 million, more than half of it associated with a single Binance account.
Jung said that Binance last year fulfilled or assisted with over 47,000 requests from law enforcement all over the world.
And it’s not just Binance. Last week Tether, the third largest cryptocurrency, announced that it had frozen 37 crypto wallets with a combined value of $225 million, “linked to an international human trafficking syndicate in Southeast Asia responsible for a global ‘pig butchering’ romance scam,” following a months-long investigation with the U.S. Justice Department. Tether’s claims could not be independently confirmed and the Justice Department declined to comment.
Will instant online payments turbo charge fraud?
But a huge change to the architecture of U.S. banking this year could have a seismic impact on fraud, according to advocates, making instantaneous money transfers possible from conventional bank accounts, just like they are from crypto platforms.
In July, the U.S. Federal Reserve announced that it had created a real time payment backbone, which U.S. banks could use to offer, for the first time, instant online payment services to their customers—a huge potential boon for businesses and their customers.
The change was likely to highlight the problem of online fraud, said Frost, the former City of London fraud specialist.
“In my experience, the introduction of ubiquitous real time payments is when people really begin to sit up and pay attention to fraud because it makes it easier and faster for them to lose money,” he said.
In Britain, new rules from the Payments Systems Regulator will require banks to accept liability for authorized but fraudulent payments next year, much as credit card companies currently do in the U.S., Frost said.
Prosecutors fret that, absent such regulations in the U.S., the introduction of instant payments will turbocharge victims’ losses and contribute to the surging fraud.
“The question,” said San Diego Deputy DA Pirrello, “is are we as a people willing to give up some convenience in our financial decision making in order to secure our money?”
It took 15 years to get an answer to that question in Britain, Frost said. “It wasn’t until eight years after the introduction of real-time payments by British banks that consumer advocacy groups launched a campaign to demand change. And it took another seven years for the UK to be on the cusp of mandatory reimbursement for the victims of scams,” he said.
Newsweek is committed to challenging conventional wisdom and finding connections in the search for common ground.