Scambaiting – The dangers and (possible) benefits of wasting a scammer’s time

You may know Mark Rober for his YouTube videos pranking mail thieves or training squirrels to get through a maze.

Recently however, the YouTuber decided to prank scam callers in what is best described as a co-ordinated sting operation.

The video was the culmination of months of work collecting information about the scammers and their operations. The video sees the hiring of undercover agents to infiltrate scam call centres in India and while it gets tense, the work done by Rober, Jim Browning and Trilogy Media saw an illegal call centre in Kolkata, India, busted.

As of time of writing, the video above has 37 million views which is incredible, but upon seeing how popular this video became, we grew concerned.

Our concern stems from the fact scambaiting, can be dangerous.

What is scambaiting?

Scambaiting is the act of reaching out to a scam call centre and wasting its time. The idea behind this is that the more time spent wasting the scammer’s time, the less time they have to scam an unwitting individual.

The practice is incredibly popular online with several streamers and content creators having found success by baiting scammers.

Thankfully, many of these creators are responsible and warn users. However, the temptation of taking up the mantle of vigilante and scambaiting can be hard to push back when you’ve received your fifteenth spam call before 10am.

So how dangerous is scambaiting? That question is a tough one to answer given the variety of scams but the prevailing advice from experts we spoke to is that scammers are a wily bunch and engaging with them is dangerous.

We spoke with cybersecurity expert Duane Nicol at Mimecast, an email security and cyber resilience firm, as well as senior vice president of content strategy at KnowBe4 Africa, Anna Collard, to find out more about scambaiting.

“Scammers are often experts at deception and extraction. They are trained to get as much information as they can about a target. The longer you engage with them, the more information you give them and the better their subsequent attacks will be,” explains Duane Nicol, cybersecurity expert at Mimecast.

This is likely why so many scam baiters use voice modifiers, virtual machines, and services that allow them to change the phone number the scammer sees. As much as scambaiting is about wasting time, self preservation is just as important.

“When dealing with these scams, we need to remember that ultimately the other person on the line is a criminal who may resort to unethical behaviour to get back at you,” explains senior vice president of content strategy at KnowBe4 Africa, Anna Collard.

While it may seem like fun to emulate well known scambaiters the next time you get a spam call, the advice from experts is to not engage with scammers at all.

“They already have some personal information about you and it is not hard to obtain much more detailed information thanks to massive data breaches such as the TransUnion data leak recently. There have been cases where criminals retaliated by publishing victim’s contact details, harassing them with constant robo-calls or even worse falsely reporting them to the police in an attempt to elicit an emergency response action,” Collard told Hypertext in an interview.

Can scambaiting be useful?

While many scambaiters will justify their actions by saying they are wasting the scammers time so they can’t scam others, we don’t buy it.

Scam call centres are monolithic organisations and wasting the time of a single scammer is a literal drop in the ocean.

That having been said, scambaiting isn’t completely useless.

A paper titled Exploring the voluntary response to cyber-fraud: From vigilantism to responsibilisation, published by Mark Button and Jack Whittaker in 2021, looked at how vigilantes are fighting cybercrime.

Note, the use of “vigilante” is being used rather loosely here as both Whittaker and Button say the actions observed are different from classic vigilantism.

The paper proposes there have been two waves of vigilante cybercrime fighting spurred on by a lack of response from law enforcement. The first wave saw individuals highlighting crimes that authorities either didn’t have the resources to pursue. This wave saw many pedophile hunters rise to prominence online.

The second wave is what we are experiencing now where rather than confronting offenders, vigilantes are using technology and their resources to disrupt the operations of ne’er-do-wells and highlight them for the world to see.

The third wave is yet to happen but Button and Whittaker propose a future where authorities and citizens work together. As the paper points out, cybercrime is a global problem and no one police unit can address the problem. By bringing scambaiters into the fold, the potential for policing the halls of the internet improves significantly based purely on the fact that there are more eyes looking for wrong-doers.

While this is aspirational and couldn’t happen, it may be something lawmakers want to consider.

What you should do when a scammer calls

So we’ve ascertained that scambaiting is not the best idea, especially if you aren’t fully aware of the dangers, so what should you do when you encounter a scammer?

First off, spotting a scammer isn’t always easy. Remember, these folks could have access to a trove of stolen data. Worse still, they could have access to your social media and as such they can tailor their scam to target you directly.

“None of the service providers proactively reach out to consumers to ‘help patch a security flaw’ so any communication to that effect should be considered with utmost suspicion. If you’ve been approached by someone purporting to work at Microsoft, for example, who wants to ‘help you patch a security flaw’, it’s 99.9% likely that you’re dealing with a scammer,” Nicol tells Hypertext.

The best advice we’ve seen is to hang up the call, search for the company online, skip past the paid advertising (which scammers have been known to use) and contact the company directly.

“Scammers try trigger your emotions to suppress critical thinking. In fact many of these scams count on you acting without thinking,” Collard tells us.

“As soon as you realise you are dealing with a scammer, it’s best to terminate all communication and ensure you didn’t click on anything they sent. You may want to keep a copy of the emails or chat messages as evidence and report it to the affected institutions as well as the police. Above all, don’t play with fire by trying to mess with the scammers,” the SVP adds.

As pointless as it may seem to report the incident to local authorities, it’s something both Collard and Nicol recommend doing.

“With the introduction of the Cyber Crimes Act, South African law enforcement authorities also have new powers to investigate and prosecute cybercrime, so be sure to report scammers to police,” says Nicol.

You should also contact the South Africa Fraud Prevention Service should you be concerned about identity theft.

Beyond that, if a scammer is using another company’s name, report it to that company. Brand reputation is immensely valuable and companies will likely address the matter if their name is being improperly used.

The easiest thing you can do, however, is speak out.

If you’ve encountered a scam caller, post about it on social media, let your friends and family know. Knowledge and awareness are incredibly important tools in the fight against cybercrime and you don’t need to be a scambaiter to participate.


[Image – CC 0 Pixabay]



About Author


Related News