Scammers: The problem gets worse.

For instance, in Belgium, the Financial Services and Markets Authority (FSMA) received 1,332 reports of fraudulent activity in the first half of 2024, a 44% increase compared to the same period in 2023. This rise is part of a broader trend, with 2,170 reports in 2023, nearly three times the number in 2017.

I personally went to the police recently because I had lost some identification, and while doing the papers with a nice officer, I heard THREE separate old ladies come in talk about the fact they had been a victim: two of fake purchases and one remote connect scam.

Three people in the span of 15 minutes. In a town with 10-20k people. If that sounds weird, it is. I was shocked.

That would mean that about 200-300 people are prey/victims everyday in my town?

Meaning that the first stat I gave is deeply wrong and underestimating the issue.

From the FBI's website you can gather some more information, as Europe is not known for centralizing data at all. In 2023, the FBI's Internet Crime Complaint Center (IC3) received over 880,000 complaints, with reported losses exceeding $12.5 billion. This marked a nearly 10% increase in complaints from 2022 and a 22% rise in financial losses.

In Europe, online scams are often reported to local or national police forces, financial regulators or bodies, or consumer protection agencies, but the data is not always centralized or consistently recorded for statistical analysis. Which is an issue in itself as it minimizes the problem.

Problem 1: False sense of security

I take care of my family's computers once in a while, and always come across the same issues... First and foremost is believing you're safe from anything. My grandma once told me, but I have McAfee... To which I responded, didn't he die in prison and try to go into politics?

While it has been bought by Intel, it is still widely accepted by security professionals that these programs are ransomware themselves (hard to uninstall or remove subscription, they also install 3 programs just to make sure). It also replaces the built-in Windows Defender which is obviously a better choice by default.

Real solutions:

VirusTotal for scanning

UBlock, AdGuard, NoScript, Privacy Badger, Facebook Container, WHOIS extension on Firefox

Keeping OS up-to-date and not installing any exploitable software

(Firefox is at the origin of much of documentation about JavaScript, being one of the most dangerous scripting languages for the public.)

Problem 2: Lack of awareness

When we ask me, how can I stay safe: I first recommend what is above, but secondly I always talk of intent and awareness.

If I ordered something online: I know I will have a conformation email that will be linked to a delivery tracking number. Yet, that doesn't mean I start clicking on the 1000 fake DHL, UPS, Postal emails that I get.

You see the 'intent' pattern making more sense, if I start interacting with scams even out of curiosity, well you're more likely to actually get entangled in them (even tho it is fun!)

If I'm paying for something, I'll use QR pay so that the 3rd party service can take care of securing my payment info and not reveal my information to the merchant site.

The problem is more important then ever today because, if I ask DeepSeek to copy an email from my bank, it will do so perfectly in less than 3 seconds which is a big issue (not for me, but for my grandma). I can also clone someones voice to make them say what I want, even emulate images/videos...

Real solutions:

Always always start from the fact that you owe nothing to anyone, you should initialize interactions and never the other way around. Don't hesitate to call an official number but not the one you got in an unverified email. Checking the source: Is it linked to a customer ID, Invoice or Order, did I initiate said service ?

Problem 3: Accountability

I'm revolted by today's system... I don't want to sound anarchist or anti-capitalistic, but I truly believe there is something deeply wrong with large companies that we give so much power and trust to, that then exploit this for financial gain, at the cost of the user's experience?

I will say they enable many great advancements, and should not only be seen in a bad light: "but the brighter the light, the darker the shadow that is shun."

If I search DHL, and 3 scams pop-up in the search results, obviously I can tell they are sponsored and have weird URLs but can my grandma tell ? Is Google an accomplice in this case?

Legally, the issue is that these websites are going to be registered in malta, virgin islands, etc

Which means there is little to nothing we can do (at a citizien level) but there is a lot that could be done at government level and even more on the regulatory side.

If Google (or any advertising giant: Taboola, Meta, X, etc) accepts this money, it creates a double or triple issue:

• Ad fraud

This is basically more impacting legit advertisers: meaning they get botted traffic, copy cats, click farms, etc. Harboring a noncompetitive landscape where legitimate advertisers are punished by scammers activities.

• Ill-intention

This is where the consumer gets ****ed, with simple scams as fake sites, phishing, or just plain illegal activities. This can be just for your money, or for access to your computer... The idea is the same you're getting bent-over.

This is intensified over industries where the "target" is deemed easily exploitable: Pets, electronics, tech support, romance, travel, finance, health, real estate, automobile and more.

One study from Brazil showed that out of the 16 billion $reais that were spent about 2 to 5 billion was from fraudulent activities. That's 10-30% of all ad spent, going towards scams.

Then these scams make more money then their legitimate counter-part and can re-invest in the same ad or modify it slightly.

But here is the catch: They compete with legitimate business, with nothing to deliver makes it an easier task! Imagine a normal marketer factoring in his margins, costs, etc

And his scammer counter-part doesn't need much of a business plan.

This is also exacerbated by seasons in the year. I own an online shop and just 2 months before Christmas I always see 2-3 copycats pop-up that will latch onto my ads to scam the 5% of customers that do not differentiate the URLs and look of my website.

I can try reporting it to Google or Meta, but yeah good luck with that! They are known for being very unresponsive towards reporting until there is enough volume. Recently they did have a bit of cleaning to do with copyrighted content and yet look how that turned out too...

Statista estimates that in 2021 the total estimated cost of frauds online was 65$B and that number is projected to reach 100$B by 2028.

Vulnerability

I'm a huge fan of KitBoga on YT, I think he does great work at making them look ridiculous, entertainment but also at education about the inner workings of some of these scams.

But mainly one thing is always the same: Targeting people who seem like an easy target.

Whether it's young adults with crypto meme scams or older people with fake websites...

Statistics from FTC.GOV show that "While older adults were less likely to report losing money to fraud, those 70 and over reported much higher median individual losses. The median reported loss was $800 for people 70-79, and a whopping $1,500 for those 80 and over."

This brings me nicely to my last point... And again not to sound pessimistic or paranoid... But there is no safe place. If I can easily find old passwords, email addresses, even sometimes physical addresses, phone numbers and more online... Well so can the "attacker" and with a little ingenuity and lack of attention from your part. The trick is done.

Even for us (about 30 year olds) who are born in all of this, we are now more likely to fall to some of these. Simply because the "threat" has more tools to create a decent looking website, to create these email templates, to call you with you relative's voice, anyways you get the idea.

Before it was harder to make something look official is what I mean.

A little green lock icon on the browser doesn't actually mean secure... It only means the traffic is HTTPS encrypted, yet when sent directly to an attacker, well... It's secure scamming...

More Solutions

I think one of the biggest changes we will see in the future is the mass adoption of open-source (or half-opened) technologies. Meaning our classical way of seeing Google as the search engine will be challenged, today you have alternatives like DuckDuckGo which aim to privide the same depth without the ads.

They are not fully open-source, meanignthat critical algos and partnerships can be kept away from the public, but the core philosophy is there: the extension to block trackers and their dataset of known malicious trackers are fully public on GitHub.

Truly open source: Searx, YaCy

This means that these are built-out in the open. With many eyes set on improving the code and the user experience, it means that it's hard to create a for profit back-door that introduces liability to the end-user (even a sense of community between user & dev). If you always have their best being as an intention, the perceived benefit will be quite high as it's not polluted by money in the traditional sense.

Instead they have donation models, basically "pay what you can" which is especially reliable way to monetize projects at scale, provided the community is giving and interested in the project.

I think this will be the same for many other things like social media and more software.

Problem 4: Outdated Standards

One more point I wanted to discuss is obsolescence... As we all know security is a bit of a weird race: you're perpetually CATCHING UP to threats, instead of pro-actively making changes that can avoid said threats. This means that when it comes to security measures we take need to be aligned with actual latest trends in cyber-security.

Belgium is not that bad of an example in this case, Itsme app which finally gives a secure way of handling personal information. They also have open documentation but you do need to apply for the API access.

Now another question becomes, system design... What are the rules to having access to said service, or integrating it? Can a malicious developer exploit something in this app?

By obsolescence I also meant, if a service is using a face picture along with an ID card but that both are easy to counterfeit, well then there is no real security measure in place. It's a smoke-screen, a false sense of security again.

Problem 5: Trackers

While this is the most discussed subject recently, there is still underlying issues to websites that are then hooked by other organizations. Meaning that if I have a web-shop (which I do) and want to stay competitive, I have to install a bunch of trackers that will help me do my marketing on advertising platforms. But this also gives a "backdoor" to this organization itself. Meaning that now you are being tracked by said entity on a totally unrelated site. They can then use this data of your interest to recommend you more of this type... (and perhaps scams).

While putting up consent banners seemed like the simple solution, well I think it's again just making the experience more annoying for the end-user, without actually tackling the problem. It's finding an easy solution to a much more complex problem.

Pointing fingers at a cookie banner, instead of naming the actual culprits. The same is true to even more malicious tracker code which can live rent free in extensions, or other software you've downloaded.

International Coordination

We have deep need for cooperation in terms of where the money is going, how to take down the ill-intended activity, reporting mechanisms that are outdated or simply inefficient.

Education of younger people and older generations on the subject and prevention.

Recovery and support systems for victims, psychology behind falling for scams.

How can AI be leveraged by individuals to detect scams instead of enabling them ?

The role of social media or major platforms in enabling sophisticated scams ?

How do we deal with cross-border scams and in their international nature how do account for traceability of said scams ?

Problem 6: Guilt & Shame

As we mentioned earlier, there is a problem with statistics on this subjects as it's common for victims to stay silent. Obviously having gone through something traumatic and feeling used, shame might kick-in and the victim will never even become part of the statistics.

This creates two problems:

One, they will not get the help they need and two, it's not even being reported to proper authorities.

For example, if you have viruses on your computer that got access to your accounts, and you don't take the necessary measures, well chances are you about to get scammed again... Making it a vicious cycle. And when reporting to the authority in question, they will make you fill out a piece of paper and likely have little to no follow-up.

Leaving you scammed, and still with the same issues as before. The main difference with common crime such as theft is the concept of "backdoor":

Meaning that if you didn't do the necessary (resets, virus scanning, extensions, etc) well you're in for another scam because they never left after the first!

In a traditional theft, the thief has to run and not get caught, the internet is a bit different in that sense. Where it's hard to get caught in the first place because of it's nature, experienced users can leave little trace and avoid repercussions.

Essentially what I want to share with this post is that while I can have as much hatred for scammers as I want, I also think a lot of the guilt falls back on ISPs, Email Service Providers, Payment Processors, Hosting providers, Advertising platforms, and more.

They have nothing to gain from blocking such activities as it's an essential part of their customer base today. The only one who stands to gain from this is regulatory and government bodies which are comically slow with technology.

Preventing "Two-clicks scams"

When I think of easy ways to get hacked I always have extensions in mind because well they don't live in your operating system (you didn't have to save and execute) you just pressed yes once and it's game over.

There is a way to "lock" extensions in Mozilla:

Open the browser type: " about:config "
Then xpinstall.enabled set to disabled

This will add one layer that you have to press enable again before adding extensions. While it's not perfect there is also a way to make this more permanent by using distributions folder.

Never ever download and run code from untrustworthy sources period.