With few safeguards in place to protect you and me from gift card scams, some people are filling in the gaps.
Four years ago, Jim Browning decided he'd had enough. Like so many of us, he gets incessant calls from scammers, disrupting his day with efforts to trick him into giving them money. But instead of just being annoyed and ignoring his phone, Browning chose to fight back.
He began to study scammers' tactics and learned that many of them rely on the same script and use most of the same remote control software tools. And he used his skills working on computers by day to program a virtual PC -- think of it like a safe and secure copy of a machine running in an app on his real computer. Once a scammer connected with his virtual PC, thinking they'd found another victim, Browning would pretend to struggle with his internet connection as he quietly took remote control of the scammer's computer.
"They think nothing's gone wrong," he says.
From there, he'd download their data, including lists of victims, notes and personal files. He'd also use that connection to the scammer's computer to listen to their conversations through the phone app they use, sometimes following, and interrupting, a scammer in real time trying to cheat someone. So far, Browning estimates he's disrupted more than 1,000 scams, spending up to 12 hours per week on the task. Before our chat, Browning was consoling a victim he'd just alerted of another scam he was tracking.
"I'll never know for sure exactly what the impact of what I'm doing is, but I think it's still worth doing," he said. "Even if the police do nothing, which they mostly do, I'm doing something."
He has his work cut for him. The world of online scams has exploded in recent years -- in April, a Harris Poll survey of 2,000 Americans commissioned by the app Truecaller found one in three people said they'd fallen victim to a phone scam, and more than half of them said it happened on more than one occasion. The lost money equates to an estimated $29.8 billion last year, a staggering jump from the $19.7 billion Truecaller estimated for 2019. The scope of gift card fraud, where scammers trick people into buying gift cards and handing over the numbers, is especially difficult to pin down because many victims don't report the crime. They're often embarrassed, and unlike identity theft, where there are strong consumer protections in place, there's almost no way to get their money back.
"They don't really know who's holding onto these gift cards," said Mark Roberts, who helped co-found the startup Leverage in Southern California nearly two decades ago. Back then, the company encouraged people to register their gift cards through his service. In exchange, the site would help people track, manage and swap the cards with other users. The retailers he worked with were aware of gift card scams even back then, Roberts added, but it was small enough that "they mostly didn't really care."
Read more: Gift card scams are growing, and retailers aren't doing much about it
Now the fraud has gotten so big that some people's righteous anger has boiled over into action. Over the past couple of years, a growing cohort of scam baiters have found success using YouTube and other video sites to share their exploits. Attracting millions of subscribers, they lure unsuspecting scammers in, waste their time, take their files and disrupt their operations. Browning and other scam baiters have attracted so much attention that even though many scammers seem to know their names, they also know they're scraping just the tip of the iceberg. But if they can disrupt even a fraction of the frauds out there, Browning says, anyone keeping a scammer distracted means protecting another victim.
"I consistently stop scams nearly every single day," he says.
Browning began uploading videos to YouTube initially as an easy way to provide evidence to internet service providers and law enforcement. He'd highlight the scams using screen recording software to show how the scams work, with a methodical commentary in his low, strongly accented voice. He hoped his proof would spark internet disconnects and police raids. But over time, he attracted more than 3.5 million subscribers, with notable jumps since the pandemic.
Not all scam baiters follow Browning's formula. One who calls himself Kitboga uses a voice modulator to make himself sound like one of several personalities he's created. Some of the most popular videos on his YouTube channel, which has more than 2 million subscribers, stars the character "Matilda," an elderly woman who shares running commentary about her life to scammers convinced she's an easy mark. Meanwhile, she slowly wastes their time during her fictional journeys across town, made complete with Kitboga's various background noises of driving a car, riding a bicycle or walking around a store. She once even got "married" to a scammer over the phone.
Kitboga publishes highlights on his channel, but the actual phone calls can go on for a long time. Once, he kept a group of scammers going through 1,500 phone calls that added up to 36 hours as he played not just Matilda, but also a store clerk, a customer service agent at a bank and even another scammer. "I genuinely hope you enjoy their misfortune as you learn about the tactics these scammers use to try to manipulate what they thought was an 87-year-old woman," he said in an introductory video.
The videos from Browning are more serious. They sometimes include him emailing victims on the scammers' lists to warn them. In others, he's called victims in the middle of the scam, hoping to warn them off. He's also learned how the robocall software that scammers use works and changed the outgoing message. "This is an automated message being sent from scammers from India. They were going to try to scam you by claiming that you would get a refund from your computer maintenance company," his new recording said. "Please do not mention that I have changed their message, but if you would like to waste their time you can speak to the scammers by pressing '1' on your telephone keypad."
Browning said he's been surprised at how cruel some of the scammers can be, taking advantage of disabled people on the other end of the phone line or deleting a victim's family photos if the scam falls apart. Some of the scammers have opened up to Browning in videos, telling him they feel they have no opportunity to make money legally.
"It's incredibly frustrating," he said. And rarely do the authorities he tells about scam call centers respond to his messages, making him feel as though "it's an almost tolerated crime."
Read more: Are you being scammed? Here's how to know and what to do
While scammers use all manner of lies to manipulate their victims, many of them have attempted to give themselves an air of legitimacy by saying they work for Microsoft.
So many scammers pretended to work at Microsoft that when the tech giant created a website in 2015 for victims to alert the company about these frauds, it quickly grew to 13,000 reports a month. "And that's just the people who found the reporting site," said Mary Jo Schrade, an assistant general counsel at Microsoft who oversees the company's digital crimes unit for Asia.
To track down some of the scammers, Microsoft used internet search technologies to scan for popups across the web that might use its trademarks or include references to a scam. As Microsoft's engineers researched how the scams worked, they learned that sometimes a call center of scammers in India partnered with someone in the US who would handle banking and money laundering. "We started to be able to build cases," she added, with about 40 cases notched so far, all including raids of call centers. Over time, the company's efforts seemed to be having an effect, with reports dropping to about 6,500 per month these days.
Just as other organizations have noted, Microsoft began to detect scammers shifting to gift cards. That's in part because Visa, MasterCard and other credit issuers had made it harder to open accounts to accept money from victims, Schrade said. "It gave the scammers an air of legitimacy that they could take credit cards, but also there was a tracing ability of where the money's going," she added.
The company has also tried to help educate potential victims, with some success. It learned that the conventional wisdom, that elderly are the primary targets, is wrong. In one survey, across 16 countries, Microsoft found that people from Gen Z and Gen X were more likely to fall for scams than older people. Schrade said some of the reason may be that so much education about detecting frauds is focused on the senior community. "The message needs to be broader," she said.
A couple decades ago, Western Union faced a similar problem to gift card scams, when criminals abused its money transfer network to defraud people of hundreds of millions of dollars.
Back then, many inside Western Union "didn't consider the fact that we had an obligation to protect people," said Dan Marostica, who's worked for the company for 31 years. As with gift cards today, the fraud Western Union saw was only a fraction of the total activity on its network. But it added up fast.
A Federal Trade Commission investigation found that between 2004 and 2015, Western Union's databases showed at least 550,928 complaints of fraud-induced money transfers, totaling more than $632.7 million. Additionally, the FTC said the company failed to offer easy ways for all victims to report fraud.
"In numerous instances, Western Union has failed to take timely, appropriate and effective measures to mitigate fraud in connection with its processing of money transfers sent by consumers," the FTC added.
Consumer advocates said what happened next may provide a path forward for the gift card industry. As part of a settlement with the FTC in 2017, Western Union agreed to investigate every complaint. The company would also repay customers if the company or its employees failed to follow procedures.
Marostica took over as Western Union's head of consumer protection about a decade ago, when fraud was at its peak, and has since helped overhaul its systems. Among the changes is a computer program that's tracking money transfers in real time, searching for suspicious activity. The program also improves its search capabilities each time Western Union uncovers a new fraud. Last year, Western Union said it counted a record low in reported consumer fraud.
Western Union has also expanded its education efforts, Marostica said. It's bought online advertisements for popular search results that might lead to scams and instead pointed people to educational material it's created to identify a scam in the future.
"Having something at the point of sale that says, 'Hey, don't fall victim to fraud' is less likely to work than getting to a victim before they get to the call," Marostica said.
TeamViewer is learning that lesson too. The company, whose remote desktop software exploded in growth amid the pandemic, has tallied more than 2.5 billion installations since its launch in 2005. On any given day, there are at least 45 million connections running on its service. And the number of connections during working hours has tripled.
Like other companies whose tools are being abused by scammers, TeamViewer and its smaller rival AnyDesk have learned that merely warning customers isn't enough. Scammers just tell victims "you don't have to worry about that" and convince them to click through, said Felix Mann, AnyDesk's director of brand and communications. Scammers like the remote desktop software because it's often quick, it's easy to set up and it comes in a free version.
To fight back, TeamViewer started adding security features and required that anyone using its free app be running one of the latest versions.
About a year ago, the company also started an anti-scam program similar to Western Union's. The internal tool, which the company said is one of many it's developed, watches the connections on its network to see if they exhibit traits of known scam techniques. For example, one suspicious account might be connecting with many newly activated customers in another country.
"There was a learning curve," said Romain Pradelle, who helps lead TeamViewer's security team as well as those devoted to trust and safety. The new system, which launched in the spring of this year, is now applied to all people using its software, with few apparent false positives.
"In the end, it makes a connection hard to take place for the bad guys," Pradelle said, adding that TeamViewer used to be one of the most popular screen-sharing apps among scammers, and now it's among the least.
AnyDesk is planning to launch a similar anti-scam tool next year, it said. And it's partnering with its rivals to share tools and technology so that scammers don't keep jumping from one platform to another.
"The problem is not going to go away," Pradelle said. "If we lower the guard, it's going to come back. So we're going to keep on with our efforts."
Western Union, TeamViewer and other companies were able to fight fraudsters in part because they're able to identify things like who's performing the scam and where a potential victim may be located. You have to provide photo ID to send or receive money with Western Union, and TeamViewer collects information to help identify different computers on its network.
Gift cards, by comparison, are nearly untraceable. You can walk into a store and anonymously buy a gift card using cash. And anyone holding the gift card typically can use it anonymously too.
"As a retailer, you don't know if you're accepting a fraudulent gift card versus a real gift card," said Julie Fergerson, head of the Merchant Risk Council, a nonprofit that helps educate and train online fraud and payments professionals. A retailer may never know who bought a gift card if it was purchased with cash and may never know who a victim gives their gift card to because it could be laundered through any manner of resale sites before being used at the store.
Part of what makes gift cards so appealing among customers, though, is how easy they are to buy.
The Retail Gift Card Association recommends retailers make changes to fight scams anyway. It's suggested changing how gift cards are made so it's harder for thieves to copy numbers still on the rack, stealing the money once they're activated by someone else.
The association has also recommended better training for cashiers, helping them to identify potential scams and quickly intervene when they suspect it -- for example, a customer who seems anxious while attempting to buy thousands of dollars in gift cards.
"The gift card industry as a whole -- including retailers -- wants consumers to have positive experiences with our brands," the Retail Gift Card Association wrote in an e-mailed response to questions. The organization said it regularly works with law enforcement and sends regular suggestions to store owners about how to better spot and fight scams before victims finish buying cards.
It also said retailers know that whenever a customer is defrauded, they associate that experience with the retailer. "There are no mandates in place regarding whether or not retailers must give consumers their money back, but the vast majority of retailers understand that negative brand experiences affect their customers and bottom lines," the association said.
Still, the gift card industry may face even more challenges in the not too distant future. Scammers may start using information floating on the dark web stolen from companies, credit bureaus and hotels to further coerce people into their scams.
"If they have an identity profile, they can just start quoting you stuff, 'I don't need to verify your Social Security number, I already have it,'" said Brett Johnson, a former fraudster who at one point made it to the Secret Service's most wanted list in the mid 2000s.
Now a cybercrime consultant, Johnson said social engineering is the reason online crime continues to succeed. It's only a matter of time before fraudsters find a way to make more money by targeting their scams with personal information about us, instead of randomly calling thousands of people in hopes of finding someone who will listen to them. "We're going to see this happen," he said.
However the scams change, Browning, the YouTuber, is likely to continue tracking them. He hasn't moved to YouTube full time yet, he said, in part because the money he makes from ad revenue on the videos isn't consistently high enough to replace his day job. "It makes enough to make it worthwhile," he said. Browning is considering uploading videos more regularly, though.
As for the subjects of his videos, Browning noted that police raids of scammer call centers seem to have fallen as COVID pushed so many people, including the scammers, to work from home. But recently he saw one scam group rent out rooms in a hotel so they could work together while still socially distanced.
"I'm probably at the top of an iceberg," he said. "I can't see an end point."