Tales of a Scam Baiter: Tips and Tricks of the Trade

August 6, 2024
Kitboga
Scambaiter and Improv Artist

I began this adventure of calling scammers with the hope that even if I spent fifteen minutes with a scammer that they wouldn’t spend those fifteen minutes with someone's grandma. I have had the opportunity to make a lot of scammers angry over the years and together, we can figure out ways to make them even angrier. 

It began in 2017 when I watched a YouTube video about tech support scams and I realized that if I, as a millennial in the tech world, hadn’t heard about this, then people like my parents or grandparents wouldn’t have a clue and could easily fall for it. It became my calling and today I want to share some tips and tricks with you to help make you and your loved ones safer.

The Back Story - From Curiosity to Scambaiter 

When I started, I didn’t need a lot of technology. I could take a phone call and knew enough about virtual machines to feel comfortable letting a scammer connect to my computer. Eventually my friends suggested I stream my calls on Twitch, and it grew from there. 

As time went on, things became more complicated, and I had to build out technology. I created fake bank accounts, a fake Google play store, worked with AI, and partnered with companies like Kraken. We built our own fake bitcoin environment, built a team and created anti-scam software. I have different “characters” and use different voices depending on the scam. We have folders with hundreds of images that we use when communicating with scammers such as pictures of gift cards or cash. We even have fake wire confirmations. Whatever the scammer might ask for, we have it.

A chart with colorful arrows and textDescription automatically generated with medium confidence

I’ve talked to tens of thousands of scammers over the years. Everything from IRS scammers, fake pop-up virus scammers, pig butchering, and romance scams. I even married the Nigerian Prince. It’s given me a unique perspective because I become the victim. I get hooked and must figure out how the scam works and how to become the perfect victim. I “hack the scammer’s brain” to get as much intel as I can. 

Isolation, Dependency & Urgency: The Tactics Used by Scammers 

Through years of scambaiting, my tactics have evolved as much as the scammer tactics have – but I’ve noticed three things stand true to bait people in. 

1. Isolation: Alone on an Island

Scammers want to keep the victim isolated and make sure they’re alone. They use tactics like telling people that if the bank finds out what’s on their computer, they will go to prison. They are instructed not to talk to anyone or give other reasons why they may be withdrawing money, such as the purchase of a vehicle. 

They’ve gone as far as telling victims that someone at the bank is a hacker and they are involved. In investment schemes they’ll tell the victim not to share it with their family because they will also want a piece of the pie. Or not to tell the bank because they could get taxed heavily.

Tip: If it doesn’t feel right, it probably isn’t. If what you’re doing becomes secretive, ask yourself if that seems reasonable or odd. There is no situation in which you should be instructed to not speak with your financial institution or family members.

2. Mr. Scammer, You’re My Only Hope

The scammer wants to look like the hero or the expert and convince the victim that they are the only one that can help them. In the case of the virus pop-up, if a victim were to mistype a website or click on a wrong ad, a pop-up appears that looks scary and makes loud sounds. The victim feels they have obviously done something wrong. They are presented with a phone number for “Microsoft Windows Support”, which will take them directly to the scammer.

They are now on the phone with whom they believe to be a support representative that is helping them with whatever virus they have downloaded. At this point, they allow the scammer remote access to their computer to fix the problem and all they see is a blue computer screen with a message not to restart the computer and nothing else.

A blue screen with white textDescription automatically generated

From the victim’s perspective, they’re in the right hands. Something terrible is happening and they trust this person.

Our team built a tool that would make this screen transparent so we could watch what the scammer was doing behind the scenes. While the victim sees the blue screen, assuming this support representative is helping them remove a virus, the scammer is actually trying to steal money. They will apply for loans, buy gift cards, go to different crypto exchanges and search internet browsing history, all while the victim is trusting them to fix their computer.

If the victim saves passwords in their browser (which is not recommended, instead use a password manager), the scammer can look at all the saved passwords. The entire time the screen is hidden, the scammer is acting as the victim, taking all their money.

Tip: Do not allow someone to remote into your computer. You can download the Seraph Secure tool to prevent remote access on your computer. Never call a support number on the screen, go directly to Microsoft or any other site to ensure you are calling the correct number. Many times you can navigate away from the page that is leading you to believe you have a virus on your computer. If you have a tech issue, take it into a store.

3. Act Now or Forever Hold Your Peace

One classic tactic of scammers is to create a sense of urgency with their victims. The last thing a scammer wants is for the victim to take the time to think and possibly realize it’s a scam. They want you to act fast and think later. Whether it’s protecting an account, claiming a prize or taking advantage of some opportunity, the scammer wants victims to feel the sense of urgency that they must act quickly before it’s too late.

The grandparent scam is a great example. A scammer calls pretending to be the grandson or granddaughter on the line. They usually sound panicked and are in some type of trouble, perhaps going to jail unless the grandparent sends money to rescue them. Scammers are now using voice cloning, a technology that can remove accents, add accents or even speak in other languages. They use this technology to sound like the grandchild, making this scam even more convincing.  

The only caveat to the sense of urgency is pig-butchering, which tends to flip the script. It’s more of a slow play. The scammer wants to earn someone’s trust, they get them on a fake platform, manipulate the charts and graphs so it appears they are making money, and then the scammer takes it all. 

Tip: Take your time and think through any conversation, promotion, or call. Hang up and call someone directly to verify information. If you’re told you have a limited time, it’s not worth it. And if it’s too good to be true, it probably is.

How Do We Fight Back?

1. Education and Open Discussion

A big part is education. Whether it’s educating our lawmakers, customers, or the public. We need to all work to come up with solutions and bring things to peoples’ attention. We have a connection with a particular police department, and they do community outreach. They will go to retirement centers or libraries and give talks about scams and what to look out for. 

Scammers are using legitimate platforms, and they use repetition. They must register their domains, host a website, use bitcoin ATMs, and remote into a victim’s computer. They keep using the same tactics. So, think about this when it comes to your own platforms and what roadblocks could be put in place.

2. Stop Victim Shaming

It’s unrealistic to think that anyone can keep up with the plethora of scams out there today, all of the tactics used, or be knowledgeable about when or how a scammer is going to target them or a family member. It’s a full time job. When we shame someone for becoming victims to a scam, they are less likely to report it. Victims often feel guilty, ashamed and embarrassed. If someone comes forward to tell you that they have been a victim, don’t blame them. This is an opportunity to give them resources to help them recover from a scam.

3. Protect Yourself and Loved Ones

My team built a remote connection tool that would create a pop-up and not allow someone to install a screen connect client. You could put this on a loved one’s computer and receive a text if such a tool was attempting to install. We want to get this out to as many people as possible. We have some law enforcement groups using it to clean victim’s computers. There was one victim that had hundreds of different connections on their computer. 

Steps need to be taken to detect scams in real time for phone calls. My team is talking about developing such a tool. However, it’s a delicate balance of privacy versus security. If done appropriately, it could be a great tool. 

 

If you have wanted to submit a scam to Kitboga, you can find his submission form here. You can also check out his keynote speech and full AMA session from the Fraud Fighter Virtual Summit!

Subscribe to our Blog!

Please fill out the form below:

Related Articles

Getting started is easy

See first-hand how Unit21
can help bolster your risk & compliance operations
GET a demo