OPW INTERVIEW -- May 16, 2007 -- Scammers are a proverbial pain in the neck for internet dating and social networking companies. Over the next ten days I’ll list five interviews on your least favorite subject matter. These will be slow news days while I’m at the Asian Internet Dating Conference. Nelson Rodriguez is CEO of LoveAccess, along with TogetherChristian.com and MatchRanger.
What kind of scamming do you encounter?
Primary scamming comes in three flavors. The first flavor is the typical Nigerian Ghana. Over the last 6 months to a year, they’ve changed tactics. They say they are either a traveling businessman and they’re overseas or they’re a young girl overseas. They befriend people and instantly fall in love with their target. Then there’s the tragic event that occurs. Their mother’s very sick back in the States and they don’t have enough money to go travel back or they were coming home from work and they were mugged and had their rent money stolen and they’re going to be thrown out by their landlord.
The second set of scams is where they’re basically trying to find targets for mail drops. The scammer will make up some story where they are traveling abroad and they have an important package, something happened (e.g. their laptop failed) and they need to get it delivered, and they need someone they can trust that can sign for it and forward it over to them wherever they are. (The merchant ships the laptop before discovering the purchase was made off a stolen credit card. The forwarder sends the laptop on to the scammer in Nigeria, etc. The forwarder may be liable for the laptop).
Then there’s the Russian mail order bride scammers, which fall into two distinct groups. There’s the one set where a girl will string “x” number of men along at one time, befriend them, talk to them on the phone, instant message them, then the tragic event occurs where they need some financial assistance. Then there’s actually a second set which is quasi-legitimate. There are actual dating agencies in Russia who charge top dollar, I mean ridiculous amounts of money, for these Russian women to find them American men. So basically the girl comes down to the dating office and signs up for whatever service and the agency then goes and floods all the dating sites with their profiles to get the correspondence going immediately to their Yahoo or Hotmail addresses. So the girl pretty much doesn’t know anything about where this person was contacted. They go to the office, because most of them don’t even have computers, open up their Hotmail account and they correspond back and forth. So the dating agencies in Russia use our dating sites to basically spam everybody to try and get a few leads for these girls.
The majority of scammers are just looking for money. And then the other form of abuse we encounter, which is not a scam per se but still a problem for us, where our site is used for credit card verifications. What happens is, they want to buy something at a Best Buy or Circuit City or something and these guys need to make sure that when the transaction goes through its perfect the first time around. So they’ll basically just run credit cards on us first before they go make their big purchase. This is a problem for us. We end up voiding the transaction if we catch it in time but the sad part is there’s no mechanism to be able to report to Visa or Mastercard or Amex that this is a very suspicious transaction and we believe that this credit card could be compromised. There’s no recourse for it. So there is no repercussions for them to use us. That’s really problematic because if we get enough of those we could lose our merchant account.
Have you encountered much in the way of affiliate scamming?
There’s always some scam they’re trying. And even the affiliate scamming guys have gotten really, really good. Before they would just go at it with a brute force method and all of a sudden make 500 accounts in one day. Now they’ll make 2 or 3 accounts every day and they’ll spread them out over the day. The CPA’s that we have to pay these days is very significant. Any affiliate program we use we pretty much have to assume we’re going to have to write off 10% to 15%.
Is that worthwhile for them?
Yeah I mean look if you make 10 profiles a day you know its $40 a day in commissions times 30 and, especially overseas, $40 a day turns into a lot of money. So like I said it’s not that hard, it takes a matter of 2 minutes to make a profile and they’ve gotten very, very, very good at doing it.
How much worse has scamming gotten and how serious of an issue is it?
I don’t think the levels have really changed much. It’s always been just a part of the business that you deal with. But as a percentage of the business as a whole it’s actually very small. You figure maybe 5% or even less of the profiles are fraudulent but that small percentage causes a lot of headache because in order to catch the 5% you have to scan the 95% to make sure everything is good and that’s what adds to all the operational overhead that we get. It’s very frustrating to catch that 5%.
Beyond the financial effects the scammers have, how do they affect your site’s reputation?
Oh it’s terrible. People send us customer service emails, ‘well I’m thinking about upgrading but I don’t know if this person is real or not.’ It’s not good for a business if the consumer isn’t confident what they’re getting is legitimate. Then it becomes very problematic because let’s say the person upgrades and then we catch the scammer, they’ve upgraded and the account they were trying to contact is basically banned, and these people are frustrated. They get very upset and then question anything and any kind of contact throughout the whole site. It leads to a full loss of confidence. If you’re getting let’s say five emails today and three of them are coming in from scammers, any reasonable person is just going to assume that all of them are fraudulent and basically you’re going to sign off the site. It hurts both sides and ultimately we’re the main losers here. It’s definitely a big problem.
We’re offering matchmaking services and doing background checks and that’s been very, very effective in keeping the scammers away. Most of them won’t come through but a couple of them have tried. They still try. They’re very, very aggressive and they’re always looking for new creative avenues.
You have to remember one thing with these guys, this is how they make their living. They have nothing to do all day long except try to figure out how to beat the system, work around it, and look for any holes in the armor. So they have every single advantage while we’re at a complete disadvantage. I’m focused on building services and quality into the site, not trying to figure out how to stop scammers.
How much time does it take from your teams day?
We have one person who manually reviews each and every single credit card transaction. And then we have a couple of people that review every single profile that comes through the system. Like I said, as they get better they slip through. You can only be so proactive and then you have to be reactive and wait for customer feedback. They’ll say, “Hey there’s something with this profile, check it out.” And then you can go in there. We’re always at a disadvantage waiting to react rather then trying to nip it in the butt before it becomes a problem.
How can the industry work together to combat scammers?
We could have some sort of common database that we can run like a hash on say an email address and IP address or something and compare it against the database and say, this IP address and this email address have made 40 accounts on 20 different dating sites today. But still it’s a lot of work. While valuable who wants to spend the money and time to do it.
How high on the priority list should it be for the industry to stamp out this problem?
It’s a daily priority for us. It’s built into operations. Like I said if it affects 5% of the business it’s not that ‘big’ of a problem. But is it a top priority? Of course it is, it always has to be. We have to work Saturday and Sundays because those scammers realize that on the weekends we were staffed less. So they would start working much harder on Friday nights and Saturday mornings to try to get some mileage out ahead of us, until Monday morning. We had to put on weekend people.
Educating our members about online dating scammers is an important component of our customer service policy.
Posted by: Janet Reiss | May 16, 2007 at 08:54 AM
The solution to this problem is for the dating industry to work together on a common shared system. The gaming/casino industry shares a database on known cheats and criminals. They realized it was in everyone’s best interest to share this data.
I challenge anyone in the online dating industry to dispute the fact that sharing data on scammers is not good for everyone. And please don't say "this isn't a problem for me. Maybe it is just your site". I am an active online dater and I see these scammers everywhere. Even on the "big" sites.
Furthermore I will personally commit my time and resources to a common solution. If a lowly little 2 million member site like onlinebootycall.com can make this commitment. Surely big sites like yahoo, match, true, etc. can make the same commitment?
Just think of the satisfaction that would come from banding together to squash these pests. That is unless they are smarter than we are…
Questions, comments, concerns?
Michael Ramsbacker
CTO - www.onlinebootycall.com
Posted by: Michael | May 16, 2007 at 01:12 PM
Michael,
What do you see as some viable common solutions for the industry?
Thanks,
James Houran, Ph.D.
Online Dating Magazine
Posted by: James Houran | May 16, 2007 at 01:58 PM
"I challenge anyone in the online dating industry to dispute the fact that sharing data on scammers is not good for everyone"
I think the fact that it clearly breaks US, UK and Canadian law may have something to do with it.
Casino's are not based in north america so they don't have to follow our rules.
Posted by: Markus | May 18, 2007 at 07:55 PM
I have seen this strategy, combined forces, work combating fraud in other industries. At iovation I'm working with fraud managers across the globe. Watching them share reputation of confirmed fraud activity does help them stop more fraud.
While simply hashing the email address and the IP address might have some measure of success, it will not be a long-term solution. Because, all the fraudster has to do to defeat it is to use a different email or IP address.
To do this right, you must deploy a sophisticated device identification technology. And to avoid any privacy law issues, this technology must not collect any personally identifiable information. You will also need an enterprise class back-end database that can sustain the complex model of the web of associations that is naturally created each time the end-user logs into an account from a PC. Then, in order to share reputation, somebody has to serve as the aggregator hosting the data of your combined forces.
Posted by: TheFraudKahuna | May 18, 2007 at 08:25 PM
I agree that simply grabbing/scrubbing IP addresses is not an effective long-term solution.
Creating databases of 'suspected' scammers is definitely not easy to do as Markus suggests "is a clear privacy violation and who knows what other laws as it pertains to each country."
Scammers move fast enough that the effectiveness of a collective DB would help, but more trouble than it's probably worth (never mind ownership, and membership requirements).
Now I'm new to the dating industry (damn competitive) and maybe this has been tried or it's simply not feasible, but I used to work at an ISP and know that the carrier does burden some liability.. especially if they knowingly allow/aware illegal activities to happen on their networks.
In my short tenure in running a date site, it seems that especially the 'Nigerian Scam' that the same providers (portable IP blocks, satellite, wireless, others?)carry 95% of the illegal activity.
I see that RIPE.net (hundreds of search engine links about the same RIPE IP blocks being a key culprit) provides scammers the internet access to get their work done. Over and over again dating site owners are complaining about having to block huge IP ranges for traddic originating from RIPE. (I'm sure RIPE is one of hundreds)
From a legal perspective (for example), would an ISP not be found liable if you could show that they were previosly aware of the problems and did not take any measures to stop scammers from using their neyworks/services to conduct illegal activity?
I see dating sites spending hundreds of millions to acquire new customers, yet is anyone effectively dealing with their 'security' issues?
Before you say yes, I've done searches on the "same usernames" on 99% of competitive sites and there are numerous instances of bad sign-ups (some usernames have been there for years in some cases and use the same description).. So no one site is really 100% protected from this problem.
I would like to see the big dating sites that have the money to ..
1) document all incidents
2) collect extensive IP information to what providers are guilty of consistently providing the network access behind the scams
3) research any/all historical incidents, mentions in search engines, actual fraud cases and to what 'awareness of the problem is already realized' by the different providers
At some point, a provider must be held liable in who they sell their IP address blocks to... I note tracking people down in an internet cafe is NOT going to work...
You need to attack the source that is ultimately monetizing/profiting in the illegal activity. You sue the ISP from the top (telecom company, network providers) down to local or regional reseller.
Has this been tried? Do the larger dating sites have their legal departments already contact the same problematic network providers? Is this old news or is it simply not possible?
I don't care what you say, there is NO ISP on this planet that enjoys getting a court order or facing huge potential international lawsuits because their network was the access point for illegal activity. For example : If a provider is found with child pornography on their servers, you better believe they move fast to remove it (no matter what country they live in) ...
If the same ISPs are found (especially with historical precedent) of knowingly having criminals doing bad things using their services, could they not be at risk legally?
There is no DB that can effectively protect us. They'll find a new way to get at your valuable memberbase every single day because internet fraud is a multi-billion dollar industry! There's plenty of monetary incentive involved and no DB (no matter what tiered technology you provide) is going to stop the criminals.
I've got 300 members, so it's easy to check the IP of each new sign-up - but for you big guys.. That has to be costing ya alot of money no?
Is it not worth a call from your legal department to pass on a detailed report to all of the offending telecom providers?
Anyway I realize that this only addresses one of the fraud types, but using a similar approach will definitely work across the board - Sue the rich telecom providers and watch them tighten it up!
Am I crazy or has any dating site ever initiated these conversations already? If so, keep doing it every week and remind them that their networks are illegally profiting from crime and not protecting the public from these criminals.
The big dating sites and the established dating industry must realize the collective benefits of organizing a legal effort to stop the problem at the network level. $$$$
Posted by: LonelyBloggers | May 18, 2007 at 10:07 PM
Sueing ISPs will not work. An ISP can not monitorize their clients activity unless they have a court order. Then, how could they find out that user X or Y is scamming some sites?
Well... if you notify the ISP, providing time and IP address, the ISP can easily find our that the client is Mr. X. But, the ISP will not block a paying client... I can assure you of this.
Posted by: Zoltan | May 19, 2007 at 04:09 AM
I would encourage you to look beyond IP addresses and start looking into device identification as a whole. It only takes me about 3-seconds change my IP address and revisit your site from a new geolocation/ISP (if few seconds longer if I really want to cover my tracks). If you want to chase a ghost, go right ahead.
Posted by: TheFraudKahuna | May 19, 2007 at 01:32 PM
I'm going to get flak for this, I'm sure, but if a site has figured out how to prevent 99% of all scammers from harassing its members, why would it share how it is doing this with the competition?
I understand the argument that scamming taints the entire industry, however, wouldn't this be a competitive advantage to keep its methods secret?
Posted by: Sam Moorcroft, ChristianCafe.com | May 20, 2007 at 10:10 AM
That is true, any site who develops a proprietary fraud technology and lowers their fraud rate would have a competitive advantage. However, you might consider what's happening over at the Merchant Risk Council http://www.merchantriskcouncil.org/. Your friends in eCom are finding that sharing fraud best practices and combining forces is a winning methodology. You might also want to evaluate the products that have emerged to help them combat these frauds.
Posted by: TheFraudKahuna | May 20, 2007 at 09:59 PM
Sharing a common database with banned IP addresses and perhaps usernames will be a good start to combat this problem.
Device authentic solution is not fool proof either as it relies on the specific machines previously being used for fraud and spamming. Culprits can easily use a different machine by simply going to an internet cafe.
So in short there is no perfect solution at this stage but we have to start from somewhere. Remember, solutions are refined over time. This may also involved lobbying the governments to make ISP responsible.
We at Club Intimate will be happy to share our banned IP list if other dating site owners are interested. If interested please drop us an email using our webmaster email address.
Posted by: Arshad Khan | Jun 05, 2007 at 06:03 AM
We talked about shared effort at iDate Miami 06. I still think it has merit -- somethings are easy to share and don't get into proprietary info.
At Cupid.com, we only advertise in the US and Canada, so we block IPs known to be from any other foreign country. We use http://ip-to-country.webhosting.info/node/view/6
for this data.
Also, I have no need to allow anyone who wants IP anonymity on my site, so we also block all IPs known to be associated with TOR, The Onion Router.
Commercial anonymizing services will gladly block their members from access your web site if you send them a request.
IPs are easy to change. MAC addresses can be spoofed but that is a good idea I hadn't thought of. But as soon as you block someone, you alert them of the need to change. The only thing that seems to limit scammers is time. So when considering a scammer strategy, devise methods that let them waste time without letting them know that they've been identified. They will learn that your site doesn't convert for them, and they will be motivated to try elsewhere.
Posted by: Steve Bywater | Jun 05, 2007 at 08:33 AM
Used to justify their inexcusable actions in taking advantage of people for their own gain. I agree that the people who fall for these are pretty much always stupid people.. sometimes they are merely elderly, mentally challenged or generally bewildered.. that's not in debate.. The point is it doesn't justify capitalizing on their stupidity...
Posted by: scoremore | Oct 19, 2010 at 10:40 AM
It is hard for small businesses to work together, there is a natural reluctance to do so. There are legitimate dating businesses in Russia and Ukraine who share the same problems of fraud.
In my opinion the international dating business is reaching something of a crisis point and I wrote a report called 'Death of a Russian Bride' about what I have seen. The rprot can be found here: http://andrewwilsonnews.com and there are ongoing discussions in forums across the internet but in particular here: http://ruadventures.com/forum/index.php/topic,13322.0/topicseen.html
Check them out! Thanks.
Posted by: Andrew Wilson | Jan 21, 2011 at 09:38 AM