Navigating the maze: reporting online fraud

Blog post
Related Themes: Blogs, Cybercrime, Fraud

Navigating the maze: reporting online fraud

Just before Christmas I started getting letters for an online discount retailer, let’s call them, that wasn’t their name but you get the idea[1].

The letters were from customers who had bought goods (mostly household electrical items) online, but not received them. From what I could gather[2], the pattern seemed to be: shopper pays for item at bargain price; shopper gets email saying that due to huge demand’ the item is out of stock and they could either have a refund (in a few working days), or wait and receive the item a few weeks later at a further discount most plump for the latter. In either case, when nothing more happens, the shopper sends an email but gets an undeliverable’ message; shopper then finds the postal address for on their website and writes asking for their money back. Except that it isn’t their address, it’s my address misspelled slightly, but next to a big Google map with an arrow pointing to my house! Meanwhile, someone has run off with all the money and I’m left with a stack of letters on my doormat, ranging from the polite to the decidedly irate. is very bright and very shiny; the merchandise sparkles, the prices are enticing. The site has a sniff of the homemade about it, but in this day and age of eBay trading and cottage e-entrepreneurialism perhaps that doesn’t mean anything. I’d like to think I’d have had my suspicions but it would be arrogant to say I definitely wouldn’t have been taken in. As well as my address (which I can only assume was plucked at random), it has a funny looking phone number (which a bit of online research suggests is a Portuguese Vodafone) and a convincing looking Terms and Conditions page, which includes two warehouse addresses for customer returns etc (this turns out to have been copied, in its entirety, from a reputable online retailer). So it’s a scam, people are losing money, I’m getting unwanted post, and as happened a few days after Christmas disgruntled victims could start turning up on my door-step. I need to do something about it.

Where to begin?

I probably know a bit more about how law enforcement works than most, but I’m not entirely clear where to start. I decide to do three things.

1. I contactAction Fraud, they give me a reference number, they take a report and tell me they can’t act on every case they get told about. They advise me to contact Citizens Advice and to check my credit score.

2. I contact the reputable retailer who also had their details used; they may be aware of the scam in which case I need them to know my address is not that of a fraudster if not, they might know better than me how to sort this out. They are grateful and say they will look into it, but I hear nothing more.

3. On the advice of a colleague I use theNominet WHOISservice to see what I can find out about It doesn’t tell me much, no names, another address (also on my street, and almost certainly picked out of thin air too), the domain name has been registered for less than a year and is hosted by a well-known commercial provider. I give them a call. They are very American and very breezy, they direct me to an abuse reporting form on their website, none of the options seem to be quite right for my situation, but I fill it in anyway. I ask them to take the site down it won’t help those who’ve lost money, but it should prevent any more people being conned (at least until the fraudsters pop up somewhere else) and (most importantly for me) it would get my address offline.

A maze with many entrances and many signposts

In the days before Christmas theCitizens Advicehelpline was experiencing an exceptional level of demand’ I submit an online report and wait. They email me back the next day saying that, as this appeared to be a criminal matter, they had passed a report toTrading Standards, who may or may not decide to contact me. They also advised me that, as the matter related to misuse of personal data, I should contact theInformation Commissioner’s Office(I did, they said they would adjudicate in the case of a dispute, but because there was no way of starting one there wasn’t much they could do).

A few days later I received a call from my local Trading Standards team; they took some details and said they would send a report to theNational Fraud Intelligence Bureau (NFIB)who might investigate and might be able to get the site taken down (although, I was told, this would only happen as part of a biannual cull and would depend how high up their kill-list’ it came). They also suggested that I could make my local neighbourhood police team aware (I did, they told me I was doing the right things, that they do regular patrols in my area and to call 999 in an emergency?!), and thatNominet’s Disputes Resolutions Servicemight be able to help (they couldn’t, and referred me back to Action Fraud, Trading Standards, the police and the domain name registration company).

A resolution of sorts

About a week after I submitted the online form, I received a generic email from the US hosting company stating that they had suspended the offending site’s domain name “for violations of our Universal Terms of Service”. Sure enough was no more, and my address was no longer presented to the world as that of dodgy dealer. Result! Well, sort of.

Some reflections (based on this experience alone)

  • As a victim of online fraud (and I guess, although I lost no money, I was one) the best route through the system wasn’t clear. Action Fraud may well be a good first door to knock on, but mostly because they can give you a case reference number which you’ll need when you knock on others.
  • Behind most doors, one of the first things you find is a signpost suggesting others you might try. Both for my own sake and (to some extent) as a citizen, it seemed that the conscientious thing to do was to follow every lead I was given. That amounted to quite significant leg-work.
  • The customer service’ standards throughout the (State) system were relatively impressive. Each gatekeeper responded promptly and professionally; all tried hard to be helpful’ and to offer suggestions. Several even asked me to fill in surveys rating their speed of response and helpfulness. Added together this amounted to a substantial, if distributed, infrastructure to deal with’ reports like mine although other than direct me around the system and submit reports to each other, I don’t think anyone actuallydidanything.
  • The impression I formed was that the part of the system at the centre of the maze, that actually had any power to act (which was locate in, or accessed through, NFIB), was protected by numerous guardians, ante-chambers and one-way doors information could pass in, but very little would come out. The decisions made (or not made) and the actions taken (or not taken) by those in the centre were inaccessible, unquestionable and unknowable.
  • The best chance of practical resolution seemed to lie outside of the State apparatus, whether with web-hosting companies or the credit companies who (I assume) refunded some of those who lost money. But this is a second-rate resolution without redress, without justice and without any obvious element of victim care or future prevention.
  • The victim or suspicious citizen is compelled to become an amateur cyber-sleuth to try and work out what is going on. I’m sure I wasn’t the only one around that time putting into a search engine or doing some digging into the addresses, phone number and other leads on the site.
  • It occurs to me that this common behaviour might offer opportunities to enable some online collective efficacy’. If those investigations had led each of us to a safe’, officially sanctioned, online space where we could have established contact, posted warnings, asked questions and shared information (as began to happen when I emailed some of those whose letters I picked up), it’s possible that we could have brought about a speedier and more satisfactory conclusion. In addition, others tempted to make a purchase might have been forewarned and, potentially, law enforcement could have made use of the links and connections we had made.

As with any online space where information is exchanged and trust is inferred, a forum like the one I’ve suggested would need to be carefully thought through to guard against infiltration or misuse it is also not clear who would provide it however, in a maze where, despite the cordial reception, the inner sanctum is kept well off limits, a place where visitors can find each other and exchange knowledge, tips and advice, would seem like a welcome additional resource.

The Police Foundation is currently undertaking research onImproving the local response to Fraud.


[1]I’ve checked and there is no real website called (legitimate or otherwise), any similarity to any actual website is unintended and entirely coincidental.

[2] I’ve checked thelawand I reckon I had a reasonable excuse’ for opening the letters.