Nigerian Letters scenario. Nigerian letters are one of the most lucrative forms of online scams. Between 1-5 % recipient’s actually reply with varying degrees of involvement (Cukier, Nesselroth and Cody 2007). These letters operate like many other typical advance fee frauds. The victim is convinced to pay a fee in advance in order to obtain a large amount of money. Typically, the target receives an e-mail from an insider or alleged official representing a foreign government or agency. Often he or she is asserted that there are unclaimed funds that are being held in customs or at a bank. For cooperation, the victim is promised a percentage of the funds if further fees and payments are provided. After payment, the scammer claims that just one more fee must be processed before the funds can be released, so the victim is urged into paying more and more money. Sometimes the story involves the victim setting up an account in Nigeria and transferring money, which, on top of everything, could be charged with fraud for passing stolen checks. The scammers convince the victim of their authenticity by providing fake Nigerian government documents. If the process advances and the victim already invested a lot, the scams can become extremely dangerous, because the victim believes the big reward to be only a few steps away, and is therefore eager to make his investments pay off. If the victim realizes that he has been deceived, the scammer often tries to contact the victim again. This time he uses another fake identity and pretends to be a law enforcement officer from the FBI or the Nigerian EFCC. The official will assure that the victims’ stolen funds have been recovered, but in order to get the money back, he convinces the victim to pay processing fees to get the lost money recovered and the scam starts again.

Dating and Romance Scam scenario. Online social networks and especially online dating websites are used to develop personal, romantic or sexual relationships with like-minded people. Fraudsters try to earn the trust of their victims by enticing them with romantic promises and emotional manipulation. Scammers often use images of models from modelling pages, stealing the identity of others (Rege 2013). They are targeting single men and women who are willing to pay them for their fraud. This sort of online relationship can be a very intense experience, since the actors get in touch with their victims as frequently and closely as possible by using multiple communication channels like e-mail, Instant Messaging etc. Misled individuals pay for translation fees, medical bills or visa fees. The “Lazarevs” for example were a husband and his wife, who scammed more than 1.500 men and extorted more than USD 1,5 million in the period of 2000-2002. They used several aliases to lure men from Australia, New Zealand, Canada, the United States and other countries. When these men wired funds, the Lazarevs stopped communication. Police found detailed biographical information for at least 70 victims when they were apprehended. Lovebots like CyberLover and FlirtBot (CyberLover 2010; FlirtBot 2010) are artificial intelligence software programs and one of the latest developments in dating and romance scams. Lovebots operate in chatrooms and dating sites and lure victims into sharing personal data or visiting malicious websites like webcam sites. They can operate without human intervention and victims often cannot distinguish these bots from a human being. They offer a variety of romantic profiles, easily configurable dialog scenarios with preprogrammed questions and tailored interaction to chatroom user responses.

Lottery Scam scenario. The lottery scam is a very common application of advance fee fraud and affects a large number of e-mail users (Kerremans K. et al 2005). This fraud begins with an unsolicited e-mail or phone call claiming that the addressee is the lucky winner of a lottery. When the recipient responds to the fraud message, the scammers ask him or her for bank account information, for transfer charges or processing fees. After the money is delivered, the scammer either disappears or asks for further funds.

Current prevention mechanisms include blocking IP addresses associated with specific countries, such as Nigeria, preventing bystanders’ access to multiple popular platforms. Many sites offer strategies such as screening for patterns of scammer behaviour and deleting their profiles immediately. In particular, e-mail detection algorithms offer protection against receiving scams and spam mails, whereas groups of scam baiters aim to prevent and catch scammers. Both these groups of preventing mechanisms are detailed in the following:

Scambaiting.  Scambaiting stands for luring Internet scammers into a trap and involves wasting their time, exploiting their resources and raising awareness about online fraud. Baiters try to convince the scammers that they are the perfect innocent victims and appear as a particularly profitable target. They often use a fake identity for this purpose. The scambaiters organize themselves on various Internet platforms like thescambaiter.com, 419eater.com or scamorama.com (Thescambaiter 2017; 419eater 2017; Scamorama 2017). On these platforms, they exchange information about current scams and share their stories within the community (Zingerle and Kronman 2013). Scambaiters do this for a variety of reasons. They can be classified into different categories:

• Scam alerters, which warn and supervise vulnerable individuals and groups by providing information about online fraud. Several websites and forums provide information for potential victims. They therefore prevent damage and raise awareness about advance fee fraud and other scams.
• Trophy hunters that consider the process of baiting the fraudsters as trophies. A trophy is the evidence of a scammer believing in the fake story plot or a time consuming and painstaking task that interrupted the scammers workflow. It can be some kind of documentation like a photo, recorded audio or video, a filled out form, a fake bank check, sometimes even hand crafted objects. It can involve emotional and physical punishment by humiliating and torturing scammers and posting the proof on scambaiting forum sites with the aim of gaining prestige or seeking vengeance.
• Website reporters identify fake websites of scammers, which often mimic real businesses. The baiters achieve this for instance by linking DNS entries to scammer databases, then documenting any illegal activities and reporting their findings to the hosting provider to get the websites removed or banned. A well-known Internet community dedicated to stopping these activities is called Artist against 419 (Artists against 419 2017), which hosts one of the world’s largest databases of fraudulent websites.
• Bank guards target scammers who use bank accounts in their payment procedures, e.g. charity scams, by reporting bank accounts or leading the scammers to lose money. By documenting and reporting criminal activities to bank officials, they monitor account transactions, freeze accounts and inform local law enforcement.
• Romance scam seekers pretend to fall for the scammers flirtation and manipulation. They document and disseminate the scammers practices on forums like scamdigger.com. They also try to track down the person whose photos are used in the scam and block the scammer from creating more fake profiles on dating websites.
• Safari agents try to persuade the scammers into leaving their working space, so it becomes physically impossible to continue the illegal activities by encouraging them to travel a minimum distance of 200 miles or cross the border into a neighboring country. This way, the scammer is kept busy with harsh travel conditions and cannot keep up with the daily work. In May 2006, a well-documented safari ended with two scammers being sent from Lagos, Nigeria, to the violent and desolate Chad-Sudan border. Once there, they were to meet a rich reverend who promised them their funds and additional compensation for their exhausting travel. The scammers were in contact with the scambaiter several times after leaving Lagos. They crossed the border into Sudan and then went missing. This documentation provoked several discussions within the community about scambaiting ethics. Inbox divers hack into the scammers email account and warn potential victims or report ongoing criminal activities. They obtain and share a very personal insight, like passwords, faked documents, scamming practices or chat conversations with fellow gang members.

E-Mail Detection. Current e-mail detection approaches perform fairly well in identifying spam and phishing in unsolicited e-mails. Common e-mail detection tools are ClamAV (ClamAV 2017), an anti-virus tool with the purpose to detect malicious software embedded within emails, and SpamAssassin (SpamAssassin 2017), which uses a set of rules and a Bayesian classifier to determine if a message is spam or not. Several approaches exist for identifying mass-generated malicious e-mails: Authentication based approaches validate that an email was sent by the advertised e-mail address and therefore prevent scammers from spoofing a valid domain name for malicious purposes. They authenticate the sender to the receiver, blocking malicious actors from stealing the identity of a trustworthy person or institution. SPF, Sender-ID and DomainKeys are the predominant e-mail authentication approaches in use today (Amin 2010).

Contextual approaches are very effective for identifying spam. They check the e-mail content against a set of rules or heuristics and assign a probabilistic score to the presence of certain keywords or phrases. Machine learning and hash based techniques are often applied to obtain a higher accuracy in classifying an e-mail as legitimate or illegitimate. Rules can be established using words or phrases commonly found in scam messages. Bayesian and Random forest classification techniques are the most explored classification techniques for e-mail filtering.

Characterization approaches focus on e-mail characteristics like arrival times, e-mail size and number of recipients which provides information about the actors sending the e-mail. Spam traffic differs from non-spam in network traffic and other behavioural characteristics. Tools like “SpamFlow” (SpamFlow 2017), a classifier based on network transport layer properties, exploit the fact that spammers, in order to send large quantities of email, need to leverage large numbers of resource constrained hosts.

Reputation based approaches maintain lists of previously classified senders, categorizing them into “good” and “bad”, or calculating a level of trust through relationship linkages. Examples for list based reputation filtering are whitelists, blacklists and DNS-based Real-time Block Lists. Tools like TrustMail allow users to assign a reputation rating to people they know and share the knowledge about trustworthy and malicious senders, so other users are able to categorize unknown senders through a network of relationships.

Resource consumption based approaches actively increase cost to senders by increasing the use of resources, like network bandwidth or latency. Spammers then need more time and resources to send the same number of e-mails. Unsolicited email is still ultimately delivered to some recipients, but spammers are not able to send the large volume of email they would normally send without constraints. To be effective, emails have to be flagged as spam early to significantly impact sender resources. To name an example, HashCash is a system that requires senders to solve a cryptographic puzzle to send email to a particular recipient. This puzzle requires computing time on the sender-side to be solved.

Current e-mail filters work fairly well with conventional spam and phishing messages because it is easy to detect mass generated emails sent to millions of addresses, but they do not work as well with targeted malicious emails, which single users or small groups in low volumes and are tailored specifically to the recipient and designed to appear legitimate and trustworthy.