Ducking ID fraud: An ABC for beating cyber-scammers

By Professor Fraser Sampson, former UK Biometrics & Surveillance Camera Commissioner

You know the saying: “If it looks like a duck, walks like a duck and quacks, it’s probably a duck.” In the context of bar room blowhards and armchair professors, this ‘common sense’ motto is pretty harmless and even amusing. In the world of ID fraud, however, this attitude will not improve your life and is often critical to a scammer’s success.

The origins of the duck test are a bit vague. It’s an avian aphorism claimed by many people; several respectable sources credit it to American political figures in the post-WW2 period. Wherever it was hatched, the ‘duck test’ was used during the McCarthy era as a sure-fire way to spot a communist. Thankfully we now have more forensically reliable ways of verifying identity, if not political affiliation, but the ‘I know one when I see one’ mindset remains stubbornly present. But the duck test is the fraudster’s best friend and can defeat even the most sophisticated biometric technology.

Tactics vary infinitely and become more elaborate every day, but there’s a tried and tested scamming recipe that involves the same basic ingredients: present a dilemma, create a sense of urgency and proffer a solution. For example, an email purporting to be from your bank that requires you to believe something alarming, do something to your cost, and do it very soon. An email that looks like your bank’s emails, sounds convincingly like their emails and is followed up by a phone call with someone who knows a lot about you and your account and who makes all the right noises. This tactic appeals to horse sense, relying on implied obviousness and the victim’s fear of looking foolish when anyone can see it’s genuine. In other words, the whole scam relies on you running the duck test – consciously or unconsciously – and deciding that all is as it appears to be. Quack!

Deceptively simple, this move is on page one, chapter one of scammer playbooks worldwide. In South-East Asia there’s a current scam that involves the victim having to make urgent contact with the police on a Zoom call. There they are, uniformed and earnest, relaying alarm from behind an authentic-looking desk with a plausible police station in the background. Immediate and expensive action is needed to avoid imminent dire consequences. Quack!

How to beat the duck test? Detectives used to be taught the ABC of investigating criminals: Assume nothing, Believe no one, Challenge everything. That approach created some significant problems when it came to interviewing victims who wished to report crime but, as a tactic for dealing with unsolicited messages, it has a lot going for it. Applied to unexpected demands the ABC means checking exactly what you know about the message, its author, its timing etc. rather than what you have assumed. It means suspending belief and taking nothing on faith alone. And it means challenging yourself: What does your bank say about this type of contact? Is it normal to be asked to do this? Have they tried to pre-empt your questions? Is there something or someone in the backstory that they need to explain away? The ABC makes for a more cynical world but there is a lot at stake from ID fraud, and a great deal of misery being caused, from online gambling and romance scams to sexual exploitation and people trafficking that ID biometrics alone will not solve.

Ducking the scam is not as easy as it sounds. Savvy people swear later that they ‘double-checked’ and looked for proof. But the ground between looking for proof and confirmation bias is narrow. The latter exists because we tend to see or seek evidence that supports our first theory (isn’t that a beak, surely those are feathers?) more than information pointing the other way. The part of you that stops short of hanging up and moving on is the part most vulnerable to confirmation bias. Distrust the part of yourself that refuses to delete immediately, the part that thinks you might just have run up an overdraft or forgotten to pay a bill; that’s the part the scammer is betting on.

When AI and deepfakes take hold, the duck test will become many times harder to resist. If you are in fact hearing the real voice of a relative on the phone beseeching you for urgent funds, for example, why would you question whether it’s a genuine message? You know your own kids when you hear them. But AI voice fraud and ‘vishing’ are already well advanced. If scammers can convince colleagues that they’re in a live-streamed meeting with their chief finance officer, as in one recent example involving millions of dollars, they can con you that you’re listening to a voicemail from a relative in need. Adopting the ABC approach may mean asking for a safe phrase (whether you’ve got one or not) and it may block a few genuine messages, but most scamming risk is in the engagement, the forming of a ‘relationship’.

In the AI age, your ABC may even reveal something because it looks (or sounds) too much like a duck, i.e. it’s simply too perfect to be real (ironically this means the technology would fail the Turing test, whereby you can’t tell that you’re talking to a computer).

In the new world of ID theft, anas cybercrimus is a pernicious and aggressive species. If an unexpected demand looks like a duck, is waddling and quacking, it’s probably not a duck at all but some malign creature hiding behind alarm and urgency, and offering a way out. Don’t be gulled (!).

About the author

Fraser Sampson, former UK Biometrics & Surveillance Camera Commissioner, is Professor of Governance and National Security at CENTRIC (Centre for Excellence in Terrorism, Resilience, Intelligence & Organised Crime Research) and a non-executive director at Facewatch.
