16 July 2024 / Written by Joe

<aside> 🗞️ TL;DR. Responding to Meta’s keynote presentation at GASS 2024, we provide an evidence-backed counter-narrative that highlights Meta’s deficiencies in policing their platforms:

  1. Financial Grooming groups operating at scale on WhatsApp.
  2. Meta’s advertiser onboarding processes failing to keep out scammers.

</aside>

https://youtu.be/NBpNOcm6h1E

👆 The cover photo of this YouTube video shows me at the Global Anti-Scam Summit Europe three weeks ago. You can’t see it, but my heart is beating at about 150 bpm as I’m about to speak in front of a packed conference hall. But as those who know what I look like can see, it’s not me up there on stage. I’m actually the shadowy figure on the right, looking somewhat ominously on from the audience as I prepare to ask a question of the actual presenter.

The reason for my increased heart rate at the time someone snapped this picture is the topic of this post. That reason wasn’t that, 25 minutes previously, I’d been running with a heavy suitcase through sun-drenched downtown Brussels after a public transport crunch extended my morning journey from 20 minutes to 40 🤦‍♂️. Neither was it that I’m not the most comfortable public speaker, and standing up in front of packed plenary rooms at conferences generally isn’t my zen place. The reason for my increased heart rate was the talk I’d just watched: “Fraud and Scams: How the adversaries are shifting”, given by Nathaniel Gleicher, Head of Security Policy at Meta Platforms. In the 20 minutes leading up to the moment captured above I was being consistently niggled by a building narrative that I found, well, kinda hard to stomach. The cumulative effect of each point made to support this picture of how scams manifest had irked me to the point of getting up there and questioning the narrative on offer from Meta.

What was it about the talk that got my sceptic-eyebrow raising muscle well and truly overworked 🤨? It was, in fact, a skillfully delivered talk, and the speaker said lots of things that you’d hope the person heading up Meta’s anti-scam teams would say. He knew his audience, which spanned various industries but most pertinently included regulators, banks and governments from across the world. And he delivered his message very adeptly: Mr Gleicher is an excellent speaker. That said, strong presentation skills often pull attention away from content - there’s nothing like a charismatic speaker to cast a spell over an audience, evaporating their scepticism before deftly sprinkling in some questionable assertions that fly under the radar of an entertained crowd. I’d recently seen too much of the reality of scams on Meta to contrast with the story being told, so I wasn’t particularly receptive and, to take a concept a bit out of context, my WTFs per minute were troublingly high.

So what did Meta actually say?

The Scamming Attack Chain (Meta’s Version)

Well, for the first 5 minutes or so I was frantically downing coffee and croissants in the foyer having arrived late after my transport snafu, so I wasn’t there to see 🙈 (thanks GASA and YouTube for recording!). But when I found a spot at the back of the plenary room the speaker was introducing the five-stage ‘scam attack chain’ shown below, commenting that an adversary-focussed approach is essential in combating such scams.

Meta’s view of the Attack Chain for fraud as referenced in their GASS Keynote, presenting a view of scammer activities moving from first (left) to last (right).

The speaker highlighted the challenge that scams often move across technology and product boundaries, and no single party gets to see the whole end-to-end chain. So far, so sensible. Next, the talk covered which parts of this attack chain Meta themselves see (steps 2, 3 and a little bit of 5) and which parts only other organisations see, the point being that incompleteness of visibility makes it hard to combat unilaterally. Cue my eyebrow raising. Though I couldn’t quite put my finger on my objection, I wasn’t quite buying this worldview. On reflection, I identified what the issue was. The above graphic and the speaker’s associated talking points strongly distort where the real harms occur.

Here’s a very different perspective from my team and me. We are busy building a technology stack which follows this exact attack chain for one of the most devastating scam types: the long-play investment scam, often referred to as ‘pig-butchering’. Our technology gives us a previously hard-to-obtain vantage point on the different stages of the attack chain, their importance, and the places online where they are and are not happening. The graphic below shows our view on the attack chain for long-play investment scams, in this case the increasingly common crypto scam.

The attack chain as we see it for long-play investment scams. I’ve modified the width of each stage to more accurately reflect the reality of how we see the importance of each one.

And here’s where the problem is. The core of the problem in the investment scam case is step 3: Engage. In investment scams, engagement is a long and personal process that transforms mildly interested but often naive consumers into emotionally and financially compromised victims under a spell that’s near-impossible to break. It often starts with social media ads and next moves to messaging apps, where the most harmful steps occur. This long-term abuse happens on multiple messaging apps, but the most popular that we see day in, day out (a whisker ahead of the notoriously abuse-tolerant though less ubiquitously used app, Telegram) is WhatsApp, owned by Meta. Consider the selection of WhatsApp group screenshots we’ve taken below 👇

A selection of WhatsApp groups used for financial grooming and investment scams. Includes fraudulent impersonation of the following brands and investment experts: Morgan Stanley, eToro, Oaktree, Brian Kent (Generation Investment Management), Martin Wilson (Merrill Lynch).

They show clear financial grooming happening at considerable scale. The technology that my team and I are building is currently identifying just a tiny slice of the financial grooming groups active on WhatsApp, but we’ve observed more than 30 first-hand in the last month. It’s difficult to say with certainty the real number of such groups (we’re working on this!), but one or two orders of magnitude larger than what we’re seeing seems reasonable.

So returning to the talk, it becomes much clearer why the speaker's choice of emphasis on what happens outside of Meta’s platforms seems misplaced. In fact, I’d suggest that, for investment scams at least, a solid majority of the attack chain’s most critical steps are in fact on Meta’s platforms, and there’s a lot they can do to address it.