My stint as a scambaiter

‘Aah miss, we need to work together as a team, because otherwise I will not be able to assist you.’

I’m on the phone with ‘John’, who says he works for HP customer support and is based in Miami, Florida. He’s keen to help me install my printer, for an £89 fee. We’ve been speaking for 20 scrupulously polite and deferential minutes.

He has tolerated my slow repetition of all his instructions back to him and my meandering small talk. He has persevered in respectful silence as I spent minutes turning on my computer and then hunting for my glasses so I could see the screen. 

One reason the conversation is going so slowly is that neither of us is telling the truth. John's not an HP employee, but a scammer. And I'm not (quite) as technologically incompetent as I'm putting on. 

Instead I'm doing something I’ve spent a decade warning everyone against: engaging with a scam caller and giving them my time and attention. 

But I’ve done it with the benefit of specialist knowledge, advice and safeguards – which I’ll explain in a minute. So please, don’t try this at home.

Time-wasting for a good cause

My conversation with John was the culmination of several months learning about scambaiting. It's a world that encompasses all sorts of tactics, but one is simply wasting a scammer's time.

The note of irritation creeping into John's voice suggested my efforts were paying off. 

Crucially, I was pretending to follow his instructions without actually doing any of them. He has asked me to download AnyDesk, a remote viewing program, and read out a unique ID that would allow him to take control of my laptop – and ultimately ransack my bank account. 

Instead I used a random number generator to create a number of the right length, then subtly changing it by one or two digits each time he demanded I read it out again.

Eventually, he ended the call in bemusement, claiming there must be a technical problem and promising he’ll call me back in half an hour. That call never came.

I’m unsure if he suspected me; more likely, ‘John’ thought I was too incompetent to be worth his time. However, the copycat HP support website I’d lifted his number from does go offline very shortly after the call.

• Find out more: The evolution of the tech support scam 

Why scambaiting has taken off

Last year our Which? Scam Action and Alerts Facebook group was electrified by posts about scambaiting. Many members shared ways they’d toyed with scam callers. Some described relatively benign methods such as putting on a child-like voice and offering to fetch an adult, then leaving the caller hanging.

Far more alarming was the suggestion of blowing a whistle down the phone – something that is reputed to cause hearing damage (a woman was fined in Germany in 2012 for doing this to a telemarketer). 

Aside from any legal implications, this is unethical. Not all scam callers have a choice, both poverty or coercion can be factors, and being cruel won’t stop their next call. 

Research from the website scams.info found that wasting the scammer’s time was by far the most commonly tried tactic, tried by 64% of scambaiters surveyed, while 29% mocked or deceived the scammers and 10% hacked the scammers.

The allure of scambaiting is understandable. In a world of constant scam attempts, and with very few fraudsters being prosecuted, turning the tables (or feeling as if you are) can be both cathartic and entertaining. 

But it can put you at risk – particularly when done impromptu in response to a suspicious call. For a start, you might not be dealing with a scammer: the NHS often uses withheld numbers when contacting patients, for instance.

And if it is a crook, they could respond by abusing you, targeting you with more calls and – at the extreme end – identity theft and malware. 

There’s also the spectre of having your voice cloned and used for other scams; reportedly, only three seconds of audio are required. As a frequent Which? podcast guest my voice is already a matter of public record, but this isn't true of most people.

Treating inbound calls with suspicion, disconnecting if in doubt, and checking claims with trusted contact details is a tried-and-tested approach. 

Even when done in a planned way, and armed with the right tools, the dangers of scambaiting cannot be ignored. Also, some aspects of it, like hacking, have the potential to land you in legal hot water.

Lessons from a viral prankster

Becky Holmes, author of Keanu Reeves is Not in Love With You and The Future of Fraud, rose to prominence during the pandemic for her comedic approach to romance scammers. 

Her Twitter (now X) account @deathtospinach was targeted by romance scammers posing in a variety of traditionally masculine occupations including soldier, pilot or offshore oil rig worker. 

Eventually, this morphed into attempts by bogus celebrity accounts impersonating stars such as Brad Pitt and Keanu Reeves. Holmes found fame – and an accidental new career in counter-fraud education – documenting her chats with them. 

One of her viral pranks was to panic the scammer by pretending she’d flown out to wherever they claimed to be, showing tickets and airport snaps as proof. What makes her unusual is that most scambaiters are male (72%, according to research by scam.info).

She describes her modus operandi as seeing ‘how much silliness I can get away with’. She also never makes the first direct move. At most, she will follow an obviously fake celebrity account and wait to see if a private message comes in. For this reason, she’s still unsure whether she considers herself a scambaiter. 

She explains: ‘When I started messing around with these scammers, I didn’t know that it was called scambaiting. For me, it was just amusing myself in lockdown.’

As interest has surged and Holmes’ expertise has grown, her approach has become much more cautious. She rarely posts pictures of herself as she’s conscious they might be stolen. Her X account is now devoted purely to scam awareness, while her account on Facebook is locked down and hard to find.

Holmes has become increasingly concerned about well-meaning but flawed amateur scambaiting attempts. She explains: ‘A lot of people end up educating the fraudsters by saying, “Oh, no, an English person wouldn’t say that.” Fraudsters learn a lot from people playing around with them while unaware of the damage they could be doing.’

Fear of these amateur attempts has impacted her own activity: ‘I used to post a couple of times a week; it’s now once a month. One reason for this is because I was getting so many people messaging me with screenshots saying, “Oh, look, I’m doing what you’re doing.” And I was thinking, “Oh god. You’re doing it on [your] Facebook so they’ve got access to all this stuff.”

‘Secondly, they’re teaching them by saying to them: “I know you’re from such-and-such a country because they say this.” I feel like I’m balancing a bit of a line now where I don’t want people to risk their own security trying to have as much fun as I have.’

First in Which? Money magazine

This story first appeared in Which? Money magazine. Join for reviews and investigations, plus 1-to-1 guidance from our experts.

Join Which? Money

Only £49 per year

Risks and reprisals

The BBC’s Bafta-winning Scam Interceptors takes the fight to scammers and their victims, with ethical hacker ‘Jim Browning’ reverse-engineering his way into the scammers’ machines and exposing them using their own webcams. This also enables presenters Nick Stapleton and Rav Wilding to contact the victims and attempt to break the scammer’s spell in real time.

Stapleton regularly spends weeks away intensively filming series of the show and, concerned for the safety of his wife and dogs, has installed an alarm system and panic button. He fears he’s considered a potential ‘feather in the cap’ for scammers, and has been on the receiving end of scams specifically tailored to him (a practice known as ‘spear phishing’). 

The most convincing was a fake copyright infringement message about a Facebook video he’d posted. Sent to his private email address, it contained a link to a beautifully animated (but fake) ‘Meta for Business’ support page. 

He was suspicious, but the spell was only fully broken when he was asked for his password.

As for Browning, scambaiting has replaced IT as his full-time job. His work has generated his own momentum; the 10 phone numbers he uses for this work are now on so many so-called ‘suckers lists’ that he receives constant scam calls without looking for leads. 

It’s a slick operation; the numbers all exist on the same physical phone (via internet calling technology) so he doesn’t need to tote multiple phones around. He uses multiple fake identities, and a voice changer (his distinctive Northern Irish accent has been recognised by scammers before). 

He also runs a ‘virtual machine’ – a virtual cloned version of his laptop – he allows scammers access to this while his device stays safe. Scam Interceptors, now in its fifth series, contains many euphoric moments where victims are successfully persuaded to disengage from scams in real time. But in a minority of cases, the scam can’t be stopped. Stapleton describes some ‘very very low moments where we’ve been trying for hours to get through to someone and haven’t been able to stop them’.

He doesn’t mention receiving any death threats, but his co-star Browning has received them, as has Becky Holmes. It sounds traumatic, but neither reported any real sense of fear or credibility about these threats.

Bot or not?

Mindful of Holmes’ warning about educating fraudsters, I decide to play my own scam call relatively straight, pretending I believe the scammer and acting accordingly, never breaking the fourth wall for that tempting ‘gotcha’ moment. It makes for a less amusing recording, but the approach works; I do manage to keep them talking for almost half an hour before they give up.

Whether timewasting attempts are actually useful depends at least in part on whether the scammer is human or a bot, and how you are communicating. A human scammer operating via WhatsApp could be conducting several different conversations at once, and a bot can conduct many more. 

Baiting could still be worthwhile if used by someone with a high profile, to educate the public. But in either case it’s labour intensive: for every minute I waste of the scammer’s time, I also use one of my own. 

One firm I spoke to, AVIEL Intelligence, is using artificial intelligence (AI) to disrupt scammers at scale. Its AI chatbots and voice agents engage scammers to the point at which they hand over the details of the bank account the victim should pay. AVIEL then reports these to its partner banks, who take enforcement action – shutting them down or blocking payments to scammers as appropriate. It currently works with TSB plus several other UK banks.

YouTube scambaiter Kitboga also harnesses AI: he built a ‘bot army’ of AI voice agents in order to scam the scammers. By deploying lots of these at once, he can tie up a whole scam call centre by targeting all the scammers at the same time.

Scammers can of course deploy this technology too; Holmes said she had encountered romance scammers that were clearly bots. But both she and Browning said that even where scams start with AI, human fraudsters then step in to close the deal, as that part of the process is too lucrative to risk automating. Both said that’s likely to continue.

Given what I’ve learned, I’m unlikely to spend much of my own time snaring scammers in the future; it’s simply too labour-intensive. An AI voice agent that could battle fraudsters while I sleep sounds tempting. But in the meantime there’s plenty I can do to protect potential victims – much of which you can do too. 

Talking about the scams I’ve encountered or read about to friends and family – particularly the vulnerable people in my life – is much more satisfying than spending the day in conversation with crooks. Even if a scammer isn’t caught, reporting scam attempts helps the authorities warn others and shut down scam websites, adverts and phone numbers. 

Report scams to Report Fraud (previously called Action Fraud), the cybercrime reporting centre for England, Wales and Northern Ireland: visit reportfraud.police.uk or call 0300 123 2040. In Scotland, report to Police Scotland by calling 101. 

And please help us spread the word about new threats by using the tool below to share your scam story.