Coaxing Cops To Tackle Cybercrime? There's An App For That
Cybercrime is booming, and victims are often at a loss about where to get help.
In theory, Americans should report the crimes to the FBI, via its Internet Crime Complaint Center. In practice, the feds get hundreds of thousands of complaints a year, and have to focus on the biggest cases.
But the other option, calling the police, can seem even less promising.
"They didn't even respond," says Gregg Bennett, whose loss of 100 Bitcoin was described in an earlier NPR story about SIM-swap scams.
He says he called his city's police department soon after discovering the theft, but concluded it was a dead end.
"They have no ability to look up something like this," Bennett says. "It certainly is not local — this is not a local issue."
It's conventional wisdom that cybercrime is too technical and too international for local police to handle. But as daily life becomes more digital, so does everyday crime, and some police say they can no longer avoid wading into the world of phone spoofers, crypto-currencies and hijacked cell phone numbers.
"If somebody walked into the precinct holding a bloody handkerchief to their head and said, 'Somebody hit me over the head and took a thousand dollars out of my wallet,' you'd have five cops running out to find the guy,'" says Nick Selby, a former police detective with extensive cyber security experience.
"[But] if they come in and say, 'Some scammer took a thousand dollars from me,' [police say] 'Ooooh, you've got to call the FBI!' That's crazy. That's the old way of thinking."
As the NYPD's director of cyber intelligence, Selby ran a pilot project in the final months of 2019 to try to teach officers a new way of thinking.
The purpose of the Cyber Investigative Standards Pilot was not to train NYPD's thousands of patrol officers to understand the technical ins and outs of cybercrime the way Selby does. "That's not going to happen," he says. "Geeks don't scale!"
But a police department can scale up technology, and that's where Selby saw a potential solution.
He designed an interactive application for officers' phones, meant to guide them through interviews with cybercrime victims to make sure they get the right technical details.
If the right details get to detectives quickly enough, they stand a better chance of tracking the culprits and, in some cases, recovering stolen money by stopping bank transfers or intercepting shipped cash payments.
For the app to work, though, Selby says it has to reflect the latest intelligence on cybercrime scams, which evolve constantly.
"He wanted an application that could be easily updated," says Raven Zachary, a technology entrepreneur and friend of Selby's who volunteered to write the app's code. "Or he'd see a new case and say, 'We have to ask this series of questions differently in the app.'"
During the pilot, Selby and an NYPD officer Luis Sayan trained officers in a section of Queens how to use the app. Sayan is a 15-year patrol veteran without a cyber-security background.
"Which is why I picked him for this," says Selby. He wanted someone with "patrol cred" teaching the officers, so they could see one of their own handling cybercrime.
Sayan and Selby also followed up on cases that officers had taken reports for, to study how they did, and which details they might have missed. The cases are what Selby calls "cyber-enabled," meaning they're not the pure computer crime cases or corporate hacking that the FBI specializes in; instead, they're the old-school scams that happen to rely on technology, such as spoofed phone numbers or email.
Take the case of Karen Smith, a retiree who was bilked out of $1,300 by someone pretending to be her priest asking for a charitable donation. The scammers, communicating by text message, knew enough about her to be convincing. When Selby and Officer Sayan re-interviewed Smith at her senior center in December, they found out why.
"I had written something in the church bulletin," Smith says, "and said, 'for further information call Karen' and (listed) my phone number. And all these church bulletins are online!"
"Ah... ha!" Selby says, making a mental note. PDFs of newsletters on church websites are full of the kinds of personal information useful for customizing a con. It could become a pattern in these crimes, and might be something to include in the app.
They follow up on another, very different kind of case in Brooklyn. A soft-spoken young man invites them into his apartment and tells them about the phone he sold online. The purchaser never paid, and then discovered it still contained intimate videos of the previous owner and his ex-girlfriend.
"My heart dropped," he tells them, when the scammer threatened to post the images on Facebook and Instagram, unless he paid $1000. NPR is not naming him because of the nature of the crime.
He refused to pay, and the videos appeared online. Then, the blackmailer started impersonating his victim, asking friends and family for the money.
"For some reason, he felt like a $1,000 was going to change his life," he tells them.
Facebook took the videos down, and Officer Sayan tries to reassure the victim that the lack of recent messages from the blackmailers is a good sign.
"He probably just gave up," he says.
The young man agrees, but laments that the incident has complicated his efforts to get his girlfriend back. Sayan laughs sympathetically, saying "Give it some time."
Outside, Selby says the original crime report went to officers who haven't yet been trained on the app, and they missed some opportunities. For one thing, the victim would've been stopped from decommissioning his phone remotely.
"It would have been nice to know where that phone is, to ask T-Mobile where it is," Selby says. "That day, he hadn't yet turned off the phone, he was on Facebook — there's many things [we could have done.] The longer time goes on, the harder it is."
Besides looking at individual cases, the pilot project also delved into NYPD's huge store of crime statistics. Cyber-enabled crimes hadn't been counted as a separate category, but by using certain keywords, Selby separated them out and found they constitute a far larger class of property crime than, for example, auto theft.
Those statistics have made an impression in NYPD headquarters, downtown. Selby's analysis shows New Yorkers lost more than $300 million to cyber-enabled crimes in 2019, an estimate that takes into consideration the low reporting rate for this class of crime.
Deputy Commissioner John Miller, who runs the department's intelligence and counter-terrorism operation, says he was also surprised by what the Pilot has revealed about the victims.
"We look at cyber crime as your typical victim is going to be an older person who is less sophisticated and technology easier to scam less computer savvy," he says. "But what we found in the study is 62 percent of the victims are under the age of 50. Fifty-one percent of them are under the age of 40. Thirty-two percent of them were under the age of 30.
"So what we're seeing is these crimes are affecting digital people who live in a digital age, who think they know their way around the digital block."
The biggest surprise, though, is what the statistics from the pilot say about the criminals. Local police have long assumed cybercriminals are unreachable, scamming Americans long-distance from places like Nigeria and Ukraine.
That's not what Selby is finding. "A whole lot of it is knuckleheads from the Bronx," he says.
When officers they've trained pursue these cyber-scams, Selby says the evidence often leads to New Yorkers. In one recent case, they followed up on a "jail and bail" scam — in which fake police contact a mark, claiming a family member has been arrested and needs money for bail and legal fees — and he says NYPD officers found it was being run by members of a violent local gang called the Trinitarios.
"Sixty percent of the time, these guys are local, regional or domestic," he says. That number includes people in the U.S. on behalf of international scammers, often as "money mules," to help transfer stolen funds. He says when he tells local cops that there may be a culprit within reach to arrest, they tend to become more interested in cybercrime.
"And this is something we don't know, but it's something we're interested in looking into: Is the reduction in street crime commensurate with the rise in cyber-enabled crime? I think yes," says Selby.
Still, it's not enough simply for patrol officers to get the right information. The detectives also need help from someone with the latest technical expertise — someone like Selby. That becomes apparent when he and Sayan swing through a cramped detectives' room in another Queens precinct and one of the detectives, Giselle Cabrera, complains about the recent wave of SIM-swap phone piracy.
"In the beginning we were getting all these cases where people were saying that they were — they shut off the phones — and then they went in to their accounts, and, like, how is that even possible?" she asks.
Sayan tells her there are things police can do in those cases: "If we have enough time, if you contact us within two or three hours, we can probably stop that."
Meanwhile, Selby is at the desk of another detective, Patrick Roach, explaining how scammers in one of the Roach's cases used SIM-swap to leverage credit card fraud.
"They bought a new phone, charged it to your victim, and when they bought the new phone he said, 'Give me a new SIM card, too.' So now the perp is getting all the victim's texts." By intercepting the texts, Selby says, the scammer can parry the anti-fraud responses from the bank.
"Get it?" he asks Roach. The detective does, but he's also exasperated by the scammers' constant technical innovation.
"It's very complicated. They're always a hundred steps ahead of us. And to have someone who knows more about the cyber stuff than I do, it's a huge help," Roach says.
It's also expensive help. Police departments may be able to improve how patrol officers collect this information, but it's hard for them to keep the kind of specialized talent that helps investigators keep up with high-tech crime.
Nick Selby is a case in point. As the pilot ended in December, he left the NYPD to take a cyber security job in the private sector. An offer he couldn't refuse, he says — though he'll keep consulting with the department on a volunteer basis, in hopes of getting more cops comfortable with their new cyber reality.
Copyright 2020 NPR. To see more, visit https://www.npr.org.