There is a company that kinda does this with online gambling.

Basically has you signup for a bunch of online casinos to get the sign-on/referral promos, but say you're an undercover "tester" for the casino.

Best I can tell, they'll ask you to open up a fresh bank account and coinbase account and they'll fund your buy-ins through USDC that you withdraw yourself. Casinos generally require some amount of play to get the bonus/commissions, so you're "testing" the functionality by playing slots (or they just takeover or remote-coach you on doing it). For sports, it's easy to coordinate off-setting bets that cancel each other out in aggregate at a slight loss. When spread across accounts, this won't be detected.

They probably earn some referral fees on the coinbase and bank account signups too.

It seems you do get paid for the work: they appear too above-board to have virtually zero victim complaints (like actual corporate year-ends on UK's Companies House, corps, mgmt that seem to be real people) and the fraud is just against the casinos. They'll subtly suggest you keep some payment at some of the casinos to withdraw or play, because if you play, the referrer often gets a cut of your losses.

Nice way to get "natural" looking signups and geographically diverse signups that are hard to detect.

I got an invite on Linkedin, and I had a bit of trouble trying to figure out the scheme, so there you have it. Didn't do the "interview" but it was surprisingly polished. Big money in gambling and Customer Acquisition Cost is huge.

I still don't understand the scam here - if they're giving you money, and you're losing it to the casino on slots, how do the scammers make money?

The get a bonus for referring users (get $100 if you sign someone up that plays for xxx) and signing up (get $100 if you sign up and play for yyy) to the platform. The platform wants to attract gamblers but instead is getting people ‘doing a job’ that are probably significantly less sticky. Is that illegal or just against the T&Cs of the platform? Im not sure.

I’m not sure how this makes money overall though since the reward money has to be balanced at the population level so the platform always comes out ahead. I suspect there’s an element of getting the employee to gamble with their own money with promises to pay that don’t materialise.

Overall the platforms play a numbers game. Pay $200 to get a new customer, because, on average each customer makes them $200 + y. But there's a toooon of variability.

They know, and expect, on x% they won't make that $200 back. This scheme structured itself on increasing that x% and being low-volume enough for platforms to not catch on or redefine their acquisition programme.

And if you are that real customer that will provide that y, you're going to sign on the platform with the big bonuses.

There was some forum post by a platform's "loss officer" looking for info on this scheme. They suggested anyone taking part was "money laundering", but money laundering is a pretty broadly worded offence. The responses weren't sympathetic to an online casino complaining about losing money on more signups.

Thanks that makes a lot more sense.

Hindsight? When I test our app, I don't use my CC, I ask the company for one or for mock data that would pass through the production system. I would never use my personal information to tie my personal finances to my employer for a work task. That's just setting yourself up for problems like your friend found.

The trick here was that of course my friend did not use her own sensitive bank information to ask for the loan - she asked for test data, and the company provided her with data. What she did not realize is that the data they fed her were things she had created in her own name earlier in the scam. For example, she opened a bank account in her own name quite early, after some trust was built. The data she used for that didn’t seem that sensitive to her, and she made sure the account was not a paid one and so on. And she was right - that account in itself was not what screwed her over. Days to weeks, and dozens of assignments, later when she applied for the loan, the test data they provided to her upon her request were partly from that opening of a bank account. So from her perspective it was a competely new flow to test for an existing customer - the bank - with test data provided. They even changed the login data a bit so that it looked like a different account. Since this was framed to der as a test as close to reality as possible it didn’t seem off that the „test account“ showed her her own name.

From the perspective of the bank it was an existing, verified customer applying for a loan. This was a really, really clever bit of social engineering.

I'm sorry this happened to your friend. It's surprising that the requisite data for her to open a bank account was not considered too personal. I opened a bank account not long ago and it felt like they wanted to know every vague thing about me. It's a good reminder to set safeguards so that routine does not desensitize you to dangers.

It makes me wonder how the scammers transfer the money out, because that all feels traceable. Was she able to find a way out?

So the thing is - when you start at a new company you also need to submit all kinds of personal data - to the company you are starting in. I am a bit fuzzy on the details here but I think the data needed to open a bank account might be the same.

She handed it all over to the police and they are on it now. I, too, hope that the money can be traced.

I don't understand. What prevented the scammers from just performing all the same operations she performed using the data they had about her? They could have her run some gateway on her laptop so all network access would appear to come from her IP address. Is there some offline interaction that is required to open an account?

For the same reason people who steal credit card numbers sell them rather than use them, why illegal drug distributors don't sell to users directly, and mob bosses don't rob people: They can probably do the same thing at the same time with multiple people, and it reduces their risk exposure. If 10 different people open up a bank account with stolen credentials, the bank has to detect fraud 10 different times. If one person opens up 10 bank accounts with stolen credentials, they're way more likely to catch onto a subtle pattern.

plausible deniability? why commit the crime yourself when you can have someone else do it for you? also, the loan would probably only be offered to a US citizen while the scammers were most likely not.

after reading about it, it sounds like a pretty good operation

Also if the bank requires any KYC process, she'll probably go through with it thinking that it's part of the "external test."

Maybe specifically to make it more shameful to make it less likely to be reported?

What makes it even _less_ likely is not bringing in a third party at all.

I too do not understand the angle here vs the crooks just doing it themselves.

If you don't bring any 3rd party, that mean more direct exposure for yourself

I can only guess, but my best guess is that one crucial part is performing the ID validation, which involves joining a video call with a company that partners with the bank.

Same.

Expedia asked me to test production ticket booking flows using my personal credit card.

It was a flow where you can use a special code to book a refundable ticket. I asked what happened if I forgot to refund it in time, or if something went wrong.

"Don't forget!"

I asked for a corporate card to test with and was denied. I refused to ever input my personal card. I think the team lead said I could use his, but I refused to use anyone's actual, real card.

I was young at the time, and I'm glad I saw the red flags quickly enough and left.

Considering how much personal data you have to give to a legitimate employer, seems like the scammers just invoked a lot of unnecessary effort in making the applicant fill out the loan paperwork themselves.

Difference might be in voluntarily making bank account and applying for loan and impersonating person. One might be punishable as criminal offence, other as minor scam (not sure about proper legal terms). Also in certain jurisdictions it makes sense as different police units investigating certain crimes and scammers might be connected.

You probably don’t need ask anyone as I’ve found these almost always work in practice:

https://developers.bluesnap.com/reference/test-credit-cards

I think about this a lot - wouldn't it be super easy to just pretend to be offering a job that pays a tiny bit more than most might expect, then steal all the personal data you inevitably hand over for employment reasons?

It seems like a market ripe for exploitation

For Swedish citizens, most of that data is already public. Addresses and everything. Exactly which data do you envision causing problems? It's not as if you can draw money just by knowing someone's bank account number.

I was asked for a copy of my passport for several of my last jobs (in Sweden).

Worryingly, during Covid, a photo of a password was accepted as complete identification in many places (outside Sweden, domestically we have much better electronic ids).

So there is definitely some useful non public data you can steal.

During COVID in my personal experience, a lot of financial institutions waived things like coming into a branch or getting a notarized signature. Also in my experience most things have gone back to where they were before.

As another comment notes a lot of information is either public or widely disseminated, eg in the US my address is public on the voter rolls and I give out my checking account number every time I write a check.

To do so fraudulently seems like a really good way to go to jail, though, no? And, as a requirement to hold your business account, the authorities know where to find you to put you there should the need arise?

Of course. But that's what were discussing here right, ways people might commit fraud. If people can popup businesses for fake, fraudulent jobs, I wouldn't think this kind of fraud is out for them either. And in some jurisdictions, being hard to trace as a business beneficiary is actually not difficult.

It surprised me when I ran a small business my bank didn't even require me to file the signatures up front. I just typed in peoples IBAN, the amount, and got it. They never asked for paperwork ever. Naturally, I didn't commit a crime, but I'm surprised with the trust.

So, yes, keep your IBAN secret, it can be enough for someone with criminal intent.

Nope. Ripe for exploitation; rife with exploiters. Two different words for two different concepts.

> Way later she was asked to apply for a loan, and she did. Of course she did not provide any personal details, but the data the company provided to her - but given how much time had passed she didn’t realize that these data were from the bank account she had opened in her own name.

I’m confused about this. What information, if not her own, was used to acquire the loan? All of loans I have applied for (which is admittedly single digits over the course of my life) required my personal info. If she didn’t use hers for the loan, why did they need her at all after the bank account was set up?

She opened the bank account and applied for the loan at separate times. So she wasn't aware that the loan being applied for was related to the bank account previously made.

I understand that part of it.

This is the line that is confusing me:

> Of course she did not provide any personal details

How are you getting a loan without providing personal details? I’m not aware of an institution that will give you a loan by just providing a bank account number. It seems to be based on the description that the only data that wasn’t personal was the bank account.

Exactly. From her perspective, she had Task A: open a bank account for client SomeBank, performed that task and way later had Task B, apply for a loan at SomeBank. It's not at all suspicious to perform those tasks for the same customer, and the "test data" given to her looked legit (it's because they were the actual data from Task A)

I still don’t get it. Presumably there’s more information needed to apply for a loan than a bank number, such as name, DOB, and address (and maybe SSN or other personal ID, depending on country). What data was used for that?

The bank presumably already has that from the KYC on the open account.

I'm assuming that's the clever bit. The scammers got the victim to apply using their own personal data by hiding that fact behind the account number.

This doesn’t make sense to me either. Even when opening a new CD at an existing bank it asks me to confirm the address on file.

I guess it’s possible the scammers scoped out banks and found the shitty ones with inadequate practices…

At least in the US that seems highly unlikely, specifically because of KYC.

Thanks for this story, and for mentioning the key point

> at this point the trust level was high

As your story demonstrates, this is really what these scams hinge on. It's scary sometimes how easily we can come to trust something.

(on an unrelated note, I setup Monarch (Mint replacement) a couple days ago, which of course requires giving them financial credentials just so they can pull transaction history...)

> the scam was set up in a very sophisticated way

What I don't understand is... where the hell are the police on this stuff? Checking account fraud is ridiculously easy to pull off - if you know an account number, you can steal an arbitrary amount of money from a checking account. Why isn't it more common? Because the U.S. treasury department comes down like the wrath of God on people they catch doing it. Of course scammers are trying to set up scams and take advantage of people in various clever ways. We're _supposed_ to have police who make things very, very unpleasant for the people who do so, but as far as I can tell, they don't even care.

This is like a modern version of the red headed league

A buddy of mine got the exact same "recruiter" cold-call message. Luckily we sniffed out the scam but I can totally understand why someone wouldn't pick up on it.