Out of the incubator, into the frying pan

Take a moment away from the keyboard to just think for a second.

I want you to picture a scam victim.

Someone you would want to protect. Someone vulnerable. Maybe it's someone in your family.

What the data shows

According to the Canadian Securities Administrators’s (CSA) Investor Index Study a new trend emerged in 2024, one that shifted the meta of scam victims, if you will.

This survey data matches the findings of the 2024 Canadian Anti-Fraud Centre's Annual Report:

Reporting shows that individuals under the aged 50 are more likely to be victimized by fraud...

Individuals aged 19 and under are more likely to be victimized by fraud.

ID Fraud impacts all ages with those aged 30-39 victimized the most.

When I started this incubator program I didn't personally know any Millennial that wasn't hazed for leaving their computer unattended while at work or at a LAN party. As I would talk to more people my age, it seems that was not a ubiquitous experience for my generation.

As I was doing discovery conversations and talking to victims of scams/cybercrime, I didn't even clock that most of the victims I spoke to were my age or younger. I was so obsessed with focusing on protecting what I assumed was the more vulnerable generations (55+) that I didn't even look at my own data in front of me. One student I spoke with had gotten roped into this new trend of job scams, which tricked Canadians out of $17M last year.

A case study of a student victim: "Sam"

So how are these younger victims getting bamboozled? One victim I spoke with gave me some insights on these new scams:

"Sam" remembers being particularly stressed about finding a job. I can see the way Sam is drinking his coffee, that he is already a fairly high-strung young person (18-24). To picture him even more stressed about finding work made me worry for him. A few months before we spoke a professor with a .edu address reached out to him, offering him a teaching assistant position. They gave him an assignment to grade in order to test his skills, he thought this gig was just the right amount of easy money he could pull off and still continue working on his PhD.

In his own words, "because I wanted it so bad, I ignored all the red flags." These red flags couldn't have been any brighter, because after the initial grading assignment they asked him - "hey, you have an account with the Bank of Montreal (BMO), right?"

"Y-yes, I do?" Sam recalls feeling strange that they knew that about him.

"Okay we can pay you directly via cheque then" and in the following message they sent him a photo of ~$1,000 cheque. They instructed him to deposit the cheque and sure enough the amount appeared in his bank account balance. As far as he was concerned, it was weird but they were paying him for easy work, so why should that be his concern? Surely if this wasn't legit, the deposit wouldn't have worked.

This went for days, a quick easy assignment to grade, then another fat cheque to deposit. Before long, the professor said he had very important guests coming and asked Sam to go buy some gift cards. This student was not from North America, he had lived here for years, but never came across this scam. Sam was about $3,000 in gift card purchases before the bank called him notifying him that even though he saw the amounts appear in his account, those cheques were not valid. It's an exploit of the slow Canadian financial system where it takes 3-10 business days to validate the money is really in the accounts. His bank informed him that all the cheques he deposited were fraudulent, and he would not be getting any of that money back he spent on those gift cards. He was out $3,000 - but considering that the average dollar loss for Canadians is $18,071 (CAFC 2024). Sam got lucky, relatively speaking.

What (if anything) can be done?

While it's not in my power for banks to get better at validating payments, what we can do is intervene before the scammer reaches their potential victim.

Answer me this:

Is there a valid reason why an octogenarian should be getting an email with the words "crypto.com" in it? Or a BTC wallet address? What good could come from this?

For the parents out there, is there a good reason you would want your kids 18-24 year olds clicking on ".onion" links sent to them? If you're a cool parent, sure, but let's be real about who most parents are for a minute.

The root issue, to me, is that there are too many messages going into inboxes every day that have absolutely no business being received and gaining attention from the inbox recipient.

Every single Gmail user I spoke with raised similar concerns about the filtering. While it's true the default spam filters are good at catching the "Nigerian Prince" scams, it's clear that the default Gmail filters are not good enough to protect our vulnerable populations. Don't believe me? Go take a quick search on Hacker News for the keywords "Gmail spam filters" and tell me what you find.

What if instead of relying on Gmail's filters, we added our own custom filters to the user's inbox? The Gmail API supports adding keyword filters, there's even a neat CLI tool to do this now. The beauty of this solution is that unlike every solution on the market (SuperHuman, SaneMail, etc.), the expanded filtration approach does NOT require reading emails. We would not need to know who you've been perving with, only what you find unacceptable to appear in your inbox and our service takes care of it.

I tried this approach out myself over the past few months and it works better than I expected. I managed to rescue my @gmail address which is old enough to drink and has plenty of reasons to now that address has been in 28 different breaches according to HIBP. I no longer get notified of unwanted messages. The trick to making this work well is removing the "inbox" label and applying a more appropriate label based on the keywords. My once hot garbage inbox, it now looks like this:

Now is this approach going to catch every scam/hate/slop/spam message that comes your way? No, but it would offer a better baseline than where most people are today. A good portion of the people I interviewed don't use their inbox as designed. For these folks their inbox is thousands and thousands of unread messages in "a sea of crap" as one interviewee put it. Another person I spoke with mentioned she gets 500+ emails every day, most from real companies, but at this point it's impossible to find a signal through all the noise.

This filtration solution could help address this problem, all while maintaining the user's privacy.

The Ask

Coming out of this incubator program solo, I have a lot more respect for solo founders. Do I want to be one? H*ck no. There are so, so many things can go wrong in this domain that I would not consider it an acceptable risk.

That's where you come in friend. I don't care which country you're from or residing in. What matters is that you are interested in helping solve this problem and have experience building foundational systems (code and/or governance). While I love the Discord chat, I have no need for "talk-talk soldiers" as Heinlein phrased it in his book The Moon is a Harsh Mistress. I want to work with people that have built things the wrong way. I need the experiences that come from making business critical mistakes.

If you like what you've read so far and want to be part of this solution, please reach out to me at murdoc [at] communitycybercentre.ca with why you want to help. My goal is to get at least two cofounders to join the steering committee. In our first official founders meeting I'll present my findings and my first drafted business plan which includes who we plan on marketing to, and what we would charge for this service, and collectively, we decide what each of us would work on in order to make this filtration service one that provides real value, to the people who need it most.