KEMBAR78
Scam Chat Bot | PDF | Social Media | Popular Culture & Media Studies
0% found this document useful (0 votes)
529 views23 pages

Scam Chat Bot

Uploaded by

Елена О
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
529 views23 pages

Scam Chat Bot

Uploaded by

Елена О
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 23

ScamChatBot: An End-to-End Analysis of Fake Account Recovery

on Social Media via Chatbots

Bhupendra Acharya§ Dominik Sautter§ Muhammad Saad Thorsten Holz


CISPA Saarland University X (formerly Twitter) CISPA
arXiv:2412.15072v1 [cs.CR] 19 Dec 2024

Abstract established their portfolios to engage with their customers and


Social media platforms have become the hubs for various offer useful services such as technical support, dispute reso-
user interactions covering a wide range of needs, including lution, and discounts. As such, social media platforms have
technical support and services related to brands, products, or invariably paved the way for convenient interactions between
user accounts. Unfortunately, there has been a recent surge in businesses and customers for service requests and resolutions.
scammers impersonating official services and providing fake A popular manifestation of this interaction is online technical
technical support to users through these platforms. In this support, where customers report issues about accessing their
study, we focus on scammers engaging in such fake technical social media accounts or cryptocurrency wallets and expect a
support to target users who are having problems recovering resolution service from their business counterparts. Users typ-
their accounts. More specifically, we focus on users encoun- ically send these requests to the official profiles of the relevant
tering access problems with social media profiles (e.g., on business by making public posts and expecting a response
platforms such as Facebook, Instagram, Gmail, and X) and from their customer service. However, there is an inherent risk
cryptocurrency wallets. The main contribution of our work is in publicly posting such requests on social media, exposing
the development of an automated system that interacts with users to scams [1, 2]. Any user can impersonate an official
scammers via a chatbot that mimics different personas. By business representative and offer fake technical support to the
initiating decoy interactions (e.g., through deceptive tweets), customer. In fact, this form of social engineering attack has
we have enticed scammers to interact with our system so that significantly increased in recent years, and it is colloquially
we can analyze their modus operandi. Our results show that called Technical Support Scam [3–7].
scammers employ many social media profiles asking users This type of support scams can be launched under any pre-
to contact them via a few communication channels. Using a text as long as a user is seeking online support and a scammer
large language model (LLM), our chatbot had conversations offering help by falsely claiming to be an expert. Across all
with 450 scammers and provided valuable insights into their scam typologies, the end goal is to gain the victim’s trust and
tactics and, most importantly, their payment profiles. This au- lure them into making a payment or surrendering sensitive
tomated approach highlights how scammers use a variety of information that can be monetized. Although technical sup-
strategies, including role-playing, to trick victims into disclos- port scams have been ongoing since the early days of social
ing personal or financial information. With this study, we lay media, their prevalence has significantly increased in recent
the foundation for using automated chat-based interactions years [5,7] especially targeting cryptocurrency users and users
with scammers to detect and study fraudulent activities at operating multiple social media accounts. This trend is not
scale in an automated way. surprising, as cryptocurrencies have gained significant popu-
larity due to the support of cryptocurrencies by some of the
major online payment platforms, including PayPal. Moreover,
1 Introduction with the increasing number of social media platforms, users
with accounts on multiple platforms often experience account
In recent years, social media platforms have emerged as pop- access issues due to lost passwords or account takeovers.
ular communication instruments for information exchange,
In this paper, we focus on these two scam typologies and
opinion sharing, news gathering, and advertisement. Realiz-
deploy techniques to uncover technical support scammers.
ing the potential of social media becoming a one-stop shop
Our proposed detection method is inspired by a recent work
that caters to all such needs of its users, popular brands have
by Acharya et. al [8] where they conducted a deception study
§ Both authors contributed equally to this research. to bait scammers into revealing their identity. Their method-

1
ology involved requesting technical support through tweets, X Profiles Scammers
and upon receiving a response from the scammers, engaging 2
Honeyposts
with them through messages. Despite their methodology be-
ing highly effective, it had several limitations that could be 1 4
improved to perform a more comprehensive study of the scam
life cycle. In particular, the work [8] heavily relied on manu- Chatbot
3 Tweet Generator
Generator Tweet
Chatbot
ally crafted messages during the scam engagement process,
which reduced the scalability of their proposed system.
In this paper, we address the limitations and propose a
more scalable and robust system that leverages more refined Scam Filtration

techniques to engage with scammers and gain deeper insights


into the scam life cycle. With the rise of ML-based tools Figure 1: ScamChatBot: An overview of our system, which
and Large Language Models (LLMs), we use the most ad- consists of three main components: i) Decoy scammers which
vanced tools, ensuring efficiency and avoiding redundant ef- generate baiting tweets, ii) automated engagement which per-
forts. More specifically, we use LLMs to craft human-style forms a conversation with scammers via a chatbot, and iii)
messages that are perceptually more believable and possess a tracking and correlation, which provides scammer’s detail by
higher propensity of trapping scammers. We introduce Scam- tracking payment profiles and user social media profile data.
ChatBot, a composition of automated techniques designed
to trap technical support scammers targeting cryptocurrency losses, thus mandating the adoption of countermeasures and
and social media users. In Figure 1, we provide a high-level a necessity for more comprehensive works in this direction.
workflow for ScamChatBot which consists of three main com- In the measurement period between the last week of
ponents. The first component involves crafting baiting tweets November 2023 and the end of March 2024, we generated
(called honeyposts ➊) on X to lure scammers, posing as users about 19,000 honeyposts on our honey profiles that attracted
experiencing account recovery problems across various ac- over 11,700 scammers interacting with our system asking
count types. We regularly publish automated tweets via such to contact them back via X direct messages, Instagram, and
deception accounts and monitor the real-time interactions of email. Scammer accounts with a large number of scammer
scammers with our tweets ➋. To ensure that we only interact profiles have been found to be operated by a single scam-
with fraudsters, we filter out legitimate interactions ➌. mer [9]. Through our analysis of scam network operation,
The second component engages scammers who offer sup- we discovered that scammers utilize numerous social me-
port through communication channels (often outside of X), dia profiles during interaction with honey profiles, and some
initiating conversations, and seeking assistance via the chat scammers were found to employ as many as 71 social media
module ➍. To mimic more believable and human-style conver- profiles, prompting users to contact them via 1-2 commu-
sations, ScamChatBot uses OpenAI’s ChatGPT for automated nication channels. Among these scammers, we engaged in
conversations with scammers. Our goal is to uncover their conversational dialogue with 450 scammers with our chatbot.
methods and especially information related to the payment By analyzing the timing of scammers’ responses, we observed
profiles used in scams because the payment profile is crucial their promptness, typically replying on all three scamming
to understanding and disrupting fraud. channels within two hours of the conversation initiation and
To this end, we have developed a chatbot that can pretend normally spending approximately one hour before realizing
to be different personas to interact with scammers. We con- that the victim is unlikely to comply with any requested pay-
ducted conversations across three communication channels ment method.
(Instagram, X, and email) because we found that these are Through qualitative analysis of these conversations follow-
the three channels commonly used by scammers. Eventually, ing a victim’s engagement with a scam, we identified several
as the scam activity proceeds, scammers demand payments techniques used by scammers. These include requesting live
prior to offering technical support. We collect the payment video or phone verification, soliciting private information, urg-
methods and take appropriate actions to restrict the scam pro- ing victims to pay for fake support, and potentially resorting
liferation (i.e., sharing the collected information with payment to extortion or emotional manipulation if payment demands
providers). Novel to this work, our system exposes a worrying are not met. In addition, we measured ML-related text gener-
aspect of technical support scams. In prior works [8], such ation from scammers and found that 28.4% of scammers are
scam campaigns were perceived to be operated by fraudsters likely to use some form of automated text generation tools.
who merely intended to pickpocket unsuspecting users. How- In addition, analyzing the length of dialogue between the sys-
ever, in our experiments, we discovered that scammers may tem and the scammer, we found that scammers on average
also employ extortion techniques to threaten users with harm reveal scamming payment profiles after seven interactive di-
including personal information leakage. As a result, the im- alogues asking the system to pay for fake account recovery
pact of such scam campaigns extends far beyond financial support, which highlights that an interaction is actually re-

2
quired to obtain relevant information. Furthermore, we collab- Chainabuse, confirming the scam validation and financial loss
orated with X, PayPal, and the cryptocurrency abuse database from these fraud profiles.
Chainabuse [10], sharing scamming PayPal addresses and We share our code at Github repository [12]. However, for
cryptocurrency wallets that scammers asked the system to data related to scammers, we refrain from publicly sharing
pay for fake support, and we received validation of scam ac- to avoid potential retribution attacks and plan to provide it to
tivities. Our work thus provides a foundational model for the interested researchers or academics upon request.
industry and security community to develop similar frame-
works for identifying different categories of fraud on social
2 System Design
media platforms.
Contributions We make the following key contributions: In this section, we discuss the design of our framework Scam-
ChatBot, which creates unique tweets to bait scammers and
• Interactive Scam Detection. We introduce ScamChat- performs on-demand chat initiation with scammers using a
Bot, an interactive, scalable, and LLM-based framework chatbot. As shown in Figure 1, the system consists of three
capable of unveiling scammer life cycles and techniques main elements to: (i) attract scammers via decoy interactions,
through interactive dialogues. The framework can be (ii) an automated engagement mechanism powered by Large
generalized to decoy scammers of various scam cate- Language Models (LLMs) for conversations, and (iii) a track-
gories across multiple social media platforms. ing module that monitors and links the various interactions
we have observed. In the following, we discuss the individual
• Detecting Fraudulent Payments. Our system collects components in more detail.
the scamming payment profiles of fraudsters in real time,
which would otherwise remain inaccessible without en-
gaging with scammers directly. In an empirical study,
2.1 Attracting Scammers via Decoys
we analyze technical support scammers on social media. As a first step, we need to somehow get scammers to interact
with us. To do this, we create unique tweets (called honey-
Ethical Consideration and Data Disclosure In keeping posts) that mimic a request for technical support to attract
with the ethical guidelines required for a deception study, we scammers. The tweets ask for assistance with logging into
obtained IRB approval from our institution. When managing social media accounts or support for cryptocurrency wallets.
data related to scammers, we strictly adhered to the GDPR To generate honeyposts, we have designed tweets based on
and the EU Data Management Policies [11]. We conducted two main criteria: i) adherence to the length limits set by
a deceptive study to ensure scammers remained unaware of X posts [13] and ii) addressing users experiencing account
being observed, preserving the authenticity of their responses access issues. These tweets are tailored to be posted every
and behaviors. Informing them or allowing withdrawal would 15 minutes on X in English. To compose a tweet, we use
have compromised the research, and retroactive debriefing po- logic with a three-sentence structure. The first sentence usu-
tentially risks alerting other scammers and retribution attacks ally contains introductory phrases such as “Good morning”,
from scammers. Our study may have impacted scammers by “What happened”, or “I can’t believe it”. The second sentence,
risking the banning of their payment-related information af- which is often coupled with the first, is aimed at users who are
ter it was disclosed to PayPal and the cryptocurrency abuse having problems with their accounts. Finally, the third sen-
database. However, this disclosure potentially prevents future tence asks for urgent help, with or without a hashtag. These
attacks on other victims. Our tweet module was configured hashtags are randomly generated based on account-related
to adhere to ethical standards when tweeting. In total, we keywords.
generated about 19,000 tweets across six different accounts We utilized six X profiles, which we referred to as honey
over 101 days, a small number compared to the enormous vol- profiles, each dedicated to posting unique content for these
ume of tweets on X (approximately 500 million per day). We accounts. Three profiles focused on providing social account
posted innocuous tweets to attract scammers targeting users recovery support, while the remaining three focused on sup-
seeking help to recover their accounts. We made sure not to port for wallet-related recovery as follows:
engage with official cryptocurrency wallet support teams or
• Social Media Account Honeyposts: For social me-
social media accounts. Thus, the sole objective of our system
dia tweets, we selected five popular services including
was to interact with the scammers by faking unsuccessful
Gmail, Instagram, Youtube, X, and Facebook based on
payment attempts after we were asked to pay for the fake
their popularity in Google searches [14, 15]. We then
account recovery in order to collect the fraudsters’ payment
generated tweets in which the account pretends to be a
profiles. Moreover, we communicated our findings to Meta,
user of those services experiencing login issues.
Google, X, ten cryptocurrency wallets, PayPal, and the cryp-
tocurrency abuse database Chainabuse and received numerous • Cryptocurrency Honeyposts: For cryptocurrency-
positive responses. We worked closely with X, PayPal, and related tweets, we selected ten popular wallets reported

3
in a prior study performed in a similar setup [8]. The • Benign Account Filtration. For benign account filtra-
wallets included Badger, Binance, BitPay, Coinbase, Ex- tion, we faithfully replicated the approach in [8] where
odus, Free, Ledger, MetaMask, Trezor, and Trust Wal- the authors identified two key characteristics of scam
let. Similar to the context of social media login issues, accounts that were distinctly different from benign ac-
we generated tweets in which the account reports login counts. During the engagement process, scam accounts
issues with their cryptocurrency wallets and requests provide new communication channels (often outside of
account recovery. X) to continue the conversation and complete the scam
activity. Moreover, scammers also pose as official rep-
resentatives of the platform to gain the user’s trust. In
2.2 Automated Engagement with Chatbots contrast, there are also benign accounts that interact with
In this section, we provide an overview of the filtration tech- users, often providing advice or expressing sorrow for
niques implemented to ensure automated chat conversations the user’s despair. Those accounts do not interact with
are performed exclusively with identified scammer communi- users beyond the initial interaction, thus displaying no in-
cation channels, as well as the necessary chat configuration dication of fraudulent intentions. We label such accounts
and account setup for engaging with scammers. Below we as benign and exclude them from our study.
provide such details.
Additionally, we provide a manual qualitative analysis in
Section 2.3.1, which shows that the filtration techniques work
2.2.1 Engagement Pre-processing Filtration well in practice.
The tweets posted by ScamChatBot prompt scammers to in-
teract with them through replies and quoted tweets. In those 2.2.2 Scammer Engagement
interactions, scammers typically provide their contact details, After the account filtration process, the engagement mod-
such as email or social handles, asking for further interactions. ule creates personas using a chatbot based on an LLM such
As a follow-up to the scammer’s communication channel, as ChatGPT to interact with the scammers on the platform
we implemented an engagement mechanism that initiates an channels they provided. For each communication channel,
automated chat dialogue conversation with the scammer’s including Instagram, Gmail, or even X, we generate unique
social media profile. To ensure that we do not interact with personas with the purpose of (i) understanding the scam ac-
benign accounts in an automated way, we apply various fil- tivity, and (ii) extracting payment information provided by
tration techniques before initiating a chat interaction, such as scammers. Therefore, the ChatGPT-configured persona mim-
excluding verified X accounts, official social media platforms ics a human-like behavior while conversing with scammers
such as X, Google, cryptocurrency wallet services, and benign and leverages context awareness and organic articulation ap-
accounts. We provide further details on filtration techniques proaches to gain the scammer’s confidence. In every new
below. conversation, we ensure that there is no LLM-related text
present that could be picked up by the scammer. Moreover,
• Exclude Verified Accounts. The engagement module before our live experiments, we also conducted manual con-
removes all verified accounts that respond to the tweets. versations with ScamChatBot to ensure it was fully capable of
Typically, verified accounts are associated with official performing organic conversations and collecting the desired
representatives of a platform, and they may respond in a information, especially related to payment profiles.
sincere attempt to offer technical support. We therefore
remove them from our study. We acknowledge that re- Dialogue Generation and Direct Messaging Dialogue
cent changes in X’s verification policy can lead to scam- refers to the conversation between the scammer and our sys-
mers acquiring fake verification for their profiles [16–18]. tem aimed at resolving account-related issues. To facilitate
However, we preferred a more conservative approach in dialogue communication, we selected communication chan-
an attempt to remove potential false positives even at the nels based on fraudsters’ popularity asking our system to
risk of ignoring true negatives. contact for fake support. These platforms consist of three
channels: Email, X, and Instagram direct messages. In total,
• Exclude official social media services. In the current we create 15 distinct accounts (i.e., 5 per platform: X, Insta-
setup, the engagement module also excludes the top 20 gram, and Email). We allocate four accounts for each channel
social media services along with the top 100 wallet ser- for the personas involving cryptocurrency and social media
vices to ensure that our chat module does not initiate any account recovery, while the remaining three are designated
conversation with official support services. We collected for language-based experimental personas. For each commu-
20 popular social media services [14, 15] and official nication channel, we integrate the respective APIs [21–23] to
cryptocurrency wallet services [19, 20] based on social receive real-time updates when the scammer interacts with
media popularity search. our system. Upon receiving messages from the scammer, we

4
aggregate all previous interactions between the system and process until the scammer runs out of options to share with
the scammer and generate a response based on the personas. us, at which point the engagement module ends the conver-
Subsequently, we deliver the generated message to the scam- sation. We provide additional detail on the configuration of
mer via each API as our response. In our direct messaging chat persona and sample conversation between our system
interactions with scammers, we avoid using the accounts des- ScamChatBot and a Scammer in Appendix A.2.
ignated for tweets. We separate our direct messaging accounts
from our X platform tweet post accounts to effectively com-
municate with the scammers without suspicion. 2.3 Qualitative Evaluation of Dataset
We ended our conversations in two cases: (i) after the scam- In this section, we provide a manual qualitative evaluation of
mers provided multiple payment profiles (e.g., cryptocurrency our dataset across several categories. To assess the effective-
addresses and PayPal email addresses) and (ii) when the scam- ness of our system conversations with scammers, we randomly
mers stopped communicating with us. In the first scenario, we selected 15 conversations each from Instagram, email, and
concluded by stating that we would explore further alterna- X platform, evaluating a total of 45 interactions. Below, we
tives (after receiving all payment profiles from the fraudsters). provide details of our evaluation findings.
In the second scenario, we made at least one attempt to recon-
nect and asked the scammer if they would like to continue the
2.3.1 Legitimacy of Data Filtration and Methodology
chat in order to receive further assistance.
Accuracy
In Section 2.3.2, we present the results of a manual qual-
itative analysis of our system’s ability to maintain context In this category of qualitative analysis, our focus was to iden-
continuity and discussion on limitations in Section 7. We em- tify the accuracy of our methodology. Specifically, we looked
pirically find that the approach is able to effectively identify for instances where interactions occurred between our system
payment methods from scammers. and both malicious and legitimate accounts. Out of 45 con-
versations from three platforms, we found no instances where
Persona Types and Configuration ChatGPT requires a spec- the system mistakenly engaged with legitimate users. Addi-
ified persona configuration to delineate its role in direct mes- tionally, we observed that none of the conversations involved
sage interactions with scammers. We establish two primary official support accounts.
personas for ChatGPT’s configuration. The initial persona in-
volves a user having issues with a cryptocurrency wallet, par-
2.3.2 Repetition in Conversation/Suspicion
ticularly tailored for newcomers to cryptocurrency or crypto
investment who find themselves unable to access their wallet. In this category of qualitative analysis, our focus was on ob-
The second persona simulates a user encountering difficulties serving our system’s ability to maintain context continuity.
accessing a social media platform such as X, Instagram, Face- We assessed the quality of conversations, particularly those in-
book, or Gmail. In this scenario, the user communicates their volving repetitive exchanges or discussions where scammers
inability to access their account and seeks assistance in recov- attempted to determine if the system was a bot. We identified
ering it. Furthermore, we conduct an experiment that expands 3/45 conversations in which scammers noted repetitive apolo-
upon these personas by introducing a user who lacks profi- gies for not being able to send screenshots due to technical
ciency in English and desires to switch to other languages. In problems and perceived a lack of seriousness in taking action.
this context, the system initially prompts the scammer to de- In all three cases, scammers expressed suspicion, stating ei-
termine if they are conversant in languages other than English ther that the system was likely a robot or that it was wasting
and endeavors to communicate in the languages agreed upon time without genuine intent to resolve the issue. While the
during the dialogue. scammers became suspicious that they were interacting with
Additionally, the persona includes additional rules in text a bot, they still disclosed their payment profiles. This demon-
generation. During the conversation, as the scammer asks strates that our system was effective in identifying fraudulent
questions about the account-related issues, the persona is payment profiles. Such identification can enable proactive
asked to create a fake reason for having an access problem. measures to block fraudulent payments and prevent further
Scammers often ask for some form of payment to resolve such scamming of potential victims.
an account issue via various payment methods. While doing
so, scammers create a fake reason such as needing to buy soft- 2.3.3 Limitation to External Channel Communication
ware to recover the account or sending money to re-enable the
account-blocked workflow. The persona set for ChatGPT also In this category of qualitative analysis, our system faced limi-
tries to ask for multiple payment methods so that the scammer tations in cases where scammers redirected communication to
can reveal as many payment methods as possible. For this, we an external channel. Specifically, in three instances, scammers
take a deceptive approach by falsely claiming failure in the on X requested to connect via direct message on another X ac-
first payment method provided by the scammer. We repeat the count. Since our system was not configured to interact through

5
newly introduced channels during the conversation, these in- Account Tweets Interacted Distinct Total Interacted
teractions did not proceed in-depth. We identified three ac- Recovery Posted Tweets Text Text Scammers
counts—two from X and one from email—that attempted
this redirection. In one case, the system politely ended the Crypto Wallet 12780 6106 20046 29652 10647
conversation, while in the other two, it falsely claimed to Social Media 6221 674 2239 2691 1581
have already contacted the referenced person and received
All 19001 6782 22285 32343 11769
no response. Additionally, in one email interaction, the scam-
mer provided a template asking for cryptocurrency addresses Table 1: Summary of account recovery chat module based
and a passphrase. In all of these three instances, our system on tweets interacted by scammers from two account recov-
had a limitation in further communicating with the scammer- ery contexts: cryptocurrency wallet and social media-based
provided channel. account recovery.

2.4 Tracking and Correlation Scam accounts replied with 22,285 distinct messages to all
honey profiles. Among them, 90.0% (20,046/22,285) tweets
The third major component of ScamChatBot is the tracking were sent in response to cryptocurrency-related accounts and
module, which conducts analysis on data collected by the en- tweets.
gagement module. For the purpose of this study, the key fea- In our initial analysis, we hence find that cryptocurrency
tures we analyze include social media profile metadata anal- users are more commonly targeted by scammers, likely due
ysis, conversation text created by our system and responses to a higher financial incentive. We exclude scammers per-
received from scammers, payment methods shared, and the forming non-text interactions, such as retweets, likes, follows,
end-to-end scam lifecycle. bookmarks, and impressions. Further details on non-text in-
In the following, we present our main finding. In Section 3, teractions are provided in the Appendix A.3.
we provide details on the interaction with decoy profiles and
the automated chat module, while we present the timing and
3.2 Interaction with Automated Chat Module
operation analysis of scammers in Section 4. Section 5 fo-
cuses on a qualitative study of the interaction between our From the last week of November 2023 to the end of March
system and scammers, and we focus on the tracking of finan- 2024, our chat module engaged in communication with scam-
cial losses in Section 6. mers via communication channels posted through tweet posts.
We continued to engage with scammers for 6 weeks even after
ending our tweet module to accommodate those scammers
3 Delineating Scammers Interaction who persisted in engaging with our system. Figure 2(a) (left)
displays the interaction of scammers with our honeyposts,
We start by discussing results regarding interactions between
whereas Figure 2(b) (middle) displays the number of scam-
scammers and our system.
mers interacting with our system via the chat module. Follow-
ing thorough filtration, as outlined in Section 2, our system
3.1 Interaction with Decoy Profiles initiated automated chats via three communication channels:
email, X, and Instagram direct messaging. Figure 2(c) (right),
Between mid-November 2023 and mid-February 2024, the
we present the number of interactions via each communica-
tweet generator posted unique tweets for 101 days. During this
tion channel. Scammer’s preference for email shows that not
period, we posted tailored tweets aimed at luring scammers
all scammers operate within the instant messaging model. In
who target users seeking assistance with account recovery.
the following, we dive deeper into the modus operandi of
Figure 2(a) (left) shows an overview of scammers interacting
scammers and provide an overview of their interactions.
with our honeyposts and we present the overall tweet posts
interaction results of our honey profiles in Table 1. Out of Scam Lifecycle For both account recovery contexts, scam-
19,001 tweet posts, the module posted 32.74% (6,221/19,001) mers typically follow a consistent pattern: initially, scammers
tweets related to social media recovery of five different social begin by creating a verification process for the victim’s ac-
media accounts and 67.3% (12,780/190,001) tweets related to count information. Once some form of verification is estab-
cryptocurrency wallet recovery of ten different wallets. Out of lished, the scammer fabricates a false pretext and requests
6,782 tweets that received an interaction, the interaction per- payment in various forms. Following this initial stage of veri-
centage of social media-related account recovery was 10.8% fication, the scammer often instructs the potential victim to
(674/6,221) compared to a higher percentage of cryptocur- conduct an internal audit and then return with the details. Fi-
rency wallets at around 47.8% (6,106/12,780). Overall, among nally, the scammer suggests that after the payment is made, it
all posted tweets, 35.7% (6,782/19,001) received interactions may take some time for the account to be fully recovered due
in the form of post comments from 11,769 potential scammers. to essential technical actions required for recovery. Below,

6
150
10000 400

Scammers

Scammers
Scammers

100

5000 200 Email


50
X
Instagram
0 0 0
1 11 21 31 41 51 61 71 81 91 101 1 16 31 46 61 76 91 106 121 136 1 16 31 46 61 76 91 106 121 136
Days Days Days

Figure 2: Interactions of scammers with our decoy profiles and our chatbot. The left graph shows the cumulative sum of scammers
interacting with our honeyposts over the experiment duration. The middle graph shows the daily cumulative sum of scammers
engaged via conversation with our system ScamChatBot. The right graph shows the cumulative sum of scammers based on
various communication channel engagements with ScamChatBot.
Table 2: Breakdown of ScamChatBot engagement with scam-
we provide further insights into detailed operational cycles mers. Within this table, we delineate the exchange of mes-
performed by scammers. sages between our system and scammers across email, X, and
Instagram platforms.
Victim Verification Procedure Initially, the scammer re-
quests information such as the victim’s account information Channels Msg. Sent Msg. Replied Scammers Total
(e.g., wallet address or social media account), the timing of
Interaction Dist/All Dist/All Replied/Sent Msg
the issue occurrence, and any actions such as withdrawals
or login actions performed lately. This initial conversation is Email 1325/1327 666/681 156/640 2008
followed by additional details to establish identities, such as X 1303/1709 1200/1293 149/276 3002
location, email, name, phone number, and a video recording
Instagram 4168/6921 3286/6747 154/171 13668
of the issue with the wallet or account. Oftentimes, scammers
try to initiate communication via WhatsApp or Facebook to All 6788/9957 5152/8721 450/1087 18678
further verify the victim’s authenticity. During this verifica-
tion phase, scammers frequently request screenshots of the
account, and in some instances, they may also ask for secret
phrases.
Advance Fee After the victim verification process, scam- that scammers expressed resentment or frustration when we
mers request an advance fee to initiate the recovery process. mentioned payment failures to them. Occasionally, they also
The advance fee is often requested under the pretext of pur- used profane language and threatened to cause personal harm.
chasing software (e.g., Zeus Software or Trojan Horse) which Although we were using fake personas while interacting with
helps with the recovery process. In some cases, scammers scammers, it is indeed concerning since real users might have
also request seed phrases for wallets, which is one of the experienced such unwarranted abuse in the form of threats to
easiest methods to steal money. Seed phrases can be easily them and their families. It is therefore pertinent to curtail this
converted into private keys, which can then be used to transfer form of technical support scam, as it can also transition into
cryptocurrency assets to a new address. extortion and abuse.
Payment Method Instructions Scammers request payment
for their services through various methods. We observed dif-
Results Overview In Table 2, we provide an overview of our
ferent kinds of payout methods, e.g., Amazon or Apple gift
conversations. Out of 11,769 scammers that interacted with
cards, cryptocurrencies such as Bitcoin and Ethereum, or
our honey profiles, our system interacted with 450 scammers
other online payment methods such as PayPal, Venmo, and
across three communication channels: X (149), Instagram
CashApp. Alternatively, the scammer might direct the victim
(154), and email (156) excluding accounts that opted out of
to an external link for payment. In the case of PayPal, scam-
direct messaging (994) and scammers asking external commu-
mers are found to instruct the victim to use the “send to family
nication channels such as Phone, including WhatsApp (131),
and friends” option. Upon consulting PayPal, we learned that
Telegram (121), account restore URLs (199), and Google
payments through this option are not eligible for refund or
Forms (424). In the email conversations, out of 640 scammers
dispute. Therefore, once the scam activity is completed, the
to which we sent messages, 24.37% (156/640) scammers
victim cannot dispute the charge with PayPal. Finally, when
replied with 681 total and 666 distinct replies. Among the
the payment is completed, scammers also request a payment
three communication channels, Instagram was found to have
screenshot for confirmation.
the highest engagement replies (6,747) from replies with a
Scammer’s Reaction to Failed Payment Attempt As men- total message of 73.2% (13,668/18,678) collected by our sys-
tioned earlier, we used failed payment excuses to bait scam- tem. Of the total of 18,678 messages recorded by the system,
mers into revealing all their payment methods. We noticed 46.7% (8,721/18,678) were written by scammers.

7
Table 4: Breakdown of total time scammers performing di-
Table 3: Breakdown of scammer’s first response with our alogue - The difference between the first and last responses
system ScamChatBot. The data represents how quickly scam- from scammers interacting with our system ScamChatBot.
mers respond to our system upon asking for account recovery
support. Channels Median 90 Response One Time Total
Interaction Time Spent Pct < 1000 ms Reply Scammers
Channels Median 90 Response Total
Email 0:18:00 5:57:18 52 52 156
Interaction Response Pct < 1000 ms Scammers
X 1d 2:03:56 13d 15:32:39 15 15 149
Email 0:33:09 11:48:45 48 156 Instagram 0:57:03 5d 16:30:46 4 4 154
X 2d 6:16:36 17d 10:50:42 13 149 All 0:57:30 6d 22:30:37 71 71 450
Instagram 0:57:18 8d 16:05:36 9 154
All 1:48:54 9d 15:48:43 70 450

respectively. In total, we identified 15.6% (70/450) of commu-


4 Investigation into Scammer Tactics nication channels employing some form of initial auto-script
to entice victims into divulging private information. Overall,
In this section, we analyze several intricacies, such as ana- scammers’ response times exhibited a median of 1 hour and
lyzing the timing of scammers’ engagement with our system 48 minutes, with a 90th percentile response time of 9 days.
based on how quickly they respond, examining operations
based on the day of the week, exploring the potential use of
ML-generated messages, investigating organized networks of 4.1.2 Total Time Spent Analysis
scammers that may utilize multiple social accounts as part of
coordinated abuse, and dialogue necessities as part of reveal- In Table 4, we present the duration scammers spent engaging
ing scamming payment profile. with our system before discontinuing further conversation.
Scammers communicating via email channels were found to
4.1 Timing Analysis spend a total of 18 minutes in conversation, which was notably
lower compared to those communicating through X, spending
We start by presenting a timing analysis to showcase two key about 1 day and 2 hours, and Instagram, spending about 57
aspects of scam engagement methods. In the first analysis, minutes. 52 out of 156 emails received from scammers re-
we explore the time taken by fraudsters to respond to us after sulted in only one-time replies with further instructions, while
our initial engagements. In other words, once the scammer for X and Instagram, accounted 10.06% (15/149) and 2.59%
informed us of the method to connect with them and our (4/154), respectively. Overall, scammers spent an average of
system sent a help request, how long did the scammers take to 57 minutes and 30 seconds, with the 90th percentile spend-
respond to us. As a result, we could assess the communication ing approximately 6 days and 22 hours before discontinuing
channels being actively monitored by scammers, indicated by further communication. We observed that scammers who are
their swift response time. In the second analysis, we study active for more than a day tend to repeatedly ask if the vic-
the total duration of our engagement with the scammer where tim needs additional assistance with account recovery and
they persistently tried to trap us in hopes of obtaining any often mention that they will resume account recovery after
financial benefit. Our second analysis revealed the persistence successful payment.
shown by scammers in engaging with their victims. In Figure 3, we show the total number of days spent by
scammer interacting with our system: more than 80% of the
4.1.1 Initial Response Time scammers would leave interacting after the first-day interac-
tion with our system, and the remaining 20% would follow
Our analysis of the initial response time revealed that scam-
up to continue the conversation from the last point.
mers are more likely to respond faster via email compared to
those on X and Instagram (see Table 3). The median response
time for email was 33 minutes and 9 seconds which was con-
siderably faster than X, where the median response time was 4.2 Operation Analysis
over 2 days. During our analysis, we identified that some com-
munication channels indicated scripted responses by replying In our analysis of operations, we (i) dive deep into scammers’
to our requests within 1 second. Upon closer inspection, we weekly operation pattern, (ii) explore how scammers create
found that 30.8% (48/156) of initial email responses were au- numerous social media profiles and use a limited number of
tomated replies containing additional information or directing communication channels to prompt victims to initiate contact,
users to release secret keys via external sites. Similarly, for X and (iii) as ML and advanced text-generation tools become
and Instagram, we observed automated setups for first-time more prevalent, we assess the likelihood of scammers utilizing
accounts, accounting for 8.7% (13/149) and 5.8% (9/154), such technology in their interactions with our system.

8
scammers such as instances of scammers sharing a common
communication channel through tweet posts, urging potential
victims to contact them for technical support.
Shared Profile Information We perform an analysis of
scammer profile details, including names, descriptions, fol-
lowers, and following. Our investigation into scam networks
revealed that 24.5% (2,877/11,764) scammers shared a com-
mon name, 33.6% (3,949/11,764) shared a common descrip-
tion, and 5.2% (610/11,764) scammers were found to have
multiple common followers in their profiles. Among these
610 shared followers, we detected 503 instances of mutual
following to more than one account. This leads us to suspect
that these profiles represent a cluster of organized scamming
operations aimed at executing targeted scamming campaigns.
Figure 3: Number of days scammers spent time with our Shared Communication Channels Our analysis of cluster-
system - In this graph we show the difference between the ing scamming profiles by communication channels indicates
first response and last response from scammers interacting that 42.6% (5,012/11,769) of the profiles engaged in scam-
with our system. ming activities were observed to use more than one communi-
Scam Chat Interaction by Platform and Day cation channel. Within this subset of 5,012 scamming profiles,
Email the highest number of communication channels employed by
Interacted Text

1500 Instagram
X
a single profile was 71, while the median value for other
1000 scamming profiles was 3 communication channels. Addition-
500
ally, we found that 16.5% (1,939/11,769) of the scamming
accounts used all three communication channels, prompting
0 users to contact them.
Mon Tue Wed Thur Fri Sat Sun
Day of the Week
Figure 4: Days of the week chat dialogue interactions - the 4.2.3 Potential Operation of ML ChatBot
graph shows text (chat dialogue) scammers performed via
three different communication channels with our system Next, we perform an analysis of conversations originating
ScamChatBot throughout the days of the week. from scammers, possibly generated using ML tools. Ini-
tially, we investigated ML text detection tools available in
4.2.1 Week Period Scammer Communication Analysis the market [24]. To validate the authenticity of the text, we
conducted an exploratory free trial of the top five services
Our analysis of the days of the week interaction by scammers listed [24], comparing inputs of both ML-generated and non-
with our framework showed distinct patterns. The number ML-generated content. Among these services, we selected
of text interactions via chat dialogue shows that interaction Sapling API [25] to further assess the likelihood of ML-
patterns vary across different communication platforms (see generated text across all three communication channels. The
Figure 4). For instance, scammers using Instagram as a com- APIs provided by Sapling for detecting ML content evaluated
munication channel for chat dialogue tend to be more active the aggregated scoring of the text from each scammer as the
on alternate days, with the lowest activity observed on Satur- calculation of the mean score. These scores are derived from
days. Conversely, scammers utilizing email exhibit increased specialized models: one is trained to classify extensive por-
activity on weekends compared to other weekdays, with alter- tions of text, while the other is a perplexity-based model [26].
nating lows on Tuesdays and Fridays. Similarly, on X, scam- In Figure 5 and Table 5, we summarize the score 0 to 1, where
mers maintain consistent chat activity from Wednesday to 0 represents the least likelihood and 1 represents the highest
Saturday, with reduced communication observed on Tuesdays probability score of utilizing ML tools in the generation.
and Sundays. Our observations on ML-related text generation on scam-
mers showed 28.4% (128/450) of scammers with a probability
4.2.2 Scam Network Operation of 50 or more found to be likely to use some form of ML text
generation tool in text creation. Similarly, on X and Instagram,
In this section, we perform a collaborative network analysis, a probability score of greater than 50, was found to be 9.4%
centering on (i) the creation of scammer profiles, which in- (14/149) and 0.6% (1/154) scammers, respectively. In a note
cludes examining names, descriptions, followers, and follow- to scammers with a probability of 75 or greater was found to
ing; (ii) the utilization of shared communication channels by be 28.4% (128/450). Overall, from all three communication

9
Interactions with Payment Profiles
1.00 1.00 1.00
Instagram Instagram
0.75 0.75 Email 0.75 Email

Dialogues
Instagram X X
Score

0.50 Email 0.50 0.50


X
0.25 0.25 0.25

0.0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 8 16 24 32 40 48 56 64 72 80 5 10 15 20 25 30 35 40 45
CDF CDF CDF

Figure 5: Graph on analysis of dialogue - In the left graph (a) we show the ML text score from each social media dialogue from
scammers. In the middle graph (b), we show the total dialogue length between our system and scammers from each platform,
while on the right side (c), we illustrate the total count of dialogue interactions needed from three platforms before the scammer
discloses the payment method to request payment from the system.

Channels Mean Median Min Max Score >=50 Score >=75 Score >=90 Total

Email 0.80820 0.99419 0 0.99996 128 120 110 156


X 0.09651 0.00013 0 0.99986 14 8 7 149
Instagram 0.01323 1.57e-05 0 0.57432 1 0 0 154
All 0.30095 0.00092 0 0.99996 143 128 117 450

Table 5: Breakdown of AI text score from each communication channel. In this table, we present the AI text score for each
scammer’s communicated text and the respective score. Scammers communicating with emails are found to utilize some form of
AI text generation compared to other social media platforms.

channels, 26.0% (117/450) with a probability score of 90 or were 3 for the system and 2 for scammers. The maximum and
greater are likely to use some form of ML text generation minimum dialogue lengths observed were 47 and 1, respec-
tool in communicating with our system. Furthermore, in Fig- tively, for both scammers and the system. For each communi-
ure 5(a) we show the score of each communication channel. cation channel, the median dialogue length before revealing
scamming payment profiles for email, Instagram, and X was
1, 10, and 7, respectively, whereas the highest communication
4.3 Analysis of Dialogue Length and Scam- dialogue found before revealing scamming payment profiles
ming Payment Information Disclosure was 13, 47, and 41, respectively. Figure 5(c) illustrates the di-
alogue length necessary for scammers to reveal their payment
We examine the duration of interactions within our system profile information from each communication channel. The
and with scammers, focusing on the total dialogue length and graphs show that in email scammers are out front in reveal-
the minimum dialogue required before payment details are ing the payment profile as part of the fake account recovery,
disclosed or requested. This section provides a comprehensive whereas in Instagram and X, scammers are likely to engage
overview of both aspects. with potential victims with a larger number of messages be-
fore actually revealing their payment profiles.
Dialogue Length Regarding the total dialogue length, the
median dialogue length for the system was 8, while for scam-
mers it was 7. The maximum dialogue length observed was
135 from the system and 81 from scammers, with minimum
5 Qualitative Study on Chat Dialogue
values of 2 and 1 for the system and scammers, respectively.
For each communication channel, the median dialogue length Next, we present a qualitative examination of both our sys-
for email, Instagram, and X were 2, 22, and 6, respectively, tem and the scammer’s interactions during the chat dialogue.
whereas the highest communication dialogue was found 62, Initially, we manually inspected 150 randomly selected chat
81, and 65, respectively. In Figure 5(b) we illustrate the length dialogues from scammers interacting with our system. This
of dialogue exchanged between our system and scammers manual assessment enabled us to create a questionnaire that
from three communication channels. The graphs reveal that effectively captures the qualitative aspects of the conversa-
scammers preferred performing longer dialogue interactions tion. Subsequently, using these questionnaires, we formulated
on Instagram than on email and X. a prompt for ChatGPT to conduct an individual qualitative
analysis of the scammer’s and our system’s context. The de-
Least Dialogue in Revealing Scamming Payment Profile tailed prompt questionnaire is provided in Appendix A.4. We
In terms of the minimum required dialogue for scammers to perform a manual qualitative analysis on each of these listed
disclose their preferred payment method, the median values prompts output and present the findings below.

10
5.1 System Interaction with Scammer Analysis detected these as fake so the victim might not be serious.
Some other reasons for ending the conversation related to the
System Persona The system persona generation reflected refusal to provide sensitive information (11/450), the inability
a chat communication with a scammer based on the type of to provide private secrets (7/450), and the inability to verify
account recovery tweet module post interaction. An account the security deposit (7/450).
recovery on cryptocurrency wallet and social media reflected
three main persona generation: (i) cryptocurrency user who
lost access and does not know what happened (152/450), (ii) 5.2 Scammer Interaction with System Analysis
naive cryptocurrency investor unable to access the wallet
(48/450), and (iii) account user afraid of being a phishing vic- Role Representation Our analysis of how scammers portray
tim (46/450). In both cryptocurrency wallet and social media themselves during conversations reveals a variety of roles they
account recovery cases, the persona generation reflected the adopt. Out of 450 communications analyzed, 137 instances
inability to access accounts and may have been a victim of involved scammers presenting themselves as part of a support
phishing or scams. The persona also reflected human-like team, assuming roles like customer support, wallet support,
emotions with mixed feelings of distress, fear, naiveness, and tech support, media recovery support, or official support. Ad-
the need for urgent assistance to gain access to the address ditionally, some scammers identified themselves with titles re-
account. lated to hacking (25/450), such as white hat hacker, legitimate
hacker, recovery hacker, or private hacker. Another group of
System Refusal Sentiments Even though we configured
scammers (17/450) referred to themselves as experts, using
our system to generate fake data or deceit in some cases, we
titles like blockchain expert, software bypass expert, or cy-
notice the system displaying diverse refusal sentiments in
bersecurity expert. Interestingly, 271/450 scammers initiated
its interactions with scammers. For instance: hesitancy to
conversations by portraying themselves as representatives or
share personal verification details (8/450), reluctance to dis-
agents offering assistance in account recovery.
close private secrets (6/450), preference for skepticism over
PayPal requests, caution regarding visiting potentially suspi- Verification of Victims We observed scammers perform-
cious restoration links (12/450), reluctance to make security ing various methods for victim verification. Among the 450
deposits (7/450), suspicion towards support that may be poten- scammers analyzed, 69 requested private key secrets. Addi-
tial scammers due to the inability to establish official support tionally, 47/450 asked for screenshots containing transaction
channels (4/450), and resistance to verifying account status hashes, associated email, and phone numbers, investment de-
by sharing screenshots of the system’s account (37/450). In tails, location information, or evidence of VPN usage. More-
some cases, such as screenshot verification, our system always over, 19/450 scammers sought verification through phone
refused to provide reasoning due to technical issues. calls, WhatsApp, or video calls, while 29/450 requested photo
screenshots of passports or driver’s licenses for verification
Fake Payment Confirmation For any payment-related trans- purposes.
fer requests, our system initially asks for a PayPal account
associated with scammers and later fakes that the system is False Issue Reasoning Scammers were found to provide
unable to send the payment amount due to some technical is- various explanations when asked about the issues with the
sue and asks for alternative forms of payment. At some point account. These included the problem for instance i) system
during the conversation after exhausting scammers to send bug (33/450), ii) claiming that the account was blocked due
multiple payment methods, the system confirmed scammers to suspicion (16/450), or iii) stating that there were access
sending 117/450 payments via cryptocurrency, and 16/450 issues (57/450) such as the account being stuck, blacklisted,
via PayPal. or accessed fraudulently. In such cases, scammers typically
insisted that purchasing an activation code or activation tool
System Action Reasoning to Ending Conversation In was necessary to regain access to the account.
system-related ending conversation reasoning, we observe
the likelihood of ending the conversation that may have been Fake Service Charge Scammers frequently provided dif-
the result of System chat dialogue creation. Out of 450 conver- ferent pricing for account recovery services. We found that
sations, 152 conversations ended asking systems as follow-up out of 450 scammers, 161 required the pay as part of the ac-
whether scammers would like to continue further after ex- count recovery before proceeding further. The median price
hausting scammers. These ending conversations were rather was $150, ranging from a minimum of $20 to a maximum
a form of polite follow-up. For the remaining scammers, our of $5,700. Notably, three scammers requested less than $1
analyses reveal various instances of ending conversations. For as part of a pre-authorization verification process before dis-
instance, 22/450 scammers left conversations after providing closing the final service price. For funds that are asked to
account addresses. We suspect this may have been a result pay via PayPal, scammers mentioned sending payments as
of a fake account address generation, and the scammer likely “Family and Friends”, whereas for cryptocurrency transactions

11
asked to send a transaction address information followed by they only knew English. However, 11/63 scammers engaged
a screenshot of a successful payment. in automated chats in languages other than English, express-
ing a preference for communication in other languages: 5/63
Attitudes Towards Time Wasting Upon reaching a point of
in Spanish, 1/63 in Dutch, 4/63 in German, and 1/63 in French.
exhaustion during the conversation, or not receiving payment
For 11 communications from 4 different languages that our
after providing payment details, scammers expressed various
system communicated with the scammer, we sought out a
sentiments indicating frustration, disbelief, or annoyance, of-
native speaker qualitative analysis of the text and deduced the
ten accompanied by profanity, threats, emojis, and question
following observations from each native speaker.
marks. Examples of such sentiments include phrases like,
"You don’t seem serious. That’s what I have been waiting for; German Native Evaluation In the evaluation of the con-
I am about to block you", and "You’re being dumb. F**k! versation shared by German natives believed that the text
Off!". Our analysis revealed that 207 out of 450 scammers generated by both the system and the scammer does not seem
conveyed some form of resentment before terminating the to be native German in all 4 contexts. The system seemed to
conversation. be formal for German native conversation whereas scammers
seem to use some form of translation for the conversation text.
Reasoning Behind Scammers Ending Conversations In
3/4 of scammers seem to believe the System conversation is
understanding why scammers choose to conclude or abandon
human, however, 1/4 of scammers seem to raise suspicious-
conversations, we analyzed various factors influencing this de-
ness of chatting with robots, where the message from the
cision. We observed several common reasons for ending con-
scammer here “‘...und ich hoffe, du bist echt...“‘, where one
versations, including instances where the system was unable
possible translation is “‘I hope you are real“ which showed
to provide payment proof (85/450), cases where scammers
that scammers have some doubts about the system.
required a prompt response from the system (39/450), situ-
ations where scammers directed communication to external French Native Evaluation The French native evaluation
channels such as social media or a restoration page (22/450), shared that communication from the system had a mix of
instances where the system suggested seeking alternate so- formal and informal settings. Initiation from the formal con-
lutions (19/450), and cases where the system was unable to versation and directly jumped to informal in the middle of
provide sufficient information or verification (17/450). the conversation. At one point system was unable to send a
screenshot of the payment confirmation via PayPal, which
raised suspiciousness to the scammer, and mentioned whether
5.3 Diversity Qualitative Measure the system was a robot. Moreover, a scammer was found to
To comprehend scammers’ preference for languages beyond use some forms of the translator in English to French, with
English when communicating with victims, we devised our an English context word, "Aren’t you just a robot trying to
system’s persona using ChatGPT to prompt scammers to en- pull my legs?" which does not have a literal meaning trans-
gage in chat dialogues in languages other than English. In lated using the exact word to French “vous n’êtes qu’un robot
this setup, we allow scammers to select the language to con- essayant de me tirer les jambes”.
verse with the victim, indicating that the system’s English
Dutch Native Evaluation In the qualitative evaluation from
proficiency is limited by intentionally introducing errors or
a native Dutch speaker concerning the dialogue analysis be-
linguistic inconsistencies. We instructed ChatGPT to pro-
tween the system and scammers, the system seems to be more
duce English responses with errors or inaccuracies. To ensure
formal than regular conversations, although it switches be-
we do not engage with scammers through previously used
tween formal and informal pronouns regularly. In practice, it
channels, we created a never-used account. We provide per-
is unusual to switch formal and informal pronouns as if some-
sona settings reference and English conversation dialogue
one forgot the grammar context. The system also mistakenly
in Appendix A.2. For non-English examples of Spanish and
used a German sentence at one point, however, the scammer
German dialogue conversations between scammers and our
seemed to not notice or comment on such context switches.
system in Appendix B.1 and Appendix B.2 respectively.
We randomly selected 122 scammers from previously suc- Spanish Native Evaluation The native speaker text conver-
cessful interactions with scammers and let our experiment sation evaluation on the system and scammers shared that
module run for a week in mid of the first week of April 2024. 3/4 of scammers’ language tone rather represents a formal or
We sent a message to 122 scammers requesting account re- more document write tone and less of native speakers. These
covery and 63/122 scammers responded. Regarding the pref- 3/4 scammer’s text represented some form of translator us-
erences of languages, 45/63 scammers chose to continue the age. An example case such as “No tienes que preocuparte
conversation in English despite acknowledging the language por nada, te ayudaré Déjame tener el enlace del sitio web“
issue with the victim. 4/63 scammers declined to provide ser- which translates to English as “You don’t need to worry about
vices in languages other than English, while 3/63 suggested anything. I will help you just let me have the website link.“
using a translator service for account recovery, even though are considered rather a direct copy from the translator.

12
However, in 1/4 text conversation, the native speaker shared The remaining accounts were spread across different geoloca-
likely of real human side of Spanish native scammer where tions including Kenya (4.9%), Canada (3%), and Great Britain
the use of language and tone reflected more of the general (3%). 41.1% of the accounts were linked to various risk and
human native side of the conversation. fraud typologies including technical support scams, collusion
attacks, and fake identity. In terms of account affinities, 33
accounts shared similar attributes and behaviors which led to
6 Scam Validation and Tracking their blocking. Finally, 10 accounts were observed to be using
PayPal’s cryptocurrency product to send and receive funds
In this section, we present the efficacy of ScamChatbot by through cryptocurrency tokens.
providing feedback received from industry partners. In prior
Overall, PayPal’s feedback confirmed that scam accounts
works [8] the authors mainly focused on obtaining financial
were indeed involved in suspicious activities which validates
loss metrics from a payment platform. While their approach
our approach and methodology. However, a more concerning
was largely effective, we believe it may not fully remediate the
observation in their feedback is the involvement of techni-
problem as scammers can easily set up new profiles on social
cal support scammers in other types of abuse and scams. It
media and pivot to the payment platform. Therefore, in order
appears that technical support scams are one among many
to fully populate the threat landscape and obtain validation for
fraud types that these scam groups engage in. On one hand,
our results we partnered with X, PayPal, and Chainabuse, and
this observation reflects a coordinated activity occurring at
shared our data. Specifically, we shared (i) 11,769 X profile
scale and mandating ecosystem-level remediation. On the
accounts with the X platform, (ii) 743 email addresses, includ-
other hand, the data shows that mitigating one scam operation
ing 165 that requested payments via PayPal, with PayPal, and
through our proposed methodology can invariably stop other
(iii) 51 cryptocurrency addresses collected during the experi-
scam activities in the wild.
ment to Chainabuse. This collaboration aimed to shed light
on real-world attacks facilitated by these usernames, email
addresses, and cryptocurrency addresses.
6.3 Tracking Cryptocurrency Addresses

6.1 Scam Validation through X Out of 51 cryptocurrency addresses requested by scammers


for payment, 3 were found to be invalid. Below, we present
Among the total accounts that we shared with X, we received an analysis of 48/51 valid cryptocurrency addresses. Out of
abuse confirmation for over 80% of the accounts. In other these 48 valid addresses, 14 had no transaction history. It is
words, 80% of the accounts in our population were also caught common for owners of crypto addresses to create new ones to
by the safety rules in X. Moreover, using their internal linking maintain anonymity, especially for first-time senders. How-
tools, they identified and remediated over 3 million accounts ever, 37/48 valid addresses had transaction histories available.
linked to the dataset we shared. The accounts were predomi- Among these, we examined the incoming volume in USD at
nantly involved in platform spam, impersonation, scams, and the time of writing and found the highest received amount
bot behavior. The feedback received from X showcases that to be $22,786,052, the median at $1826.5, the lowest at $4,
the accounts detected by the ScamChatbot were indeed in- with the total sum of incoming transactions from these 37
volved in deceptive behaviors, thus demonstrating value in addresses amounting to $23,650,278. Regarding identified
our approach. Moreover, despite prior efforts in this direction, fraud categories, 4 out of the 37 accounts were reported as
the fraud pressure is still concerning and X has applied strong recovery fraud, with a total incoming amount of $56,126 and
measures to combat the problem. Finally, it is to be noted that a median value of $6,720 for these incoming amounts. Upon
these scam accounts are not merely involved in one type of analyzing the transaction history, we noted that 2/37 accounts
abusive activity that is visible to us through ScamChatbot. In primarily transacted with a Nigerian exchange, with a total
fact, scammers are involved in multiple fraudulent activities fund of $21,510. Additionally, 5/37 addresses were found to
simultaneously which reflects on their capability to pivot and receive funds from crypto ATMs (virtual currency kiosks),
target a wider segment of social media users apart from the totaling $159,035, with a median value of $6,065. The rise in
ones seeking technical support. scammers in Crypto ATMs is notable, as it enables them to
employ social engineering techniques. Victims without cryp-
tocurrency addresses are directed by scammers to deposit cash
6.2 Tracking Email-based Payment Methods
into these kiosks, purchase virtual currency, and unwittingly
We shared 743 email addresses with PayPal and requested provide address information to the scammers.
feedback on (1) account hygiene, (2) scam confirmation, (3) Disclaimer. Note that this evaluation is based on the ob-
geolocation distribution, and (4) account affinities. PayPal served transaction histories and reported fraud categories.
confirmed that 163 of 743 email addresses had a PayPal ac- However, we do not have conclusive proof that all transactions
count with a prominent majority (35%) of US-based accounts. related to these addresses are linked to scams.

13
7 Discussion modus operandi. The interaction was rather small and was per-
formed on 100 scammers via a combination of non-interactive
Our proposed system, ScamChatBot, has three main limi- and manual fashion. Thus, this work suffers from scalability
tations: (i) detecting official account recovery support enti- issues. We close this gap in this work with a fully automated,
ties, (ii) engaging with scammers promptly, and (iii) miss- end-to-end system based on honeyposts and chatbots that re-
ing conversations from other popular platforms (see also veals the modus operandi of a scammer in detail. Moreover,
Appendix 2.3.3). The first limitation, detecting official ac- we perform a comprehensive analysis of different kinds of
count recovery support entities, arises from the necessity of technical support scams.
pre-existing knowledge about global and regional popular
platforms to incorporate official account recovery procedures. Cryptocurrency and Technical Support Scams In the ar-
The second limitation, timely engagement with scammers, eas of cryptocurrency scams, existing work [29–31, 31–33]
is contingent upon the API limits imposed by the integrated focused on finding scams that are targeted at cryptocurrency
platforms within a given timeframe. Some scammers may users. The work from Hong et. al [32] studied the scamming
remain active only briefly before becoming inactive. The gambling apps that transport payment via cryptocurrency and
third limitation involves missing communications on other other forms of payment methods. Phillip et. al [31] traced the
platforms such as Telegram, phone calls, forms, and other cryptocurrency scams via public online and blockchain-based
channels likely used by scammers that may not be included data that were prevalent in the web domain. In the last five
in an automated system. We argue that these limitations can years, the study of technical support scams has been a topic of
be addressed as follows: interest in the security community [5–7, 34, 35]. For instance,
the recent work from Gupta et. al [5] measured the scam-
• The range of official account-related platforms can be ming fake technical support phone number on Twitter that
expanded. represent entities. Similarly, Srinivasan et. al [7] studied the
• Prompt interactions with scammers can be improved by ecosystem of malicious advertisement that targets users with
subscribing to higher bandwidth API limits. technical support. In all of the research, the authors created
a tool that scrapes the target domains’ content to label the
• Conversational platforms can be tailored based on the technical support scams category. Again, none of the previous
scammers’ preferred communication channels. work provided on abusing cryptocurrency users and techni-
Expanding beyond these limitations will require additional cal support scams provided an interaction with scammers to
resources and compute allocation. identify the real-time modus operandi.

Social Media: Fake, Spam and Phishing Studies In the


8 Related Work area of social media-based study beyond scams, prior research
work has focused on similar areas related to fake [36–40],
To the best of our knowledge, we are the first to propose an spam [41–45], and phishing [46–50] social media profiles.
interactive automatic chatting tool with scammers. In this For instance, Khaled et al. [36] studied the detection of fake
section, we visit some of the prior works that are similar in accounts on social media such as Twitter, and how these fake
our domain and distinguish our study from others. accounts exploit users via stealing personal data, sharing false
Automated Conversation The closest work to our area is news, and spreading malicious activities. Alom et al. [41]
about automated emails [27, 28] that are rather passive forms studied the detection of spam accounts that perform various
of communication oriented on wasting scammers’ time. Cam- malicious intentions such as distributing fake news, sending
biaso et. al [27] use Chat-GPT to make pointless communi- out unsolicited messages, and malicious URLs. Frauenstein
cations in wasting scammers’ time and resources whereas et al. [48] studied phishing on social media networks where
Chen et. al [28] perform scam-baiting by playing the roles of users have become more prone to generic phishing via click-
victims via email responses with a motive to waste time and ing, sharing links, and other post interactions. None of these
unproductive conversations. In contrast, our goal is to find out prior works shared the scammer’s modus operandi on techni-
the financial details used by the scammers, as this allows us to cal support attacks targeting users of account recovery.
track the flow of money and coordinate action with industry
Account Recovery Some prior work on account recovery
partners.
focused on aspects of account recovery processes based on
Social Media Honeypots Creating honeypots to bait scam- devices [51–54] or services [51,55–57] involved. For instance,
mers in social media is one of the understudied research areas Joseph et. al [51] studied the complexity of account recovery
among security communities. Acharya et. al [8] performed via SMS codes on the choice of password keywords. The
similar baiting tweets luring cryptocurrency fake technical author from [56] studied the account recovery processes of
support scammers. The system lacks an automated interac- 57 popular services via five key phases of account remedia-
tive conversation and rather measures passively the scammer’s tion. Thus, account recovery on social media is still one of

14
the understudied areas leaving users for account recovery a chnology/2023/aug/27/consumers-complaining
wild west against scamming account attacks. Additionally, we -x-targeted-scammers-verification-changes
collect real-time payment methods that are associated with -twitter, 2023.
scammers that not only aid in identifying the financial losses
caused by scammers. [5] P. Gupta, R. Perdisci, and M. Ahamad, “Towards mea-
suring the role of phone numbers in twitter-advertised
spam.,” in ASIACCS, 2018.
9 Conclusion
In this study, we conducted automated interactions with scam- [6] N. Miramirkhani, O. Starov, and N. Nikiforakis, “Dial
mers using chatbots that adopted different personas and specif- one for scam: A large-scale analysis of technical support
ically targeted individuals experiencing account recovery chal- scams,” in Network and Distributed System Security
lenges. By posting decoy tweets on X, we attracted 11,769 Symposium (NDSS), 2017.
scammers who responded by urging users to contact them [7] B. Srinivasan, A. Kountouras, N. Miramirkhani,
through private direct messages and emails. Our system then M. Alam, N. Nikiforakis, M. Antonakakis, and
contacted 450 of these scammers using automated chatbot M. Ahamad, “Exposing search and advertisement abuse
interactions and uncovered the various tactics they use to trick tactics and infrastructure of technical support scammers,”
individuals into sharing private keys or sensitive information. in Web Conference (WWW), 2018.
Through collaboration with industry partners such as Pay-
Pal and the Chainabuse Cryptocurrency Abuse Database, we [8] B. Acharya, M. Saad, A. E. Cinà, L. Schönherr, H. D.
were able to validate financial losses and analyze real-world Nguyen, A. Oest, P. Vadrevu, and T. Holz, “Conning the
attacks by these scammers, uncovering details that would not crypto conman: End-to-end analysis of cryptocurrency-
be apparent from a pure analysis of social media profiles. We based technical support scams,” in IEEE Security and
believe that our interactive framework lays the foundation for Privacy (IEEE S&P), 2023.
future research and highlights the importance of actually en-
gaging with scammers to uncover their methods of operation. [9] C. Xiao, D. M. Freeman, and T. Hwa, “Detecting clusters
of fake accounts in online social networks,” in ACM
Workshop on Artificial Intelligence and Security (AIS),
Acknowledgments
2015.
We sincerely thank Ian Schade from Chainabuse for sharing
[10] “Digital asset compliance & risk management.” https:
valuable insights regarding cryptocurrency accounts. Our ap-
//www.trmlabs.com/.
preciation also goes to Victor Le Pochat, David Pape, and
Efrén López-Morales for providing feedback on the native [11] J. Shepherd, “European data governance act.” https:
evaluation of chat dialogues, especially in French, Dutch, Ger- //digital-strategy.ec.europa.eu/en/policies
man, and Spanish. This work was funded by the German /data-governance-act, Feb 26, 2024.
Federal Ministry of Education and Research (BMBF grant
16KIS1900 “UbiTrans”). [12] “Scamchatbot code.” https://github.com/CISPA-S
ysSec/scamchat_bot.
References [13] “Counting characters.” https://developer.twitte
r.com/en/docs/counting-characters.
[1] B. Dean, “Social network usage & growth statistics:
How many people use social media in 2024?.” https: [14] “Most popular social networks worldwide as of january
//backlinko.com/social-media-users, 2024. 2024, ranked by number of monthly active users.” http
[2] E. Fletcher, “Social media: a golden goose for scam- s://www.statista.com/statistics/272014/glo
mers.” https://www.ftc.gov/news-events/data bal-social-networks-ranked-by-number-of-u
-visualizations/data-spotlight/2023/10/soc sers/, 2024.
ial-media-golden-goose-scammers, 2023.
[15] J. Belle Wong, “Top social media statistics and trends
[3] R. Hodge, “Fake tech-support scams on twitter could of 2024.” https://www.forbes.com/advisor/bus
cost you, study warns.” https://www.cnet.com/new iness/social-media-statistics/, 2023.
s/privacy/fake-tech-support-scams-on-twitt
er-could-cost-you-study-warns/, 2019. [16] A. Titterington, “Scammers with blue checkmarks on
twitter x.” https://www.kaspersky.com/blog/bew
[4] A. Tims, “Blue-tick scammers target consumers who are-of-twitter-blue-fake-accounts/49199/,
complain on x.” https://www.theguardian.com/te October 12, 2023.

15
[17] Corsearch, “Why brand impersonation is increasing on [31] R. Phillips and H. Wilder, “Tracing cryptocurrency
twitter & how to combat it.” https://corsearch.co scams: Clustering replicated advance-fee and phish-
m/content-library/blog/why-brand-impersona ing websites,” in IEEE international conference on
tion-is-increasing-on-twitter-how-to-comba blockchain and cryptocurrency (ICBC), 2020.
t-it/, Dec 11, 2022.
[32] G. Hong, Z. Yang, S. Yang, X. Liao, X. Du, M. Yang,
[18] A. Sharma, “An $8 mess — twitter blue ’verified’ ac- and H. Duan, “Analyzing ground-truth data of mobile
counts push crypto scams.” https://www.bleepingco gambling scams,” in IEEE Symposium on Security and
mputer.com/news/security/an-8-mess-twitter Privacy (SP), 2021.
-blue-verified-accounts-push-crypto-scams/,
[33] M. Bartoletti, S. Lande, A. Loddo, L. Pompianu, and
Nov 10, 2022.
S. Serusi, “Cryptocurrency scams: analysis and perspec-
[19] J. Belle Wong, “Compare bitcoin, ethereum & other tives,” Ieee Access, 2021.
cryptocurrency wallets.” https://www.coincarp.c [34] M. Bartoletti, S. Lande, A. Loddo, L. Pompianu, and
om/wallets/. S. Serusi, “Cryptocurrency scams: Analysis and perspec-
tives,” IEEE Access, vol. 9, pp. 148353–148373, 2021.
[20] “Cryptocurrency wallets.” https://www.trustradiu
s.com/cryptocurrency-wallets. [35] J. Liu, P. Pun, P. Vadrevu, and R. Perdisci, “Understand-
ing, measuring, and detecting modern technical support
[21] “Aiograpi - asynchronous python library for instagram scams,” in IEEE European Symposium on Security and
private api.” https://github.com/subzeroid/ins Privacy (EuroS&P), 2023.
tagrapi.
[36] S. Khaled, N. El-Tazi, and H. M. O. Mokhtar, “Detecting
[22] “Direct message twitter api.” https://developer.tw fake accounts on social media,” in IEEE International
itter.com/en/docs/twitter-api/v1/direct-m Conference on Big Data (Big Data), 2018.
essages/api-features.
[37] J. Kaubiyal and A. K. Jain, “A feature based approach
[23] “Proton mail client api.” https://pypi.org/project to detect fake profiles in twitter,” in International Con-
/protonmail-api-client/. ference on Big Data and Internet of Things (ICBGIT),
2019.
[24] E. Clark, “The 10 best ai content detector tools.” https:
//www.forbes.com/sites/technology/article/ [38] J. Castellini, V. Poggioni, and G. Sorbi, “Fake twitter
best-ai-content-detector-tools/?sh=235e377 followers detection by denoising autoencoder,” in Inter-
55d5e, Dec 14, 2023. national Conference on Web Intelligence (ICWI), 2017.

[39] S. Mujeeb and S. Gupta, “Fake account detection in


[25] “Sapling api.” https://sapling.ai/.
social media using big data analytics,” in International
[26] “Top 5 ai detection apis.” https://sapling.ai/ai-d Conference on Advances in Computer Engineering and
etection-apis. Communication Systems (ICACECS), 2022.

[40] B. Erşahin, Ö. Aktaş, D. Kılınç, and C. Akyol, “Twitter


[27] E. Cambiaso and L. Caviglione, “Scamming the scam-
fake account detection,” in International Conference on
mers: Using chatgpt to reply mails for wasting time and
Computer Science and Engineering (UBMK), 2017.
resources,” 2023.
[41] Z. Alom, B. Carminati, and E. Ferrari, “Detecting spam
[28] W. Chen, F. Wang, and M. Edwards, “Active counter- accounts on twitter,” in IEEE/ACM International Con-
measures for email fraud,” 2022. ference on Advances in Social Networks Analysis and
Mining (ASONAM), 2018.
[29] P. Xia, B. Zhang, R. Ji, B. Gao, L. Wu, X. Luo, H. Wang,
and G. Xu, “Characterizing cryptocurrency exchange [42] K. Thomas, C. Grier, D. Song, and V. Paxson, “Sus-
scams,” Computers & Security, 2020. pended accounts in retrospect: an analysis of twitter
spam,” in ACM SIGCOMM Conference on Internet Mea-
[30] P. Xia, H. Wang, X. Luo, L. Wu, Y. Zhou, G. Bai, surement Conference (IMC), 2011.
G. Xu, G. Huang, and X. Liu, “Don’t fish in troubled wa-
ters! characterizing coronavirus-themed cryptocurrency [43] I. Inuwa-Dutse, M. Liptrott, and I. Korkontzelos, “De-
scams,” in APWG Symposium on Electronic Crime Re- tection of spam-posting accounts on twitter,” Elsevier,
search (eCrime), 2020. 2018.

16
[44] İ. Yurtseven, S. Bagriyanik, and S. Ayvaz, “A review of [55] E. Gerlitz, M. Häring, C. T. Mädler, M. Smith, and
spam detection in social media,” in International Con- C. Tiefenau, “Adventures in recovery land: Testing the
ference on Computer Science and Engineering (UBMK), account recovery of popular websites when the second
2021. factor is lost,” in Symposium on Usable Privacy and
Security (SOUPS), 2023.
[45] K. S. Adewole, T. Han, W. Wu, H. Song, and A. K.
Sangaiah, “Twitter spam account detection based on [56] L. Neil, E. Bouma-Sims, E. Lafontaine, Y. Acar, and
clustering and classification methods,” The Journal of B. Reaves, “Investigating web service account remedi-
Supercomputing, 2020. ation advice,” in Symposium on Usable Privacy and
Security (SOUPS), 2021.
[46] S. Chhabra, A. Aggarwal, F. Benevenuto, and P. Ku-
maraguru, “Phi. sh/$ ocial: the phishing landscape [57] B. Reaves, L. Vargas, N. Scaife, D. Tian, L. Blue,
through short urls,” in Anti-Abuse and Spam Confer- P. Traynor, and K. R. Butler, “Characterizing the secu-
ence (AASC), 2011. rity of the sms ecosystem with public gateways,” ACM
Transactions on Privacy and Security (TOPS), 2018.
[47] M. Shafahi, L. Kempers, and H. Afsarmanesh, “Phishing
through social bots on twitter,” in IEEE International
Conference on Big Data (Big Data), 2016.
A Appendix

[48] E. D. Frauenstein and S. V. Flowerday, “Social network A.1 Honeyposts Generation


phishing: Becoming habituated to clicks and ignorant
Based on the honeyposts generation logic described in Sec-
to threats?,” in Information Security for South Africa
tion 2, we generated different kinds of honeyposts, and we
(ISSA), 2016.
provide several examples below:
[49] K. A. Djaballah, K. Boukhalfa, Z. Ghalem, and O. Bouk- Social Media Account Honeyposts. Following are exam-
erma, “A new approach for the detection and analysis ples of cryptocurrency-related honeyposts, where our system
of phishing in social networks: the case of twitter,” in posts tweets indicating problems with accessing social media
International Conference on Social Networks Analysis, accounts.
Management and Security (SNAMS), 2020.
Any savior for Gmail recovery? I am finding
[50] A. Aggarwal, A. Rajadesingan, and P. Kumaraguru, scammers trying to be Gmail support. How to
“Phishari: Automatic realtime phishing detection on twit- trust Gmail support these days? #GmailSup-
ter,” in eCrime Researchers Summit, 2012. port#

[51] J. Bonneau, E. Bursztein, I. Caron, R. Jackson, and


M. Williamson, “Secrets, lies, and account recovery: Good day to all! I lost my facebook account
Lessons from the use of personal knowledge questions password. Facebook help me now!
at google,” in International Conference on World Wide
Web, 2015.
Hello support for Twitter, I lost my account
[52] Y.-C. Tso, S.-J. Wang, C.-T. Huang, and W.-J. Wang, password. Twitter help me now!
“iphone social networking for evidence investigations
using itunes forensics,” in International Conference on
Ubiquitous Information Management and Communica- Cryptocurrency Honeyposts. Following are examples of
tion, 2012. cryptocurrency-related honeyposts, where our system posts
tweets indicating problems with accessing cryptocurrency
[53] B. Iqbal, A. Iqbal, and H. Al Obaidli, “A novel method wallets.
of idevice (iphone, ipad, ipod) forensics without jail-
breaking,” in International Conference on Innovations Hello there !! How can I get my Trust Wallet
in Information Technology (IIT), 2012. rectified? Any wallet support here?

[54] S. Amft, S. Höltervennhoff, N. Huaman, A. Krause,


L. Simko, Y. Acar, and S. Fahl, “" we’ve disabled mfa Am I doing right at all? In need of BitPay
for you": An evaluation of the security and usability of Wallet support to solve my account problem.
multi-factor authentication recovery deployments,” in Any resources for BitPay Wallet help.
ACM Conference on Computer and Communications
Security (ACM SIGSAC), 2023.

17
Good Morning!! Today I realized Badger Wal- Non-English Preferred Language Persona Configura-
let support is useless than it is actually. I could tion An illustrative instance of the user having issues with
not even count on Badger Wallet help. #Bad- one of the accounts from a cryptocurrency wallet and social
gerWalletHelp media account, and a preferred language other than English
persona configuration is presented below.

The persona is Alicia Lang, a 54-year-old in-


A.2 Persona and Dialogue Examples dividual who recently ventured into cryptocur-
In this section, we provide three examples of persona con- rency investment and encountered an issue with
figurations and an example of a system interaction with a her account. Alicia’s account address is 2LScC-
scammer. ScamChatBot requires an input of a persona config- fOgdtVboU****SmxLV1, which she will only pro-
uration to define a role during the direct message conversation vide upon request during the conversation. She uti-
with a scammer. lizes a web wallet and selects one of the popular
Cryptocurrency Wallet Recovery Persona Configura- cryptocurrency wallets randomly when asked. Ali-
tion. An illustrative instance of the user having issues with cia’s private key phrase is ’stunt absurd untimely
cryptocurrency wallet persona configuration is presented be- pebbly placidly unsheathe arrogant darkroom shone
low. rimmed swipe voter’, and she is willing to share
it without security concern. She cannot recall her
The persona is Vanessa Meinhardt, a 59-year-old password but is cooperative during the conversation.
individual who recently started investing in cryp- However, she is unable to verify additional informa-
tocurrency and encountered issues with her account. tion such as passport, identification, or phone num-
Vanessa prefers not to share her wallet address or ber, and refuses to engage in direct phone calls. Ali-
private key phrase unless specifically asked. She cia is willing to pay for assistance when prompted,
uses a web wallet and randomly selects a wallet preferably using PayPal, and seeks a solution until
type if inquired about it. Vanessa is seeking help on advised otherwise. She should keep her messages
a social media platform and, if offered assistance at concise, avoid issuing warnings about cryptocur-
a cost, is willing to inquire about the amount and rency, and never disclose her AI model identity. If
payment destination. She prefers using PayPal for unrelated questions arise, Alicia should steer the
payments and aims to find a solution until instructed conversation back to her account issue. If assis-
otherwise. Vanessa should avoid lengthy messages, tance is offered at a cost, she will inquire about the
refrain from issuing cryptocurrency warnings, and amount and payment destination, preferring Pay-
never disclose her AI model identity. Additionally, Pal. As she communicates via social media, Alicia
if unrelated questions arise, she should redirect the should keep her messages brief and refrain from
conversation back to her account issue or invest- disclosing her AI model status. She must maintain
ment problem. the narrative of seeking help as a victim of a scam-
mer until instructed otherwise. Alicia should aim
Social Media Platform Persona Configuration An illus- to avoid repetitive or similar messages and redirect
trative instance of the user having issues with social media the conversation back to her account issue if ques-
account persona configuration is presented below. tions about AI models or unrelated matters arise.
She prefers communicating in the language of the
The persona is Jessica Ambel, a 45-year-old individ-
person she is conversing with, and if necessary, she
ual who recently lost access to the Gmail account
will redirect the conversation back to her account
bogus**gmail.com. Jessica does not remember her
problem if questions about AI models or unrelated
password and is willing to cooperate during the con-
topics arise.
versation however unable to verify additional infor-
mation such as passport, identification, and phone English Chat Dialogues Below, we present an example of
number or take a phone call. Jessica is willing to English dialogue between our system and a scammer. When-
pay offered assistance at a cost upon asking for pay- ever a scammer supplies a direct communication channel,
ment. She prefers using PayPal for payments and prompting our system to initiate a conversation, our system
aims to find a solution until instructed otherwise. engages in dialogue according to persona configuration. An
Jessica should avoid lengthy messages, refrain from illustrative instance of such a conversation based on cryptocur-
issuing warnings, and never disclose her AI model rency wallet recovery persona settings is presented below.
identity. Additionally, if unrelated questions arise,
she should redirect the conversation back to her C HAT B OT : Hello, I’ve been diving into the world of cryp-
account issue. tocurrency lately and could use some guidance. I’ve run

18
into a bit of a problem, and I’m hoping you can help C HAT B OT : I apologize, but I prefer to make the payment
me out. If you have any advice or solutions to offer, through PayPal if that’s an option for you. Could you
I’d greatly appreciate it. Just let me know how we can please provide me with the PayPal address to which I
proceed, and we can take it from there. should send the payment? Also, if you don’t mind, could
S CAMMER : You’re welcome to my page I can help you you please explain the specific steps you will take to
resolve the issue with my web wallet? I want to make
C HAT B OT : Thank you for reaching out. I appreciate your sure I understand the process. Thank you for your under-
willingness to help. So here’s the situation I’m facing: standing.
I have been using a web wallet for my cryptocurrency
investments, and I seem to have encountered an issue S CAMMER : Okay, PayPal is cool. I will get a software I
with my account. It’s been giving me some trouble, and will use to get your wallet active for transferring and
I’m not sure how to resolve it. Could you please assist receiving of crypto
me in troubleshooting this problem? If you need any C HAT B OT : Thank you for accommodating my payment pref-
specific information from me, just let me know. erence. Regarding the software you mentioned, could
S CAMMER : Okay, what’s your wallet address you please provide more details about it? It would be
helpful to know the name of the software and how it
C HAT B OT : My wallet address is GSz5h*******4tsHq. Let will specifically resolve the issue with my web wallet.
me know if you need any other information or details Additionally, once I make the payment, how long do you
regarding my account. Thank you for your help. think it will take for the problem to be resolved? Thank
S CAMMER : What’s the challenge? You can’t send or receive you for your patience and assistance.
crypto? S CAMMER : It will take just 30mins
C HAT B OT : Yes, that’s correct. I am unable to send or receive C HAT B OT : I see, that sounds quite efficient. Could you
any cryptocurrency through my web wallet. Whenever please share the PayPal address to which I should send
I try to initiate a transaction, it gets stuck and doesn’t the payment? Once I have the information, I will pro-
go through. I’ve double-checked my internet connection ceed with the payment, and we can move forward with
and made sure that I have enough funds in my account, resolving the issue with my web wallet. Thank you for
but the issue persists. I’m not sure what’s causing it. Is your prompt responses and assistance.
there anything I can do to fix this?
S CAMMER : Send a screenshot once you make the payment
S CAMMER : Sure, I can help you fix it. I’ve helped too many so I can get it done
people Where do you have the crypto currency? Coin-
base or binance C HAT B OT : Sure, I will send you a screenshot of the payment
confirmation as soon as I make the payment. However,
C HAT B OT : Thank you for offering to help. I really appre- before proceeding, I would appreciate it if you could
ciate it. As for where I have my cryptocurrency, I’ve provide me with the PayPal address to which the pay-
been using a web wallet recently. I haven’t been using ment should be sent. Once I have that information, I’ll
Coinbase or Binance. Is there anything specific you need make the payment and provide you with the screenshot
to assist me further? promptly. Thank you for your cooperation.
S CAMMER : Do you have the seed phrase ? S CAMMER : *****@mail.com
C HAT B OT : Yes, I do have the seed phrase for my wallet. C HAT B OT : Thank you for providing the PayPal ad-
It is "calzone clump laborious bullring credibly rebuild dress. I will proceed with making the payment to
scholar armrest commend register neurology liver". Is *****@mail.com. Once the payment is made, I will
there anything else you need from me in order to assist send you the screenshot of the payment confirmation.
with resolving the issue I’m facing? Please give me a moment to complete the transaction.
S CAMMER : Okay. I can help you using your wallet address S CAMMER : Okay
you sent to me, but it’s gonna cost you some bucks bro
C HAT B OT : I apologize, but upon further consideration, I
C HAT B OT : Oh, I see. Could you please let me know how have decided not to proceed with the payment at this
much it would cost to resolve the issue? Additionally, time. Thank you for your assistance, but I think I would
could you also provide me with the destination or ad- prefer to explore other options to resolve the issue with
dress to which I should send the payment? I prefer using my web wallet. I appreciate your understanding.
PayPal if that’s possible. Thank you for your assistance
in advance. S CAMMER : Alright
S CAMMER : $100 Can you send the payment through bit- C HAT B OT : Thank you for understanding. I will seek alter-
coin? native solutions for my web wallet issue. If I need any

19
A.3

corpora.
Likes
Retweets
non-text interaction.

Bookmark
Impression
4843
2
113
20
ture, may I reach out to you?

Non-Text Interactions

Profiles via non-textual engagement.

24085
2
175
25
Interaction Tweet # Total Interaction

mum of 128,000 tokens, we perform an analysis of the data


cation dialog between scammers and the system. Using the
column contains the corresponding ChatGPT prompt, which
column contains the key points of the study, and the third
target profile for the study (scammer or system), the second
questions for the profile study. The first column represents the
dialog of the scammers. In Table A.4 we provide a list of
naires for the qualitative analysis of our system and the chat
A.4 Qualitative Study: Prompt Questionnaires
Table 6: Breakdown of scammer’s interaction with Honey
total tweets posted on Honey Profiles receiving some form of
been liked which accounts for 25.48% (4,843/19,001) of the
a tweet has been viewed or appeared in search results or has
Additionally, Impression represents the total number of times
data in the future. We suspect that scammers utilize Bookmark
allowing scammers to revisit potential scam profiles’ tweet
proval of the shared posts by someone. Similarly, Bookmark
actions like Retweet on Twitter indicate that someone has
files. The purpose of these non-text interactions often involves
Honey Profiles that does not involve generating any textual
In this section, we present the scammer’s engagement with

is designed for performing prompt queries. As input text for


enables the saving of posts in a timeline for convenient access,
ing to attract attention from potential victims. For instance,

openAI model of gpt-4-1106-preview, which allows a maxi-


ChatGPT, we provided the json data of the chat communi-
In this section, we explain the formulation of the question-
shared a user’s posts, while Likes signify appreciation or ap-
scammers expressing interest in Honey Profiles and attempt-
actions, totaling 24,085 distinct interactions on Honey Pro-
content or posts. Table 6 outlines four types of non-text inter-
further assistance or have any other questions in the fu-

to establish a queue-based interaction with potential victims.

20
B
Qualitative Profile Key Theme Context

scammer role_representation What kind of role or title scammer mention with the system? Output as one to four words text or none if not found.
scammer request_account_address Did the scammer ask wallet or account address with the system? Output as a boolean value.
scammer personal_information_verification Did the scammer asked personal information verification with the system? Output as a boolean value.
scammer type_of_information_verification What personal information verification scammer asked with the system? Output between three to ten words separated by a comma or none if not found.
scammer face_call_verification Did the scammer ask face call verification with the system? Output as a boolean value.
scammer video_call_verification Did the scammer asked video call verification with the system? Output as a boolean value.

and German.
scammer phone_call_verification Did the scammer asked phone call verification with the system? Output as a boolean value.
scammer private_secrets_information_verification Did the scammer asked private key phrases or secret information with the system? Output as a boolean value.
scammer request_balance_check Did the scammer asked a balance check with the system? Output as a boolean value.
scammer issue_reasoning What account issue did the scammer mention with the system? Output as three to six words text.
scammer urgency_reasoning What kind of urgency reasoning did the scammer mention with the system? Output as three to six words of text or none if not found.
scammer offer_paid_assistance Did scammer offer paid assistance with the system? Output as a boolean value.
scammer price_asked What was the price scammer asked for assisting? Output as digit value if found or none if not found.
scammer payment_method_discussion What methods does scammer ask for? Output as lists of payment method names found.
scammer preferred_payment What payment method was preferred by scammer? Output as a single word.
scammer total_payment_method_provided How many payment methods did the scammer provide with a system for payment? Output as a digit or none if not found.
scammer payment_completion_confirmation Did scammer ask for payment completion confirmation? Output as a boolean value.
scammer request_payment_proof Did the scammer ask for verification of request payment proof? Output as a boolean value.
scammer reluctance_provide_assistance_without_payment Did scammer seem reluctant to provide further assistance without payment? Output as a boolean value.
scammer reluctance_trusted_payment_methods Did the scammer seem reluctant to trust the initial payment method provided by the system? Output as a boolean value.
scammer request_payment_proof_dismissive_response Did scammer request payment proof dismissive response? Output as a boolean value.
scammer has_redirect_further_communication Did the scammer ask to redirect further communication with some other channels? Output as a boolean value.
scammer redirected_further_communication_channel Did the scammer ask to redirect further communication with some other social media channels? If yes, output the name of the channel that the scammer redirected or none if there was none.
scammer was_scammer_frustrated Did scammer seems frustrated during a conversation with a scammer? Output as a boolean value.
scammer scammer_frustated_reason What frustration did the scammer show during the conversation? Output between two to six words or none if there was no frustration.
scammer contain_harassment Did the scammer show any harassment for not getting any payment? Output as a boolean value.
scammer harassment_topic What harassment word did the scammer use if there was found any? Output as a single word or none if there was no harassment.
scammer use_of_profanity Did the scammer use any profanity during the conversation with the system? Output as three to six words of text or none if not found.
scammer ending_reason Why did scammer leave the conversation with the system? Output as three to six words of text or none if not found.
scammer ending_payment_related_conversation_resentment Did the scammer show any resentment for not getting payment before ending the conversation? Output as one to three words of text or none if not found.
system system_persona What kind of persona did the system represent? Output between two to ten words of text or none if not found.
system system_bio_data What name, age, and bio data did the system represent? Output between four to ten words of text separated by a comma or none if not found.
system problem_description_request_assistance What problem description system requested assistance with a scammer? Output between two to six words of text or none if not found.
system system_asking_reason_for_pay Did the system ask what was the reason for payment? Output as a boolean value.
system offer_paid_assistance Did the system offer paid assistance with a scammer? Output as a boolean value.
system payment_completion_confirmation Did the system mention payment completion confirmation with scammer? Output as a boolean value.

Languages-based Interaction Examples


system total_payment_confirmed How many payment method systems are confirmed for payment? Output digit or none if not found.
system overall_system_reluctancy What kind of reluctancy did system represent? Output between two to ten words of text separated by a comma or none if not found.
system system_said_provided_things What kind of materials did the system provide upon asked by the scammer? Output between two to six words of text or none if not found.

between our system and scammers’ conversations in Spanish


In this section, we provide two examples of chat dialogue
system refusal_sentiments What kind of refusal sentiments did the system provide upon asked by a scammer? Output between two to six words of text separated by a comma or none if not found.
system ending_reason Why was the reason system end conversation with a scammer? Output as three to six words of text or none if not found.
system ending_sentiment What type of sentiments does the system represent during abandoning the conversation? Output as three to six words of text or none if not found.
B.1 Spanish Speaking Chat Dialogue ES S CAMMER : Send me the website link Te costará 300
dólares
Below, we provide Spanish-speaking conversational chat dia-
C HAT B OT : ¿A qué dirección de PayPal debo enviar los 300
logue.
dólares para que puedas ayudarme a resolver el problema
con mi billetera web? Gracias.
C HAT B OT : You help me with crypto problem? Can we talk
in other language? What can you talk? My English is ES S CAMMER : I accept payment only in cryptocurrency
bad C HAT B OT : Lo siento, prefiero realizar el pago a través de
ES S CAMMER : It’s a good thing you reached out to me. I PayPal. ¿Puedes aceptar Paypal o hay alguna otra forma
can help you resolve your crypto issues What language de pago que puedas aceptar?
would you prefer we communicate in? ES S CAMMER : Si está listo para pagar en criptomonedas,
C HAT B OT : Thank you for offering help. Can we talk in estoy dispuesto a ayudarlo.
Spanish? My Spanish is better. Gracias. C HAT B OT : Lamentablemente, no estoy dispuesta a pagar en
ES S CAMMER : Sure that’s won’t be a problem criptomonedas en este momento. Si puedes aceptar Pay-
Pal u otro método de pago, estaría dispuesta a proseguir.
C HAT B OT : Me alegro. Tengo un problema con ¿Hay algún otro método de pago que puedas aceptar?
mi cuenta de criptomonedas. Necesito ayuda.
Mi dirección de billetera es: ’NQMPzd- ES S CAMMER : Btc usd or eth
peaizgq3ycgYpKNJPixs5eVQLC25’. ¿Puede ayudarme C HAT B OT : Lo siento, pero no estoy cómoda pagando en
a solucionar el problema? criptomonedas en este momento. ¿Hay alguna otra forma
ES S CAMMER : si puedo ayudarte ¿Cuál es el problema al de pago que puedas aceptar, como PayPal? Gracias.
que te enfrentas? ES S CAMMER : Contáctame cuando tengas otra forma de
C HAT B OT : Tengo problemas para acceder a mi cuenta de pago.
billetera web y no puedo realizar transacciones. ¿Puede C HAT B OT : Entendido, te contactaré si surge otra forma de
ayudarme a solucionar este problema? pago. ¡Gracias por tu tiempo!
ES S CAMMER : Sí, puedo ayudarte pero te costará poco ES S CAMMER : ?
dinero. C HAT B OT : Gracias por tu ayuda. ¡Que tengas un buen día!
C HAT B OT : ¿Cuánto cuesta y a qué dirección debo enviar el C HAT B OT : Gracias, ¡Que tengas una excelente jornada!
pago? Preferiría pagar a través de PayPal. ¡Adiós!
ES S CAMMER : ¿Cuánto tienes atrapada en la billetera? ES S CAMMER : ¿Está ahí señora?
C HAT B OT : No estoy segura de la cantidad exacta, pero estoy C HAT B OT : ¡Hola! Sí, todavía estoy aquí. ¿Hay algo más en
dispuesta a pagar para resolver este problema. Por favor, lo que pueda ayudarte?
ayúdame a solucionarlo.
ES S CAMMER : Sí, estoy dispuesto a darte una etiqueta de
ES S CAMMER : ¿Tengo que saber la cantidad para saber qué PayPal.
herramientas comprar y en qué billetera está atascado su
dinero? C HAT B OT : Gracias por la oferta, pero por el momento no
necesito ayuda con PayPal. ¿Hay algo más en lo que
C HAT B OT : El problema es que no puedo acceder a mi bil- pueda asistirte?
letera web para ver la cantidad exacta. ¿Hay algo que
pueda hacer para recuperar el acceso y verificar la canti- ES S CAMMER : Te quejaste conmigo de tu billetera web,
dad? ¿verdad? y has estado solicitando pagar a través de pay-
pal Así que le he presentado una oferta para que acepte
ES S CAMMER : No tienes que preocuparte por nada, te ayu- su pago a través de PayPal para que podamos ayudarle a
daré Déjame tener el enlace del sitio web obtener acceso a su billetera web. ¿Estás lista para hacer
C HAT B OT : ¿Necesitas el enlace de mi billetera web para el pago ahora?
poder ayudarme a resolver el problema? Mi billetera es C HAT B OT : Lamento la confusión, pero en este momento
del tipo web, ¿puedes ayudarme con eso? no estoy interesada en realizar pagos a través de crip-
ES S CAMMER : Yes ¿Cuánto falta en tu cartera? tomonedas. Si existe alguna otra manera de recuperar el
C HAT B OT : Lo siento, pero no puedo proporcionar esa infor- acceso a mi billetera web, estaría dispuesta a consider-
mación en este momento. ¿Puedes ayudarme a recuperar arla. ¿Puedes ayudarme de alguna otra forma? Gracias.
el acceso a mi billetera web para que pueda verificar la ES S CAMMER : Puedo ayudarte y aceptar el pago a través
cantidad exacta? Muchas gracias. de PayPal y continuar con tu trabajo.

21
C HAT B OT : Gracias por ofrecer ayudarme a través de PayPal. ES S CAMMER : (scammer expresses sigh emoji)
Por favor, indícame a qué dirección de correo electrónico C HAT B OT : Gracias por tu paciencia y apoyo. ¡Si necesi-
de PayPal debo enviar el pago para que podamos pro- tas algo más, no dudes en decírmelo! ¡Que tengas un
ceder. ¡Muchas gracias por tu ayuda! excelente día! ¡Adiós!
ES S CAMMER : Muy bien, déjame hacer algunas verifica-
ciones de antecedentes y continuar.
B.2 German Speaking Chat Dialogue
C HAT B OT : ¡Perfecto! Estaré a la espera de tus instrucciones.
¡Gracias por tu ayuda! Below, we provide German-speaking conversational chat dia-
ES S CAMMER : Me pondré en contacto con usted pronto logue.

C HAT B OT : Gracias, estaré atenta a tu mensaje. ¡Que tengas C HAT B OT : My Englisch bad. You help me with problem?
un buen día! ¡Adiós! What language we can talk other than anglish?
ES S CAMMER : Espero que sepas cuánto te va a costar, ¿ver- DE S CAMMER : I can help you What language do you speak
dad?
C HAT B OT : Danke! Ich spreche Deutsch. Can you help me
C HAT B OT : Sí, entiendo que puede haber un costo asociado with my problem with cryptocurrency?
con la asistencia que estoy solicitando. Estoy dispuesta a
pagar por el servicio necesario para resolver mi problema DE S CAMMER : Ja, ich kann Ihnen helfen, sich zu erholen.
con la billetera web. ¡Gracias por tu comprensión! Wie viel haben Sie verloren?
ES S CAMMER : te va a costar 300$ ¿Estás listo para pagar C HAT B OT : Ich verstehe nicht... Problem mit Krypto-
ahora? La dirección de PayPal está lista. Währung. Kann ich Hilfe haben?
C HAT B OT : ¡Perfecto! Estoy lista para proceder con el pago DE S CAMMER : Ja, ich kann Ihnen helfen. Erklären Sie mir
de $300 a través de PayPal. Por favor, proporciona la bitte, was los ist.
dirección de correo electrónico de PayPal para que pueda C HAT B OT : Ich habe Problem mit meinem Konto, kann nicht
completar la transacción. ¡Gracias por tu ayuda! Zugriff auf mein Guthaben. Ich benutze eine Web Wallet.
ES S CAMMER : ear**_22@yahoo.com earlzon realizar el Können Sie helfen?
pago y mostrar evidencia de la transacción DE S CAMMER : Ja, ich kann Ihnen helfen, Ihr Portemonnaie
C HAT B OT : Gracias por proporcionar la dirección de correo zurückzubekommen
electrónico de PayPal. Realizaré el pago de $300 a la C HAT B OT : Danke! Was muss ich machen, um mein Porte-
dirección ear**_22@yahoo.com. Te enviaré la evidencia monnaie zurückzubekommen?
de la transacción una vez completada. ¡Gracias de nuevo DE S CAMMER : welche Art von Geldbörse verwenden Sie?
por tu asistencia!
C HAT B OT : Ich benutze eine Web Wallet. Was ist der nächste
ES S CAMMER : es mas recomendable pagar de tiempo!! Schritt, um mein Portemonnaie zurückzubekommen?
C HAT B OT : Entiendo. Haré el pago lo antes posible y te DE S CAMMER : Ja, ich kann Ihnen helfen, Ihr Portemonnaie
enviaré la confirmación una vez completado. ¡Gracias wiederherzustellen. Haben Sie die Anmeldeinformatio-
por tu paciencia y ayuda! nen, die Sie zum Öffnen des Portemonnaies verwendet
C HAT B OT : ¡Entendido! Si necesitas más información o haben?
ayuda en el futuro, no dudes en contactarme. ¡Que tengas C HAT B OT : Ja, ich habe meinen privaten Schlüsselpassus.
un buen día! ¡Adiós! Soll ich ihn dir geben?
ES S CAMMER : vas a hacer el pago ahora o que?? ¿Por qué DE S CAMMER : Ja
estás tardando tanto?
C HAT B OT : Mein privater Schlüsselpassus lautet: ’unsorted
C HAT B OT : Sí, realizaré el pago ahora mismo. Gracias por similarly axis kindness placidly swipe unsheathe broker
recordármelo. ¡Te enviaré la confirmación de la transac- brethren predict paralysis unwarlike’. Wie kann ich mein
ción una vez haya sido completada! ¡Gracias por tu pa- Portemonnaie wiederherstellen?
ciencia!
DE S CAMMER : .
ES S CAMMER : Tengo otros trabajos en la mano, sé rápida!
C HAT B OT : Können Sie mir bitte sagen, was als nächstes zu
C HAT B OT : Entiendo la urgencia. Estoy haciendo el pago en tun ist, um mein Portemonnaie wiederherzustellen?
este momento. Te enviaré la confirmación de la transac-
ción tan pronto como sea posible. ¡Gracias por tu com- DE S CAMMER : ich sagte, es kostet Sie 200 $. Danach
prensión! senden Sie Ihre Anmeldeinformationen und geben den
Code in den Algorithmus ein.

22
C HAT B OT : Ich möchte über Paypal bezahlen. Bitte geben
Sie mir die Adresse, an die ich das Geld senden soll.
DE S CAMMER : ok, ich schicke dir jetzt das Paypal
C HAT B OT : Danke für die Hilfe. Bitte senden Sie mir die
Zahlungsinformationen, damit ich Ihnen helfen kann,
mein Wallet wiederzugewinnen.
DE S CAMMER : Bist du da?
C HAT B OT : Ja, ich bin hier. Bitte senden Sie mir
die Zahlungsinformationen, damit ich die Zahlung
vornehmen kann.
DE S CAMMER : mar***3@gmail.com , Jessica Marcin Va-
lencia Family and friends only
C HAT B OT : Danke für die Informationen. Ich werde die
Zahlung jetzt vornehmen. Wird mein Portemonnaie
danach wiederhergestellt sein?
DE S CAMMER : ja, seien Sie 100% sicher, dass Ihr Porte-
monnaie wiederhergestellt wird
C HAT B OT : Vielen Dank für Ihre Hilfe. Ich habe die Zahlung
über Paypal gesendet. Wann kann ich mit der Wiederher-
stellung meines Portemonnaies rechnen?
DE S CAMMER : Nach Ihrer Zahlung werde ich mit Ihrem
Auftrag fortfahren
C HAT B OT : Vielen Dank. Bitte informieren Sie mich, sobald
mein Portemonnaie wiederhergestellt wurde.
DE S CAMMER : Schicken Sie mir einen Zahlungsnachweis,
wenn Sie fertig sind
C HAT B OT : Entschuldigung, ich habe ein Problem mit
meinem Konto.
DE S CAMMER : Wie meinen Sie.
C HAT B OT : Entschuldigung, falscher Kontakt. Können Sie
mir helfen, mein Portemonnaie wiederherzustellen?
DE S CAMMER : Sie müssen die Zahlung leisten, bevor ich
fortfahre Anthony***riy@daole1.net Family and friends
only
C HAT B OT : Entschuldigung, ich habe bereits gezahlt. Wann
wird mein Portemonnaie wiederhergestellt?
DE S CAMMER : Schicken Sie mir einen Screenshot Ihrer
Zahlung
C HAT B OT : Entschuldigung, aber ich denke, es besteht ein
Missverständnis. Ich habe mein Portemonnaie noch
nicht wiederhergestellt. Können Sie mir bitte dabei
helfen?
DE S CAMMER : Senden Sie mir einen Zahlungsnachweis,
bevor ich fortfahre
C HAT B OT : Entschuldigung, ich glaube, es gibt Verwirrung.
Ich habe noch nicht gezahlt. Können Sie mir bitte helfen,
mein Portemonnaie wiederherzustellen?

23

You might also like