Tracking Down Online Scammers—A Conversation with CISPA Researcher Bhupendra Acharya
When navigating the web or using social media platforms, people encounter some form of potential online scam almost every day. Online fraud has become a widespread phenomenon with serious financial and social consequences. Dr. Bhupendra Acharya, who worked as a postdoc at CISPA, dedicated much of his research to understanding online fraud and scams on social media. We spoke with him about the issue—and the many forms that online scams can take.
Bhupendra, where does your interest in the topic of online fraud come from?
My inspiration in the topic of online fraud came from—in tragic sense—of how vulnerable users fall for social engineering tricks each day. These attacks often lead to financial losses, authorize access to sensitive information and leave victims dealing with emotional and psychological distress. During my undergraduate studies, I was also a victim of scam which resulted in a loss of my savings. Although it wasn't a large amount, the experience sparked my interest in understanding how such scams work and how they can be prevented through scientific research.
Online fraud can take many forms. Could you outline the different types of scams that exist?
Online fraud can take many forms and is often built around sophisticated social engineering techniques. For example, someone might reach out via social media or email pretending to want a friendship, an intimate relationship, or to offer mentorship in a "high-return, low-risk" online investment. Others may impersonate representatives from banks, tax offices, or job recruitment agencies by phone. Scammers typically craft scenarios designed to strategically manipulate users into either (i) sharing sensitive personal information such as bank account details, credit card numbers, or identification documents, or (ii) sending money through specific payment methods, based on a fabricated story or sense of urgency.
How large is the economic damage caused by online fraud?
Online fraud causes significant harm to both individuals and society as a whole. According to a report from the US Federal Trade Commision (FTC), reported losses in the US from fraud in 2024 amounted to $12.5 billion—a 25% increase compared to 2023, and the number continues to rise.
What role do social networks and messaging platforms play in online fraud?
With the ubiquity of social media platforms and the number of users surpassing 5 billion, these platforms have also become a lucrative ground for fraudsters to carry out various online attacks. Social media offers an accessible attack surface, where setting up fake profiles is easy and direct engagement with potential victims is readily available through posts, direct messages, follows, and similar outreach mechanisms. Creating a scamming environment on social media is much cheaper than doing so through dedicated scam websites or email campaigns. For example, scammers don’t need to provide sensitive information, such as credit card details, to set up a social media profile—making it more difficult to trace their identity.
How does an online scam typically unfold?
Online scams often begin with fraudsters reaching out to potential victims through various online platforms and systems. This includes contact via email, social media, dating websites, investment platforms, and in some cases, through malicious advertisements or fake websites. Before launching the actual scam, fraudsters typically build a sense of trust or credibility with the victim. The victim then falls for the attack, deceived by the social engineering tactics carefully laid out by the scammers.
Could you give a concrete example of a social media fraud?
Let’s take the case of a fake donation scam. A user interacts with a social media post mourning civilians killed in the Ukraine war. A scammer may respond to the user via a comment, expressing sympathy and suggesting a way to donate to those affected by the war. The scammer then invites the user to continue the conversation on WhatsApp. After building trust through chat, the scammer solicits a donation, often requesting payment through platforms like PayPal or transfer via cryptocurrency addresses.
Has the field of online fraud changed with the rise of artificial intelligence—and if so, how?
With the rise of AI, fraudsters are developing new techniques, such as generating content, images, and videos that are increasingly difficult to distinguish from legitimate material based on visual inspection alone. Detecting such scams often requires deeper analysis and reverse engineering to verify the legitimacy of the source. For example, in our recent research, we identified cases where scammers used Large Language Models (LLMs) to generate email templates for phishing attacks targeting private key phrases of cryptocurrency wallets. In addition, LLMs can be used to crawl accounts for scam attacks. The scam attacks themselves can also be automated, which allows the number of potential attacks to rise drastically. All of this shows that scammers have a powerful tool in their hands with AI. The good news, however, is that AI tools can be just as effectively used to detect and prevent scams.
You’ve been researching online fraud for several years now. Which aspects of this topic have you covered in your work over time?
My research focuses on various areas of applied security, especially internet-based cybercrimes and attacks. Some of the topics I work on include: (i) impersonation attacks targeting brand customers on social media through fake support accounts and fraudulent online sales; (ii) romance and cryptocurrency investment scams directed at users via social media and dating apps; (iii) fake donation solicitations, which are increasingly being used to exploit support for charitable causes, among others.
I’d like to take a closer look at one of your recent studies. In the study, you developed a method called ScamChatBot. What’s the idea behind it?
In this study, my research group and I investigate how to interact with scammers in a systematic way. Currently, there is no structured approach to engaging with scammers to waste their time and uncover their methods of operation, including how they request and process payments. Our system ScamChatBot is designed to interact with scammers and expose these intricacies, which are typically hidden from the public.
What advice would you give to individual users to protect themselves?
Scams and online attacks have become super hard to identify as they often resemble legit services or profiles. With the rise of AI and sophisticated ML tools, scammers are coming up with sophisticated social engineering attacks. Thus, being cautious and always doing a reverse check on any online schemes is necessary. Always validating the source and being extra cautious is super important. Additionally, if someone (non-official) asks for your private information such as key phrases, password, and other sensitive information, these are outright red flags.
What advice would you give to social media platforms and financial companies?
Monitoring customer interactions on social media and other online platforms beyond official channels can help identify risks. In many cases, customers seek alternative sources of support, which opens the door for impersonation by scammers. Clearly communicating accepted contact channels and official purchasing procedures plays a key role for companies in guiding customers toward safe engagement. It is also important to stay vigilant against fake profiles that mimic brands, trademarks, or official representatives. Data sharing between platforms and companies is also crucial for tracking scammers. Once a scam is detected, immediate action—such as blocking the associated accounts—is essential. In addition, more sophisticated authentication procedures can make it significantly harder for scammers to set up fraudulent accounts.
In July, you left CISPA for the U.S. to become an Assistant Professor at the University of Louisiana. What are your expectations for this next step in your career?
I am super excited to start the tenure-track faculty position at the ULL. My goal as faculty remains the same, i.e., how to make a web safer place through scientific work. I plan to mentor next generation cybersecurity researchers in making the web a safer place through teaching and research work. I am happy that I could already hire two PhDs but I am still looking for other potential candidates.
Looking back, how do you reflect on your time here at the center?
First of all, I am thankful for CISPA and my amazing advisor Prof. Dr. Thorsten Holz for the opportunity of having me as postdoc for over 2.5 years. It was an amazing collaboration. During my time here, I had the opportunity to mentor over 15 students from Saarland University and Ruhr University in their thesis work. Our group collaboration extended beyond CISPA and Germany, as we published several impactful research work at top conferences such as IEEE Security and Privacy, USENIX Security, IMC and WWW. I am also glad that I had the chance to work with amazing researchers in empirical web security and security: to name a few—Dr. Giancarlo Pellegrino, Dr. Ben Stock and Dr. Lea Schönherr. I am taking all these beautiful memories with me, and we plan to continue these collaborations.
Thanks for the interview and all the best for your next career step in the US.
Bio Bhupendra Acharaya
Bhupendra Acharya was a postdoctoral researcher at CISPA Helmholtz Center for Information Security (March 2023 – July 2025). He worked with Prof. Dr. Thorsten Holz at SysSec Lab. He completed his Ph.D. from the University of New Orleans under the supervision of Dr. Phani Vadrevu. His Phd (Jan 2018 – Dec 2022) work primarily focused on areas of Phishing, Web Security Crawlers, Browser Fingerprinting, and building tools for large-scale measurement using honeypots. Before academia, he worked several years in multiple industries including Amazon and Microsoft, performing software development and assurances. After leaving CISPA, he joined the University of Louisiana as an Assistant Professor.
