Day 0 Event #250 Building Trust and Combatting Fraud in the Internet Ecosystem

23 Jun 2025 13:30h - 15:00h

Session at a glance

Summary

This discussion focused on building trust and combating fraud in the internet ecosystem, bringing together experts from regulatory bodies, telecommunications companies, international organizations, and technology platforms. The session was moderated by Johannes Vallesverd from the Norwegian Communications Authority and featured representatives from organizations including the Global Anti-Scam Alliance, UN Office of Drugs and Crime, Meta, Telenor, and ICANN’s Government Advisory Committee.

The speakers presented alarming statistics about the global fraud landscape, with an estimated $1 trillion in annual losses worldwide and 25% of the connected population having been victims of scams. Rens Grimm from the Global Anti-Scam Alliance highlighted that only 2.5% of fraudsters are prosecuted, while 67% of people believe they can recognize scams despite high re-victimization rates. The discussion emphasized that fraud has evolved from traditional methods to sophisticated digital operations using artificial intelligence, making it increasingly difficult to distinguish between authentic and fraudulent content.

Several panelists shared successful mitigation strategies, including Norway’s anti-spoofing roaming shield that blocks fraudulent mobile numbers from abroad, and Meta’s deployment of facial recognition technology to combat public figure impersonation scams. The Global Signal Exchange was presented as an innovative solution for real-time cross-sector data sharing to combat fraud internationally. Speakers stressed the importance of treating fraud as serious organized crime rather than petty theft, noting that current international legal frameworks need strengthening to enable better cooperation between countries.

A key theme throughout the discussion was the tension between privacy protection and fraud prevention, with experts arguing that privacy laws should not inadvertently protect fraudsters while hindering legitimate security efforts. The panelists concluded that effective fraud prevention requires unprecedented collaboration between public and private sectors, standardized international approaches, and operational rather than just theoretical solutions to protect global citizens from this serious criminal threat.

Keypoints

## Major Discussion Points:

– **Scale and Impact of Global Fraud**: The discussion revealed staggering statistics about fraud’s global reach, with 25% of the world’s connected population being victims, causing approximately $1 trillion in annual losses, yet only 2.5% of fraudsters face prosecution. Fraud has become the first or second most reported crime in most countries.

– **Multi-stakeholder Collaboration and Data Sharing**: Panelists emphasized that effective fraud prevention requires unprecedented cooperation between governments, telecom operators, social media platforms, law enforcement, banks, and international organizations. The Global Signal Exchange was highlighted as a practical example of real-time cross-sector data sharing to combat fraud.

– **Regulatory and Legal Framework Challenges**: The discussion addressed the need for harmonized international legal frameworks, with UNODC noting that fraud isn’t consistently criminalized as “serious crime” globally, hampering international cooperation. Privacy regulations like GDPR were debated as potentially protecting fraudsters rather than victims when implementation lacks clarity.

– **Technology’s Double-Edged Role**: AI and emerging technologies were identified as both enabling more sophisticated fraud (deepfakes, voice mimicking, automated scams) while also providing tools for detection and prevention. The challenge lies in deploying protective technologies at the speed needed to counter rapidly evolving fraud tactics.

– **Operational Prevention Measures**: Concrete examples were shared of successful fraud prevention, including Norway’s anti-spoofing shield that blocks fraudulent mobile numbers from abroad, Meta’s takedown of 1.4 billion fake accounts, and Telenor’s blocking of 2.2 billion fraud attempts in 2024.

## Overall Purpose:

The discussion aimed to move beyond merely talking about fraud to identifying actionable, operational measures that different stakeholders can implement collaboratively. The goal was to share successful practices, explore technical and regulatory solutions, and build a coordinated international response to combat digital fraud across all channels (voice, SMS, email, internet, social media).

## Overall Tone:

The discussion maintained a serious, urgent tone throughout, reflecting the gravity of fraud’s impact on global society. While acknowledging the enormity of the challenge, the tone was constructively solution-oriented, with speakers sharing concrete examples of successful interventions. There was a sense of cautious optimism about collaborative approaches, though tempered by realism about the persistent and evolving nature of fraud. The tone became particularly somber when addressing tragic consequences like suicide from sextortion, but remained focused on actionable responses rather than despair.

Speakers

**Speakers from the provided list:**

– **MODERATOR** – Role/Title: Not specified, Area of Expertise: Session moderation

– **Johannes Vallesverd** – Role/Title: Senior legal advisor at the Norwegian Communications Authority, Chair of the National Expert Group Against Digital Fraud, Chair of the Global Informal Regulatory Anti-Fraud Forum, Area of Expertise: Legal affairs, regulatory anti-fraud

– **Rens Grim** – Role/Title: Anti-scam specialist, Area of Expertise: Anti-scam operations at Global Anti-Scam Alliance

– **Camilla Sharma** – Role/Title: Director of Market and Services, Department of Norwegian Communications Authority, Area of Expertise: Regulatory affairs, market services

– **Riika Puttonen** – Role/Title: Program Manager of UNODC (UN Office of Drugs and Crime), Area of Expertise: International legal frameworks, organized crime

– **Emily Taylor** – Role/Title: Co-Founder of GSE (Global Signal Exchange), Area of Expertise: Cybersecurity, data sharing for fraud prevention

– **Lucien Taylor** – Role/Title: Co-Founder of GSE (Global Signal Exchange), Area of Expertise: Technical systems, information exchange platforms

– **Rima Amin** – Role/Title: Security Policy Manager, Community Defence at META, Area of Expertise: Platform security, adversarial threats

– **Birgitte Engebretsen** – Role/Title: Managing Director of Telenor Norway, Area of Expertise: Telecommunications, digital security

– **Nico Caballero** – Role/Title: Chair of the GAC (Government Advisory Committee to ICANN), Area of Expertise: DNS governance, domain name policy

– **Andrew Campling** – Role/Title: Trustee of the Internet Watch Foundation, Area of Expertise: Internet safety, content moderation

– **Audience** – Role/Title: Not specified, Area of Expertise: Not specified

**Additional speakers:**

– **Frode Sørensen** – Role/Title: Online moderator, colleague of Johannes Vallesverd, Area of Expertise: Online session moderation

– **Shiva Bisasa** – Role/Title: Not specified, Location: Trondheim, Tobago, Area of Expertise: Not specified (audience member who asked a question)

Full session report

# Comprehensive Discussion Report: Building Trust and Combating Fraud in the Internet Ecosystem

## Executive Summary

This session at the Internet Governance Forum brought together leading experts from regulatory bodies, telecommunications companies, international organisations, and technology platforms to address the escalating global fraud crisis. Moderated by Johannes Wallesward from the Norwegian Communications Authority, with Frode Sørensen as online moderator, the session featured representatives from the Global Anti-Scam Alliance, UN Office of Drugs and Crime, Meta, Telenor, ICANN’s Government Advisory Committee, and other key stakeholders. The discussion revealed alarming statistics about fraud’s global reach whilst showcasing successful mitigation strategies and emphasising the need for international cooperation.

The session was structured as individual presentations followed by a panel discussion, with speakers presenting concrete examples of successful fraud prevention measures and identifying actionable steps for coordinated global response. Key themes included the massive scale of global fraud, the importance of multi-stakeholder collaboration, regulatory framework challenges, and the balance between privacy protection and fraud prevention.

## Scale and Impact of Global Fraud

Rens Grimm from the Global Anti-Scam Alliance opened with striking statistics that established the magnitude of the global fraud epidemic. He revealed that 25% of the world’s connected population has fallen victim to scams, resulting in approximately $1 trillion in annual losses worldwide. Despite this massive impact, only 2.5% of fraudsters face prosecution, highlighting a critical enforcement gap.

Grimm provided historical context, noting that fraud has been a persistent human behaviour for millennia. He cited research showing that of 70 million pet animals mummified in ancient Egypt, one-third were fake—demonstrating that deception predates modern technology by thousands of years. He also shared a contemporary example of a Japanese lady who paid 35,000 euros believing she could help her lover return from space, illustrating how incredible some modern scams can be.

The scale of daily attacks was further illustrated by Birgitte Engebretsen from Telenor Norway, who reported that her company blocked more than 2,200 million fraud attempts in 2024, equivalent to two attempts each day towards their customers. Interestingly, Norwegian data shows that fraudsters “take ordinary Christmas breaks and well-deserved weekend off,” suggesting organised criminal operations with regular schedules.

Grimm noted that fraud has become either the first or second most reported crime in most countries, yet the low prosecution rate creates a climate of impunity. He also revealed that globally, 7% of people admit they would participate as money mules, and despite 67% believing they can recognise scams, re-victimisation remains common. Only 4% of fraud victims globally can obtain full refunds.

## Norwegian Anti-Fraud Measures and Multi-Stakeholder Approach

Camilla Sharma from the Norwegian Communications Authority presented Norway’s comprehensive approach to fraud prevention. She announced that Norway’s digital anti-spoofing roaming shield entered force on November 19, 2024, making it “one of the first in the world” to implement such measures. This system blocks fraudulent mobile numbers from abroad and has helped restore public trust in mobile communications.

Norway’s success stems from its multi-stakeholder approach, where the national anti-fraud group includes mobile operators, authorities, police, and banks working together operationally. Sharma emphasised that this goes beyond theoretical discussions to practical collaboration, with regular meetings and shared intelligence.

The Norwegian model demonstrates how regulatory innovation can enable fraud prevention while maintaining international cooperation. Sharma noted that their approach required careful coordination with international partners and technical implementation that respects both privacy and security needs.

## International Legal Framework and UN Initiatives

Riika Puttonen from the UN Office of Drugs and Crime explained significant gaps in current legal frameworks that hamper effective fraud prevention. She noted that fraud is not consistently criminalised as “serious crime” across all countries, which prevents the use of international cooperation mechanisms available under UN conventions. Serious crime typically requires a minimum sentence of four years’ imprisonment, but many countries classify fraud as a lesser offence.

To address these gaps, Puttonen announced that a new UN Convention Against Cybercrime will open for signature in October 2024, designed to address modern forms of fraud and enable better international cooperation. The UN Convention Against Transnational Organized Crime has 193 parties, providing a strong foundation for international cooperation when fraud is properly classified.

Puttonen also announced that UNODC and Interpol will host a Global Fraud Summit in March 2026 in Vienna to further coordinate international efforts. She emphasised that privacy laws establish qualified rather than absolute rights, which can be legitimately compromised for public safety purposes when prescribed by clear, accessible law.

## Global Signal Exchange and Threat Intelligence Sharing

Emily Taylor and Lucien Taylor from the Global Signal Exchange presented their platform as a practical example of cross-sector collaboration. The platform enables real-time intelligence sharing across more than 160 organisations, processing threat signals with a 40-second input time and four-day average time-to-live.

Emily Taylor highlighted a critical asymmetry: whilst criminals collaborate globally and share information seamlessly, legitimate defenders remain largely siloed within industry verticals and national boundaries. The Global Signal Exchange started with 40 million threat signals and demonstrates the potential for coordinated defensive efforts that match the scale and speed of modern fraud operations.

The platform processes significantly more threat intelligence than traditional reporting mechanisms, showing the value of automated threat detection and sharing compared to manual consumer reporting processes.

## Platform Response: Meta’s Approach

Rima Amin from Meta described her company’s comprehensive approach to fraud prevention. Meta removed 1.4 billion fake accounts in Q4 2024 alone, with 99.9% caught proactively before being reported by users. This demonstrates the scale of automated fraud prevention efforts and the importance of proactive rather than reactive approaches.

Meta’s strategy focuses on disrupting the fraud attack chain as early as possible, from infrastructure building through to victim engagement. Amin explained their ABC framework, which prioritises Actor and Behaviour detection over Content analysis, as fraudsters can more easily modify their messaging than change their fundamental operational patterns.

She provided a practical example of balancing privacy and security through Meta’s use of facial recognition technology to detect misuse of public figures’ images in scams. This technology deployment required careful consideration of privacy implications whilst addressing a significant fraud vector affecting celebrities and public figures.

## Telecommunications Industry Response

Birgitte Engebretsen from Telenor described how telecommunications companies serve as critical infrastructure in fraud prevention. Beyond the massive number of blocked attempts, she explained how Telenor integrates fraud filters directly into customer subscriptions as a standard security measure rather than an optional add-on.

Engebretsen proposed a triangular burden-sharing model between customers willing to pay for enhanced security, government financing, and private sector investment. She argued that effective collaboration requires clear distribution of responsibilities and costs across all stakeholders, rather than expecting any single entity to bear the full burden of fraud prevention.

The telecommunications perspective highlighted how fraud prevention has become an essential service that operates largely invisibly to protect customers from daily attack attempts.

## DNS and Domain Name System Security

Nico Caballero from ICANN’s Government Advisory Committee focused on domain name system security challenges. He noted that phishing comprises more than 90% of DNS abuse cases, with research from the Internet Society indicating an annual impact of $12 billion.

ICANN is developing stricter service level agreements for takedowns and contractual penalties for repeat offenders. However, Caballero noted challenges in achieving uniform enforcement against rogue registrars globally, as different jurisdictions have varying levels of regulatory oversight and enforcement capability.

The DNS perspective highlighted how fraud prevention requires coordination across different layers of internet infrastructure, from domain registration through to content hosting and delivery.

## Privacy and Security Balance

Johannes Wallesward posed what he called a “provoking question” that became central to the discussion: “Are the privacy rules now protecting the victims or the fraudsters?” This prompted nuanced responses from speakers who sought to move beyond binary thinking about privacy versus security.

Riika Puttonen emphasised that privacy laws establish qualified rather than absolute rights, which can be legitimately compromised for public safety purposes when prescribed by clear law. Emily Taylor noted that privacy and security can coexist when proper legal frameworks are established and followed from the outset.

However, speakers acknowledged ongoing implementation challenges. Rima Amin noted operational challenges where privacy regulations can slow deployment of anti-fraud technologies in Europe. Andrew Campling briefly raised concerns that privacy-focused changes to internet standards might remove signals needed for consumer protection.

## Regulatory Coordination and GIRAFF

Camilla Sharma highlighted the Global Informal Regulatory Anti-Fraud Forum (GIRAFF), chaired by ANCOM with 40 countries participating. This forum enables regulators to share best practices and coordinate approaches across different jurisdictions.

The forum represents an important mechanism for regulatory learning and coordination, allowing countries to adapt successful measures like Norway’s anti-spoofing shield to their own contexts and legal frameworks.

## Victim Impact and Human Cost

The human cost of fraud was powerfully illustrated when Shiva Bisasa, an audience member from Trinidad and Tobago, shared knowledge of a financial sextortion victim who took his own life. This testimony transformed the discussion from abstract statistics to human tragedy, emphasising the life-and-death consequences of fraud, particularly in developing nations where awareness campaigns and law enforcement capabilities may be limited.

This intervention highlighted particular challenges in developing countries, where limited law enforcement resources, lower awareness levels, and fewer reporting mechanisms create environments where fraud can flourish with minimal consequences.

## Technology and AI Considerations

Rens Grimm acknowledged that AI will enhance fraudsters’ capabilities through better text generation, voice mimicking, and image creation. However, he expressed cautious optimism that “we’re not yet at the tipping point” where AI fundamentally transforms the fraud landscape beyond recognition.

The speakers agreed that the key to managing AI’s impact lies in the speed of defensive deployment. Legitimate organisations must be able to implement protective technologies as quickly as fraudsters adopt offensive capabilities.

## Actionable Outcomes and Next Steps

The discussion produced several concrete commitments and action items:

– Regulators were encouraged to join GIRAFF to share best practices across participating countries

– The Global Fraud Summit in March 2026 in Vienna will provide a focal point for continued international cooperation

– Countries were urged to criminalise fraud as serious crime with sentences of four years or more to enable international cooperation under UN conventions

– The new UN Convention Against Cybercrime, opening for signature in October 2024, provides a framework for harmonisation

– ICANN’s development of stricter service level agreements represents concrete progress in addressing DNS-based fraud

– The public sector was encouraged to give higher weight to quality and security in procurement processes

## Conclusion

This comprehensive discussion revealed both the enormous scale of the global fraud challenge and the potential for coordinated international response. With 25% of the world’s connected population affected and $1 trillion in annual losses, fraud represents one of the most significant criminal threats of the digital age.

The session demonstrated successful prevention measures across different sectors—from Norway’s anti-spoofing shield to Meta’s proactive account removal to the Global Signal Exchange’s threat intelligence sharing. These examples show that effective countermeasures are possible when properly implemented and coordinated.

The upcoming UN Convention Against Cybercrime and the planned Global Fraud Summit represent important opportunities to build on the foundations established in this discussion. The challenge ahead lies in scaling successful approaches globally whilst navigating the balance between privacy protection and security needs, supported by the operational cooperation frameworks like GIRAFF that enable practical collaboration between stakeholders worldwide.

Session transcript

MODERATOR: Fraud is crime. Every second, somewhere in the world, a new victim is hurt. Are we losing the battle? We are entering unprecedented times where artificial intelligence makes it more and more difficult to differentiate false from true. The fight against fraud is fought everywhere. On voice, SMS, RCS, messaging, email and on internet. The fraudsters are smart and ruthless. Countries and networks are setting up individual and highly necessary digital shields to protect their citizens from the millions of attacks. It’s a whack-a-mole game. The fraudsters change the channel or target another country. Almost always, the fraudster go free. Cooperation is the only way forward. But we must do more than talk. Action is key. It’s time to act. Let’s take action together.

Johannes Vallesverd: Welcome, everybody, to this session on building trust and combating fraud in the internet ecosystem. My name is Johannes Wallesward. I’m a senior legal advisor at the Norwegian Communications Authority. I’m also chairing the National Expert Group Against Digital Fraud, also chairing the Global Informal Regulatory Anti-Fraud Forum. We also have today an online moderator, Frode Sørensen, my good colleague. He is online and taking questions online. So, welcome again, everybody. The goal of this session is to not only talk, but also to look at what we are doing and what can we do in operational terms, regulatory and technical, to reduce fraud. We should aim at not just identifying the vulnerabilities, but also to use our collective intelligence to identify potential mitigating measures. So, in order to do so, you need a good team, a team that has different angles to the problem. So, today, at the stage, we have a powerhouse of fraud fighters. These are people who are working on reducing the problem of fraud from very different angles. We have on my right side Rens Grimm. He’s an anti-scam specialist from Gaza, the Global Anti-Scam Alliance. We have Camilla Sharma, Director of Market and Services, Department of Norwegian Communications Authority. We have Riika Putunen, Program Manager of UNODC, UN Office of Drugs and Crime. We have Emily Taylor, Co-Founder of GSE and the Global Signal Exchange. She will be accompanied by Lucien Taylor on the presentation. We’re also very happy to have Rima Amin, Security Policy Manager, Community Defence at META. Also, Birgitte Engebretsen, Managing Director of Telenor Norway. Last but not least, we also have Nico Caballero, Chair of the GAC, the Government Advisory Committee to ICANN. So, it’s a fantastic lineup. I’m looking forward to hearing your presentations. So, let’s jump right into it. The first speaker can take the podium now. He is Rens Grimm. He is an anti-scam specialist. They have a lot of information on the global picture of fraud. So, tell me, Rens, how is the global picture like?

Rens Grim: Yeah. Welcome, everybody. I hope you enjoyed your lunch. My name is Rens. As Johanna said, I work for the Global Anti-Scam Alliance and I just wanted to show you that I promise you, no artificial intelligence was used to make this presentation, but I’ll leave it up to you at the end of the session. So, Global Anti-Scam Alliance. So, who are we? We are a non-profit organisation. What we try to do and we aim is get all the stakeholders together that are involved in fighting crime. So, we do that by exchanging knowledge. We do that by sharing the best solutions there are on the market to fight fraud. Our mission is very simple. We protect consumers worldwide from scams. If the room was the world today, then 25% of you have literally been a victim, not confronted with scam, but have been a victim of scam. 25%. Imagine that of the worldwide connected population. That’s quite a lot. What we’ve done is we’ve tried to extrapolate on the basis of a worldwide survey that we do on the 60,000 people and we have estimated that the total volume of losses is estimated to be $1 trillion. I’m from the Netherlands and that’s more or less the GDP from my country. In most countries, crime, online scamming, online fraud is either the first or the second most reported crime. I’ve highlighted England with 38%. If you can imagine that only 2.5% of those behind the scenes, those to fraudsters and the online scammers are actually prosecuted. 2.5% is actually good because worldwide it is estimated it’s five hundreds of a percent. So, the English are doing a pretty good job with a 50-fold of that number, but still imagine 2.5% is a desperately low number. I’ve put down some highlights from a survey that we’ve done in 2024. You see that 67% of world citizens believe that they have the skills to recognize a scam. At first sight, you’d say that’s pretty good. That’s two out of three people are capable of seeing a scam and possibly being protected against the scam they’d be confronted with. However, re-victimization is quite a problem. On the basis of the same survey, we’ve seen in many countries that victims are not only victimized twice, but in some cases three times. So, the number is maybe a good number, but if you look behind the scenes, it’s still troubling. Phone calls and text messages are still the most popular media to scam. Almost half of the world encounters a scam once a week. Globally, 31% are uncertain whether AI was used to scam. Shopping scams are the most frequently encountered scams, followed by investment scams and identity theft. Many victims are caught out by reacting quickly to attractive offers. Either it’s too good to be true or they don’t have the knowledge to judge if they are doing the right thing in making a purchase of the services delivered. 74% concluded that they were the victim of the scam themselves. That is a rather high number. It’s also culturally determined. If you go to countries like, say, the Philippines, it’s more a family thing together, that people together say, hey, guy, best friend, you’ve been a victim of a scam. Bank transfers and e-wallet are the dominant scam payment method. Globally, only 4% are capable of getting a full refund, only 4%. The last one, and I saved that one for last, is that 7% of people globally admit they would be taking part in a money mule. They would be asked a question, if I gave you $20,000, you can keep $1,000, and 7% say, well, I think that’s a pretty good idea, I’ll do that. Even 50% of the 7% say, why should I give back $1,000? I’m going to keep the money at all. Looking here at the audience, I would like to, of course, statistically, 7% could be here. Of course, you’re not the piece of people, but if you are, I’d like to meet you at the bar later on, and we can discuss. Scamming has gone back for 3,000 years. In old Egypt, it was good to favor the gods to mummify a pet animal. 70 million animals have been mummified. In recent research in England, of the sarcophagus that were still there, they noticed that almost 33%, one in three was fake. We’ve been scamming, and we have been scamming for about 3,000 years. This is an interesting one. This is a Japanese lady, 65 years old, who actually paid 35,000 euros to get her lover back from space because he needed a rocket. This sounds incredible, but it’s happened. It’s true. 28 seconds. My ex-wife is a scammer. and a whole bunch of non fiction business people like Elliot GSE and Frank Snyder. For more info about the Pew Media Apps and 2017,

MODERATOR: head to www.pewmedia.com. www.pewmedia.com www.pewmedia.com www.pewmedia.com www.pewmedia.com .

Camilla Sharma: Welcome to the first meeting. Today the group has participation from several public and private stakeholders, including mobile operators, the CRDB, authorities, police, bank sector and others. And we are very happy to have three mobile network operators, Telenor, Telia, ÖYSLYSETELE, on board. They are providing crucial and constructive contributions in the collaboration. But it is not just collaborations and discussions. The group also conducts vulnerability assessments and finds mitigating operational measures. This is, for example, one picture here. This is a table from the result of the digital anti-spoofing roaming shield that entered into force 19 November 2024 as one of the first in the world. This shield is the reason why no practical Norwegian mobile number can be spoofed from abroad. The trust in mobile numbers was low some years ago due to a lot of spoofing, but now it is almost restored. A fun fact of this slide, as you may have noticed, that you can see that the fraudsters take ordinary Christmas breaks and they also take a well-deserved weekend off, so they are not on duty all the time. But it is not a full or total shield. This is a very simplified illustration of some of the blocking measures that protects Norway. As you can see, it is missing a chunk, and there are dotted lines breaking through. But again, we are blocking almost all spoofing Norwegian numbers, but we are not blocking foreign spoofing numbers. We are blocking a lot of SMS, but not all. A lot of blocking of fraudulent URLs, but a lot goes through, as you can see. And on the OTTs and the Internet-based services, we do not know how much is blocked or how much is passed through. That is why we are expanding our initiatives towards Internet-based services. It does not matter for the end user where he or she gets defrauded. We need to protect them on all channels. But how do we begin with difficult and or? The answer, we believe, is to reuse the successful multistakeholder working methods that have produced results of both voice and SMS. We need to be collaborative, operational, and pragmatic. Why pragmatic, you may ask? Well, we will never get rid of fraud. The world is far too complex. Crime will always be there, and AI will make it difficult or probably impossible to differentiate fake representatives for true. So, I think it stopped working, Johannes. Yeah. Okay. Yeah. Okay. Lastly, I want to mention the importance of teamwork. One collaborative project that we find very interesting, that is the Global Informer Regulatory Antifraud Forum, or GIRAFF, as we called it. The group is chaired by ANCOM, and 40 countries from all regions of the world have participated in meetings. The goal is to compare best practices and create harmonizing measures in the global fight against digital-enabled fraud. If you’re a regulator, please consider to join GIRAFF. With these concrete operational remarks, I will close my intervention, and I look forward to the rest of this session. Thank you.

Johannes Vallesverd: Thank you very much, Camilla. It’s good to see that some mitigating measures are indeed working and protecting the citizens every day. That’s very good. So, we will move on. Let’s kick it up a notch. We will go over to the UNODC. So, Riika, you can take the stage. So, my question to UNODC and Riika is, what can you tell us about the international legal framework addressing fraud as a form of an organized crime? Very happy to have you here, and good luck.

Riika Puttonen: Thank you very much, and good afternoon to everybody. As we saw in Ren’s presentation, fraud is really as old as humankind. But in this post-truth era, supercharged by technology, artificial intelligence, deep fakes, and so forth, fraud is not only surviving, but it is absolutely thriving. It is evolving in terms of speed, scope, and scale, and it is absolutely exploding in that regard. Also, fraud really affects every one of us. If I asked you if there’s anybody in the room who was never targeted for fraud, I don’t imagine many hands going up. I think all of us are constantly targeted by fraudsters in various ways and forms. So, we don’t fall for fraud. That terminology we should leave aside. We are targeted for fraud. Whom are we targeted by? We are targeted by organized criminal groups. There is a UN Convention Against Transnational Organized Crime, which is almost universally adhered to, with 193 parties to the convention. So, that is a very, very broadly adhered to convention of the UN. The idea behind the convention is simply to promote cooperation. Because clearly, when it comes to fraud, there is nothing one single country can do in isolation, but we need a concerted effort by every single state. And all the different players, like this morning we heard about the multi-stakeholder approach, the private sector, civil society, academia, and all the players. We need everybody around the table. How does the Organized Crime Convention, which is already 20 plus years old… has it really withstood the test of time in terms of applying to fraud as it manifests itself in today’s world? I’m very glad to say that it has, because the drafters, meaning all the member states of the UN, actually drafted the convention to apply to all serious crime. And serious crime, if I again asked you as the audience, what does serious crime actually mean, I would probably get as many answers as we have people in the audience. So drafters had to come up with a threshold. Any offence that in your domestic legal system is punishable by four years or more of imprisonment. The maximum penalty, four years or more, is serious. I’m also very sad to say that fraud, despite the severe consequences that we heard about, is not a serious crime in all countries. So there is homework for all of us to do. The consequences are severe and the nature of fraud keeps on evolving, so does the international legal framework. And there was just the new UN convention against cybercrime that was adopted recently, actually at Christmas last year, and that convention now kind of takes the whole fraud debate also to another level and includes also manipulation of electronic data and ICT systems. So that manipulation is now also covered, not only the traditional forms of fraud through deception. But that convention, which will open for signature in October this year, that’s when the signing ceremony takes place, that convention also builds upon the Budapest Convention, for those of you who may know the Budapest Convention already, and adds, proposed by Singapore, which is a leading country in the world when it comes to combating fraud, proposed by Singapore one more type of a fraud through more kind of traditional deception. This is how fraud is often carried out. So that convention again will mean a bit of homework for all of us, for countries to continue criminalizing fraud in a way that actually reflects the reality in today’s world. So I was very punctual today. I would just like to finish with a little announcement to say that UNODC and Interpol will host a Global Fraud Summit in March 2026 in Vienna, and we hope to see many of you there. Thank you very much.

Johannes Vallesverd: Thank you very, very much, Rikke. Always a pleasure to hear you and your insightful comments. So it’s good to see that there are exciting regulatory measures on the pipeline and looking forward to signing procedures in October. Let’s go to the next one. Please stay up, Emily. We are now going to hear from Emily and Lucien Taylor. They are co-founders of GEC, the Global Signal Exchange. I first learned of GEC this winter, and it was quite refreshing to see the operational aspect of the GEC. So with no further ado, I will give the floor to you both. Could we have our slides? I think we’ve got ICANN slides, which I’m happy to have a go at, but it’s for the Global Signal Exchange. Sorry for this little hiccup. So while we are here now, those of you online, you can ask questions in the chat field, and Frode will arrange which one will be presented later on. So now, Lucien and Emily.

Emily Taylor: Johannes, thank you so much for the floor and for inviting us here to present the Global Signal Exchange. My name is Emily Taylor, and I’m joined by Lucien, and the more observant will have noticed that we have the same surname, and yes, we are married. So RENS has given you a very detailed overview of the scale of scams and fraud and cybercrime generally, so I’m not going to dwell on this slide. Instead, I want to think about the way that cybercrime and fraud and scams can be disrupted, and the journey that a scam will take from building infrastructure, whether that’s establishing a company, a website, a domain, establishing a false identity, using and abusing the services of platforms and of other services, engaging with the victim, so they will be relying on platforms, they will be relying on internet service providers, telephone companies, and it’s only at the very last second when they persuade a victim to part with their money that it becomes obvious that there is a fraudulent payment there. So all of that happens prior to the payment, and all of those services are used and abused. Now, the current status has been that there can be quite advanced sharing of information within each of those industry verticals, perhaps nationally, but there’s almost nothing that takes information across those different sectors and shares that information internationally. The scammers work internationally, they share information, and to fight it effectively, so do we need to do. So the global signal exchange is really a clearinghouse, it’s not a takedown service, it’s about enabling those different services along the fraud attack chain to share intelligence with one another in real time to combat fraud and scams, and it was announced last October, so it was set up, the global signal exchange is a non-profit, and it was set up in partnership with the global anti-scam alliance, bringing together their amazing international scam fighting network, and with the support of Google, which committed to sharing threat signals from right across its business services for the benefit of scam fighters. At the session in London, which Johannes was talking about, the global signal exchange was called out by two ministers, the home office minister, the anti-fraud minister, and the DCIT minister, who I believe is here, and we are already getting many partners on boarded. And so the latest is that we have over 160 organisations either joined up or in the onboarding channel, including four of the big tech, who are committed to sharing those data, and we also of course work across the non-profit sector with fellow civil society organisations, so truly this is a multi-stakeholder, voluntary initiative. So now I will hand over to Lucien.

Lucien Taylor: Thank you, Emily. I’m going to do a full tech demo. I had three minutes, and now Emily took 12 seconds of that. So my job, I built this global signal exchange not overnight, it’s happened over 20 years, we’ve been developing information exchange systems for 20 years, my team in Oxford Information Labs. Our job is to make a difference, both pursue and prevent crime. So on the pursue, we’ve got a new acronym, the QUIC factor, we’re developing systems that support quantity, immediacy, and the quality of threat signals exchanged. In terms of the quantity, we’re now going into the actual global signal exchange. Every day we do an audit of new signals. We started with 40 million threat signals. When you think the British police advertise that they’re getting 30,000 threat signals from consumers every month, we’re getting a million a day. And I don’t think we’re seeing half of it, folks, that’s the problem out there. But we’re also interested in what we call when we share signals, uplift and overlap. And we’re going to go steampunk here. Uplift. When all parties share signals and thereby find new information, we observe uplift. Overlap. When all parties share signals and simultaneously detect the same signal, we increase confidence. And so what we’re now looking at is also the immediacy of the signals. We’ve got the time to live of signals, and we’re getting signals in in 40 seconds, and you can see that the average time to live of signals is basically up to four days. So we all have a job here to try and reduce that time lag. Quality, you have the provider score of the threat signal provider, but also the quality of each signal. And the provider themselves can give a quality score, a confidence rating, and also the people receiving the signal. can give a feedback and we’re missing feedback from this whole game between us all and that’s what we’re trying to do. Another part of our job is to develop league tables. We have registry league tables. Who’s the best? Who’s the worst? Here you can see a huge percentage of the bottom registries have their stock is toxic. Registrars, those with over 50,000 domain names, we say that they’re actually big players. You’re looking at large percentages of stock at the bottom that are toxic. Finally, we have a number of pilots. We’re working with advertisers, registries, registrars, ASN block providers, big tech, marketing providers, and we have a new public sector service for police and law enforcement, which is basically an investigations platform where they can look signal by signal at various metrics in there. Thank you very much. Finally, the impact, we all need to change the game. We need to do cross-sectorial international signal sharing and make things quicker and reduce the cost of threat intelligence for the small players. Thank you for the extra 10 seconds.

Johannes Vallesverd: Thank you, Lucien, and yes, it’s so refreshing to see. This is data sharing in practice. We’re talking a lot about data sharing. We’re doing it. We’re talking about real-time. You’re doing it. We’re talking about scale, so you’re doing it. So it’s very impressive the work that you have carried out and are doing. What you forgot was to say that .no, the Norwegian top level is on the top of that list, but so I said it now. So in a panel on fraud fighting, we need to have social media, and I’m very happy to say that Meta could join this session. We have all seen fake profiles, fake stores, and all the fraudulent activity on social media. So Rima, tell us the work you are doing on Meta

Rima Amin: against fraud. Sure, happy to, and thank you for having us here today. I’m going to start by talking a little bit about where fraud sits sort of within our team. So my team’s focus on tackling adversarial threats. Those are the threat actors who are persistent in nature, often have resourcing behind them, and have a strategic goal in mind. So those threats tend to typically manifest as foreign influence operations, cyber espionage, hacking, and frauds and scams. The reason frauds and scams falls within this subset is because they are some of the most aggressive and agile of actors sort of out there. They also have a huge amount of infrastructure underpinning them as well. Emily’s spoken a little bit about the attack chain. I’m going to add a little bit more sort of detail because this really is the anchor behind a lot of the way in which Meta is thinking about this problem as well. We took a step back and identified what are all the different tactics that these operations are, you know, what are they doing? And then we categorized them in terms of the sequencing within which they happened. And essentially we came up with this sort of attack chain. It starts off with the building of infrastructure, and that’s where people and tools are essentially being organized to conduct scams. It’s important to say that at this point harm is already happening. You may have heard about people being tricked into sort of job scams and being forced into scam centers where they are essentially forced to conduct these scams. The next stage is around preparing digital assets. So when you have the people and the equipment, you are then creating your online identities. The scammer moves on to engage the victim. That can be through a post, an ad, a message. It’s that first point of contact where they’re engaging. They then move on to execute, which is where the financial transaction takes place, and then cleanup, which is when the actor is trying to conceal their activity to avoid being detected. It can involve things like money laundering. In terms of the attack chain, a couple of things that we observe. One is for us as META, we have sort of the most visibility and therefore the most opportunity to really intervene at the engage stage, where the victim is being contacted by a scammer, and a prepared digital asset stage. We’re also conscious that there are others working to counter frauds and scams that may have more visibility into other parts. So law enforcement may have more information on the criminal groups that are building up the infrastructure, or banks may have more information at the execute stage where the financial transaction is taking place. So for us, we’re really focused on what can we do within the space we have visibility, and then what can we do to support others who may have visibility in other sort of phases. And then the other thing that we’re thinking about a lot is how do we push this as far left as possible? Because the further left you put in your interventions, the more chance you have at stopping this at scale. Okay, so I’m gonna try and give an overview of our the pieces of our strategy to tackle frauds and scams. The first is actually building up our product defenses to make them as sort of resilient as possible to scammers who may try to abuse them. Of course, if we know that somebody is a scammer, we’ll take them sort of down off a platform. But there may be times where we don’t have enough signal, and so putting in frictions and warnings and things like that are incredibly important. We’re also thinking about how can we leverage new technologies to counter frauds and scams. So you may have heard that public figures’ images are being sort of misused to trick people into scams. So we launched sort of use of facial recognition technology to understand if a public figure’s face is being misused, and then if we have some signal to accompany that, we’re able to pull it down. That has helped us to be able to tackle that particular problem, and we’re constantly thinking how do we utilize sort of technology in that way. The second area is empowering users. So how do we encourage people to or equip people in the best way possible to be as cyber resilient as possible? So that includes suites of tools, so things like two-factor authentication, making sure that they have everything they need to be cyber secure on our platforms, but also on other platforms across the internet as well. The third piece is disrupting scammers. So here I’m talking about pulling out these criminal networks that I was talking about before. We have investigators who are able to do that, pull those networks out, share that intelligence with others who are tackling the problem, and then be able to use that intelligence to rebuild our product defenses to make them stronger to prevent things in the first place. And then the fourth pillar, and this is really important and goes back to the attack chain as well, is how can we collaborate across society, leveraging organizations like the GSC who is facilitating sort of signal exchange, building up sort of other pilot programs, working with others on sort of campaigns to help inform people around how to tackle frauds and scams. Okay, I’m out of minutes, so I will stop there, but really looking forward to the rest of the discussion.

Johannes Vallesverd: Thank you, Rima, and we will also come back to your interventions in the panel discussion that we will have in not many minutes. But of course, another important part of the global fraud-fighting team, this powerhouse of resourceful people and businesses, is the mobile operators. So what are they doing and how are they doing it? To give you an example, we are very happy to have Birgitte Engelbretsen, Managing Director of Telenor Norway, on the stage. So tell us, Birgitte, what is your insights on this?

Birgitte Engebretsen: Thank you, Johannes. Telenor is a global company currently operating both in the Asian markets, but also in the Nordics, with more than 200 million customers. We have connected both people and societies safely for over 170 years, and in Norway we have close to 3 million customers. The majority of the data traffic in Norway is going through our networks and our services. We are therefore in a unique position to look into what kind of problems do we have related to fraud and digital crime, which is targeted towards the Norwegian society. In Telenor Norway, we have one of the leading security teams in Norway, with the expertise to combat advanced threat actors as well. as well as criminal groups. That means that if you are a Telenor customer, you have some of the best security experts on your team at all times. Our ambition is to be the safety net for the Norwegian customers and society at large. Since we are digitizing services to make our life easy, both in our private lives and in our work lives, this is fantastic. However, that increases the push from criminal actors from the physical space to the digital space. Telenor is experiencing that customers and the public are more concerned about security in their digital lives now, much more than before. There is a high demand for both information and security advices and assistance in protecting against fraud and threat actors. There. All of Telenor’s both mobile and broadband customers will get their subscriptions with fraud filters integrated into those subscriptions. In addition to that, we offer extra services in order to secure both private customers, but also the business customers, with security in their digital life or work life. In addition to a yearly publication, which is called the Annual Digital Security Report, and combined with an open press assessment, we also publish a quarterly security pulse for the security situation in the Norwegian society. In 2024, we could see that we blocked more than 2200 million attempts of fraud and digital crimes towards our customers in Norway. That’s similar to two attempts of digital crime each day towards our customers. This is a huge number, and it shows that we need to take this threat seriously, and it’s not a local threat, it’s a global game for these actors. Although we are taking many, many steps to stop digital crime and fraud towards our customers and the society as a whole, there are still jobs to be done in order to combat this together. And to effectively combat digital crime, it’s crucial for both businesses, government agencies and law enforcement to collaborate closely. The collective effort can lead to a more robust defense against cyber threats. Organizations must prioritize investments in advanced cybersecurity capabilities. By adopting cutting-edge technologies and proactive strategies, businesses can better protect both themselves, but also their customers and the society at large. Quality and security must be given a higher weight in tender processes. It’s crucial that the public sector creates a market for security and robust services and uses their purchasing power in order to support that. By doing that, we can keep the public safer, but also create the market for security services. Effective laws and regulations related to cybercrime can create a safer digital environment. Legislation can stop criminal activities. In this context, effective also implies clear. Let me give you one example. How do we balance customers’ need for data privacy protection and secure communication channels with the need to share data between relevant actors, such as banks and telcos, in order to fight digital crime? Dilemmas such as this must definitely be discussed in a collaborative context. Thank you.

Johannes Vallesverd: Thank you very much, Birgitte, for those insightful comments. I totally agree with the multi-stakeholder comment you made. Also, those operational remarks on the purchasing power and the clarity of law. Last but not least, when I discussed with my co-moderator, Frode, who is online now, we needed the domain name market industry regulations on board. We have FactFinders, we have regulators, UN operators, social media, GSE Hub. We started at the top with the chair of the Government Advisory Committee to ICANN, and he answered, I think, within a couple of minutes. Very happy to have you here, Nico. We want to hear about the issue of phishing that remains a dominant form of DNS abuse, often used in exploiting domain registration loopholes. What specific measures is ICANN advocating to enhance register and registrar accountability?

Nico Caballero: Thank you, Yohannes. Can you hear me? I can’t hear myself here. Thank you. My name is Nico Caballero, and I’m the GAG chair of the Government Advisory Committee to ICANN. I assume everybody knows what ICANN is. I was surprised. I had to explain a little while ago what ICANN is, but broadly speaking, ICANN deals with domain names and, let’s say, the translation between those names and IP address, IPv4 or IPv6 addresses. So let’s take a quick look, and I only have five and a half minutes. The DNS abuse landscape, as we understand it within ICANN, there are five main, I mean, I would say the top five DNS abuse types. The first one being phishing, which makes up more than 90 percent. According to some numbers, it’s 95 or 96 percent of the cases as per NetBeacon Institute, and there are some other sources as well. And then malware, botnets, farming, and spam for the remaining percentage, spam when used as a delivery mechanism for the other four. And a huge impact. I won’t get into the details. It’s been already explained. But broadly speaking, we’re talking about a $12 billion impact in terms of annual losses, and these are numbers coming from the Internet Society from last year. What it does is it basically erodes trust in the DNS ecosystem, which is a very bad thing. Sorry, let me move this. And that’s what I was more or less talking about. So I want to share with you some highlights from our last meeting, ICANN 83 in Prague, about two weeks ago, as a matter of fact. Some highlights from the GAC sessions. On the one hand, we have malicious registrations that clearly enable phishing, and we also identified that there’s a lack of uniform enforcement against rogue registrars. And again, there are many different sources for this, this one coming from a clean DNS study. There’s another case study that says that registrar X, let’s just say, unnamed, is linked to more than 60% of phishing domains in 2024. And we can talk about that a little bit later with more specific numbers. So I won’t read the whole thing because there’s obviously no time for this, but phishing scams account for a large portion of DNS abuse, with, again, some reports indicating they comprise all in all 62%, more or less 62%, and this is according to AAG IT services and some other sources, and you have the sources right there and you can check later. And then we have spam, malware, and botnets. Farming is almost non-existent, but they are at least in the DNS abuse landscape. And then botnets, you know, which are basically networks of infected devices controlled by attackers and so on and so forth. And I’m taking a look at the time. So I won’t get into details, but I want to concentrate on this, you know, the DNS Abuse Mitigation Program that ICANN has at this point and divided into three main pathways, so to say. The first one, you know, is basically contributing data and expertise to fact-based discussions. And there are four things there, the first one being the D.A.R. D.A.R. stands for Domain Abuse Activity Reporting, which is a system that measures domain abuse and registration activity for GTLDs and for volunteer CCTLDs, Country Code Top Level Domains, volunteer CCTLDs. And then Domain Metrica and I.T.H.I., and we can talk about what A.T.H.I. is later on. And then Capacity Building and Training, that’s one track, so to say. The second track being, you know, providing tools to the ICANN community, you know, through the Infermal, Infermal again standing for Inferential Analysis of Maliciously Registered Domains. As you know, ICANN is kind of like an acronym romance, so I’m just trying to be careful to actually explain what each of the acronyms means. And then SIFT, which is Special Interest Forums on Tech. So that’s basically the second track. The third track being enforcing contractual obligations with registries and registrars. You know, ICANN compliance enforces COs, that is Contractual Obligations, again, sorry for the acronym, in policies and agreements, including R.A., which is Registry Agreement, and R.A.A., again, the Registrar Accreditation Agreement. And I’m running out of time. And there are also some potential sanctions and service level agreements being discussed. These are proposed solutions, you know, and some brainstorming we had within the GAC. Sorry. Sorry. Yeah. There we go. The first one being, you know, stricter SLAs for takedowns, you know, 24-hour response mandate, and we’re discussing that. This is not in place yet, but, you know, this is, you know, just some brainstorming session we had in Prague two weeks ago. Contractual penalties, the second one, you know, fines and suspension for repeat offenders within the ICANN contracts, that is. And then proactive screening, you know, as was mentioned before, AI-driven pattern detection, you know, like bulk registrations, and, you know, there’s lots of information in that regard. And then finally, and I’ll finish with this, because we’re running out of time, absolutely, the most important point would be, you know, collaboration frameworks, you know, as per the NetBeacons idea, you know, reporting tools, you know, and standardized abuse reporting, as per the Internet Society’s trust initiatives, you know, capacity building for Global South registries, and, you know, the real-time data sharing, you know, within the GAC itself. Again, the GAC being the Governmental Advisory Committee within ICANN. And there are so many sources there, you know, no more time for that, but anyways, thank you so much, and very happy to engage in conversations or taking questions. Thank you so much.

Johannes Vallesverd: Thank you very much, Nico, and I must say I was in a GAC meeting back in 2007, and it’s good to see that the role of GAC is now evolving, and that you are mentioning taking some stricter operational measures. That’s very, I think, very, very, very needed, because the registrar and registered units are a very important part of the puzzle, where you actually get the domain names. So we are now moving over to a panel session, and I’m looking forward to this for many months now. So we will go through some questions to the panellists, and then we will engage with our online community. So but I will start with my man on the right here, Rens. We’ve been talking about AI in many of these different sessions, so what do you think about AI and in the future of scams? Are we able to see the difference?

Rens Grim: Difficult question, but I mentioned the research that we did in 2024, where the conclusion was that in relation to 2023, we saw about the same amount of scams. The amount of money defrauded was more or less the same. Is that reason to be happy, or I compare that with that the bad didn’t get better. I like to make a comparison with the sporting arena. Let’s say, for instance, your football team that you support has lost 10-0, and the next game they lose again 10-0. I wonder what the atmosphere is in the changing room. Do they say, oh, we did a pretty good job because it wasn’t worse than last year? I doubt that very much. With AI, I think we’ll see writing of fraudulent text in SMSs, in emails. We see that in generating dialogues on platforms like WhatsApp, Telegram, Facebook messaging. We see an increase in mimicking of voice, creation of images, being that a person or a product, and also the producing of voice, again, be it a product or an image. I think it’s a very difficult question, Johannes, to answer, but I think we are not yet at a tipping point, I believe, but that’s my personal opinion. It will get worse before it gets better.

Johannes Vallesverd: I think you’re right. Let’s embrace ourselves, and then we have to tackle it, but it’s getting increasingly difficult to differentiate. Let’s talk a little bit more with the regulator when you are here on the table, Camilla. You talked about the transition, that we will transition towards Internet-based services. What are your thoughts on this transition?

Camilla Sharma: I don’t think that it is a very easy, straightforward answer to that question. I don’t think so. But I think that we must entail that Internet-based services is a very broad term. It is a very complex field, both technically, legally, and culturally. But I really, strongly, truly believe that the industry and the regulators share many of the same goals. We have seen it in so many ways in the past time, so I think we can base that also with the future collaboration. We all want increased digital trust. We all want increased digital inclusion, and we all want to reduce fraud. We will get some new regulatory tools, no doubt about that. But I think that the most important aspect is that we work together with the Internet stakeholders and the traditional stakeholders, both from the regulator’s side and from the industry. I truly believe that is the answer in many ways, and we have to find out how to do it.

Johannes Vallesverd: Thank you very much, Camilla, for those comments. I totally agree. So we sometimes see that we ask for regulations, but many times the regulation is really there. We ask for clearer rules on privacy, but they are really there. Sometimes you just need some guidance. But let’s take a look on the legal framework, and let’s go a question to Rikke and to UNODC. How are countries doing with the criminalization of fraud as it manifests itself in the world today?

Riika Puttonen: Thank you, Johannes. Criminal law is not a magic bullet. It exists in the regulatory framework, and it has to be a complementary measure, and it certainly doesn’t exclude the kind of civil and administrative measures against fraud. They coexist, so to say. Globally speaking, different countries use different terminology for fraud. Some use fraud, scams, trickery, theft, deception, swindling, misrepresentation, and so forth. We are far away from actually having a common understanding of what fraud entails in today’s world. As I mentioned earlier, fraud under these various names is not always criminalized as serious crime, but we’ve heard of the serious consequences of fraud, and therefore I do think that it warrants to be criminalized as serious. This really is problematic for international cooperation, because judiciaries around the world would have to rely on each other for mutual legal assistance, extradition, law enforcement cooperation, and so on. and so forth to be able to tackle the organized criminal groups which operate without any regard for rules and so forth. They operate transnationally, so must countries as well. And if we do not criminalize fraud in a somewhat uniform manner as serious crime, we don’t necessarily have the legal tools for countries to actually cooperate internationally. So these international conventions are not only paper, but they constitute real tools to combat fraud. So really, criminalization matters, and we are not yet there. Thank you, Johannes.

Johannes Vallesverd: Fantastic. Good intervention. So I totally agree. Fraud is not petty theft, as we heard from Rens Grim. The consequences of fraud can be lethal. So let’s tackle this organized crime, international organized crime, as that organized international crime. So, but we always hear about privacy. We can’t share data. We can’t share data. But can we share data? And let’s talk to somebody that has shared data. How did you do it, Emily? How have you been handling the data privacy issue?

Emily Taylor: Thank you very much for the question, Johannes. And I should say, you know, in any healthy democracy, protect for fundamental rights and the rule of law are not unnice to have. They’re absolutely essential. And they also give the bright lines for law enforcement to adhere to. I think often in these sort of debates, you know, we as humans love binary. So we like, you know, are these in opposition to each other, criminal justice and privacy? No, they’re absolutely not. And in the UK, we were very fortunate that our national data protection regulator actually issued some guidance to clarify this matter, which is extremely helpful. And as Erica says, this is not, you know, whether it’s in the criminalization area or in the data sharing area, this is not a static legal international framework. We’ve got, we’ve had the OECD principles, the second additional amendment to the protocol to the Budapest Convention, EU Evidence Act, and the list goes on. So, you know, within the GSE, we have been working on the protections for privacy alongside the technical development from the outset. And I think that that’s really the way to do it. And to make sure that whoever is sharing data is always in control or in charge of what happens to it. And there’s no sort of really over lax default settings. So, you know, privacy laws are not an annoyance. They need to be baked in. The adherence needs to be baked in from the start so that people who are using the system can have confidence that their privacy will be respected and that they, you know, that helps to give the benchmark and the level playing field so that people feel confident in sharing data to combat scams and fraud.

Johannes Vallesverd: Excellent. Good answer. And I concur also in Norway, when we had the talk about the digital shields, we got input from the industry saying, okay, we need just some guidance. Please give us some guidance. And it took a couple of days to provide the guidance and that’s what all it needed to get the ball started. Of course, the industry did all the work, but we made some guidance in the start and that kicked it off. So totally agree. Okay. Now, Rima, many people are being confronted daily, perhaps not daily, but often with fake profiles on different social media channels. And you don’t have to talk for everybody here, but what do you think about the challenges of fake profiles and fake content? How do we reduce this problem? You talked a little bit about it in your intervention, but do you have

Rima Amin: any supplementary comments on it? Sure. Happy to do that. So fake accounts are an incredibly important thing for us to be able to counter. Again, if we go back to the attack chain, creating that deceptive identity is one of the sort of the earlier parts that we are able to have sort of visibility in. So we have teams that are working to create technology to be able to detect this stuff at scale. And just to give you an example of the type of scale that we are looking at, in Q4 of 2024, we took down 1.4 billion fake accounts, 99.9% of those proactively, often at the point of creation before they were reported to us. So our technology is catching these fake profiles. And I should caveat here that because we’re catching them very early on, we don’t know the purposes for which they would be used, right? It’s not necessarily all frauds and scams, but we know that fake profiles are important when it comes to frauds and scams. Now, when it comes to 0.1% of the ones that we weren’t able to catch that were reported to us, there is a challenge that comes with that. So the teams are constantly thinking, okay, how do we close that gap and get closer on it? The challenge can be is that as you become sort of more aggressive and you catch innocent people within that as well. So yes, very important part of the work and something that we’re focused on. I want to touch on content a little bit here as well, as you mentioned it. I don’t know if anyone’s come across a piece of research by Camille Francois, which talks about how you handle or ways to handle adversarial harm on the internet. She says that you can focus on an actor who is behind the activity. Then there’s behavior, which is what are the behaviors that the person is doing sort of on the platform. Things like trying to reach out to numbers of people that they’re not connected with, that type of behavior. And the third piece is content, which is what is it that they’re actually posting on the internet. Now, all three of those components in the ABC framework are incredibly important. For frauds and scams, content is important, but it’s a harder lever to pull. If you compare it to a harm like terrorism, fraud, it’s not as obvious. And they deliberately construct this to not be as obvious. And then the second thing is the content switches over time. Fraudsters will try to promote one item and then move on to another. So they’re constantly shifting, like that’s part of their MO. Whereas it’s much harder for a fraudster to shift sort of their behavior or try to hide who they are. Of course, they will try to. But I think that’s really important to sort of bear in mind. And that framework is something that we think about a lot when it comes to how do we tackle fraud across the ecosystem. Thank you. Thank you very much. We will get some questions afterwards from the

Johannes Vallesverd: room also. So if you have anything, just prepare yourself if you want to do that. Birgitte, you emphasized the importance of cooperation. And I know that many of the measures that Telenor are taking to combat fraud are quite costly. How can the private and public cooperation be in order to help in this regard? I think we should reflect upon

Birgitte Engebretsen: the magnitude of the problems that has been presented from all of us and the fact that we need to work together and we need to share the burden. So maybe let’s think about it in a triangle where you have the customers. They should ask for secure and safe services and be willing to pay for that. The government needs to finance parts of those costly measures. And the tech and telco companies also need to invest. So it’s in this triangle I think we need to really

Johannes Vallesverd: divide the burden between the three. Good. I agree. I think also the money that you put in protecting citizens is in the long run you get it all back with interest. So good intervention. Last but not least, over to Nico. You are in a key position here as the chair of the Governmental Advisory Committee. And you have a lot of data and you have a lot of issues at your hand, but in particular to this fishing topic that you mentioned. Is there any, let’s talk a little bit out of the box now, possibility for data sharing, real-time data sharing, a kind to the anti-fishing working group that you have mentioned, while still balancing the GDPR? Absolutely. And I took the time to prepare some.

Nico Caballero: It’s a very Very short list, you know, mainly four things, but important to take into account. The first one is layered access models, you know, implementing, you know, tiered access to who is data, where, you know, the critical fields, like, for example, anonymized email contacts, you know, are available for legitimate purposes, like cybersecurity, of course, while protecting personal data through reduction or encryption. That’s one thing. The other thing would be, you know, a centralized accreditation. Can you hear me? Because I’m having trouble with my, you know, developing a unified accreditation system for vet entities, so to say, like law enforcement, cybersecurity professionals, and so on, to request nonpublic data, ensuring compliance with GDPR, GDPR’s legitimate interest provisions. Also, you know, a collaborative framework engaging with, you know, data protection authorities and industry stakeholders to align policies with GDPR, as in, you know, as you can see in the temporary specification and the EPDP, that’s expedited policy development process, again, a long and complicated acronym coming from ICANN, but it is what it is. While preserving, again, as I said before, interests, like, you know, like fraud prevention, which is our main point here. And then, finally, there are some technical solutions, like, you know, coming from ICANN, I mean, you know, like supporting innovations like the RDRS, that is the Registration Data Request Service, you know, formerly, you know, known as the SSAD, you know, to streamline secure data requests without, I would say, overburdening the registrars. So that’s more or less what I can share at this point.

Johannes Vallesverd: Thank you. Thank you very much, Mikko. So we will have a couple of open questions first, and you can answer if you, when you want, the one where you just raised your hand, and then we will open the floor. But by first, we’ll talk a little bit about privacy. So I will give you a provoking question on privacy. Are the privacy rules now protecting the victims or the fraudsters?

Rima Amin: Anyone want to give that a shot, or both? I can give it a shot. Thank you. But hopefully, I’ll, yeah, so I think, I spoke a little bit earlier about the facial recognition technology that we deployed in order to protect people from scams relating to public figures. We deployed that pilot across the world in, I think it was October of last year, basically. And one of the challenges were that we were just unable to deploy it within sort of Europe and the UK at that particular time, because we were, you know, navigating with the regulator and putting all those pieces into place to ensure that they were sort of comfortable with this technology. So what I would say there is that these protections were designed for the right reasons and the right sort of principles behind them. But I think what needs to be sort of added to them is understanding sort of the adversarial landscape, especially when it comes to fraudsters as well, to enable us to deploy things at the speed of which we need to, because these are some of the fastest actors out there. And so we need to make sure that we’re able to deploy things in the right way at the speed of which we need to.

Johannes Vallesverd: Thank you. Good comment. Good comment. Riika?

Riika Puttonen: Yes, I totally agree. And indeed, privacy laws were actually put in place to also prevent fraud. So the intention, as Rima said, was a good one. But it’s the implementation of those laws that leaves some room for improvement. The right to privacy is not an absolute right in international human rights law. It is a qualified right. So there are certain conditions, and if those conditions are fulfilled, it can be compromised, the right to privacy. And it can be compromised for certain good reasons, a legitimate aim, and that would be, for example, public order, public safety, national security. And when we look at the scale of fraud, I do think that the legitimate aim is there. So indeed, it is not an absolute but a qualified right. But in addition to that legitimate aim, it also has to be prescribed by clear and accessible law. So again, for legislators, some work to do, serve this legitimate aim, and it has to be necessary and proportionate. And then you are in compliance with international human rights framework.

Emily Taylor: Thank you. Yeah. Emily? Well, I think Rima and Riika have both made excellent points, which I won’t repeat. I think that where I would come in on this is just reflecting on the transatlantic tensions around data sharing, you know, between very close allies, all democracies, all subject to the rule of law. And you know, Nico, I had the misfortune to be on the EPDP, and the expedited bit was certainly not really very apparent in this multiyear process. But actually, rather than blaming ourselves, I think we reflect on how difficult it is and that who is a microcosm of wider difficulties of sharing data. But Riika, you talked about the importance of laws being accessible and also understandable. I mean, there was a story of a guy going around an international law conference wearing a T-shirt saying, only God is GDPR compliant. And I think, you know, if we reflect on how difficult it is to comply, and particularly given the extraterritorial nature for US companies, which are very, very risk averse because they come in a much more litigious society and are not really used to the aspirational quality of many European laws, I think this is a moment of reflection to think, well, how do we do it better? You know, the fundamental rights need to be protected, and legitimate people also need to be protected from intrusion. But we can do better.

Johannes Vallesverd: Thank you for those words. I totally agree. Let’s move on now to, we will take one question from the floor, and then we will get the online community on for the next one, and then we will go back and forth. So we have the first question. When you present your question, just say who you are or where you come from, and then question. Thank you. Hi. Hello. Oh, we have two here. So you first in the front.

Andrew Campling: Hi. Thank you. I’mAndrew Campling. I’m a trustee of the Internet Watch Foundation. We’ve heard why signal is important by effectively everyone in the panel, whether it’s to identify criminals, to aid enforcement, or to protect end users. Building on Emily’s comments about the forced binary choice between privacy and security and the weaponization of, as Rikke quite rightly said, the qualified right of privacy, we’re seeing some significant unintended consequences. For example, current and planned changes to Internet standards are removing signal, which will make those consumer protections that the Norwegians are enjoying ineffective because you’ll lose the signal that you need for that and make it far harder to, again, to identify criminals, or to the ICANN example, the lack of proper know-your-customer processes mean that we’re aiding the criminals that undertake phishing because we’ve got no idea who registered the domains. So registers and registrars are hiding behind those privacy protections. How do we get people like on this panel more involved in actually stopping those harms, those unintended harms, by engaging Internet standards? Is that a question to Nico on know-your-customer? Perhaps.

Johannes Vallesverd: Let’s try. Thank you very much for a good question. Thank you for the question.

Nico Caballero: Even though I’m not involved in any kind of commercial activity within ICANN, ICANN is certainly taking steps in that regard, and I can mention, you know, a stricter registration data accuracy enforcement, like, for example, registrars now must verify and update inaccurate who is data within seven days of changes or face suspension of domains, on the one hand. You know, broadly speaking, ICANN’s Accuracy Reporting System, the ARS, has historically monitored compliance, though I must recognize it was paused after GDPR. But on the other hand, you know, as of right now, registrants are obligated to maintain accurate contact details, you know, to investigate complaints within 15 days, which is good progress, as compared to, well, not an ideal situation, not the best solution, but ICANN is doing, you know.

Johannes Vallesverd: Good, we are just looking at the time here. Thank you for the question, thank you for the answer, and we can connect the dots from GSE to ICANN and then you will get a very good picture. I think we will get the online community up now. Frode, are you there? I feel like it’s a Melody Grand Prix here, Frode Sørensen’s online moderator, so we will get him up on the screen. Many thanks for the presentations from the panelists and for an interesting discussion. So far, there is no question in the chat, but we encourage people to ask questions in the chat, which can be read aloud afterwards. So, I just hand back to you, Johannes, to take more questions in the room. Good, so you are in contact with the producer and then she will give him a sign if there will be, but that doesn’t matter, because we have four people here, three people waiting in line. So, let’s take this one first. No, I was on. Oh, sorry, sorry, sorry.

Audience: So, Rens brought up an issue. You have to say your name first and where you’re from. Shiva Bisasa, Trondheim, Tobago. Rens brought up the issue of financial sextortion, and this is something I had personal experience with earlier this year, where I knew the victim and the victim took his life. And as Rima showed, the engagement aspect is conducted on platforms. In this case, it was WhatsApp. My question is for the Global South, for developing nations. How can we increase awareness? What is the responsibility of platforms to increase awareness on these scams? And further, law enforcement is not as equipped as developed states within the developing world. How can we get law enforcement up to date? And if there is no mechanism to report these things to law enforcement, how can we report directly to the platforms?

Johannes Vallesverd: Thank you, sir. Very good question. I will now go to Rens.

Rens Grim: Thank you for your question, and sorry to hear about your loss. It is a difficult area, especially in the sextortion that I was talking about, because in the country of origin, the people behind these scams are seen as heroes, and even the nation is discouraging people to go to school and, you know, just go scamming. So, but to answer your question, I think, is the whole purpose of the stakeholder participation, you know, getting into touch with local enforcement agencies and propagate that cooperation. It is a difficult story, because as it is said here early on the panel, there is no strict criminal prosecution possible. So, if it happens in country A and the extortionist is in country B, it is extremely difficult to get that person in country B to be prosecuted. And it is a difficult, we are not there yet, but I believe that encouraging countries, nations, governments to also actively go after the people within their country who are propagating and who are actually committing these crimes, that is the first step forward. Does that answer your question?

Rima Amin: Yes, somewhat. I can also take some of that question, and I’m personally so sorry for your personal loss. I think in terms of the question you asked around sort of raising awareness and what we can do there, I think there’s a couple of pieces there, right? So, you’ve got sort of campaigns that we can work sort of together on. I think that’s the working together piece is really important, because what we often see is fragmented sort of awareness campaigns and people, and young people especially, being bombarded with so many different messages that actually bringing those together is incredibly important. And so, that’s something that we look to do with governments and those types of entities. The next is sort of interventions and building products in a way that creates safe environments. So, separating, for example, messages that come from people that you’re not connected with and putting in sort of the guard rails there. And the piece on law enforcement, I think it’s something that we try to do at META is work with law enforcement. So, we have people focus specifically on outreach to help law enforcement identify what information that they can request, how they can request it, and how they can actually use that information to be able to investigate and enforce there. And then the piece on reporting is also particularly sort of important. One of the challenges we have in that type of scam, but also sort of other scams that might end up on websites and other sort of platforms, is that we don’t necessarily have the context that we need to be able to enforce. And so, reporting through the platform or through sort of the law enforcement channels that are available is important for us to then be able to look back and be able to enforce on that particular actor. Thank you very much, Riika and then Emily. And we

Riika Puttonen: have to close down, but it’s an important question, so we need to reflect on it. Yeah, thank you for that important question and example as well. At UN, UNODC, we have these intergovernmental processes, which we’ve done a couple of on fraud, and there’s an increasing awareness of the seriousness of fraud as such, and including naturally also sexual extortion. Tragic example. We also carry out technical assistance activities, and they kind of range from prevention to protection of victims and witnesses, pursuing the criminals, the organized criminal groups behind it, and also promoting that cooperation. So, I hope in the years to come there is an increased awareness, but clearly we still have a lot of work ahead of us.

Emily Taylor: Very briefly, Shiva, very sorry to hear of your loss. I just wanted to address another aspect of getting law enforcement up to date, which is the collaboration with industry. Global South and also other countries are suffering from lack of resources in law enforcement and are simply not able to follow up all of the potential leads, and I think industry has a part to play in it. I think this also goes to the point that Birgitta made about burden sharing, and this is something that we’re doing within the Global Signal Exchange with pilots between law enforcement and industry to see to what extent can industry sort of take some of the burden from law enforcement, enabling them to do what only law enforcement can do, which is the pursue element, but there’s an awful lot of prevent and a lot of following up that industry can do in that. Thank you very much

Johannes Vallesverd: all for those comments to that, and I’m very sorry that we don’t have time for more questions, but we are here, so you can approach us after this session. I would like to thank everybody for your contributions. I would like to thank the panelists. Well, we will never get rid of fraud, it will always be there, but we can tackle it one piece at a time, we can eat the elephant one piece at a time. I would like to thank Frode for his online moderator and also the IGF team for having this session on these important topics. I hope this is not the end of anything, this is the start of anything. We have to be more operational, we have to get action done, share data, share guidance, and we have to tackle this fraud because it’s serious, it’s lethal, so we have to protect the global citizens against this international crime. So, thank you very much everybody for your participation and your presence. you

Rens Grim

Speech speed

145 words per minute

Speech length

1221 words

Speech time

504 seconds

25% of world’s connected population has been victim of scams with $1 trillion in estimated losses annually

Explanation

Rens presents alarming statistics showing that one in four connected people globally have been scam victims, not just confronted with scams but actually victimized. The total estimated losses amount to $1 trillion annually, which he compares to the GDP of the Netherlands.

Evidence

Based on worldwide survey of 60,000 people; $1 trillion is approximately equivalent to Netherlands’ GDP

Major discussion point

Scale and Impact of Global Fraud

Topics

Cybersecurity | Economic

Agreed with

– Birgitte Engebretsen
– Nico Caballero
– Johannes Vallesverd

Agreed on

Fraud represents a massive global problem requiring serious treatment

Fraud is either first or second most reported crime in most countries with only 2.5% prosecution rate

Explanation

Rens highlights that online fraud has become one of the most commonly reported crimes globally, yet the prosecution rate remains desperately low. He notes that while England’s 2.5% prosecution rate is actually good compared to the global average, it’s still inadequate.

Evidence

Agreed with

– Rima Amin
– Nico Caballero

Agreed on

Technology and AI present both challenges and opportunities in fraud prevention

Birgitte Engebretsen

Speech speed

108 words per minute

Speech length

710 words

Speech time

393 seconds

Telenor blocked over 2200 million fraud attempts in Norway in 2024, equivalent to two attempts per customer daily

Explanation

Birgitte reveals the massive scale of fraud attempts targeting Norwegian customers, with Telenor’s systems blocking over 2.2 billion attempts in a single year. This translates to approximately two fraud attempts per customer every day, demonstrating the relentless nature of these attacks.

Evidence

Specific figure of 2200 million blocked attempts in 2024; calculation showing 2 attempts per customer daily

Major discussion point

Scale and Impact of Global Fraud

Topics

Cybersecurity | Infrastructure

Agreed with

– Rens Grim
– Nico Caballero
– Johannes Vallesverd

Agreed on

Fraud represents a massive global problem requiring serious treatment

Effective collaboration requires burden sharing between customers, government, and tech companies

Explanation

Birgitte proposes a triangular model for combating fraud where responsibility is shared among three key stakeholders. Customers should demand and pay for secure services, governments should finance costly protective measures, and technology companies must invest in security infrastructure.

Evidence

Nico Caballero

Speech speed

126 words per minute

Speech length

1347 words

Speech time

640 seconds

Phishing makes up more than 90% of DNS abuse cases with $12 billion annual impact

Explanation

Nico presents data showing that phishing dominates the DNS abuse landscape, comprising over 90% of cases according to some sources reaching 95-96%. The remaining abuse types include malware, botnets, farming, and spam, with the total economic impact reaching $12 billion annually.

Evidence

NetBeacon Institute data showing 95-96% phishing rate; Internet Society figures showing $12 billion annual losses

Major discussion point

Scale and Impact of Global Fraud

Topics

Cybersecurity | Infrastructure

Agreed with

– Rens Grim
– Birgitte Engebretsen
– Johannes Vallesverd

Agreed on

Fraud represents a massive global problem requiring serious treatment

ICANN is developing stricter SLAs for takedowns and contractual penalties for repeat offenders

Explanation

Nico outlines ICANN’s proposed solutions for combating DNS abuse, including mandatory 24-hour response times for takedowns and implementing fines and suspensions for repeat offenders. These measures aim to create stronger accountability within the domain registration system.

Evidence

24-hour response mandate proposal; fines and suspension mechanisms for repeat offenders; AI-driven pattern detection for bulk registrations

Major discussion point

Regulatory and Legal Framework Challenges

Topics

Legal and regulatory | Infrastructure

Agreed with

– Rens Grim
– Rima Amin

Agreed on

Technology and AI present both challenges and opportunities in fraud prevention

Emily Taylor

Speech speed

149 words per minute

Speech length

1156 words

Speech time

464 seconds

Global Signal Exchange enables real-time cross-sector intelligence sharing with over 160 organizations onboarded

Explanation

Emily describes the Global Signal Exchange as a clearinghouse that facilitates information sharing across different industry sectors and internationally. Unlike existing vertical sharing within industries, GSE enables horizontal collaboration across sectors to combat fraud more effectively.

Evidence

Over 160 organizations joined or in onboarding; partnership with Global Anti-Scam Alliance; support from Google; includes four big tech companies

Major discussion point

Multi-stakeholder Cooperation and Data Sharing

Topics

Cybersecurity | Infrastructure

Agreed with

– Johannes Vallesverd
– Camilla Sharma
– Birgitte Engebretsen
– Rima Amin
– MODERATOR

Agreed on

Multi-stakeholder cooperation is essential for effective fraud prevention

Privacy laws are qualified rights that can be compromised for legitimate aims like public safety when prescribed by clear law

Explanation

Emily argues that privacy and criminal justice are not in opposition but can coexist within proper legal frameworks. She emphasizes that privacy protections are essential in healthy democracies but can be balanced with security needs when done correctly with proper legal foundations.

Evidence

UK data protection regulator guidance; OECD principles; Budapest Convention amendments; EU Evidence Act

Major discussion point

Multi-stakeholder Cooperation and Data Sharing

Topics

Human rights | Legal and regulatory

Agreed with

– Riika Puttonen
– Rima Amin
– Johannes Vallesverd

Agreed on

Privacy and security can coexist with proper legal frameworks

Disagreed with

– Rima Amin
– Riika Puttonen

Disagreed on

Privacy vs Security Balance in Data Sharing

Camilla Sharma

Speech speed

151 words per minute

Speech length

676 words

Speech time

267 seconds

Norwegian anti-fraud group includes mobile operators, authorities, police, and banks working operationally together

Explanation

Camilla describes Norway’s multi-stakeholder approach to fraud prevention, bringing together various sectors including telecommunications, law enforcement, financial services, and regulatory bodies. This collaborative model focuses on operational measures rather than just discussions.

Evidence

Participation from mobile operators (Telenor, Telia, Ice), CRDB, authorities, police, bank sector; vulnerability assessments and operational measures

Major discussion point

Multi-stakeholder Cooperation and Data Sharing

Topics

Legal and regulatory | Cybersecurity

Agreed with

– Johannes Vallesverd
– Birgitte Engebretsen
– Emily Taylor
– Rima Amin
– MODERATOR

Agreed on

Multi-stakeholder cooperation is essential for effective fraud prevention

Norway implemented digital anti-spoofing roaming shield as one of first in world, restoring trust in mobile numbers

Explanation

Camilla presents Norway’s pioneering anti-spoofing shield that entered force in November 2024, preventing Norwegian mobile numbers from being spoofed from abroad. This measure has successfully restored public trust in mobile communications that had been eroded by spoofing attacks.

Evidence

Shield entered force November 19, 2024; described as ‘one of the first in the world’; data showing fraudsters take Christmas breaks and weekends off

Major discussion point

Regulatory and Legal Framework Challenges

Topics

Infrastructure | Cybersecurity

Riika Puttonen

Speech speed

127 words per minute

Speech length

Multi-stakeholder Cooperation and Data Sharing

Topics

Human rights | Legal and regulatory

Agreed with

– Emily Taylor
– Rima Amin
– Johannes Vallesverd

Agreed on

Privacy and security can coexist with proper legal frameworks

Disagreed with

– Emily Taylor
– Rima Amin

Disagreed on

Privacy vs Security Balance in Data Sharing

Rima Amin

Speech speed

158 words per minute

Speech length

2019 words

Speech time

762 seconds

Meta removed 1.4 billion fake accounts in Q4 2024, with 99.9% caught proactively before being reported

Explanation

Rima reveals the massive scale of Meta’s proactive enforcement against fake accounts, with their technology detecting and removing accounts often at the point of creation. While not all fake accounts are necessarily for fraud, they represent a critical component of the fraud infrastructure.

Evidence

1.4 billion fake accounts removed in Q4 2024; 99.9% detected proactively; 0.1% were reported by users

Major discussion point

Platform and Industry Response Strategies

Topics

Cybersecurity | Infrastructure

Focus should be on disrupting fraud attack chain as early as possible, from infrastructure building to victim engagement

Explanation

Rima outlines Meta’s strategic approach based on understanding the complete fraud attack chain, from building infrastructure and preparing digital assets to engaging victims and executing transactions. She emphasizes that intervening earlier in the chain provides better opportunities for large-scale prevention.

Evidence

Five-stage attack chain: infrastructure building, preparing digital assets, engaging victims, executing transactions, cleanup; Meta has most visibility at engage and digital asset stages

Major discussion point

Platform and Industry Response Strategies

Topics

Cybersecurity | Infrastructure

Agreed with

– Johannes Vallesverd
– Camilla Sharma
– Birgitte Engebretsen
– Emily Taylor
– MODERATOR

Agreed on

Multi-stakeholder cooperation is essential for effective fraud prevention

Meta uses facial recognition technology to detect misuse of public figures’ images in scams

Explanation

Rima describes Meta’s deployment of facial recognition technology to identify when public figures’ images are being misused in fraudulent advertisements or content. This technology helps combat celebrity impersonation scams by automatically detecting and removing such content.

Evidence

Facial recognition technology launched to detect public figure image misuse; deployed globally in October with regulatory navigation in Europe and UK

Major discussion point

Technology and AI Impact on Fraud

Topics

Cybersecurity | Human rights

Agreed with

– Rens Grim
– Nico Caballero

Agreed on

Technology and AI present both challenges and opportunities in fraud prevention

Disagreed with

– Emily Taylor
– Riika Puttonen

Disagreed on

Privacy vs Security Balance in Data Sharing

Lucien Taylor

Speech speed

167 words per minute

Speech length

491 words

Speech time

176 seconds

Global Signal Exchange processes over 1 million threat signals daily compared to 30,000 monthly consumer reports to British police

Explanation

Lucien demonstrates the massive scale difference between automated threat detection and traditional consumer reporting. The GSE system processes over 1 million signals daily, vastly exceeding the 30,000 monthly reports that British police receive from consumers, highlighting the need for automated systems.

Evidence

Started with 40 million threat signals; now processing 1 million daily; British police receive 30,000 monthly consumer reports; average signal time-to-live is up to four days

Major discussion point

Platform and Industry Response Strategies

Topics

Cybersecurity | Infrastructure

MODERATOR

Speech speed

102 words per minute

Speech length

132 words

Speech time

76 seconds

Cooperation is the only way forward as fraudsters operate internationally and change channels when blocked

Explanation

The moderator establishes the fundamental premise that fraud is a global problem requiring coordinated international response. Fraudsters adapt by switching channels or targeting different countries when individual defenses are implemented, making isolated national efforts insufficient.

Evidence

Fraudsters described as ‘smart and ruthless’; they ‘change the channel or target another country’; described as ‘whack-a-mole game’

Major discussion point

Multi-stakeholder Cooperation and Data Sharing

Topics

Cybersecurity | Legal and regulatory

Agreed with

– Johannes Vallesverd
– Camilla Sharma
– Birgitte Engebretsen
– Emily Taylor
– Rima Amin

Agreed on

Multi-stakeholder cooperation is essential for effective fraud prevention

Andrew Campling

Speech speed

115 words per minute

Speech length

186 words

Speech time

97 seconds

Current Internet standards changes are removing signals needed for consumer protection

Explanation

Andrew warns about unintended consequences of privacy-focused changes to Internet standards that are eliminating the technical signals necessary for fraud detection and prevention. He argues that these changes will make existing consumer protections ineffective and aid criminals by reducing visibility into their activities.

Evidence

Norwegian consumer protections becoming ineffective due to signal loss; lack of proper know-your-customer processes in domain registration; registers and registrars hiding behind privacy protections

Major discussion point

Technology and AI Impact on Fraud

Topics

Infrastructure | Human rights

Audience

Speech speed

145 words per minute

Speech length

141 words

Speech time

58 seconds

Financial sextortion can lead to tragic outcomes including suicide, requiring increased awareness campaigns

Explanation

An audience member shares a personal experience where a sextortion victim took their own life, highlighting the severe psychological impact and tragic consequences of these crimes. The question emphasizes the need for better awareness campaigns and law enforcement capabilities, particularly in developing nations.

Evidence

Personal experience with victim who committed suicide; engagement conducted on WhatsApp platform; challenges in Global South with less equipped law enforcement

Major discussion point

Victim Impact and Awareness Challenges

Topics

Cybersecurity | Human rights

Johannes Vallesverd

Speech speed

156 words per minute

Speech length

Agreed with

– Rens Grim
– Birgitte Engebretsen
– Nico Caballero

Agreed on

Fraud represents a massive global problem requiring serious treatment

The fight against fraud requires eating the elephant one piece at a time through incremental operational progress

Explanation

Johannes acknowledges that while fraud will never be completely eliminated, it can be effectively tackled through systematic, incremental approaches. He advocates for practical, step-by-step operational measures rather than attempting to solve the entire problem at once.

Evidence

Metaphor of ‘eat the elephant one piece at a time’ and emphasis on being ‘more operational’ and getting ‘action done’

Major discussion point

Platform and Industry Response Strategies

Topics

Cybersecurity | Legal and regulatory

Agreements

Agreement points

Multi-stakeholder cooperation is essential for effective fraud prevention

Speakers

– Johannes Vallesverd
– Camilla Sharma
– Birgitte Engebretsen
– Emily Taylor
– Rima Amin
– MODERATOR

Arguments

The goal should be operational action rather than just talk, focusing on regulatory and technical measures to reduce fraud

Fraud fighting requires a diverse team with different angles to the problem, bringing together various stakeholders

Norwegian anti-fraud group includes mobile operators, authorities, police, and banks working operationally together

Effective collaboration requires burden sharing between customers, government, and tech companies

Global Signal Exchange enables real-time cross-sector intelligence sharing with over 160 organizations onboarded

Focus should be on disrupting fraud attack chain as early as possible, from infrastructure building to victim engagement

Cooperation is the only way forward as fraudsters operate internationally and change channels when blocked

Summary

All speakers agree that combating fraud requires coordinated efforts across multiple sectors including government, industry, law enforcement, and international organizations. They emphasize moving beyond discussions to operational cooperation.

Topics

Cybersecurity | Legal and regulatory

Fraud represents a massive global problem requiring serious treatment

Speakers

– Rens Grim
– Birgitte Engebretsen
– Nico Caballero
– Johannes Vallesverd

Both speakers present nearly identical arguments about privacy being a qualified right in international law that can be limited under specific conditions for legitimate purposes like fraud prevention, emphasizing the need for clear legal frameworks.

Speakers

– Emily Taylor
– Riika Puttonen

Arguments

Privacy laws are qualified rights that can be compromised for legitimate aims like public safety when prescribed by clear law

Topics

Human rights | Legal and regulatory

Both Norwegian representatives emphasize the importance of multi-stakeholder collaboration in their country’s successful fraud prevention model, highlighting how different sectors work together operationally.

Speakers

– Camilla Sharma
– Birgitte Engebretsen

Arguments

Norwegian anti-fraud group includes mobile operators, authorities, police, and banks working operationally together

Effective collaboration requires burden sharing between customers, government, and tech companies

Topics

Legal and regulatory | Cybersecurity

Both speakers provide concrete statistical evidence of fraud’s massive scale, demonstrating the relentless nature of fraud attempts and their significant impact on populations.

Speakers

– Rens Grim
– Birgitte Engebretsen

Arguments

25% of world’s connected population has been victim of scams with $1 trillion in estimated losses annually

Telenor blocked over 2200 million fraud attempts in Norway in 2024, equivalent to two attempts per customer daily

Topics

Cybersecurity | Economic

Unexpected consensus

Privacy laws protecting fraudsters rather than victims

Speakers

– Rima Amin
– Riika Puttonen
– Emily Taylor

Arguments

Meta uses facial recognition technology to detect misuse of public figures’ images in scams

Privacy laws are qualified rights that can be compromised for legitimate aims like public safety when prescribed by clear law

Explanation

Despite representing different sectors (tech platform, UN organization, and civil society), all three speakers agreed that current privacy law implementation sometimes inadvertently protects fraudsters. This consensus is unexpected given their different organizational perspectives and typical debates around privacy vs. security.

Topics

Human rights | Legal and regulatory

Need for proactive rather than reactive approaches to fraud prevention

Speakers

– Rima Amin
– Emily Taylor
– Camilla Sharma
– Nico Caballero

Arguments

Meta removed 1.4 billion fake accounts in Q4 2024, with 99.9% caught proactively before being reported

Global Signal Exchange enables real-time cross-sector intelligence sharing with over 160 organizations onboarded

Norway implemented digital anti-spoofing roaming shield as one of first in world, restoring trust in mobile numbers

ICANN is developing stricter SLAs for takedowns and contractual penalties for repeat offenders

Explanation

Representatives from social media, civil society, government regulation, and domain name governance all emphasized proactive prevention over reactive response, showing unexpected alignment across traditionally different approaches to internet governance.

Topics

Cybersecurity | Infrastructure

Overall assessment

Summary

The speakers demonstrated remarkable consensus on key fraud prevention principles: the necessity of multi-stakeholder cooperation, the serious nature of the fraud threat, the possibility of balancing privacy with security, and the importance of proactive technological solutions. Agreement was strongest on operational approaches and the need for international coordination.

Consensus level

High level of consensus with significant implications for fraud prevention policy. The alignment across diverse stakeholders (government regulators, tech platforms, telecom operators, international organizations, and civil society) suggests strong potential for coordinated global action. The consensus on treating fraud as serious organized crime and the need for operational rather than just policy responses indicates readiness for concrete implementation measures.

Differences

Different viewpoints

Privacy vs Security Balance in Data Sharing

Speakers

– Emily Taylor
– Rima Amin
– Riika Puttonen

Arguments

Privacy laws are qualified rights that can be compromised for legitimate aims like public safety when prescribed by clear law

Meta uses facial recognition technology to detect misuse of public figures’ images in scams

Privacy laws are qualified rights that can be compromised for legitimate aims like public safety when prescribed by clear law

Summary

While all speakers agree privacy isn’t absolute, they differ on implementation approaches. Emily emphasizes the need for clear legal frameworks and proper compliance from the start. Rima highlights operational challenges where privacy regulations slow down deployment of anti-fraud technologies in Europe. Riika focuses on the legal technicalities of when privacy can be legitimately compromised.

Topics

Human rights | Legal and regulatory | Cybersecurity

Unexpected differences

Impact of Internet Standards on Fraud Prevention

Speakers

– Andrew Campling
– Emily Taylor

Arguments

Current Internet standards changes are removing signals needed for consumer protection

Global Signal Exchange enables real-time cross-sector intelligence sharing with over 160 organizations onboarded

Explanation

Andrew Campling raises an unexpected concern that privacy-focused changes to Internet standards are actually helping criminals by removing technical signals needed for fraud detection. This creates tension with Emily Taylor’s work on the Global Signal Exchange, which aims to enhance signal sharing. The disagreement is unexpected because both are working toward fraud prevention but see different technical approaches as problematic versus beneficial.

Topics

Infrastructure | Human rights | Cybersecurity

Overall assessment

Summary

The discussion shows remarkably high consensus among speakers on the fundamental challenges and goals of fraud prevention, with disagreements primarily focused on implementation approaches rather than objectives. Main areas of disagreement center on balancing privacy with security, specific mechanisms for multi-stakeholder cooperation, and technical approaches to maintaining fraud detection capabilities.

Disagreement level

Low to moderate disagreement level with high strategic alignment. The speakers demonstrate strong consensus on the severity of the fraud problem, the need for international cooperation, and the importance of multi-stakeholder approaches. Disagreements are primarily tactical and procedural rather than fundamental, suggesting good potential for collaborative solutions. The most significant tension appears around privacy versus security trade-offs, but even here speakers acknowledge the need for balance rather than taking absolute positions.

Partial agreements

Similar viewpoints

Both speakers present nearly identical arguments about privacy being a qualified right in international law that can be limited under specific conditions for legitimate purposes like fraud prevention, emphasizing the need for clear legal frameworks.

Speakers

– Emily Taylor
– Riika Puttonen

Arguments

Privacy laws are qualified rights that can be compromised for legitimate aims like public safety when prescribed by clear law

Topics

Human rights | Legal and regulatory

Both Norwegian representatives emphasize the importance of multi-stakeholder collaboration in their country’s successful fraud prevention model, highlighting how different sectors work together operationally.

Speakers

– Camilla Sharma
– Birgitte Engebretsen

Arguments

Norwegian anti-fraud group includes mobile operators, authorities, police, and banks working operationally together

Effective collaboration requires burden sharing between customers, government, and tech companies

Topics

Legal and regulatory | Cybersecurity

Both speakers provide concrete statistical evidence of fraud’s massive scale, demonstrating the relentless nature of fraud attempts and their significant impact on populations.

Speakers

– Rens Grim
– Birgitte Engebretsen

Arguments

25% of world’s connected population has been victim of scams with $1 trillion in estimated losses annually

Telenor blocked over 2200 million fraud attempts in Norway in 2024, equivalent to two attempts per customer daily

Topics

Cybersecurity | Economic

Takeaways

Key takeaways

Fraud is a massive global problem affecting 25% of the world’s connected population with $1 trillion in annual losses, requiring urgent international cooperation

Multi-stakeholder collaboration between governments, private sector, law enforcement, and civil society is essential – no single entity can combat fraud in isolation

Real-time data sharing across sectors is both technically feasible and legally permissible when properly implemented with privacy safeguards

Privacy laws are qualified rights that can be balanced with legitimate public safety aims when prescribed by clear, accessible law

Operational measures like Norway’s anti-spoofing shield and integrated fraud filters are proving effective in protecting citizens

AI will make fraud more sophisticated but we haven’t reached a tipping point yet – proactive technology deployment is crucial

Current legal frameworks need updating to criminalize fraud as serious crime globally and enable better international cooperation

Prevention and early intervention in the fraud attack chain is more effective than pursuing criminals after damage is done

Burden sharing between customers, government, and technology companies is necessary for sustainable fraud prevention

Resolutions and action items

Regulators should join the Global Informal Regulatory Anti-Fraud Forum (GIRAFF) to share best practices across 40+ countries

UNODC and Interpol will host a Global Fraud Summit in March 2026 in Vienna

Countries need to criminalize fraud as serious crime (4+ years imprisonment) to enable international cooperation under UN conventions

New UN Convention Against Cybercrime will open for signature in October 2024, requiring country implementation

ICANN is developing stricter service level agreements for takedowns and contractual penalties for repeat offenders

Public sector should give higher weight to quality and security in tender processes to create market incentives

Expand successful multi-stakeholder working methods from voice/SMS to internet-based services

Continue developing and deploying technology solutions like facial recognition for detecting misuse of public figures’ images

Unresolved issues

How to effectively balance data privacy protections with the need for rapid threat intelligence sharing, especially across different jurisdictions

Addressing the removal of signals from internet standards that are needed for consumer protection measures

Developing effective know-your-customer processes for domain registration while respecting privacy rights

Scaling law enforcement capabilities in developing countries that lack resources to combat sophisticated fraud operations

Creating unified global standards for fraud criminalization and enforcement across different legal systems

Determining optimal burden-sharing arrangements between public and private sectors for fraud prevention costs

Addressing cultural and jurisdictional challenges where some countries view scamming as acceptable economic activity

Developing effective awareness campaigns that don’t overwhelm users with fragmented messaging

Suggested compromises

Implement layered access models for domain registration data with tiered access based on legitimate purposes while protecting personal data through redaction or encryption

Develop centralized accreditation systems for vetted entities like law enforcement to request non-public data while ensuring GDPR compliance

Create collaborative frameworks between data protection authorities and industry stakeholders to align policies with privacy regulations

Use technical solutions like ICANN’s Registration Data Request Service to streamline secure data requests without overburdening registrars

Deploy fraud prevention technologies at the speed needed to counter fast-moving fraudsters while working with regulators to ensure compliance

This historical perspective provides crucial context that fraud is not a modern technological problem but an ancient human behavior, suggesting that technological solutions alone are insufficient.

Impact

This comment grounded the discussion in historical reality, preventing over-focus on technology as the sole solution and emphasizing the enduring human elements of deception and trust that must be addressed.

Overall assessment

Explanation

Current privacy regulations are often difficult to understand and comply with, creating barriers to legitimate fraud prevention efforts

Disclaimer: This is not an official session record. DiploAI generates these resources from audiovisual recordings, and they are presented as-is, including potential errors. Due to logistical challenges, such as discrepancies in audio/video or transcripts, names may be misspelled. We strive for accuracy to the best of our ability.