You could have placed a bet on it happening. If you had, you’d be quid’s in.
As far back as February, I warned that the UK’s implementation of the EU cookie law opened up a wealth of opportunities for scammers and spammers. I suggested that we were going to have the pathetic scaremongering – which indeed came to pass, and which is still flourishing – wherein “consultants” and software developers could use threats of £500k fines as a revenue stream. We also had the possibility of some of those firms extending the threats to blackmail: pay us to “make you compliant” and we won’t report you to the big bad government.
I hate being proven right.
Got a nasty SPAM call from ezeeaz.co.uk pretending to be the ICO, demanding a £69 cookie audit and threatening a £5k fine. Beware!!—
Alex Stanhope (@alex_stanhope) August 01, 2012
In the spirit of understanding our enemy, let’s meet the scammers. Take a look at Ezeeaz. In addition to claiming to be the Information Commissioner’s Office (ICO) – the government agency responsible for the EU cookie law’s implementation and enforcement within the UK – they are also using a modified version of ICO’s logo and brand.
It is an appropriate measure of ICO’s success in launching the EU cookie law that scammers pretending to be them can run with the baton. It is also an amusing irony that ICO will have to redeploy the resources they had set aside for cookie law compliance and enforcement to deal with infringement of their own brand on the part of “cookie consultancies”!
Who is behind the scam? At first, it’s hard to tell. Ezeeaz.co.uk’s web site features the middleman outsourcer’s dead giveaway of an “About Us” page which lists no names, pictures, personalities, or CVs. In fact, the only name available to us comes from a Whois search. It shows the person to whom the site is registered, a fellow called Greg Youngberry. Greg Youngberry of – wait for it – Queensland, Australia.
The web site lists the company’s address in an office building in Witney, Oxfordshire. This morning I phoned the leasing company and spoke with the landlord who manages the building. They had never heard of Ezeeaz; they had never heard of Greg Youngberry; and they certainly had no idea that someone claiming to be a UK government agency was operating out of the building. From that, you could presume that the Oxfordshire address was the random result of a Google search for any old office building in the UK. But it’s not. The person behind the scam did not choose Witney by throwing a dart at a map. After all, who hails from Witney? That guy Dave, our current Prime Minister. It is absolute textbook behavior for a grandiose fantasist – one who would shamelessly claim to be a UK government agency – to latch on to the prestige of a public figure or location. Recently we saw a notorious web scammer in Edinburgh listing his “agency” address as what everyone could see for themselves was Harvey Nichols; likewise, I knew someone who took out a post office box at a Mailboxes Etc. on Pennsylvania Avenue in Washington DC because he thought people would associate his “prestigious” address with the White House!
Greg Youngberry runs a business service operation in addition to his cookie law круша. The web sites are similar in terms of their stock template layouts and use of bland, unoriginal, generic clip art. (In fact, a Wayback Machine search shows that the two sites were once identical). If you want to fill your Business Bullshit Cliche Bingo card in record time, have a look at it. Not only does he have a White Guy In A Business Suit Shaking Hands To Seal The Deal, but he’s got oodles of florid prose on why his business model of outsourcing everything to India and the Philippines at third world pay rates is a benevolent fairtrade operation, gracing the poor wee souls of those countries with a chance for employment and three meals a day. It is patronising, paternalistic, and, at some points, smells of a visa scam. Where I come from that sort of mindset is known as calling yourself the Great White Hope. Which, on an ethical scale, is right up there with calling yourself a UK government agency.
So wipe a sentimental tear from your eye, then, when one of his low-wage call centre employees – Queensland via Manila via Witney – phones to threaten you with a £5000 cookie law spot fine. Dear god, won’t somebody think of the children?
Ezeeaz’s web site closes with the following feelgood platitude:
“Privacy is more than just a policy, it’s about gaining trust.”
So says the Australian scammer running threatening sales calls to the UK out of a Filipino phone bank.
Sitepoint – ironically an Australian company – recently explained the EU cookie law to its baffled audience like this:
While this law is aimed at protecting users, it’s scammers who gain the biggest benefit. Is it blackmail? Or is the scammer exercising their right to sell you compliance services before reporting you to the authorities for illegal activities? Put it this way, if you send enough emails, you’ll eventually find someone with enough naivety and cash.
It’s heartening that a company half a planet away from the EU is able to call the cookie law for what it is at first glance. They understand, through all the PR and platitudes, that the rise of the scammers is yet another nail in the EU Cookie Law’s coffin. As I said in my July update presentation, the law is not making people reflect upon their individual privacy choices; it does not address this decade’s privacy threats – social media oversharing and app-based data uploads; and it vandalises web sites at best and destroys web site accessibility at worst. The only people whose lives it seems to be making better are the people who know how to make money off it – whether that’s through well-meaning software development, call centre scamming, or padding their CVs at the Information Commissioner’s Office.
Who, come to think of it, have a few phonecalls to make this morning too.
Let’s use this post to track cookie law scams and spam. Have you received a scam call, email, or letter? Leave a comment.
*Update: a London-based legitimate web consultancy has contacted me to say that the Australian company has copied their site content and business tagline for the scam site. I’m sure Greg will blame it on his “staff” in India.
They also note, with even more irony, that Ezeewhatever are not registered as a data processor with…ICO.
Postscript: In September 2012 this blog enjoyed its single biggest day of hits ever courtesy of over 700 visits to this post alone from the call centre in the Phillipines which was doing the outbound calls for their Australian sugar daddy. The scammers also attempted to leave a comment on this post pretending to be Alex Stanhope, who first alerted me to the scam on Twitter, using a fake Google mail address and illiterate Filipino English. You can only imagine what they were thinking as they read this post for the 300th, 400th, and 500th time: “What you mean we’re not working for the UK government? We’re not going to get an Australian visa?”
@alex_stanhope So the cookie law scam callers tried to leave a comment on the blog post I wrote about the scam - pretending to be you.—
Heather Burns (@idea15webdesign) September 11, 2012