Okay, welcome folks. Welcome to the youth participation practice
network. We're here to talk about scams and bot sign ups for events and surveys.
Quick little caveat, YACVic, aren't necessarily experts on this issue.
We're here to talk a little bit about the experience that we've had and some
of the things that we've done to respond to and try and prevent bots. But actually,
a number of the members at the yppn have been dealing with this same issue. There's
some great ideas forming in the Google Doc that we use through the network as well. So
what has been happening? So a number of years ago, we started to receive some sign ups that we were
kind of nervous were scammers, and it appeared to be connected to our survey monkey account.
And then gradually it started to infiltrate across other platforms, and so we think that maybe our
mailing list and or our humanitix list have ended up on some sort of registration or on somebody's
list, so that when we put out opportunities, it does happen pretty regularly. The last few
events that we've run haven't necessarily had any issues, so it's really hard to predict, and it did
go quiet for about a year, and then it all started again earlier this year. So it is something that
seems to come in waves, and is often connected to events that have payment but not always. It isn't
exclusively related to remuneration. There can be bots and scams, regardless of that as well.
And as I mentioned earlier in the meeting, that we have reason to believe that it is an organised
effort. We've have run events where we've had people attending as multiple individuals,
and so when they've been put into breakout groups, you can hear it across, echoing
across the breakout groups. And so it's led us to believe that there is some sort of human element
to what's going on. It isn't entirely AI or bots. So the risk here is particularly related to child
safety. We feel like that's the kind of main point to note here. The worst case scenario is somebody
getting into an event for young people that is not a young person and is there for the wrong
reasons. And so that's a really important point to recognise. Obviously, there's the
financial implications to organisations as well. If we're paying young people or offering prizes,
there's the financial implications and the administration that goes in line with that,
it can be an awful lot of work to try and sift through large numbers of surveys or EOI responses,
trying to work out who's human and who's a bot. And it is pretty mind numbing process as well.
And then obviously it also affects the quality of our consultations and reports. A lot of work goes
in to this, the work that we do, and then to have data that can't be trusted or reliable is
a huge problem. And so again, the administration involved in verifying and checking is problematic.
What have young people told us? So we asked young people over a number of months what they
would be comfortable doing in our workshops to verify that they're human. So we sort of
got to the point where we felt like we can work out which ones are scams coming through
on registrations and EOIs. So the question that we asked young people was just about
verifying who that they're real in the call themselves. This was partly due to having
some feedback that having your camera on in a meeting may not be accessible for everybody,
and so we were really conscious of what other options and means that we could take. So the
questions that we've asked here are, I will turn on my camera and show my face during an event,
I will turn on my camera at the start of an event in the main room with all participants.
I will turn on my camera at the start of an event in a breakout room with a staff member,
which are the four most popular choices here. And then from there,
we've got our share a photo of myself when I sign up for an online event. I have some
issues with that one though, personally. I will share a photo of my identification card
and I will make my Zoom profile picture, a picture of myself again. I have some issues
with some of those. The photos ones don't seem very reliable.
Or scientific to me, I feel like that would be so easy to fake. And then there's some
a little bit of additional detail at the bottom there of the screen.
Then we asked them what they would not be comfortable doing, and you can see that big
green bar at the bottom there in the middle, there is about sharing the photo of their identification
card when they sign up for an online event, which kind of speaks to a lot of the concerns that I
have anyway. I think it's unnecessary for us to be asking young people for ID to attend an event
or to sign up to something, and it clearly isn't something that young people would be comfortable
doing anyway.. Turning on my camera has got a bit of a mixed response as well from young people.
the next slide talks about other ideas and other issues,
and somebody's identified here having a one to one meeting with someone beforehand.
So this is kind of more specific to a kind of a group, eg. and advisory group,
or a consultation or a co design process. We're talking more about events here than
surveys. You're probably not going to do a one to one meeting with 250
people before they fill in a survey. So we're talking more about events at this point. And
then I've highlighted at the bottom there in the last comment that I know, for some people,
their chosen name might not match their identification card, so it might not be
feasible option for everyone to make them feel safe, which I think is a massive point,
as much as I don't think it's necessary for us to look at ID cards. It also is not accessible for
many people. For that reason, one suggestion here is thinking about splitting up groups and events
based on age, so for under eighteens versus over eighteens, which is quite a practical solution,
but in many ways, is not going to work in a lot of our contexts where we're trying to work with
age the whole age bracket, 12 to 25 so that may work for some, but it's probably not going to
work for others. So the approach that YACVic has taken is that in surveys, we generally,
yeah, sift, filter and delete any information that we think is not reliable. And for events,
our main focus has been on setting up that check in process. So where we're doing a consultation,
we'll have a check in with each person beforehand, which isn't just about screening, it's also about
making sure that they understand what the meeting is going to be about, what to expect,
answer any questions that they've got, and really help them to prepare for that event as well. So it
actually has been quite a positive addition to the work that we do, but it is an addition so there is
additional capacity and resourcing considerations that that go hand in hand with that.
This slide sort of speaks to that point earlier that I made, kind of clearing
up the mess afterwards is much harder than stopping those bots getting through in the first
place. So here are some things to think about in relation to promotion of an event or an activity,
making it clear in the promo or the EOI what is expected of attendees and participants and what
steps you will take to verify identity. So there's part of me that thinks that even if you don't do
it by stating that you will be doing a series of things to verify identity, you're likely to put
people off that you know, that are real, that are reading this information, that that might
be a deterrent for them in the first place. So for example, will you do a check in call prior to the
event, will you ask participants to put their camera on in the meeting, explain how payments
will be made and what any expectations are of that, considering using things like reCAPTCHA,
as we talked about earlier, and ensure that multiple responses and anonymous responses
options are turned off. If that is feasible for you, that works for your context as well.
Some signs to look out for in the information that you get through EOIs and surveys. There's a whole
bunch of stuff here, and we'll talk through what they actually look like over the next few slides.
So checking the phone number of applicants looking out for suspicious names, checking the
address and postcode or location, making sure that applications haven't been filled in very quickly
and back to back or in a very short period of time, reading their application and checking for
bot like or AI generated answers like super generic or lacking any sort of specifics,
and then other suspicious signs might include stating that they
participated in a program but their name is not familiar to you, or
removing their application and registration. Sorry, that last one is if,
yeah, if you're not sure about it and you can't verify the information with them,
you might have to make that decision to remove.
Of their application or registration.
So what do those suspicious phone numbers and landlines and information look like? Well,
we tried calling a whole load of them. So they're nearly always like skimmed from the
internet. I think they're sort of dead numbers that get reused. So you call the number and it
says that the numbers not no longer connected, so they are real numbers, but they're never
connected. And we did it. I did it a number of times over a number of different events.
So my suggestion is, if you're ever unsure, to call them. And we found that people are
often actually not even based in Australia, and that's why it's impossible to get hold
of them over the phone, and they might suggest to meet and connect over zoom,
but we've never gone through with that, but that might be an option open to you as well
suspicious phone number, and then adding to that, interesting names,
or generic names, if you look at that list of names down the left hand side,
you'll see that there's sort of a little bit of a pattern. There's something quite sort of random
about the names that just doesn't ring true in and of itself. That's probably not enough
to fish someone out. But then you look at the phone number, and those columns there are all
problematic for different reasons, and then looking at the email address and seeing that
there's a very clear kind of pattern going on there. Those email addresses have been created
just with two names and the first number that is available to them on Gmail. And then
the post codes. Those post codes are all, all have issues as well or connected to the
other information mean that you would have doubts that they are trustworthy.
Another example of the phone numbers and the similar patterns of the emails
and the Yeah, the consecutive pattern things being done very quickly back to back in the
short space of time, you get sort of 50 or more applications that come through.
This is an example. These are some examples of the problematic answers that you might find
this one is really challenging, because we are all trying as hard
as we can to connect with young people who may not
usually be represented in the type of work that we do. And so I, for one, made a number
of allowances, thinking that I was encouraging and supporting people who maybe had lower
understanding or use of English into events, consultations and whatnot, and giving people
the benefit of the doubt, and then realised kind of halfway through that actually these people
were not genuine. They were not genuine people. They're not contributing to the consultation,
and when they were prompted to their answers were super generic. Just repeated what other
people said. The voices sounded pretty dubious, too. It actually felt to me like they might
be using some kind of like voice decoder or something like that. It was, it was pretty,
pretty disturbing what was going on. And then then looking back at their applications and starting
to really get concerned that the information there is just either chatGBT or is just very,
very basic to the point of just not giving you enough confidence that this person is legit,
and that's where the screening call really helps. So if I am nervous that somebody may be a bot,
and I give them a call so I'm nervous they might be a bot because their answers are really generic
or really basic, or not really what I expect to see in a survey. If I then give them a call,
and they pick up the phone and I have a chat with them, and I think actually, this is a young person
who's just never done anything like this before, and they just haven't got some of the language
that we would expect young people to have, or they're, you know, working out what they think
about this issue, then I would feel comfortable to then invite them to the consultation. But if
I call that number and it's not connected, then so many alarm bells are going off in my head
at that point. But I think, I think I can legitimately say that this person is a scam.
And then, yeah, this point here about
if 40 people have said they were part of a, you know,
a workshop that only had 12 people, then you're immediately going to think, okay,
something's going on here. Something's wrong. Because if you've they found that
information somewhere, or you've given it to them, it's earlier in the form,
and they've just reused it at that point to make it look like they're genuine and real.
and then they might also be pretty over eager about the compensation.
I don't know if anyone else has experienced this,
but we had quite a few circumstances where people were messaging us, like hourly,
pushing us for, you know, compensation, as they put here, the payment. The other one that we've
had is around so we use giftpay, the online platform for paying people by vouchers or by
gift cards if they choose that option. And we've had people messaging us saying, oh, you know,
I'm on holiday in America, and want to know how I can access this internationally. And again,
at the time, I was thinking, oh yeah, gosh. Really is annoying, and try to help them do it. And then,
in hindsight, realised what the heck was I doing? This is clearly a scam, so it's easy to get caught
up in that moment of trying to be inclusive and supportive and recognising that there are, there
can be times where we do have to be vigilant, we have to ask questions, and it is okay to say no
when you're running those sessions Here are some ideas of things that you can do,
screening participants we've mentioned a couple of times now, ensuring that event
links and passwords are secure and safe and only shared privately, as opposed to publicly,
asking for the camera to be on for the first five minutes for identity verification might
work for most people, but there may be times where that doesn't work for young people, particularly
those with disability and thinking about what other options could look like. So for example,
the screening of the call, screening of the caller, might work as a better option for for
certain young people. And whilst we want to have an equitable system and approach,
it's also okay to have an approach that responds to the needs and the access needs of individuals.
So you may not have the exact same approach for every participant to verify their identity,
looking out for that suspicious behavior in the session, eg, duplicate attendees.
If you've got any concerns, there's any duplicate attendees thinking through how you verify that?
We've got there about contacting a moderator or manager, whoever's in a decision making position,
who can decide what you do in that moment, whether you're going to remove that
person making a child safe report. If there's people in your events that
you think are aren't young people, or are dubious
identity, and if you think the session has been compromised,
you want to let people know, debrief with your team and possibly make a report as well,
in terms of payments requiring those Australian contact details
not making international payments using things like going out of your way to
use other systems like PayPal, that kind of thing. People have told us,
you know, as soon as somebody's making it hard for you to make a direct bank
payment, then that, that you know, that's a flag, that's a that's a that's a warning sign
that something's going on. And my suggestion is to call anyone you have suspicions about to
discuss further. May not be you doing that. You may have you may not feel like you're the right
person to do that. But considering who might be at nine times out of 10 if it's a scam,
the phone number won't even work. So that is, again, the absolute red flag to be able to say,
look, and you may or may not contact them. You may just ignore them, or you may let them know
then reporting. There are a couple of key websites to be aware of, scam watch and cyber.gov.au,
both have a lot of information about scams, but honestly, the truth is that these are pretty small
fry scams. It's unlikely that, I think that anybody's going to do an awful lot about it,
in my opinion, but that doesn't mean that we shouldn't report them. If the information and the
data gets through, they build up a better picture and can create better advice for us. But yeah, we
went through a process of reporting it and didn't hear anything back when we did it a couple of
years ago. So just just to sort of flag that it's probably unlikely that there would be a lot of
we keep a list. So after an event that we think
has been compromised and there's been a lot of sign ups from scams and bots,
we add that to an Excel spreadsheet. So we've actually got, I mean, hundreds and hundreds now
listed on them. Just copy and paste them from the download you know of the rego's,
yeah, letting your manager and supervisor know ASAP in order to plan any follow up that might
need to be done. If you run an event with young people and you think someone was in there that
shouldn't have been, you'll need to think through what you do to respond to that. How do those young
people and or parents or carers need to know that somebody might have got their contact
details, for example, that's something to think through. If, if you've shared information
privately with those in the who are in attendance, the risk is pretty low there. But if, for any
reason, there's any potential to find people's contact details through, like an event invite,
for example, that's, that's something to think through, and then, yeah, the last point is just
talking to other staff and teams like it's pretty vulnerable place to be. You can feel like it's
personal. You can feel like you've done something wrong. And I think my main advice is just to urge
us all to be talking about this stuff, sharing it, sharing how we respond to it, so that we can
get better at it over time and not feel like it's a personal situation or a slight on us.
I think that brings us to the end.
