What scambaiting is and how it works

Scambaiting is the practice of deliberately engaging with scammers, often with the goal of wasting their time or exposing their tactics. Even if it feels harmless, interacting with scammers can expose you to risks like identity or location exposure, manipulation, malware, and potential legal issues.

In this article, we’ll explain what scambaiting is, how it works, and the risks involved. We also touch on the legal and ethical boundaries to consider and offer safe and practical steps to take if you think you’re being scammed.

What is scambaiting?

Scambaiting is the act of intentionally prolonging an interaction with a suspected scammer. While it’s done for a variety of reasons, the main intention is typically to waste a scammer's time and resources or gather information on them. However, many scambaiters also use it as a form of entertainment, streaming or posting their interactions online on popular platforms like YouTube or Twitch.

Scambaiting can carry substantial risks. Scammers can be unpredictable and even dangerous, so the safest course of action if you think you’re being scammed is to avoid engaging and report suspicious interactions to the relevant authorities.

The role of scambaiters in exposing scams

Scambaiting is sometimes framed as a legitimate form of defense against online fraud because it can expose the social engineering patterns behind scams. When these tactics are shared publicly, they can help others recognize and protect themselves from similar scams.

By wasting a scammer’s time, scambaiters may also indirectly reduce the number of potential victims, limiting scammers’ opportunities to succeed.

In some cases, evidence gathered by scambaiters has supported real law enforcement investigations. One U.S. Department of Justice case from 2025 described how YouTube scambaiters helped dismantle a $65 million fraud ring. Popular scambaiting YouTubers coordinated with each other and with law enforcement to gather information and assist with identifying several perpetrators.

Tactics used by scambaiters

Most scambaiting follows the same basic idea: keeping a scammer engaged without providing anything that could lead to account access, payments, or real personal information. The overview below covers how scambaiting typically works.

Common techniques and approaches

Scambaiters often keep scammers busy by stretching out the conversation, asking repetitive questions, or requesting the same information multiple times.

A study on scambaiting published by researchers from the University of Turku identifies four levels of this behavior: wasting time, annoying scammers, publicly making fun of scammers, and collecting information or assets that may be used to assist authorities.

Time-wasting and annoyance are often achieved through:

• Mock compliance: Maintaining the appearance of cooperation without completing any action that would enable fraud. In some cases, scambaiters pose as the vulnerable victim that many scammers are looking for, creating the potential for a longer interaction.
• Dead-end paperwork: Particularly in email-based scams, scambaiting can involve ongoing correspondence revolving around verification or clarification that never produces a result.

Some companies have even released AI tools specifically designed to engage in certain legitimate scambaiting behaviors. For example, U.K. telecom company Virgin Media O2 has developed an “AI granny” to keep scammers on the line, wasting their time and keeping them away from real victims. Meanwhile, New Zealand online safety non-profit Netsafe has developed Re:Scam, an automated email tool designed to keep scammers occupied.

Risks associated with scambaiting

Scambaiting can come with real tradeoffs, including legal consequences, ethical pitfalls, and situations that put vulnerable people at greater risk.

Scambaiting tactics that cross the line

Scambaiting can create ethical and legal problems when it shifts from documenting scams to targeting individuals, exposing personal information, or involving third parties.

Below are examples of scambaiting-related actions that are especially dangerous:

• Publishing personal information or “naming and shaming”: Sharing phone numbers, addresses, workplace details, or other identifying information is known as “doxxing” and can harm innocent people, potentially exposing scambaiters to legal liability. Misidentification is also possible, particularly when scammers use stolen identities, spoofed numbers, or fake accounts.
• Pulling third parties into the interaction: Using real businesses, real phone numbers, or third parties as bait increases the risk of collateral harm. Requests for the scammer to contact someone else, forward money, or relay information can also be seen as participation in a scam and could have legal consequences.
• Humiliation-driven or harassing engagement: Scambaiting content that prioritizes embarrassment or retaliation increases the likelihood of escalation and can encourage behavior that targets people rather than innocently exposing scam patterns.
• Sharing sensitive or victim-related information: If an exchange exposes personal information about victims or other targets, amplifying it online can cause secondary harm. Republishing screenshots, recordings, or logs without removing identifying details can expose people to further targeting.
• Encouraging escalation or replicable tactics: Publishing step-by-step tactics or operational details can possibly increase risk by prompting others to engage directly with scammers. Educational content is safer when it focuses on recognition and reporting rather than on engagement methods.
• Technical interference or “hacking back”: Interfering with scamming operations through technical means often involves unauthorized access to systems and can carry serious legal and security risks. This activity could expose devices to malware, alert the scammer, or even lead to criminal consequences.

Legal implications and boundaries

Attempting to access or interfere with another party’s computer systems is generally prohibited under laws like the Computer Fraud and Abuse Act (CFAA). In the U.S., the 2017 Active Cyber Defense Certainty Act (H.R. 4036) proposed some narrow exceptions for those engaging in cyber defense, but it did not become law.

Actions that may carry legal consequences include, but are not limited to:

• Unauthorized access: Viewing, changing, or deleting files on someone else’s device or network.
• Installing tools or exploiting systems: Deploying malware, remote access software, or attempting credential access.
• Impersonating officials: Claiming to represent a government agency, financial institution, telecommunications provider, or customer support team.
• Handling money: Moving, redirecting, or taking possession of funds connected to fraud, even with the intention of returning them.
• Becoming part of the scam: Relaying messages, introducing others, helping test payment methods, or otherwise assisting the operational steps of a scam.
• Interfering with investigations: Alerting scammers to law enforcement interest, disrupting activity patterns investigators may be monitoring, or destroying potential evidence.

Laws and enforcement standards vary by country and jurisdiction. When encountering suspected scams, the lowest-risk approach is generally to disengage and report the activity to the appropriate platform, financial institution, or law enforcement agency rather than attempting to intervene directly.

Understanding scammer tactics

Many modern scams fall under the broader category of phishing, a type of social engineering in which scammers impersonate trusted individuals or organizations to manipulate people into revealing sensitive information, granting access to their devices or accounts, or sending money.

Most of these scams follow the same formula: the scammer pretends to be trustworthy, presents a sudden problem or prize, pressures the target to act fast, and pushes for payment or information in a specific way. This is anecdotally known as the “4 Ps”: Pretend, problem, pressure, and pay.

Using the “4 Ps,” scammers may attempt a wide range of fraudulent activity. These are a few common scam tactics that scambaiters often engage with:

Phone calls and voicemail (vishing)

Vishing scams ​​use spam phone calls or voicemails to impersonate authorities like banks, tax offices, or customer support. The goal is usually to access your sensitive information, such as identifiers, one-time passcodes, or requests to “confirm your details” under time pressure.

If the scammer gains your trust, they may shift the conversation toward payment instructions, asking for gift cards, wire transfers, or cryptocurrency. In tech support scams, the request might shift toward remote access or screen-sharing so the scammer can access sensitive information under the pretense of “fixing” your device.

Be aware that Caller ID can be misleading. You might see a familiar brand, such as Spectrum, on the display, but that doesn’t guarantee the call is legitimate. Scammers can use caller ID spoofing to make their calls appear to come from trusted organizations.

Texts and messaging (smishing)

Smishing, or SMS phishing, typically begins with a short, urgent alert. Some examples might include phrases like “suspicious activity,” “package held,” “refund pending,” or “account locked.” These are designed to prompt immediate action.

The message usually includes a link that moves the scam from a text to a website designed to capture sensitive information, like passwords or credit card details. The site may use a misspelled domain, a look-alike URL, or a shortened link that obscures the final destination.

Email phishing

Email phishing often follows a similar structure. Messages designed to seem legitimate may promise prizes, refunds, or urgent threats, encouraging you to click links or open attachments like “documents” or “forms.” Successful attacks can lead to credential theft, payment fraud, or further impersonation scams.

Pop-ups and fake alerts

Fake alerts and pop-ups are commonly associated with tech support scams. These messages use alarming language such as “virus detected” or “device compromised” to trigger panic.

The page may then display a phone number and push you toward a call where the scam follows a tech support script. In these scenarios, the interaction often escalates into requests for remote access or payment, framed as necessary to “fix” the issue.

Practical tips to avoid scams

The most effective way to stay safe is to avoid engaging with suspected scammers altogether. The following tips can help reduce your risk of becoming a target:

• Be careful with unsolicited contact: Treat unexpected calls, texts, emails, or messages as suspicious, especially if they create urgency or pressure you to act quickly.
• Verify the source: If a message claims to come from a bank, service provider, or government agency, use official contact details from their website or statements rather than links or numbers provided in the message.
• Avoid clicking unknown links or attachments: Phishing links and malicious attachments are common entry points for credential theft and malware.
• Never share one-time codes or passwords: Legitimate organizations are highly unlikely to ask for verification codes, recovery keys, or passwords over email, text, or phone.
• Be wary of unusual payment requests: Requests for gift cards, cryptocurrency, wire transfers, or secrecy around payments are strong indicators of fraud.
• Use built-in reporting tools: Report suspected scams to the relevant platform, email provider, financial institution, or local consumer protection agency instead of responding.
• Keep software and devices up to date: Security updates can help reduce exposure to known vulnerabilities that scammers and attackers exploit.

Focusing on scam prevention and disengagement carries less risk than attempting to confront or outmaneuver scammers directly.

Can a virtual private network (VPN) protect you from scammers?

A virtual private network (VPN) is designed to protect your privacy by encrypting your internet connection and masking your IP address. This can help limit the amount of network-level information that websites, advertisers, and third parties can observe about your activity.

For example, a VPN can help limit the exposure of your IP address and approximate location if you mistakenly visit a suspicious link, and it also impedes potential scammers and other third parties from IP-based activity tracking. Some VPNs also include features that block known malicious domains or trackers, like ExpressVPN Threat Manager, which can reduce exposure to phishing sites.

However, a VPN is not a scam-prevention tool. It doesn’t inherently block phishing attempts, stop fraudulent calls or messages, or prevent someone from being manipulated into sharing sensitive information. Most scams primarily rely on social engineering rather than network surveillance.