Some of America’s poorest people are being targeted by cyber-scammers. Can an errant hacker find the culprits?


IF YOUR JOB involves scamming people, Mike Davis might be the last person you’d want to target.

Mike breaks things apart for a living. He’s paid by companies to find security flaws in the electronics they sell. He’s a masterful coder and a compulsive tinkerer. He earns a six-figure salary and travels the world on top-secret corporate jobs, yet prefers to work in his bedroom-cum-office, where he pulls apart printers and phones and keyboards.

Like many hackers, Mike is quirky, obsessive and smart. Unlike many of them, he is multi-talented. Mike is a digital Merlin, working magic not only with software, but chemicals and electrical components too. He might break into a client’s system via the internet. Other times he’ll concoct acid mixtures in his kitchen, which he uses to burn away the resin atop microchips and expose the secrets hidden inside.

I first hear about him from a hacker contact, who mentions that Mike stalks internet criminals in his spare time. My contact says that Mike has picked up a new obsession. He tells me Mike has a lead on fake debt collectors who are infiltrating the murky payday loans world. The fraudsters’ victims are desperate people who had done nothing but apply for loans online.

Illicit activity, innocent victims and aggressive scammers?

I called him.

Those who imagine cybercrime as a high-tech enterprise underestimate the importance of psychology. Nigerian fraudsters advertise lottery caches that will never be won. Non-existent goods sell on eBay. Bogus technical-support experts call with news that a computer has a virus, and offer to fix it for a fee. Those who accept help find that their clean computer has been infected with software that steals passwords.

There is a term for this kind of deception: social engineering. And experts say that it’s becoming more common. Kevin Haley, the director of security response at the computer security firm Symantec, says that cybercrime relies more and more on “intimidation, bullying and threats.”

Mike’s encounter with these scammers began one rainy day in January of last year, he says when I call. His voice is flat and matter-of-fact; he could be an accountant discussing a company’s tax return. He tells me it started with a text message: “Do you need up to $1,600 today? It’s secure and takes only a minute at”. Mike, who is 34, was on a job for a major software manufacturer and was bored, so he signed up for a loan using a fake name, just to see what would happen.

In a few minutes he was bombarded with offers of money. But, as is often the way with Mike, he got distracted and moved on — that is, until a voicemail arrived a couple of weeks later. The caller identified himself as Jose Garcia from Jackson & Associates, a Texas law firm. Garcia said that he was acting for a payday loan company, and that Mike — or, more accurately, Mike’s fake identity — owed the firm hundreds of dollars. Garcia didn’t seem to know that Mike had never taken out a loan. Or perhaps he didn’t care. He just made it clear that there would be legal action if Mike didn’t pay up.

There is a Jackson & Associates in Texas. Mike knows because he contacted the firm, and they said they knew nothing about the call that he had received.

Every vigilante needs a cause. Now Mike had one.

NO ONE WHO has driven through a low-rent neighborhood in a major city can stay ignorant of the payday loan industry. Neon signs shout from grim storefronts, offering immediate short-term loans to those cornered by their finances.

Over 10 million people in the United States take out these loans every year, spending more than $7 billion in the process. And the industry is expanding beyond street corners and onto the internet, where lenders can take advantage of the web’s anonymity and tap a huge customer base. Sixteen percent of US payday-loan customers now find funds exclusively online, and it’s an area of the business that is growing rapidly.

People take out payday loans because they need cash, and they need it quickly. Sometimes it’s to fix an unexpected problem — a broken appliance, perhaps, or a broken leg. But researchers have found that almost seven out of ten borrowers use payday loans to deal with everyday expenses. For those on a low income or with bad credit, a payday loan may be the only way to avoid eviction or to pay for dinner. The only proof of credit applicants need to show is that they have a pay check coming; the lender then covers the shortfall until it arrives.

Often, though, payday loan customers can’t repay. One study found that almost three out of every four payday borrowers failed to do so in the window available. That’s where the cycle of debt begins. Interest — the annual rate on a payday loan averages 350 percent, though it can go higher than 4,000 percent in some cases — is added monthly to the original bill, pushing the borrower further underwater. The average borrower takes out not just one loan, but eight, each one lasting 18 days, according to researchers at the Pew Charitable Trusts. These loans are typically around $375 each, but they rack up a total average annual interest payment of $520.

As Mike discovered, borrowers can sometimes be exposed to more than just hefty interest charges. Others have received similar calls. One October day in 2010, a man named Mark Merola was working the counter at the Red Sauce delicatessen in The Villages, a lakeside town in Central Florida, when he got a panicked call from his wife. She’d been contacted at home by someone from a law firm, who had told her that Merola owed money to a payday loan company. There would be legal ramifications if he didn’t pay, the caller said.

Merola had taken out a payday loan to cover some business expenses a few years back, but he was sure he’d paid back what was owed. Yet when he called the number, the attorney on the end of the line said that the local sheriff was involved: “He said that he knew where I was working, that he would have warrants and that within three hours they’d take me away in handcuffs.” Merola was rattled. The thought of law enforcement swarming the deli scared him. He didn’t want to risk his job. “I thought about sheriffs coming in the store.” The attorney asked for $523 to clear up the incident; Merola got out his debit card and paid.

The following day, Merola called the sheriff’s office. He found that there was no lawyer, no lien and no trace of the man he had spoken with. The caller, along with Merola’s money and pride, had vanished. “I felt like a sucker,” he said.

MIKE LIVES IN Fremont, a trendy district north of Seattle’s downtown that’s known as a haven for alternative types. Even there, though, he doesn’t quite fit in.

Take his apartment: it isn’t one. From the street, a glass door opens onto a concrete retail space with 25-foot high walls. The windows are covered by blinds. Ceiling-mounted halogen tubes cast a low glow that leaves the corners dark. Delicious smells from a neighbouring sushi restaurant occasionally fill the space, but Mike’s own kitchen is rarely used; obscure electronic components and dismembered gadgets crowd the counters. The floor is covered in random detritus: a single white sock, a piece of fuzzy green string.

Mike is olive-skinned, heavy-set and uninterested in niceties. I ask about his apartment, but the conversation soon veers off course. He sounds off about flaws in airline security and his tendency to carry pot in his bags when he flies, only flashing his medical license for marijuana after the drugs are discovered. Then he hands me a pink explosives handbook and says he once had a license for handling low-powered explosives in New York State, back when he used to build rockets for a hobby. He carries on jumping from subject to subject: the likelihood of a terrorist nuclear attack on the United States; the most efficient ways to kill large numbers of people. He tells me there is a much easier way to do it, without actually explaining how.

I’ve been warned that he is nervous of visitors and lives with a single companion: a feral cat he’s been caring for since it was a kitten. I ask where it is. “It’s scared of people,” Mike says. “It normally hides when they come over.” In the two days I spend with him, it never appears.

We head upstairs, to the place where Mike runs most of his online investigations. His bed nestles in a corner of the loft, at the end of a large desk with a thick plastic top. A 30-inch display — the largest he could find — sits on top, with long rows of tabs crowding his browser windows. It’s clear there’s no real line between work and play; Mike says that he often wakes up and just moves straight to the desk.

I came to this hidden bunker to watch Mike practice his new hobby: tracking scammers like Garcia. It’s time to start. Mike sits down, leans forward in his seat and begins the chase.

His first step is defensive: the creation of a software shield that will hide his identity. He boots up a computer containing a version of Windows that’s cut off from the rest of the machine. It’s a digital Russian doll, a computer within a computer. His sleuthing may attract attention, but any hacker who penetrates the inner realm would probably never know there was a larger doll wrapped around it. And when it’s all done, Mike will delete the hidden computer and any unwanted software that may have slipped into it.

The website mentioned in the text message he’d received has disappeared, so Mike starts with a big player in the world of payday loans: a Florida-based outift called Lead Flash. The company specializes in funneling information on loan applicants to lenders, a process known in the trade as ‘lead generation’. Submitting an application to a Lead Flash website will be a good route into the network of companies that make up the industry.

The glow of the screen paints Mike’s face as he picks a name at random from a list of those owned by Lead Flash’s parent company, Regency Marketing. He picks out The site flashes onto the screen. It feels wholesome. The name is picked out in a calming green, bordered by leaves and watery blue brush strokes. A family photograph dominates the page. Everyone is smiling. Hovering in the deep blue sky above their heads is a come-on in bold white lettering: “You Could Get CASH.”

Payday loan websites ask each applicant for a ream of details: wage, frequency of paychecks, employer’s name, bank account details and more. Mike conjures convincing answers. He pulls up Fake Name Generator, a site that creates not just fictitious names, but whole identities: addresses, jobs, dates of birth, credit card numbers and social security numbers. It even generates a mother’s maiden name.

Mike casts his hands over the keyboard, and makes like God.

AND SO MARY COX IS BORN, at the tender age of 65. Mary gets paid twice a month by the local Safeway in Burbank, California. She’s worked there for less than a year. On her birthday, June 12, she will probably invite friends over to celebrate at her home, which she owns but which, like Mary, doesn’t exist. She’s scammer bait, an applicant designed to sound financially vulnerable, like someone who might miss payments. “I get a mental boost when scammers call,” says Mike, “because I know they’re trying to screw over the poorest people.”

Finally, Mike enters Mary’s plea. “I need $300.”

The application form doesn’t ask why.

Mike hits send and sits back as Mary’s information skitters off to Florida. Its journey is being watched. Mike’s computer is running software called Burpsuite, a kind of stenographer for his internet connection. It starts spitting out data. His browser is talking to TrustedPayday, and Burpsuite is listening in and noting every word they exchange. Soon it picks up new voices.

TrustedPayday has gobbled up Mary’s information and is alerting other sites, with names like Somewhere in the machinery that processes payday loan applications, decisions are being made. In just a few minutes, loan offers begin falling into Mary’s inbox.

We’ve just watched Mary’s identity get turned into profit before she’s even taken out a loan. The process relies on an efficient division of labour. Most payday lenders don’t have the expertise to find customers themselves; lead generation companies, by contrast, are experts at getting in front of people looking for payday loans. Lead Flash alone may have tens or perhaps even hundreds of sites like TrustedPayday in operation at any one time. And while the page designs and website names change, the model that underlies them is the same: application details from people in need of money are acquired and sold on.

The trades happen quickly. Offers are streaming in. Mike is excited. He creates another new identity, Nellie Beem, and fills out more forms at the sites advertised in the emails that Mary is receiving. Nellie’s details are sold on too. Mike’s fictional alter-egos are spreading outwards. They’re being processed by software algorithms, becoming commodities in a web of unseen buyers and sellers.

And somewhere in that web is a scammer.

MIKE’S EARLY LIFE sounds lonely: an only child brought up in Pennsylvania and New Jersey by a single mother whom he describes as financially gullible. In the nineties, when Mike was a teenager, the keys to the Internet were controlled by service providers like Compuserve. Desperate to stay online, but broke, he looked for ways to get money. Mike doesn’t like to say how he solved the problem, but it was not by legal means. Eventually, the authorities arrived. “It isn’t easy, having an FBI agent visit your house,” he says. The episode ended with a few months in a juvenile detention center.

Mike had a string of tech jobs after high school, but in the early 2000s he found the Hacker’s Halfway House in Brooklyn, a loft apartment with a live-in crew of talented tech-heads. These were his people. They would spend days inventing weird and wonderful devices, including a robot that could swing down ropes to spray paint the building.

Hearing all this, I start to warm to him. I, too, found in my computer a refuge from the outside world. As a teenager I hung out at computer clubs, swapping floppy disks with friends and getting together to compare the software we’d created. I’ve always been interested in hacking — and in people who break things apart to make them better. And for all Mike’s quirks and nerdy focus, I saw that he wanted to do more than just make things work better. He has a sense of social justice. If he sees someone making life miserable for someone else, he wants to take them down.

The next day, riding back on the bus home to Canada, I look back over what happened and realise how murky the investigation remains. Mike hasn’t been able to work out how Jose Garcia got his details — or if that’s even his real name (fraud reports online suggest the same number is being used by callers with a range of different identities). He’s going to keep probing the technical side, studying payday loan domains and trying to understand how contact details get from a website and into the hands of scammers. I decide to dive into the public records on Lead Flash. I also want to recreate the scam call that Mike says he received from Garcia. But even more than either of these things, I want to check out how people’s data gets bought and sold — in the flesh.

IF LEAD GENERATION has a heartland, it is Boca Raton — a place that has made the manipulation of the invisible its business.

The city’s population was only around 700 when the US air force brought thousands of servicemen and their families to the area in the 1940s, in part to work on radar. When I arrive, Boca Raton feels pretty but hollow. It sits on Florida’s Atlantic coast, a spiritless landscape of gated communities and shopping districts. In a Starbucks in Mizner Park, a Romanesque retail development, I ask about the city’s downtown. I’m told it doesn’t really exist.

Lead Flash and many other lead generation outfits currently call Boca Raton and the surrounding area home. But just over a decade ago, the region was reliant on another sizeable online industry.

“Boca Raton was the birthplace of spam,” Adam Taub tells me, sitting behind a desk in his West Palm Beach office.

For somebody labeled an aggressive spammer by international group Spamhaus, he seems remarkably candid. Dressed in a dark golf shirt, with a couple of days’ beard growth and slicked-back hair, Taub tells me the history of Estrela Marketing. He started the company in 2003, with the aim of making money by sending millions of marketing emails. “Twelve years ago it wasn’t considered spam,” he says. “It was just another way of advertising.”
Even though the United States passed anti-spam legislation the same year that Estrela was founded, Taub cashed in at first. But advanced filtering — and aggressive efforts by Internet service providers to weed out bulk emails — made it less profitable. “It’s much harder to get into an inbox now,” he says, with a hint of disappointment.

The economic downturn didn’t help either, and in Boca Raton spam is now overshadowed by other forms of online moneymaking, lead generation chief among them. Some people got there early. In 2002, while email marketers were reaping rewards by clogging up inboxes, businessmen Jeffrey Kleiman and Brian Clouse founded Regency Marketing. Although some of Regency’s companies have received complaints — its Patriot Web Marketing has an F rating with the Better Business Bureau — Lead Flash has garnered respect. In 2009, just three years after launch, Lead Flash brought in $50 million in revenues and was named by Inc magazine as one of America’s 500 fastest-growing private companies.

It is not, however, particularly communicative. Neither Clouse nor Kleiman return my email requests for an interview about the lead generation industry. When I finally reach Clouse on the phone, he brushes me off: “I don’t think we’d be interested.” I keep talking, but he complains that he can’t understand my East London accent. Before practically hanging up on me, Clouse suggests that I leave Kleiman a message. I do. It goes unreturned. After this, nobody at Lead Flash will answer my calls or respond to questions about this article or any links to Garcia or other scammers.

Former employees are more talkative. “They sell college leads, they sell auto leads, they sell all types of leads,” says one, when we meet at his home. “But payday loans are where they make most of their money.” The applications come in from across the United States and are channelled to a waiting world of lenders. And in the middle is a mysterious software algorithm: the pingtree.

The pingtree works like a huge, tiered filter for leads. Payday loan companies start by specifying the type of loanee they’re looking for, using criteria like zipcode and income. Lenders also put a price on each bid. The bigger the offer, the higher the tier it occupies. When a new lead arrives, it’s placed at the top of the pingtree, and, if it matches the criteria of any top-tier bids, is offered to bidders. If it doesn’t match, or the bidders pass, it is deemed less attractive and falls to the branch below.

The prime leads at the top are worth between $135 and $185, says Jer Ayles-Ayler, founder of Trihouse Consulting, which advises companies on setting up payday loan businesses. But prices can fall off rapidly as the lead tumbles down, with bottom-feeder lenders paying as little as $3 for a lead. Many companies squeeze maximum profit from the leads they buy by re-selling the information if the applicant doesn’t take out a loan. With each step the information gets further from its source. In the end, data is often re-sold so many times that the path from one end to the other becomes impossible to trace.

For lead-generation firms like Lead Flash, the pingtree is where business really happens. It’s an operation that works quietly, quickly and efficiently, within a leafy complex close to where IBM developed the personal computer. I decide to visit early in the hope of springing a spontaneous meeting on Kleiman or Crouse.

The office is difficult to find; it isn’t even listed on the electronic building directory. I spot an employee going into the side entrance, and he lets me in after I explain that I’m trying to catch up with Jeffrey or Brian. He leaves me in a sleek lobby and tells me to wait for someone to arrive.

Transparent, sculpted plastic twists from floor to ceiling, framing the company’s name, which is emblazoned in silver lettering on a curved blue wall. I look inside one room and see three screens wrapping around a desk, like a mission control console. I walk over to what looks like a boardroom, but my movement sets off a control system. Lights flicker on and the executive reappears. Angry, he bustles me out of the office.

I decide to cruise by Kleiman and Clouse’s houses instead. According to public records, Kleiman paid $2,625,000 for his eight-bathroom, 7,094 square foot property on the water. I find it: a sun-yellow mansion completely protected by gates. Clouse, too, lives in a private enclave. This is a place that Google Street View can’t penetrate. You can guide Google’s camera up to the gates of the vast stucco complex where Clouse lives, but no further. I did the same with my rental car, only to have a guard saunter out and refuse access.

“JUST GOT OFF THE PHONE with scammer,” reads the text from Mike. “He wants Western Union or MoneyGram.”

It’s a few weeks later, and finally the bait has been taken.

A scammer had called Nellie Beem, the identity Mike created soon after Mary Cox sent her details into the pingtree. He isn’t sure which site passed on Nellie’s details, or who owned it, or how many steps it took for her information to get into the hands of a fraudster. But it got there. The caller came out with the usual lies: an unpaid debt; a threat of legal action; the need for immediate payment.

Mike agrees to pay because it forces the scammer to reveal what he needs: the name of the person who will pick up the money. The scammer tells him that a woman, whom I’ll call Jennifer, will collect it from a Western Union office near her home.

Discovering her identity prompts Mike, as he puts it, to “get all OCD”. He opens an empty email to me, gradually filling it out with notes, a rolling series of discovery and commentary on Jennifer’s life. Most of the information he uncovers using free services: Google Street View to learn about Jennifer’s hometown in the Midwest; public records to identify her as a schoolteacher; mapping applications to find key addresses; a website called to track down family members. Within minutes, Mike knows her maiden name, her marriage license number and the addresses of her relatives, several of whom live near her.

A text message follows soon after the email: “Holy shit I just talked to Jennifer. She’s being extorted by these guys.” I feel his “OCD” sharpening into a sort of mania. He’s told Jennifer that he’s a researcher investigating the payday loan scam. But before he can get much further, she caves. “The very first thing she mentioned wasn’t ‘I don’t want to go to jail,” Mike tells me later. “It was ‘I’ll tell you anything you want to know, as long as no one comes to my house.’”

Jennifer is badly shaken by the call. She starts crying, telling Mike that her greatest fear is that her involvement with the scammers will get back to her small town, to the church she attends, to her family and local friends. She tells Mike that she got roped into the scam after applying for a payday loan, although she doesn’t explain how. Mike says that he is just a researcher, and that he is not going to get her into trouble. But he also says that she is laundering money.

The call unsettles him. “I will do anything to ensure that I never have to hear that woman crying ever again,” he tells me later. I get the feeling that, in Mike’s mind, other people’s emotions show up as noise: data that has no apparent purpose, and that his internal software cannot process. In this case, at least, his software gets a break. The local police turn out to be investigating the case; they call Mike later to say that they believe Jennifer to be an innocent party.

This might also be close to home for Mike. His mother, a low-earner, died six years ago, burdened by a mortgage that she could not afford. Mike moved into the house and cleaned up her affairs, gleaning just a tiny profit from the later sale. “My mother would be the kind of person who would have applied for a payday loan,” he told me. “She’d have been contacted by these kinds of people.”

At least in his conversations with Jennifer, Mike got another lead: the phone number of a man who Jennifer has been wiring money to.

I think that man is a scammer, a con-artist who defrauds the vulnerable. But I can’t prove that, for reasons that will become clear. So I’ll call him Mr. Smith — an homage to his bland, Anglo-Saxon name, which contrasts with his thick Indian accent. Mike calls him and applies his usual tricks, poking around the edges of this man’s invisibility, trying to find common ground and get the information he needs.

Almost immediately, Mr. Smith is skeptical. So Mike offers a gambit: he says he’s in the payday loan lead generation business, and can sell Mr Smith leads. How many leads does Mr. Smith typically buy? Three or four hundred per day. And for how much? 30 cents a lead, says Mr. Smith. It’s a far cry from the $100 or more that is common for leads generated by the major lead generation companies. Mike tells him that this is fortunate, as he may be able to beat that price.

“You don’t mind if I ask who our competition is, do you?” Mike asks. Mr. Smith provides a company name.

Mike has a source of the leads and a scammer. The quarry is in sight. Yet he is almost out of bullets. The company that Mr. Smith names is based in northern India. Its website is generic, and suggests no links to Lead Flash. It lists no phone, and the number in the site’s registration records goes unanswered.

I’ve got another issue on my mind. There’s something ragged about the path that Mike has taken recently. He recorded his internet phone calls with Jennifer without her permission, a potential misdemeanor in the state of Washington. Now he goes even further. With his options closing down, Mike builds a fake version of the Indian company’s website. This is called phishing, and it’s standard fare for criminal hackers. The fake sites are often used to steal passwords for online banks and other websites. It doesn’t take Mike long to build a fascimile of the company website, which he posts at a web address similar to that of the real thing. Then he has a female colleague call Mr. Smith and tell him that the company has moved the website to this new address, which is where he should now log in. Mike is trying to steal Mr. Smith’s password.

Such tactics trouble my ethics, but not Mike’s. After all, companies who buy his services pay him to think like a criminal. “I just finished breaking into a place,” he says, from the end of a phone line in Newark, New Jersey. “That’s pretty much what I do for my regular job.” He tells me that a data center is paying him to test its security. He printed out false passes to get into the parking lot and then the center itself. “You get to be the bad guy if you’re trying to do it for good reasons.”

But this time, playing the bad guy doesn’t help us catch the bad guy. Mr Smith doesn’t buy the phishing attack, and tells Mike’s colleague to “go to hell”. The trail is petering out. Mr Smith is too smart for Mike’s tricks. The company he works with is opaque. Jennifer is a pawn, not a player. We’re at the end of the chase, and we’re out of ideas.

IT TAKES ME several weeks to accept that the lead generation web is impenetrable, even to someone as skilled as Mike.

He fed an application into the web; someone, somewhere in the network sold the details to Mr Smith. But who? There is no way of knowing. The details could have been bought and sold countless times. Packets of data bounce around the network, crossing national boundaries and time zones in milliseconds. Mike knows Lead Flash scoops up some details, but there is nothing to link the company to the scammer’s phone calls, nor to anything illegal. Lead Flash is a big player in an industry that has many critics, but selling payday leads is not a crime — nor is keeping a low profile.

It’s not just Mike who struggles to get evidence. In 2012, the FBI asked for $166.5 million to fight internet crime. The bureau has cyber capability in every one of its 56 offices, with the greatest concentration in big cities like New York and Los Angeles. Highly skilled security professionals, many familiar with the techniques that Mike deploys, are on staff and available to work cases. Other agencies help when their expertise is requested.

Yet the chances of Jose Garcia or Mr Smith or anyone like them being identified and arrested are close to zero. It is simply too hard to follow the trail of communication that links criminal and victim. Email addresses and internet phone numbers are easy to obtain and hard to trace. Websites cost next to nothing to set up and can be registered anonymously. These are all the tools that many scammers need, and they are disposable. And when risks have to be taken, there are people like Jennifer to call upon. They’re disposable, too.

Things can get close to absurd when the crime crosses borders. John Bennett, who manages the FBI’s high-tech crime units in the San Francisco area, says he can use a warrant to identify a foreign scammer, but it’s a convoluted process that often works only in theory. He starts by working with an attorney to get a request to the Department of Justice. From there it’s forwarded to the relevant US embassy. An FBI agent on staff at the embassy delivers the request, sometimes by hand, to local law enforcement, who, if the request fits with their priorities, might draw up a warrant. Once it’s served, the information gleaned makes its way back to Bennett by the same tortuous route. The process might take six to nine months, and that’s for countries that cooperate with the United States.

“For China,” he says, “it’s probably not worth the effort.”

It is, of course, a matter of priorities. There are different systems in place for hackers who threaten national security. Warrants can be served rapidly when lives are at risk. But debt collection scams are further down the list, or often barely on it.

And yet fake debt collectors are a growing problem. The Federal Trade Commission, in its role as a consumer guardian, has received thousands of complaints since 2010 — and it has prosecuted at least one payday loan scammer. The FTC alleged that Varang K. Thaker, an Indian citizen living in California, was part of a ring that worked with Indian call centres to defraud American consumers of $5.4 million. Thaker settled the case in 2012 and agreed to pay $170,000, though he admitted no liability and claimed in his defence that he was a victim of the scam, not the mastermind behind it. Jason Schall, an FTC attorney who has worked on cases involving payday lenders, says that often even the commission finds it impossible to determine how fake debt callers get their information.

Law enforcement’s priorities aren’t necessarily misplaced. But they do have consequences, one of which is that Internet crime has become like real-world crime: it disproportionately impacts the poor and the uneducated. A skilled vigilante might feed the authorities leads, but that’s of little use if they are busy elsewhere. “I can dig up as much as I can,” Mike told me recently. “I feel like I have Mr. Smith pretty solid, money mule included, and there’s nothing I can do.”

Mike is frustrated, but in a Mike kind of way. His voice never wavers. There is no stress. He treats it like an engineering problem that, for the time being at least, has stalled.

In any case, there are other things to do. Mike has security conferences to prepare for and electronics to hack into. Jeffrey Kleiman and his partners have leads to process. Halfway across the world, Mr Smith has personal information to buy and people to scam. The FBI has bigger cases to chase. And meanwhile, dotted across America, people have screens to gaze at, as they wonder how to make their next car payment, or how to cope with their kid’s birthday. Some will be filling out loan applications. A few days later, the phone will ring. And some of them will pay.

For more on MATTER’s decision to hide the identities of Jennifer and Mr Smith, see our blog post on sources, anonymity and libel laws.

MATTER: The best writing, the biggest ideas.
free download

This story was written by Danny Bradbury, edited by Constance Hale, fact-checked by Sophia Li, and copy-edited by Lucy Odling-Smee. Illustrations and photography are by Shutterstock, and Andy Cresswell narrated the audio version.