Posted March 1st, 2016
Apartment hunters in big cities know the drill: They spot a listing for a well-priced, attractive place and make an inquiry, only to be met with demands for an instant credit check or an upfront fee to access the full listing. Savvier home hunters spot these scams immediately, but others fall through the cracks, making popular rental listing sites like Craigslist a highly lucrative spot for fraud.
A new study by researchers at the New York University Tandon School of Engineering finds that Craigslist fails to identify more than half of scam rental listings on the site’s pages and that suspicious postings often linger for as long as 20 hours before being removed—more than enough time to snare victims, especially in competitive housing markets.
The research team was led by Damon McCoy, an assistant professor of computer science and engineering, along with Elaine Shi, an assistant professor of computer science at Cornell University, and Youngsam Park, a doctoral student at the University of Maryland. McCoy presented the findings of their paper, “Understanding Craigslist Rental Scams” at the Proceedings of Financial Cryptography and Data Security Conference in Barbados this month.
Rental scams on Craigslist and similar sites are not new, but this is the first systematic, empirical study of these scams. McCoy and his team analyzed more than 2 million rental listings on Craigslist over a five-month period to gain an end-to-end understanding of how such scams are structured and which strategies may undermine them.
The researchers began by developing semi-automated detection techniques that proved highly effective at identifying potentially fraudulent listings. They isolated suspected scams based on shared characteristics; for example, common email addresses, postings with email addresses previously reported in connection to scams, or listings that appeared on other rental sites with different pricing or contact information.
Using an automated conversation engine, the team engaged some suspicious posters by email, which yielded another set of common features associated with scam communications, namely a set of keywords and personal circumstances—the responders always claimed to be out of the country—as well as common IP addresses and embedded links that prospective renters were asked to click.
McCoy and his collaborators detected and analyzed about 29,000 fraudulent listings in 20 major cities, ultimately mapping the listings into seven distinct scam categories, most of which involved credit card payments.
One of the most common was a credit report scam, in which a fraudulent poster instructs a would-be tenant to click a link and purchase a credit report. The scammer gets a referral commission from the credit reporting site even though there is no property for rent.
In another scheme, the “cloned listing” scam, rental listings from other sites are duplicated and posted on Craigslist at a lower price. Scammers make money by requesting a rent deposit via wire transfer from prospective tenants. By responding to these ads and analyzing IP addresses and banking wire information, the researchers learned that most of these schemes originate in Nigeria and are administered by a small group of “scam factories.”
Another pervasive scam involved “realtor service” companies, in which victims are asked to pay both an upfront fee and a monthly membership fee to access listings of pre-foreclosure rentals or rent-to-own properties. In the majority of cases, the companies leading the scams have no connection to the properties listed.
The researchers compared their tally of fraudulent postings with the number of ads flagged as “suspicious” by Craigslist, finding that the site caught only 47 percent of those determined to be fake. Additionally, they learned that for some of the most common scams—particularly the “cloned listing” scam, 40 percent of those ads remained active and unflagged for 20 hours before being detected by Craigslist. On average, Craigslist flagged fraudulent ads 10 hours after posting.
The team emphasizes that the techniques they developed to identify and understand the structure of these schemes can be used to improve the safety of rental site ads.
“This is the first study to really unpack these rental scams and uncover their vulnerabilities,” said McCoy. He explained that most schemes that utilize credit cards are based in the United States and should be vulnerable to disciplinary or regulatory action. He also highlighted that the common characteristics of scam ads should make them easier to detect. “We’ve shown that rental scams are often built on the same foundation—there are common templates, emails, IP addresses and other red flags that can be used to develop more sensitive detection techniques in the future,” he said.
The cities included in the study are: Austin, Boston, Charlotte, Chicago, Columbus, Dallas, Detroit, El Paso, Houston, Indianapolis, Jacksonville, Los Angeles, Memphis, New York, Philadelphia, Phoenix, San Antonio, San Diego, San Francisco, and Seattle.
The research team has shared the findings with Craigslist.
This research was funded through grants from the National Science Foundation and National Security Agency, as well as through the Packard Fellowships for Science and Engineering and Sloan Research Fellowship programs. Additional support came from the Google Faculty Research Awards and the VMWare Research Award program.
The NYU Tandon School of Engineering dates to 1854, when the NYU School of Civil Engineering and Architecture as well as the Brooklyn Collegiate and Polytechnic Institute (widely known as Brooklyn Poly) were founded. Their successor institutions merged in January 2014 to create a comprehensive school of education and research in engineering and applied sciences, rooted in a tradition of invention, innovation and entrepreneurship. In addition to programs at its main campus in downtown Brooklyn, it is closely connected to engineering programs in NYU Abu Dhabi and NYU Shanghai, and it operates business incubators in downtown Manhattan and Brooklyn.