Co-authored by Dimitris Dimitriadis and David Barnett.

The FCA has been naming and shaming financial scam domains for decades. Its “warning list” is probably one the most extensive databases of its kind.

But does it do a good enough job of actually warning people?

Let us begin with the FCA website, which would not exactly get full points for user-friendliness: locating the “watch list” is a task in and of itself, to say nothing of consulting and scrutinising it. Incidentally, the consumer watchdog Which? has previously urged that the FCA make its data more accessible including via an API. (They have not.)

That would help, but it wouldn’t solve the problem. And given the majority of people targeted by scams are not journalists or brand protection specialists, it’s fair to assume they wouldn’t necessarily bother with the warning list in the first place. Many, unfortunately, would only look up a company or individual after being scammed, at which point they come across the handy watch list. In which case, the purpose of the list ends up becoming confirmatory as opposed to precautionary, which, at the very least, does not quite live up to its name.

To put an even finer point to it, a warning list is only as good as its ability to, well, warn. People will be inclined to conduct the least amount of due diligence possible (or less) even when or perhaps especially when it comes to scam propositions, which are not known for their tendency to give prospects as much time and space as possible to carefully weigh their options and come to a sober decision.

The least amount of due diligence may look like this: I come across a domain, and I type either the domain itself in inverted commas (”...”) or the name of the business or individual into Google or some combination of the two. Now, if that domain/business/individual is on the FCA’s warning list, that entry will almost certainly come up on Google and most likely will be one of the first results.

Most blacklisted domains won’t even remain active to experience this effect. It’s unclear how many of those domains actually get taken down via intervention. It’s more likely that most domains get taken down by their owners relatively quickly, given the reputational hit they’ve sustained. From a sample of 4,000 domains we analysed—which we extracted from said warning list—fewer than 10 percent were still up, and of those, many more would be expected to go down within weeks or months once their presence on the blacklist becomes evident.

What of those that do persist? We mentioned ‘the least amount of due diligence.’ Well, what if there’s no due diligence at all? What if a person just clicks on a website and they happen to like what they see? You’d hope that say, the search engine or browser would give this person some sort of warning—assuming that the search engine knows this domain to be a scam or is very likely to be a scam and assuming, of course, that such data is publicly available and comes from a credible regulatory body. Granted, that’s a lot of assuming, but luckily for the search engines—and the rest of us enthusiasts—the FCA makes this data available (see the warning list). However, when we took a sample of one hundred live scam domains from said list, for some reason, virtually none seemed to have an unsafe warning attached to them. That is even though they would presumably meet Google’s definition of “suspicious” or “deceptive.” This indicates a possible failure or omission of ‘fraudcasting’ on the part of the FCA: that is, where a trusted provider pushes out feeds of known scam sites to the search engines.

Some of the scam sites that persist have another feature in common. Many of them seem to be part of any of a number of “clusters” of related websites built on a common template. This indicates, essentially, the use of a SaaS product, that is, Scam-as-a-Service. The premise of the business model is that scammers are inherently lazy, and they’d like nothing more than the ability to use a ready-made template and load it with often identical, copy-pasted content. Different URL, same content.

We detected tens of template clusters, each of which featured anywhere between a few to hundreds of URLs. How we detected those clusters is by using DomainCrawler‘s platform to extract HTML tags (meta description and h1)—bits of code that are replicated verbatim across a large number of domains. In our case, we noticed that the longer and more detailed those meta-tags, the more likely the query would return useful results and fewer false positives. A good example of a useful meta-tag query would be: “Trade with confidence on the world’s leading social trading platform.” A bad example would be: “Welcome to our bank” or “Financial.”

What’s more surprising than the presence of these template clusters is that, in many cases, only a fraction of them were on the warning list. And assuming at least some of those sites may be targeting UK customers, the FCA should be in a position to identify those proactively (and filter out false positives).

From a mere peek into the data—and some preliminary analysis—it, therefore, seems that the FCA “warning list” could, with a few simple and easy wins, go much further in terms of actually warning the (non due-diligent practising) public. It could also, it seems, proactively identify lazy clusters of scam sites that rely on the same template.