Somewhere right now, a scammer is connected to a virtual machine that contains nothing real. The person on the other end reads from a script about "infected computers" while the scambaiter on the receiving end stretches the call past the 45-minute mark. Every minute counts. Not for the scambaiter, who has time to spare, but for the scammer, who just burned a billable hour on a target who was never going to pay.
The Economics of Scam Operations
Scamming is a volume business. The FTC's 2023 Consumer Sentinel report logged 2.6 million fraud reports in the US alone, with total reported losses exceeding $10 billion. Behind those numbers are call centres, heavily concentrated in South and Southeast Asia, staffed by operators working shifts, hitting quotas, and burning through lead lists like any other outbound sales operation.
The FTC's breakdown shows where the money goes: investment scams accounted for $4.6 billion in losses, imposter scams for $2.7 billion, and tech support scams around $1.3 billion. The tech support category is where most scambaiting activity concentrates, because the format (live phone call with screen-sharing) creates the largest time-waste opportunity. Ninety minutes on a single call is ninety minutes of direct human labour gone, not an automated process ticking over in the background.
The unit economics are straightforward. Each operator handles a limited number of calls per shift. Each call has a conversion rate. The longer an operator spends on a non-paying target, the fewer paying targets they can reach. A single dead-end call doesn't just cost the scammer 90 minutes. It costs them every victim they could have reached in that window.
This is what scambaiting exploits. Not a technical vulnerability. A throughput constraint. The scammer's time is finite, and every hour wasted on a synthetic persona is an hour subtracted from real potential victims.
What Scambaiting Actually Looks Like
The public face of scambaiting comes from YouTube creators like Kitboga and Jim Browning, who've turned it into entertainment with millions of viewers. Kitboga plays elaborate characters (confused grandmothers, gullible office workers, panicked retirees) to keep tech-support scammers engaged for hours. Jim Browning takes it further, reverse-accessing scammers' own surveillance systems and filming their operations from the inside.
Behind the entertainment, the operational pattern is consistent. A scambaiter answers an unsolicited call or deliberately contacts a known scam number, presents themselves as a potential victim, and then systematically delays the payment phase. Fake bank login pages that take forever to load. Gift card codes that don't work and need to be "checked." Wire transfers that require "calling the bank," which means 20 minutes of hold music.
The more sophisticated operations go beyond individual calls. Organised scambaiting groups maintain databases of known scam numbers, share intelligence about active campaigns, and coordinate so the same call centre gets hit repeatedly from different numbers. Some groups pass gathered intelligence to law enforcement directly. Jim Browning's footage has contributed to multiple arrests in India, including a call centre shutdown filmed and broadcast by the BBC's Panorama programme in 2020.
The less visible community operates without cameras. Thousands of anonymous participants on forums and Discord servers spend evenings engaging scammers across phone, email, and chat. No YouTube audience. No subscriber count. Just the time-waste itself, repeated by enough people to become a meaningful drag on the industry's throughput.
Building the Persona
A scambaiter's effectiveness depends entirely on being believable. The scammer needs to think the target is a real person who might actually pay. If the persona falls apart under basic questioning, the scammer hangs up and moves on within seconds. The call is worthless.
The persona needs a name matching the expected demographics. A voice and manner consistent with the supposed victim profile. A backstory that holds up to casual questioning. And increasingly, digital footprint elements: an email address that actually receives mail, a phone number that connects, profile details consistent enough that a quick check doesn't raise flags.
Hand-crafted fake identities work for a single operation. Maintaining ten or twenty personas across ongoing scambaiting campaigns, each with consistent details, working email, and plausible background data, is a logistics problem that scales badly. The details need to cohere. A supposedly 73-year-old grandmother in Ohio shouldn't have a phone number with a UK country code or an email address registered to a 25-year-old's name.
Synthetic identities solve the coherence problem automatically. A tool like Another.IO produces a complete persona with correlated data: name, age, location, phone format, and working email address, all consistent with a specific country and demographic profile. The scambaiter gets a believable character with a functional inbox and avoids spending time inventing and cross-checking details that need to stay consistent across interactions spanning days or weeks.
The Technical Stack
The standard scambaiting toolkit has converged on a fairly consistent set of components.
A virtual machine running a clean Windows installation. VirtualBox or VMware, configured to resemble a regular consumer desktop. The VM contains no real data but includes the kind of clutter a real user would have: a few photos, some documents with plausible filenames, a browser with saved bookmarks and browsing history. Some scambaiters populate the desktop with fake banking shortcuts that point to locally hosted decoy pages, wasting even more time when the scammer tries to "check" the victim's account.
A VoIP number for phone contact. Google Voice, TextNow, or dedicated VoIP providers supply phone numbers disconnected from the scambaiter's real identity. For operations targeting specific countries, VoIP services with local numbering in the US, UK, or Canada are standard.
A synthetic identity for the persona itself. Email address (functional), name, age, location, and background details. The email needs to actually work because many scam operations send follow-up emails with payment links, fake invoices, or "verification" attachments that the scambaiter needs to receive and respond to convincingly.
Screen recording software for documentation. OBS Studio is the near-universal choice. Every interaction gets recorded, partly for evidence sharable with law enforcement, partly for the scambaiting community's internal knowledge base, and partly because the recordings sometimes end up on YouTube where they serve double duty as entertainment and public awareness.
Engagement Tactics That Maximise Time Waste
The objective is simple: maximum time consumption with minimum risk of the scammer catching on. Experienced scambaiters have refined a repertoire of delay tactics across thousands of hours of calls.
The slow computer. "Sorry, it's loading. The internet has been terrible all week." Scammers expect elderly victims to have slow machines. Milking this for 5-10 extra minutes per interaction is trivially easy and completely believable.
The confused victim who follows instructions wrong. "You said press the Windows key? Which one is that? The one with the little flag?" Each "mistake" adds minutes. The scammer can't show frustration because the character they're playing is a patient, helpful technician.
The bank that won't cooperate. When the scam reaches the payment phase, the scambaiter claims the bank's website is down, or the transfer requires a phone call to the bank (cue hold music), or the daily transfer limit was reached and they need to "try again tomorrow." This tactic can stretch a single scam interaction across multiple days.
Gift card codes that don't redeem. The scambaiter "purchases" gift cards and reads out codes that invariably fail. "That's strange. Better drive back to the shop for new ones." Another hour vanishes.
The key to all of these is maintaining character. The persona cannot waver. The voice stays consistent. The background story stays aligned. The synthetic identity profile serves as a reference sheet that keeps every detail coherent across calls that might span days or weeks of sporadic contact.
Legal Boundaries and Ethical Lines
Scambaiting exists in a legal grey area, and the ethical questions deserve honest treatment.
Answering a call from a scammer and wasting their time is legal in every jurisdiction that has examined the question. The scammer initiated contact. The recipient has no obligation to end the call. No fraud is committed by the scambaiter.
Reverse-accessing scammers' systems, as Jim Browning and others have demonstrated, is technically illegal under computer misuse statutes in most countries, regardless of the target's criminal activity. Law enforcement agencies have generally not pursued scambaiters for this, but the legal risk exists and should be understood by anyone considering it.
Collecting and sharing intelligence about scam operations is legal and actively encouraged by organisations like the AARP, which maintains scam-tracking resources, and by agencies that accept reports through the FBI's IC3 or Action Fraud in the UK.
Using a synthetic identity during scambaiting adds a layer of protection for the scambaiter as well. Scam operations have been known to retaliate against people who waste their time. Keeping the persona entirely fictional means no real address for the scammer to locate, no real email to target with harassment campaigns, and no personal phone number to attempt a SIM-swap attack against.
The ethical line is straightforward: waste the scammer's time and resources without breaking laws or endangering anyone. Synthetic identities keep the operation clean and defensible by ensuring no real person's information enters the interaction at any point.
What the Community Has Achieved
The cumulative impact of organised scambaiting is difficult to quantify precisely, but the documented results are not trivial.
Jim Browning's operations have provided footage and intelligence contributing to police raids on multiple call centres in India. The BBC Panorama investigation that relied on his footage led to arrests in Kolkata. Subsequent investigations by Indian police, sometimes working from leads provided by overseas scambaiting communities, have shut down additional operations.
Kitboga's channel, with over 3.5 million subscribers, has raised awareness about scam tactics to an audience that substantially overlaps with the demographics most targeted by these operations. Viewers have reported recognising and refusing scam calls because they'd seen the techniques demonstrated on the channel.
Community forums on Reddit (r/scambait), dedicated Discord servers, and independent websites share scam numbers, active campaign intelligence, and tactical advice. Individual scambaiters routinely report keeping call centres occupied for hours, and coordinated campaigns can functionally shut down a small operation's productivity for entire shifts.
The educational impact may be the most lasting contribution. Before YouTube scambaiting channels, most people had never seen the inside of a scam call. They didn't know how the scripts worked, how the pressure was applied, or how convincing the performance could be. Watching a scambaiter dismantle the technique in real time is vaccination against the technique itself. An elderly viewer who has seen Kitboga play a confused grandmother being pressured into buying Google Play cards is far less likely to fall for the same script in real life.
None of this eliminates scamming. The industry is too large and too profitable for that. But every hour wasted is an hour not spent victimising someone who would have lost real money. The arithmetic is simple even if the scale of the problem is not.