Digital tools have completely revolutionized online commerce, mostly for the better. Gone are the days of one-size-fits-all product offerings and static storefronts. Modern online businesses thrive by responding to customer needs at an individual level. Using massive databases of historical browsing and shopping data, companies construct detailed consumer profiles, which they then deploy to create online shopping experiences tailored to the preferences of their customers.
Amazon’s spot-on product recommendations and the iPhone’s effortlessly intuitive user interface are no accidents. Product designs, recommendations, social media activity, and the language, color, layout, and other website and app design features are relentlessly tweaked to create the perfect product and brand experience. Better, more immersive, digital products mean more sales and, just as important, more consumer data, which companies then mine to start the cycle again. This cyclical, two-way data flow between consumer and seller means companies know exactly what we want and when we want it, and they will do everything in their power to deliver the products and services we are looking for. Need a gigantic lumbar pillow that looks like a baguette? Amazon knows you do and has them in three sizes. How about bamboo-based toilet paper for a “forest-friendly flush”? It is only a few mouse clicks away, along with anything else your heart could desire. Digital technologies power the most comprehensive and personalized markets for goods and services that the world has ever known.
But digital tools are not limited to the well-behaved. Data-driven advertising campaigns can be fine-tuned to such precise audiences that they have become a powerful tool for online trickery. For example, once a website learns which item a customer is shopping for, a common tactic is to advertise a fake, limited-time sale for that specific item to create a false sense of urgency. To increase pressure, the site might also include a fake countdown timer that ominously ticks off the seconds remaining on the offer. Or, instead of counting off the seconds, the site might include a fake inventory count proclaiming, “Buy now, only 5 left in stock!” From the Tinder Swindler to identity theft and AI-powered deepfakes, online fraudsters abound. Digital technologies give honest sellers tools to earn your business and unscrupulous ones everything they need to scam you out of it.
The nation’s leading enforcer of consumer-protection laws, the Federal Trade Commission (FTC), has been playing catch-up. In contrast with the mass emails of old, scammers now stalk and target their victims with expert precision. Often that means schemes targeting vulnerable populations including the elderly, children, non-native English speakers, and military veterans. Digital technologies help scammers sift through potential targets so that their unscrupulous offerings appear on the screens of precisely those individuals most likely to fall victim. Such targeting dramatically increases success rates, and it also decreases the likelihood that the scammers will be found out. The FTC has taken the problem head-on, but it has resources to pursue only a tiny fraction of potential claims—a few dozen out of the hundreds of thousands of online fraud reports each year. The result has been an explosion of online fraud, with the number of reported instances rising from 181,297 in 2019 to 358,882 in 2023.
The Dangers of Technology-Specific Lawmaking
Seeing so many Americans affected, and with even more powerful tools on the horizon, legislatures and regulators have sprung to action. To bolster the FTC’s traditional, case-by-case approach to combating unfair competition, lawmakers have proposed (and in some instances enacted) new statutes and regulations to restrict the digital technologies that power online deception. Senators Josh Hawley (R-MO) and Richard Blumenthal (D-CT) introduced the No Section 230 Immunity for AI Act, which would revoke online-intermediary immunity under 47 U.S.C. § 230 for claims predicated on an online entity’s use of generative AI tools. Similarly, Senator Mark Warner (D-VA) and Representative Lisa Blunt (D-DE) introduced the DETOUR Act to combat online deception by reducing large online companies’ ability to exploit online consumers’ cognitive vulnerabilities. One rationale for such tech-specific lawmaking is to preserve the government’s scarce enforcement resources by enacting prophylactic restrictions on the technologies that drive deception instead of waiting to pursue wrongdoers after the fact.
That approach is a mistake for two reasons. First, what is new and dangerous about technology-powered scams is not any special power to deceive, but their unprecedented efficiency. Digital marketing technologies bring the marginal cost of scamming one more consumer near to zero. Low-cost schemes are nothing new, and neither are targeted cons. What is different about modern online fraud is that it is both cheap and highly personalized. Whereas once these scams might have required a skilled con artist to invest hours of her time locating a potential victim and learning her vulnerabilities, personalized schemes now can be designed, targeted, and deployed on a massive scale and at far lower cost. This observation suggests that online deception demands no new substantive law, for it already fits comfortably within the existing regulatory regime, but that low-cost digital deception has outstripped existing enforcement resources.
Second, the move to adopt technology-focused restrictions appears not to be the product of any careful deliberation, but a knee-jerk response to new threats and budgetary constraints, which favor easy-to-police rules over case-by-case evaluation of standards. Although across-the-board restrictions on digital technologies might have some effect on online fraud, they are almost invariably overinclusive, and their deterrent effect would come only at a major cost to innovation, for the same tools that have revolutionized online fraud have done so for the entire market. Restricting those tools will have consequences far beyond Internet scammers, to the detriment of software and services used by consumers around the country every day. Across-the-board regulation of key technologies would increase costs and reduce product quality for everyone, for a comparatively minor benefit: Scammers would be forced to adopt new tools or, more likely, to ignore the restrictions altogether.
The Patterns of Digital Deception
Instead of enacting new technology restrictions, regulators should bolster enforcement efforts in a different way—by coordinating governmental enforcement efforts with those of private litigants. Deceptive online practices are prohibited not only by the federal FTC Act, but also by state consumer-protection laws which, unlike the FTC Act, provide victims with a private right of action. Unfortunately, however, procedural shortcomings in the law have enabled many online scammers to perpetrate their schemes without facing the private lawsuits that would ideally provide a check against such wrongdoing. Although online deception is already triply unlawful under the FTC Act, state consumer-protection statutes, and common-law fraud, procedural challenges to private litigation sometimes allow online scammers to avoid the private lawsuits that could otherwise act as a check on online fraud.
In particular, four types of online schemes have been especially resistant to private enforcement efforts. First are Fly-by-nighters—entities that operate in ways intended to avoid detection and enforcement. They may be based in foreign jurisdictions, create fake online identities, or conceal their phone numbers and IP addresses to make their true identities and whereabouts difficult to discern. Not only does that complicate law-enforcement efforts, but it also makes it exceedingly difficult for private litigants to obtain relief. The legal obstacles are too many and the sums at stake are too small to justify the effort.
Second are Nickel-and-dimers, who conduct scams that involve sums that are simply too small to support individual private enforcement, such as hidden shipping charges or purchases of online services deceptively set to automatically renew by default. A consumer tricked by such a scheme will simply swallow her loss rather than throw good money after bad. Such schemes impose large losses on society by allocating resources to undesired or unlawful products and services. To the individual consumer, however, they are certainly not worth bringing a lawsuit over.
Third are User-interface shapeshifters, who present users in one region with different interface designs than users in another, with the designs sometimes changing week to week. That is a particular problem with targeted advertising techniques, which are specifically intended to present individually persuasive designs rather than designs of mass appeal. Class action lawsuits against such shapeshifters often fail to satisfy Federal Rules of Civil Procedure Rule 23’s commonality requirement because apps and websites change so regularly that the class members do not encounter comparably deceptive circumstances.
Finally are Calculated arbitrators, who include mandatory arbitration provisions in all manner of consumer agreements, including for products and services sold online and in website and smartphone app terms of service agreements. The result is that in a large and rising number of online scams, a victim is obligated to pursue legal relief through private arbitration, not the court system. Since arbitration provisions typically disallow claim aggregation, there is no way for consumers to combine their typically small claims into a large claim of sufficient size for the potential damage award to justify litigation costs.
Coordinating Public and Private Enforcement
How, then, can online fraud be effectively combatted, if scammers outstrip public enforcement resources while outmaneuvering private litigants? One promising approach, which I have proposed elsewhere, is legislation providing for statutory damages or attorney’s fees in private lawsuits to spur litigation challenging even small-sum deceptive practices. For now, however, what we have are a resource-constrained FTC and a public with better-informed and better-resourced private litigants, who have some ability to protect their own interests, but whose efforts are hindered in many instances by procedural obstacles to private litigation.
Barring legislation to incentivize private enforcement, a second-best approach would optimize existing resources by strategically deploying public enforcement efforts as a complement to private efforts, more specifically, by targeting those fraudsters whose schemes employ the four patterns of deception discussed above to avoid private litigation.
Fortunately, the patterns of deception that often stymie private lawsuits are less resistant to government enforcement. The primary obstacles to private litigation against scammers are, recall, defendants located in foreign jurisdictions, and the limited recovery available for small losses combined with obstacles to claim aggregation such as shifting interfaces and arbitration and aggregate litigation waivers. The FTC, however, is well-positioned to overcome these difficulties. Government-funded FTC attorneys can bring enforcement actions even where potential recovery is small; the FTC is not bound by arbitration agreements entered into by consumers; and Congress has granted the FTC special powers to pursue cross-border fraud, including authorization to provide and receive assistance from foreign law-enforcement agencies.
These advantages have important and counterintuitive implications for how the FTC should allocate its very limited resources. First, the FTC should favor enforcement actions against foreign, rather than domestic scammers. A significant number of online scams are operated by foreign entities, against whom private litigation is impossible or unduly expensive for any but the very largest losses. Second, the FTC should focus its efforts disproportionately on small-scale but widespread schemes, particularly those by entities whose consumer contracts include arbitration clauses with aggregate-litigation waivers. Once stripped of the power to aggregate their claims, private litigants are unable to effectively prosecute such minor claims. The FTC will be far more effective than private enforcement in the context of hyper-targeted consumer advertising campaigns, frequently updated smartphone apps, and other quickly evolving products and services, whose rapid changes may preclude certification of a private class.
More important than the technologies that power deception, and more amenable to regulatory action, are the legal obstacles to private enforcement that have allowed online scams to flourish. Rather than technology-specific lawmaking, a superior approach would coordinate public and private enforcement efforts by targeting governmental resources to combat the recurring patterns of deception that help scammers evade justice, thereby more effectively combating online fraud while also avoiding new impediments to technological innovation.
This essay presents the highlights of Gregory M. Dickinson’s research on online fraud, recently published with the Boston College Law Review, The Patterns of Digital Deception, 65 B.C. L. Rev. 2457 (2024).