"Pirates" who set up scam websites pretending to be various medical and professional societies pop up every year to intercept unsuspecting attendees of annual meetings -- and they're not going anywhere.
"It's like a mosquito, and it just keeps coming back, and you just catch it -- you have to deal with it, you have to spray bug spray, or you have to do this or that," Pam Ballinger, vice president of meetings and exhibits for the American Association for Cancer Research (AACR), told Ƶ. "I don't like the fact that they're taking advantage of my attendees."
The Pirate Problem
The stakes can be high: companies that set up fake sites offering registration and accommodations for annual meetings -- enormous events with thousands of attendees -- are prolific, with the potential to cheat attendees out of thousands of dollars, often with no recourse. In response, medical associations deploy strategies year after year to keep attendees from falling prey to pirates and to get scam sites removed, costing them resources and time.
Furthermore, these bad actors are getting better at their game. As soon as one site gets taken down, another pops up immediately in its place. "It's like playing a game of Whac-A-Mole," Bill Reed, the chief event strategy officer for the American Society of Hematology (ASH), told Ƶ. "What we try to do is to warn participants in advance to be on guard."
To combat pirates, organizations like , AACR, the (ARVO), and others post versions of the same message to their websites each year in the lead-up to their meetings. They warn attendees not to be misled by companies misrepresenting themselves who reach out by email or phone, and urge them to only use the official channels.
Most organizations make a point of specifying the official URLs for their housing coordinator or registration sites, alerting attendees not to use any others, no matter how convincing they look. ARVO even posted a on its meeting site, names and all.
Another tactic? Buy up any domain name even remotely likely to be used by an impersonator. "In recent years, we have tried to buy every conceivable variation of a URL, just to make sure that we own it," Reed said. "But as you can imagine, we can't own every combination of URLs."
Reed and Ballinger said scam sites sometimes even come up before theirs on a Google search as sponsored links. "We spend a good amount of money trying to make sure ... that we're always the first option at the top of the list," Reed said. "But sometimes, they can outspend us in a particular period and they get prioritized, so it's like a game we play back and forth."
Ballinger also said AACR has worked with Google in the past to have the fake links taken down.
Inside a Scam
On one scam website flagged by Ƶ, Reed pointed to telltale signs: the URL reads "https://23annual.com/ash," (allowing the scammers to swap out other acronyms for various professional organizations), while the official site would start with "hematology.org" or "spargoinc.com," their official housing provider's site. The fake site has a different logo than ASH, and the options for "Registration" and "Housing" don't allow the user to select a specific hotel, like ASH would. The physical address listed is for ASH, but the wording of the "About Us" section is awkward.
Though Reed submitted the site to their attorney to initiate action against the domain name's holder, it was still up as of press time.
A few versions of a scam could happen to an unsuspecting attendee, Reed noted. In a common one, the user might unknowingly contact a pirate who has reserved a few real rooms in a nearby hotel. The pirate uses deceptive sales tactics, like claiming the meeting's main hotel block is already full, to sell the room to attendees at a steep markup. In another, the hotel room doesn't exist at all, and the attendee is out of luck.
Though coordinators said very few attendees per year actually go through with a pirate scam, the few who do can face serious financial trouble. Reed said ASH may encounter around 25 scam companies per year. Only about five people might fall prey to them. But, he added, "those five are deeply upsetting."
These attendees may be the ones with the most to lose, he pointed out. Third-party package deals that include housing, meals, and registration are often geared towards international attendees, potentially making scams harder to spot.
"On an international basis, many times they saved all year for the money to fund a trip to the United States for the Super Bowl of hematology," he said. "So the fact that that money that they saved all year is just gone now is devastating to them, and you can hear that in their voice. So your heart just breaks for them."
Expanding the Fraud
Ballinger said she has been dealing with such scammers for decades, noting that pirates used to target only exhibitors at meetings, but have expanded to hotels and housing for speakers and participants.
Pirates have widened their net in recent years to create fake registration schemes, too, after the COVID pandemic ruled out travel, said Jenniffer Scherhaufer, assistant director of communications and digital strategy for ARVO. "These sites would pop up and they're very slick. They look very good, quite professional," she told Ƶ.
Reed said pirates have also become more sophisticated. For example, they might purchase one legitimate registration to access the official confirmation email, use their fake sites to get payment info, then use the replicated email with certain information changed -- including their steep markups. "It's all about trying to do a transaction with them of any kind, so that the person gives them their credit card number thinking it's ASH that they're giving it to," he explained, noting that attendees have flown to the meeting, discovered they aren't registered, and must pay a second time.
Pirates may also be generating websites with the help of AI large language models like ChatGPT, Reed and others said, accelerating their speed.
At War With the Pirates
Associations said that they use a multi-pronged approach to limit the damage that pirates can cause. Apart from educating attendees on how to spot fakes through their websites, emails, and social media, their legal teams send out cease-and-desist letters to scammers.
"They're very threatening," Ballinger said, but "I think one of the challenges is you cease-and-desist one and it pops up as something else."
Scherhaufer said ARVO has stopped sending them out. Many of the pirates are located overseas, where such cyber-crimes may not be as highly regulated, complicating matters.
Lee Kim, senior principal of cybersecurity and privacy at the Healthcare Information and Management Systems Society, said staying on top of domain name deception is key to reining in the pirates.
"People have gotten much more creative. I think that the phishing emails and things like that are much easier to devise with ChatGPT and other AI-based tools," Kim told Ƶ. "It's a smart idea from a technical perspective to ensure that all of our domains are up to date, and that we're directly managing them and that we renew them appropriately."
Medical organizations can also initiate domain name disputes via the Internet Corporation for Assigned Names and Numbers, an organization that accredits domain name registrars, Kim said. On top of what the medical organizations are already doing, she added it's worth getting a regular report on domain names that sound and look like theirs. In some cases, they can also sue.
ASH joined dozens of other medical and professional organizations to ask to push forward with a new rule that would help crack down on these fraudulent schemes. The letter cites a loss of an estimated $2.6 billion to impersonator scams in 2022 -- 50% growth from 2021.
"Quite frankly, we're focused on actually producing the real, legitimate event for 30,000 people," said Reed. "But I will share with you that, for me, this is personal."