Comment: How to protect your event from scammers

Simon Clayton, chief ideas officer, at RefTech looks at how exhibition organisers can protect their events from scammers. 

You may, like me, be one of a lot of people who have seen the video showing YouTuber Max Fosh “breaking into” the International Security Expo at Olympia.

The video has gone viral, and it’s not hard to see why; it’s entertaining for someone that doesn’t understand our industry. But is it an example of how easy it is to have lax security at an event or is it someone just trying to be sensationalist?

Most events encourage visitors to pre-register but it’s often possible to register online or onsite on the day of the event. With most exhibitions, visitors are issued a badge to try and ensure only registered people can get into the event – they aren’t closed events, the organisers just like to know who is there and to collect their data for lead retrieval/etc, and everyone likes to know how many people were there. The International Security Expo is not a closed event, they don’t have a vetting process for their visitors because it’s a general trade show for security products and there’s thousands of industry professionals who might want to attend to see what the latest offerings are from suppliers. So our intrepid “hacker” could have just registered on the event website and walked in anyway but that’s not “exciting” for his YouTube audience.

Instead, he fakes a badge with a jokey name and makes a big deal about gaining entry.  Now the interesting bit for us in the events industry is that he faked a badge by going onto social media and looking for people who had posted photos from the event with their badges visible. In some events, this could be a serious problem but, in this case, the repercussions are pretty much non-existent.

If your event does vet the attendees or charges for entry then this should set alarm bells ringing because his approach could lead to people attending who you don’t want to be there for whatever reason, or haven’t paid for entry.

It was easy for Max to just go to social media and find people who were taking photos of themselves with their badges to see what the badge looked like. It was also easy for him to mock up a roughly right looking badge by grabbing the event logo (and sponsors logos) from the website and adding some barcodes in the right places. He then picked up a lanyard on his way in.

If he’d known a little bit about our industry, he would have realised that creating an exhibitor badge would have been just as easy and would have allowed him to just walk round pretty much anywhere – and could even have allowed him entry before the bag searches were in operation, and there’s a lot of valuable equipment sitting around on empty stands too…

In the video, Max gets very nervous when he presents his badge to the person who needs to scan him in, but he needn’t have worried; a standard scanner just records the barcodes and then the information is downloaded later. Max’s badge has two barcodes – he has faked these up  with easily available online tools – the first barcode says 12345 whilst the second barcode ‘Rick Rolls’ you with a YouTube link. The scanner doesn’t react to a fake barcode, it is simply recorded. I suspect most registration companies will, like we do, get people standing around scanning cans of Coke and all sorts of rubbish. So, if you get a barcode that doesn’t follow format or isn’t valid, it’s probably just discarded. We could report on that stuff, but what’s the point?  We could tell you when they were scanned and where, but we wouldn’t have an image of them, so it doesn’t help.

So, if this could impact your events, what can you do?

Ask your registration company for ‘real time verification scanning’ for your event. These are scanners that link back to a database and will verify (in real time) that the badge scanned is real, the visitor is registered and, if applicable, the admission fee has been paid. This type of scanning can also ensure that only the latest version of an attendee’s badge is allowed in so someone going to the desk having “lost” their badge doesn’t end up with a duplicate which at expensive conferences is definitely a thing.

If you have different levels of visitors who have access to different areas you can even have these scanners at the entry points of each conference room to ensure delegates can only attend the parts that they have paid for or only get one visit to lunch each day.

We also have found people turn up to events with last year’s badge or email and they often look similar but present a data protection issue if the barcode on that email now relates to someone else. To negate this, you could also ask your registration company if they can create event-based barcodes; which contain a short code that changes every year.

We have a responsibility to our visitors and exhibitors to know exactly who is entering our events. Let’s not allow Max and his cohorts to scam the scanners.

Gaming the system

Simon Clayton, chief ideas officer at RefTech, on why the gamification of exhibition stands may not encourage useful interaction.

Gamification has become quite a common way for companies to create specific human behaviour, to encourage participation and create habits. Games are not just for kids or geeks anymore – we only have to look at the number of fully grown adults still walking around trying to catch a Pokémon. We have all embraced gaming in some shape or form, even if it’s simply paying Sudoku on your smartphone, or doing a jigsaw on your iPad. Many of us also have a competitive streak and so we are seeing the use of leagues and rankings as a way of pitching ourselves against other anonymous users. These leagues are used to further motivate and to build FOD (Fear of Demotion) with warnings alerting you that your inactivity is going to lead to relegation to a lower league. No one wants to be demoted, so we do what we have to do to stay up.

Unfortunately, it’s widely documented that with any system, it’s only a matter of time before users learn how to cheat and find ways of achieving their goals or even higher positions in the ‘game’ without necessarily doing the behaviour it is trying to encourage.

Take Duolingo – everyone’s favourite language app with over 300m users worldwide. It boomed during lockdown as everyone strove to do something useful with their furlough time and endeavoured to create better versions of themselves. At the time of writing, I’m on a 1690 day streak, which means that I’ve been using it to learn German for over four and half years. It’s based on a principle of repetition and ‘little and often’ – and so they encourage you to spend time on it every day – hence the build-up of ‘streaks’.

A year or two ago, Duolingo introduced leagues; depending on when you first use the app on a Monday, you are then placed with a small group of people who also used the app at same time as you, and you compete with those people. Human nature (and my own experience) showed that the people that used Duolingo at 8am on a Monday morning were very different to the people using it at 11pm that night. The 8am-ers were keen – far too keen for my liking. They were very enthusiastic, competitive and high achievers who then went on to complete lots of the app and make it harder for me to compete.  On the other hand, the 11pm-ers were the ones who had maybe forgotten to do it during the day, but had rushed and just about squeezed in ‘under the door’ to get their work done before the nightly cut off. Getting into a league with the 11pm-ers was far better for me as they offered little in the way of competition and so my chances of demotion were lower. I played the system because that’s human nature.

This is very ably demonstrated in the book ‘Freakonomics’. One of the authors, the economist Steven D Levitt took over the potty training of his daughter, Amanda, and created an incentive scheme where she was rewarded with sweets every time she used her potty. Within two days she was happy to use the potty and he was one proud father. But on day three she’d cracked the incentive system and was able to go the potty and release a few drops of urine in order to get the reward, only to be able to repeat this over and over again for multiple rewards. As Steven says: “In three days, a three year old had come up with a way to beat the incentive scheme that I, an economist, had developed. So, what hope do we have of incentivising the whole country.” That’s the thing with incentives – you don’t really know what works. Many things will make sense on paper and have sound reasoning to say that they should work, and they may actually work with some people but not with others.

It’s really hard to create a reward system that isn’t open to cheating and only encourages the right behaviour. We have all been to industry events where visitors are encouraged to visit certain stands to collect stamps in a passport and then submit it into a draw or to win a small prize. But all this is just another thing for the salespeople to sell. It may encourage visitors to come on to your stand, but they are only there to get the stamp. I’ve been on a stand, chatting to the exhibitor about my genuine business requirement only to have our conversation interrupted by another visitor looking for a stamp for his card. The weary exhibitor simply stamped the card and shooed them away – and to think, the exhibiting company had paid more to be part of a tiresome ‘game’ that could have jeopardised a genuine sales enquiry. I know that serendipity could lead a stamp collecting visitor to uncover an exhibitor that they didn’t know that they needed, but I think this is few and far between…

Activities such as these are more often than not incentivising irrelevant behaviour rather than the behaviour that is intended – humans are human and they will find a way to game the system.