Nepali citizens face relentless digital scams – phishing links draining eSewa wallets, fake loan offers trapping small businesses – with community reports arriving too slowly to prevent mass victimization. Today, Tech Aware Nepal's manual review process takes 72 hours (source: Q2 ops logs) to connect identical scams, allowing a single fake Daraz coupon link to spread across 17 districts and drain $8,500 before alerting the community (source: Kathmandu Post investigation, Jan 2024). Each hour of delay costs real livelihoods: a micro-merchant loses 3 days' income recovering from a $30 scam (source: UNDP Nepal financial resilience survey).
Business case: 12,000 monthly reports (source: platform analytics, Apr 2024) × 65% preventable repeats (source: Nepal Police Cyber Bureau case analysis) × $38 avg. loss per scam (source: Nepal Rastra Bank 2023 digital fraud report) = $3.55M/year recoverable losses. If adoption reaches only 40% of estimated reports: $1.42M/year. This feature is an AI-powered scam pattern detector that clusters reports and auto-publishes alerts in <15 minutes. It is not a fraud transaction blocker, real-time intercept system, or law enforcement evidence platform.
Execution risk: False negatives could leave campaigns undetected – a 5% miss rate on high-volume scams risks $177K in preventable losses. Inaction risk: Without this by Q3, Nepal Police's planned public scam portal (source: MoCIT roadmap) will capture community trust. Given the asymmetric upside and operational urgency, this warrants immediate build with robust validation gates.
Primary outcomes (D90):
| Metric | Baseline | Target | Kill Threshold |
|---|---|---|---|
| Avg. alert latency | 72 hours | ≤45 min | >6 hours |
| Repeat scam victims | 38% (Q1 survey) | ≤15% | >30% |
| Community trust score | 3.2/5 (n=420) | ≥4.3 | <3.5 |
Guardrails:
| Metric | Threshold | Action |
|---|---|---|
| False campaign alerts | >0.5% weekly | Freeze auto-publish |
| P95 clustering time | >30 sec | Scale inference nodes |
| Unreviewed alerts | >50 backlog | Add moderator capacity |
What we DON'T measure:
- Total alerts generated (vanity; focus on accuracy over volume)
- Detector model precision alone (measures artifact, not user outcome)
- Raw report volume (could increase due to scams, not detector value)
TECHNICAL: URL obfuscation evasion
- Probability: High | Impact: High
- Mitigation: Deploy real-time redirect tracing (Owner: Data Eng lead; Due: MVP+2)
- Trigger: >10% of scam URLs use multi-hop redirects
ADOPTION: Low report volume in rural areas
- Probability: Medium | Impact: Medium
- Mitigation: Integrate with Nepal Telecom's SMS spam feed (Owner: Partnerships; Due: Phase 1.1)
- Trigger: <20 reports/day from Tier 3 districts
COMPLIANCE: Nepal Electronic Transactions Act §35 data retention
- Probability: Low | Impact: Critical
- Mitigation: Legal review of raw report storage (Owner: Compliance Officer; Due: Pre-launch)
- Consequence: If not cleared, store only anonymized clusters
EXECUTION: Moderation capacity bottleneck
- Probability: High | Impact: Medium
- Mitigation: Pre-train moderators with scam corpus (Owner: Ops Lead; Due: UAT)
- Trigger: >1 hour alert backlog for 2 consecutive days
Kill criteria:
- 2% false alert rate sustained for 72 hours
- <40% of alerts acted upon (e.g., shares, blocks) at D30
- Critical compliance gap unresolved by launch date
Core AI job: Cluster unstructured scam reports (SMS/email screenshots, descriptions) into campaigns using three signals:
- Message pattern similarity (e.g., "Daraz 50% coupon" phishing)
- Sender number reuse (e.g., +977-98XXXXXX95 across 20 reports)
- URL fingerprinting (e.g., bit.ly/3xY9zZq redirecting to fake eSewa login)
Performance requirements:
- P0: Cluster identical URLs with 100% precision (zero false campaign alerts)
- P1: Link reports with shared sender numbers at ≥99% recall (miss ≤1% connected reports)
- P2: Detect similar text patterns (Levenshtein distance ≤2) at ≥95% accuracy
Failure boundaries:
- ❌ Does NOT analyze transaction patterns or bank statements
- ❌ Cannot attribute campaigns to criminal groups
- ❌ Will not process image-based reports without OCR (Phase 1)
Sources:
- Incoming user reports: SMS body, sender number, screenshot URLs, free-text description
- Historical scam database: 8,200 verified cases (source: Tech Aware archive 2021-2024)
Pipeline:
- Ingestion: JSON payload via API
  POST /report {phone: "98XXXXXX95", text: "क्लिक गर्नुहोस्...", urls: [...]}
- Anonymization: Strip user PII before clustering (e.g., mask reporter phone numbers)
- Signal extraction:
  - URL normalization (resolve redirects → final domain)
  - Sender number grouping (NTC/Ncell prefix validation)
  - Nepali text embedding (DistilBERT-multilingual for NLP similarity)
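A sketch of the three-signal clustering described under "Core AI job" and "Signal extraction", added here as an example and not Tech Aware Nepal's own code. It assumes the `phone` field is the scam sender's number, uses the Levenshtein ≤2 rule from P2 in place of the embedding model, normalizes URLs offline without following redirects, and applies the ≥3-report rule from the test suite; all function names and sample reports are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

MIN_REPORTS = 3  # false-alert test on this page: no campaign with fewer than 3 reports

def levenshtein(a, b):  # edit distance, two-row dynamic programme
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def url_key(url):  # offline normalisation only; redirects are not followed here
    p = urlsplit(url if "//" in url else "//" + url)
    return re.sub(r"^www\.", "", p.hostname or "") + p.path.rstrip("/")
def sender_key(phone):  # last 10 digits, so +977-98... equals 98... (no operator check)
    return re.sub(r"\D", "", phone)[-10:]

def cluster(reports):  # union reports sharing a URL, a sender, or near-identical text
    parent = list(range(len(reports)))
    def find(i):
        while parent[i] != i:
            i = parent[i]
        return i
    first_seen, texts = {}, []
    for i, r in enumerate(reports):
        keys = [("url", url_key(u)) for u in r["urls"]] + [("sender", sender_key(r["phone"]))]
        for k in keys:  # first report seen with this key becomes the link target
            parent[find(i)] = find(first_seen.setdefault(k, i))
        text = " ".join(r["text"].casefold().split())
        for j, other in texts:
            if levenshtein(text, other) <= 2:
                parent[find(i)] = find(j)
        texts.append((i, text))
    groups = defaultdict(list)
    for i in range(len(reports)):
        groups[find(i)].append(i)
    return sorted(g for g in groups.values() if len(g) >= MIN_REPORTS)

SAMPLE = [  # constructed reports, not real data
    {"phone": "+977-9800000095", "text": "Daraz 50% coupon, last 2 hours!", "urls": ["http://www.offer.example/claim?id=1"]},
    {"phone": "9800000001", "text": "Win a prize now", "urls": ["https://offer.example/claim/"]},
    {"phone": "9800000002", "text": "daraz 50% coupon, last 3 hours!!", "urls": []},
    {"phone": "9800000003", "text": "Your loan is approved", "urls": []},
    {"phone": "+977 9800000003", "text": "Pay fee to release loan", "urls": []},
]
```

`cluster(SAMPLE)` returns one campaign (reports 0, 1 and 2, linked by URL and by text); the two reports that share a sender stay below the three-report threshold and are not flagged.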
Critical gaps:
- No voice scam data (current reports are 92% text-based)
- Limited regional dialect coverage (validated only on Kathmandu Valley Nepali)
Test suites:
| Test Type | Criteria | Target |
|---|---|---|
| Campaign detection | Time from 5th identical report → alert | ≤15 min |
| Clustering accuracy | F1 score vs human-labeled campaigns | ≥0.97 |
| False alert rate | Campaigns flagged without ≥3 reports | 0% |
Validation protocol:
- Shadow mode: Run detector parallel to manual review for 14 days, log all discrepancies
- Adversarial probes: Seed known scam variants weekly (e.g., URL typosquats, synonym swaps)
- Edge-case tests:
  - ✅ Identical scam in Nepali/English Romanized
  - ❌ Voice note translation (out of scope)
Evaluation owner: Community Moderator Team (validate against 200-sample threat corpus weekly)
Critical oversight points:
- Alert approval: Auto-detected campaigns require moderator "Verify" before publishing
- Override reason logging required (e.g., "False cluster - similar but distinct scams")
- Cluster auditing: Random 10% of clusters reviewed daily for drift detection
- Emergency kill switch: Instant shutdown if false alerts exceed 0.5% in 24h
UI for oversight:
┌───────────────────────────────[ PENDING CAMPAIGNS ]──────────────────────────────┐
│ ⚠ Daraz 50% coupon scam [12 reports] VERIFY ▼ │
├──────────────────────────────────────────────────────────────────────────────────┤
│ 📱 Sender: 98*****95, 98*****01 ⏱ First seen: 2h ago │
│ 🔗 URL: daraz-offer-np[.]xyz (12x) 📍 Kathmandu (9), Pokhara (3) │
│ 📝 Text pattern: "अन्तिम २ घण्टा! डाराजबाट ५०% छुट को उपहार" │
└──────────────────────────────────────────────────────────────────────────────────┘
Trust metrics:
| Metric | Target | Measurement |
|---|---|---|
| Alert accuracy | ≥99.5% | User "false alert" reports |
| Alert usefulness | ≥4.5/5 | Post-alert survey (n≥100/month) |
| Detector uptime | ≥99.9% | Synthetic report probes |
Failure containment:
- Campaign alerts display confidence badge: "⚠️ Unverified" / "✅ Verified by [Moderator]"
- Public database entries show evidence trail: "12 users reported this URL"
- Auto-sunset: Alerts expire after 7 days unless re-confirmed