(FORTUNE Magazine) – For Matthew Bowin, a petty con man who currently resides in the Santa Cruz County Jail, prosecutors say that suckering investors into a phony stock scam was easy: He did it on the Internet. All it took was a slick ad that slowly flashed across a popular online investor site: "The next Microsoft is offering its stock to the public...over the Internet! ...click here for more information."

With that simple pitch, during the spring of last year Bowin lured nearly 100,000 investors to a Website touting his high-tech startup, Interactive Products & Services. The site included extensive technical information about the firm's revolutionary Internet devices, named NetCaller and PC Remote; a claim that the company had a partnership set up with Microsoft; and instructions on how to invest in the promising startup.

Trouble was, nearly everything about Interactive Products & Services was phony, according to court documents. Its cutting-edge product didn't work. Its partnership with Microsoft didn't exist. Its claim that the company had filed its IPO with the SEC was false. The engineers and consultants listed as "key employees" developing the NetCaller say they had nothing to do with the company. As for its CEO, well, it seems the 36-year-old Bowin's day job was running an escort service (he's currently charged with pimping and pandering).

But so legitimate looking was Bowin's pitch that Elvin East, an entrepreneur from Georgia who was thinking about conducting his own Internet IPO, called Bowin for advice. Nearly 3,000 investors from around the world E-mailed him for information, Bowin says, and 150 actually sent in checks. One investor from Hong Kong wired $10,000. Another, a California attorney, invested $1,500. In three months Bowin pulled in $190,000. Not bad for a guy with such a colorful rap sheet.

Fortunately, Bowin is not a good crook--he was arrested last April and is now on trial, charged with theft. As for investors? "I guess I'll keep looking for the next Microsoft," says a wistful Steven Fujita, a 31-year-old bankruptcy clerk in Los Angeles who entrusted Bowin with $500.

Welcome to the seedy underbelly of online investing: the World Wide Web of securities fraud. The Internet has become a breeding ground for stock scamsters. Where else, after all, can crooks find as many millions of potential victims so quickly, cheaply, and anonymously?

Just a few years ago cyberstock scams didn't exist; now they are so numerous, regulators can barely keep up. Since establishing its online investor hotline in 1996, the Securities and Exchange Commission has received 100-odd complaints a day; in recent years it has been filing a new charge against Internet scamsters about once a month, on average. But even this is not sufficient. So pernicious has the problem become that investors themselves, disappointed by the SEC's relative ineffectiveness, are taking matters into their own hands. More than regulators, these cybervigilantes are the ones who alert fellow investors to potential scams. Still, the vigilantes are far outnumbered by the scamsters, and by all accounts this is just the beginning. Be warned: The micro-industry of cyberstock scams is exploding.

For that you can thank the popularity of the Internet. Just five years ago Matthew Bowin's scheme--perhaps the first Internet IPO fraud case ever brought to trial--would never have gotten off the ground. Back then, Bowin would have been hard-pressed to find anyone who used the Internet to invest. Now there are millions of people trolling the Web for stock tips. According to Jupiter Communications, nearly one-third of the 30 million American households now online use the Web for investing in, or researching, securities. A recent Forrester Research survey shows that some three million of these people have online trading accounts; in the next three years, that number is expected to hit 14 million. Silicon Investor, a popular site where investors go to chat about stocks, receives over 12,000 posts a day from visitors. StockMaster, the site where Bowin planted his ad for Interactive Products & Services, claims to get 600,000 to 700,000 hits a day--up from 50,000 in 1996.

All this activity has not escaped the notice of online scam artists. In the old days, conning investors was hard work. Since most stock fraud involves micro-cap stocks--or other securities no one has ever heard of--scamsters who work the traditional way, hunched over telephones in boiler rooms, have to make hundreds of cold calls; to succeed they need to have the personality of a pit bull. On the Internet, however, a single E-mail or Website can reach millions of potential investors instantly, effortlessly. Besides, using the Internet is cheap. Bowin, for one, never spent a dime on his scheme. Using a computer manual as his guide, he set up his Website on his own. He then got his ad displayed for free by promising to pay for it after his IPO went through. He also rigged his Website so that when investors typed in "Internet stocks" as a search query on, say, Infoseek, his page would come up in their search list.

Scamsters approached the Internet timidly at first, using it as a tool to pull off traditional types of fraud. The first Internet stock fraud case, filed in 1995, according to the SEC, involved a worthless lottery stock, Pleasure Time. The alleged con artists sold Pleasure Time stock by phone but advised investors that to really get the stock up and running, they'd do well to recruit other investors on the Internet. (They settled the case without admitting or denying guilt.)

In Internet time, the Pleasure Time scam was decades ago; its simplicity seems almost quaint today. Consider a more recent online market-manipulation scheme the SEC is bringing to trial this fall: According to court documents, an E-mail that was simultaneously sent out to two million investors helped inflate the stock price of a worthless company named Electro-Optical Systems from 50 cents a share to $7 a share in just three months. In another case--one of the Web's most notorious stock scams to date--Systems of Excellence (best known by its ticker symbol, SEXI) cheated investors out of some $10 million by paying the editor of a popular Internet newsletter to hype the company's worthless stock. The newsletter's publisher was sentenced to a year in jail. SEXI's chairman, Charles Huttoe, is currently serving out the second half of a 46-month sentence in a halfway house in Florida.

Because operating on the Internet is so cheap, anyone with enough skill to build a slick Website can make himself appear as legitimate as IBM or Microsoft. One fake company, Octagon Technology, according to the SEC, even invented its own online magazine, grandly titled World Financial Report, which just so happened to contain a glowing article about Octagon's phony stock offering. (Octagon settled without admitting or denying guilt.)

There is nothing particularly new or clever about the types of scams on the Internet. Indeed, most rely on devices perfected by boiler-room artists decades--even centuries--ago. Early this year, Michael Richmond, in a scheme that allegedly raised $7.2 million, set up a slick-looking Website that promised investors a 24% return if they bought a certificate of deposit with his Royal Meridian International Bancorp. Trouble is, the SEC says, there's only one way to keep up with rates like that: paying off one batch of investors with money coming in from the next. Sound familiar? It is to the SEC: a classic--and illegal--Ponzi scheme. Richmond refused to talk to FORTUNE. His lawyer says he denies the charges.

The Systems of Excellence scheme was another classic known as the "pump and dump": Pump up a stock by spreading positive but false information about the company, and then, once duped investors have driven up the price of the stock, start dumping the inflated shares. Way back in the 1700s, crooks on Exchange Alley in London hyped the South Sea Bubble just this way, selling investors thousands of worthless shares in a South American trading company. More recently, swindlers of the 1980s bilked investors out of millions of dollars using the pump-and-dump method.

But if the Internet hasn't introduced new types of stock scams, it has definitely made the business of fraud far more efficient. Now, instead of having to go out and find their victims, cyberscamsters can sit back and let investors come to them.

Galen O'Kane was the perfect target for an Internet stock scheme. An unemployed engineer in Maine, O'Kane was desperate for an investment with a quick, high return. His savings were dwindling, he had a family to support, and he faced big medical bills for a child with muscular dystrophy. In January 1998, while searching for stock tips on the Web, O'Kane came across an online newsletter called The Future Superstock; there he discovered the newsletter's "stock pick of the year," Electro-Optical Systems, a Boston-based high-tech firm that had developed an electronic fingerprint-identification system. According to The Future Superstock, Electro-Optical Systems would "forever change ATM cash machines as we know them." It was the next America Online. Its stock price would rise over 300% in three months.

Intrigued, O'Kane clicked on the company's Website, where he read several press releases announcing contracts struck with customers and news about the impending launch of its product. He bought 4,000 shares of Electro-Optical Systems at $6 per share, paying $24,000--a third of the money left in his savings. All went well for a while: Electro-Optical Systems, which had traded for pennies just two months earlier, climbed to $7. Then in March, while on a trip to Boston, O'Kane decided to visit the company's headquarters. Arriving unannounced, he was blocked from entering the building. When he finally forced his way inside, he was shocked. "It was the middle of the workday and there was nothing going on--no one there," O'Kane recalls. "It just didn't seem right."

It wasn't. According to the SEC, Electro-Optical Systems is part of a complex market-manipulation scheme that bilked investors out of close to $15 million last winter. The company, which has never earned any revenues, was essentially broke, the SEC says. Its high-tech device was never ready for market, and it had no contracts. Authorities say its stock was artificially inflated by one Thomas Cavanagh, described in court documents as a "malevolent investment banker" who controlled 88% of the shares publicly traded in the market. Cavanagh declined to speak to FORTUNE. According to his attorney, Cavanagh is "himself a victim."

As for The Future Superstock, it is run by Jeffrey Bruss, a professional stock promoter who apparently has quite a record for burning investors with his stock picks. On Silicon Investor there's a even a forum entitled, "Future Superstock: market manipulation???" One posting reads, "I got suckered buying Future Stock's recommendation.... Now I'm sitting on a $1,500 loss." Another chimes in sadly, "You're not alone, I assure you. Lots of trusting investors have lost money at the hands of Jeff Bruss." So far Bruss hasn't been charged with any wrongdoing. Neither he nor his attorney responded to FORTUNE's calls.

Despite all evidence to the contrary, Galen O'Kane, sounding dazed, still believes there must be some value left in his $20,000 investment in Electro-Optical Systems. "If someone could get it to work, that [fingerprint device] could make a lot of money," he says hopefully. He still surfs the Web every day looking for hot stock tips. Which is to say that no matter how many times online investors are warned about cyberscams, human nature dictates that fraudsters will always be blessed with an endless supply of victims.

There is, however, one big shortcoming to the Web, at least as far as cyberscamsters are concerned--regulators can find them just as easily as can investors. "For those people, [the Internet] is a real double-edged sword," says John Stark, head of the SEC's Internet Enforcement unit, which was created in August to handle the agency's growing number of Web fraud cases. Disguising themselves as ordinary investors, attorneys with the SEC's Internet unit--the Cyberforce, as it's known--spend hours a day scouring the Internet for hot stock tips, get-rich-quick opportunities, and investments that sound too good to be true. State regulators in Illinois, California, and Texas also troll the Internet in search of fraud, while the National Association of Securities Dealers uses a proprietary software program, NetWatch, to scan the Web for scams.

But investors gripe that by the time regulators uncover a scam, the money is usually long gone. Besides, government just can't keep up: In the four months since it started investigating the world of online investments, the Illinois Department of Corporations has spotted more than 300 suspicious Websites. But all those discoveries are largely for naught; the Illinois regulators have too much to do to handle even a small percentage of these cases. To make matters worse, regulators are constrained by their jurisdictions. As Bill McDonald, the assistant commissioner of enforcement at the California Department of Corporations, puts it: "If a guy's been ripped off in California by some guy in Amsterdam, there's nothing I can do."

Investors have no time for such excuses. They just know not enough is being done to protect them. "The SEC doesn't get there until it's too late," complains Elliot Gittleman, a chemical engineer in Seattle who says he got duped by the Electro-Optical Systems scam.

To fill this void, cybervigilantes--ordinary online investors who have taken to policing their territory themselves--have sprung up all over the Web. They are relentless about exposing cyberscamsters, or anyone operating online who appears the least bit dubious. On Silicon Investor (www.techstocks.com), there is now a "thread" entirely dedicated to "Stocks That Should Be Investigated by the SEC." Other sites go after individuals--suspected con men. Still others warn investors of questionable Internet stock tip sheets.

The unofficial queen of the cybervigilantes is Janice Shell, a 50-year-old art historian who lives in Milan and got hooked on busting online con men after she was burned in an Internet investment scheme two years ago. A tireless--even obsessive--pursuer of online malefactors, Shell says she spends 12 hours a day trolling the Internet, looking for crooks. Thanks to this single-minded dedication, she has become a celebrity--at least to those who hang out on Silicon Investor. There are two threads devoted just to her: "Janice Shell for President" and "Janice Shell--A Retrospective."

In the past two years, Shell says she has exposed an investor relations director with a murder rap, a so-called biotech company that really sold kitty litter, and a CEO who claimed to have run the largest corporation in Nevada but who was really the head of a two-man air-conditioning repair shop. "God help us if [Shell] ever goes to work for the hypester pump-and-dump gang," one admirer gushed in an August posting. "Being an international sex symbol is hard work, but someone has to do it."

In June, Shell took note of a mining company called Mountain Energy. What caught her eye, she says, were postings announcing that the stock, then trading for pennies, would soon hit $5. Shell started digging, and here is what she says she found out: An "informant" told her that Mountain Energy's management team had once been charged with fraud. She also heard that the firm's main asset--a tract of land Mountain Energy claimed was worth $200 million--was worth little more than $100,000.

Between June and August, Shell posted her findings on Silicon Investor, warning investors to stay away. During that time the stock, which had earlier climbed 200%, fell from $1.70 to 22 cents. That's when trouble began. Investors who had already bought Mountain Energy stock were furious. "These Bulletin Board Stock Guardian Angels...why don't they want us honest investors to make money?" complained one. Finally, in late July the SEC halted trading in the stock. So far it hasn't taken any further action, but it still has its eye on the company. Meanwhile, the company's management has resigned and dismissed all its employees. "A lot of people were really hard on her; they didn't believe her, but she was right all along," says Bill Liang, a medical researcher at Harvard who invested $3,000 in Mountain Energy. "We should have listened."

What's Mountain Energy's side of the story? FORTUNE tried calling company headquarters. The phone was disconnected.

Shell has been accused of being an underhanded broker, a short-seller...and a whole lot worse. ("Well, Miss Janice, protector of the small investor," reads one typically creepy Silicon Investor posting, "you must be very tired of being the north end of a south bound donkey, a.k.a. horse's a**.") She's even received death threats. But Shell isn't fazed--she's far too busy defending her fellow investors, whether they like it or not. "There are a bunch of psychos out there--I'm not exaggerating--each one weirder than the next," she warns.

How easy is it to con online investors? Shell wanted to find out. Last April Fools' Day, she and seven other cybervigilantes set up a phony IPO for a firm that promised it could cure the year 2000 problem. They named the firm FBN (for Fly By Night) Associates, established a Website for it, and started a forum on Silicon Investor where they announced FBN's public offering. The site was a doozy: It included information about FBN's hot product, seductively named NeuralNet2000; a section on careers at FBN; and a slew of glowing press releases with headlines like "FBN Cures Y2K Bug." They even created a very legitimate-looking issue of FORTUNE with a cover story about FBN. There was one small giveaway: a press release that noted, "FBN to receive papal blessing." But even that did nothing to slow people's interest in FBN's IPO: Shell was inundated with E-mails requesting the prospectus and other information about the company. "Now that I know how people do these things, I'm thinking maybe I should do it myself," says Shell with a laugh. "I could make a lot of money."

Meanwhile, back in the Santa Cruz County Jail, Matthew Bowin awaits word on his case. Refusing the services of a lawyer, he's defending himself against charges of theft. That's a bit awkward--he has to cross-examine his own victims, those very people who were lured by his fake Internet IPO. But he's not worried about the outcome of the trial--even if he is found guilty. The maximum penalty Bowin could receive is eight years in prison--which is unlikely. "I'm actually likely to get probation," Bowin declared confidently in a phone interview from his cell. "That means I wouldn't face any prison time."

Indeed, chances are it won't be long before Matthew Bowin or someone like him is back, trolling cyberspace with a smooth story and a slick Website, and searching for unwary victims. Next time he may know enough not to get caught. After all, cyberscamsters are only just beginning to figure out how to make crime pay on the Internet.