Easy
To catch these idiots, departments responsible for doing so only need to create a load of files with "suspicious" filenames (they will know from thier work what these should be), and make sure their machines are open to attack - perhaps by surfing some dodgy, but perhaps not illegal, sites. Then track the payment.