I’ve worked IT help desk before and have seen lots of phishing emails. If scammers tightened up their spelling and grammar skills a tiny bit they would catch many more victims effortlessly. The bar is insanely low. Most users could spot obvious phishing emails. But emails with even just a little more effort put into spelling and grammar were insanely successful. I worked at a University - I’ve seen professors, students, admin fall for these ones.
Why can’t they spell? Because most scammers are operating from the developing world and don’t have great English. That’s it. There’s no elaborate theories beyond that.
Got an email shortly afterwards about a login from Russia, however I was able to change my password and kick out all other sessions before any damage was done.
The worst part was that I was doing a favour to a Steam "friend" who asked me to vote for his clan in some kind of competition. I will give him the benefit of the doubt and assume it wasn't really him, but someone who had hacked his account, but either way, Steam support were utterly disinterested in doing anything about it when I reported it. As were Cloudflare. I checked on the site a few days later and the safe browsing list had flagged it, so at least those maintainers still seem to give a shit.
I mean, with Google Translate, spellcheckers, etc, improving all the time, at least some of those messages should have been improving as well, no? If their grammar has not improved at all during the last decade, then there might be a hint of truth to the theory.
https://www.youtube.com/watch?v=18bovtIlrpI
Skip through the hot parts of the video per the graph and just see how the scam actually works, and I think that for all the social engineering steps required and the sheer amount of time spent on the phone, most people would just give up even if they maybe fell for the initial well designed email.
I don't really want to speculate on the spelling/email of scam emails as I think short of some reporter just finding a spam-house and asking, it will all be senseless speculation. The article's theories are plausible, but might very well be specious. I don't buy that it's due to poor English skills, as spellchecks are plentiful and I have no doubt that the spam-houses could easily pirate older copies of Word and get a decent looking email.
Similarly, if it was effective, I have to imagine that this is the format they'd pick.
The simplest explanations of the poorly formatted/written emails and chats for me are:
1. The targets that have the highest chance of success don't care about the emails
2. The formatting of the initial emails doesn't impact the scam in a significant way
From a more personal perspective and the people I know who continued with the scam past its initial stages, they didn't pay attention to the formatting; the general idea behind the message was more their concern. The IRS scams, giftcard scams, etc, put some sort of pressure on the people in a way that they truly stopped thinking about the content and were more worried about the idea behind the message: they would get in trouble if they didn't comply, and the financial concerns were the driving force.
Wait until they discover ChatGPT, problem solved.
They have access to spell checkers. I somewhat agree that current retirees may be very sensitive to spelling mistakes, but spammers often aren't even putting in the minimum amount of effort to produce an error free E-Mail. I think that both theories aren't satisfying.
For instance I once saw one of those sex scam accounts on Facebook where the profile pic was some hot, obviously white woman, but the name was Vietnamese and all the posts were in the Thai alphabet. That to me seemed very deliberately designed to catch men who saw the big boobs and immediately switched off their brains. And obviously no one is incompetent enough to use the wrong alphabet by mistake.
Remember that scammers are lazy. The target is someone who doesn’t notice the punctuation problems. People with mental illnesses, etc, but with access to funds. It might very well be much smaller than the group you mention but they are easier to scam. No need to use technical trickery. They will give you their credit card details over the phone.
Educated, British retiree is one class of audience, who may need a different nuanced tactic (tech/ amazon/ gmail security like email with a professional English call center that can engage them).
The world is a big place. There are also other classes of audiences (where the engagement effort is much lower) and this purposeful spelling mistake does look like a good way to weed out some of them.
You believe they don't have access to fiverr or any of the numerous sites that will copy edit for a couple of dollars out of the thousands of bucks they are scamming?
But in this case it is both.
:-)
Don't help them get better at scamming.
> Don't help them get better at scamming.
Yeah. The last thing you want is someone like me getting into scamming, right? /s
> Subject: Gouranga
> Call out Gouranga be happy!!!
> Gouranga Gouranga Gouranga ....
> That which brings the highest happiness!!
It’s been, fuck, two decades and this is still in my mbox. My wife and I still shout Gouranga at each other some days and, hell, who am I to argue that it doesn’t bring the highest happiness!!
> In GTA, the player received a 'GOURANGA' bonus for running over an entire procession of Hare Krishna. 'GOURANGA' is actually a term that was popularized as use by the Hare Krishna movement during the 1970s. It is often used to describe happiness. This is also a cheat code in the PC version of GTA 2.
https://www.mail-archive.com/membersozdat@datascribe.com.au/...
There’s no link or request for money, so people probably respond more often.
I imagine like many areas of persuasion (like interrogation), getting someone to start talking is the “foot in the door” that starts to snow ball, even if it’s not about anything relevant.
"There are 42 people watching this hotel right now! Only 3 rooms available for your dates! We'll murder ANOTHER puppy if you don't book right now!"
Yes, I worked for Booking.com. They don't do it everywhere, in some places it's illegal, and sometimes they simply change the words slightly to make it suggest urgency.
This is especially relevant to your point because facebook could EASILY be flagging people based on known pasta messages, for review or shadowbanning etc. They presumably don't do this because "not my problem".
1. Actually the experience of someone I know who's turned screwing with scammers into a personal hobby, who frequently shares notes on this with me.
They don’t care. It’s that simple. I’ve (on Facebook/Instagram) reported scams, and they always say it doesn’t violate their community guidelines. But it turns out the computer “reviewed” my report, so I appeal it, and it’s always “sorry, but we don’t have enough people, so we’re ignoring this appeal. Here’s the report ID for the ‘review’ board.” On the rare chance a human does review it, they say “a human reviewed your report, and you’re right.”
They so much don’t care that, now, reporting scam/spam just says, “thanks for letting our system learn” without a way to make an actual report. I’ve given up reporting scam/spam.
For a real kicker, I’ve reported a literal terrorist threat-like post, and it was still “pending” after a week.
This isn't true. English is Nigeria's official language (all education is in English) and people generally speak English well. Secondly, folks from Nigeria actually use the gist of the article as a flag for filtering out scams, i.e. once they open an email with bad grammar, they automatically assume it's a scam and ignore it.
Even when it's blatantly obvious Facebook always tells me that their account doesn't break their community standards...
They put plenty of investment into scamming me before I called them out, and I don't think their grammatical errors would have served to filter anyone (because it also could have just been someone wanting to buy something who happens to have bad English).
However the paper itself doesn't present any evidence around the scammer's intention. Rather it presents a mathematical model under which it would make sense for a scammer to intentionally exclude a large swathe of victims, and it posited that misspellings are a way to achieve it.
https://www.youtube.com/watch?v=rhdZ2RfmiXo&list=PL4ugKP-T4L...
I would think they do know exactly what they're doing. There's no reason to think it's just to get past email filters or just to skip the smart people. It's probably both, plus other reasons we haven't even thought of.
I am not sure smart people are scammed less often than the average person. Perhaps smart people get sucked in by different scams (like buying altcoins, or complex speculation)?
0) Podesta got a letter-perfect message from "Google" asking him to change his password.
1) Podesta asked his IT guy if it was legit.
2) The IT guy said, "Yes, it is, but please set up 2FA."
3) Podesta clicked on it, ignoring the 2FA part (I think he ignored it).
Why don't they exactly replicate what a Google or Chase email looks like? I don't see how I wouldn't fall for that.
The exception (and a potential attack vector) is when a phone call or other live interaction ends in an email being sent as part of the process. There you have to weigh the risk I suppose; obviously I have replied to such emails. But I would never reply to a bulk email even if it came from my bank's domain.
At this point if they manage to have the correct caller ID and I'm more or less expecting the call, it can't hurt to divulge my DOB. Scammer's going to find that out easily anyway.
Savvy users who will become wise to the grift somewhere along the way are the ones they want to weed out. Early in the process ideally.
Having totally convincing emails fails to weed out these savvy users - you get to discover who they are a bit further down the line, after you've invested some time.
Since the time they can spend is finite, they want to only spend time on sure bets. This is why it is important to take a few moments to lead on scammers - you're damaging their ROI the more of their time you can take up.
Very smarmy line of thinking. Unfortunately on the rise in recent years. We are all vulnerable to scams and victim blaming doesn’t help the conversation any.
We've been seeing a rise in attacks that are launched from compromised accounts, where the email is a reply to a previous thread. So you have the context, name and address of someone you're presumably already familiar with. The last one I looked at had the body "What do you think of this?", their signature was missing, and the payload was an HTML file that delivered a passworded zip via a data: blob, and the password was in the HTML file. "for security".
The attachment was the only real tell. Also noticed the sending server was in the wrong country, but since the thread they were replying to had to come from compromised access, I wouldn't trust that either. If the attachment was an office doc, the payload would have been delivered before I heard anything about it.
It's not quite spear-phishing (you're still a target of opportunity rather than a selected target), but it's effective and convincing. But trainings haven't got much past the Nigerian princes yet.
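One way a mail gateway or triage script could flag the attachment pattern described in the comment above (an HTML file carrying a password-protected zip inside a base64 data: URI, with the password written in the same file). This is an added example, not code from the original thread or from any product; the function names and the sample HTML/zip bytes are constructed for illustration.

```python
import base64
import io
import re
import zipfile

# Base64 data: URIs embedded in the attachment (hypothetical detector, constructed here).
DATA_URI = re.compile(r"data:(?P<mime>[\w/.+-]*);base64,(?P<b64>[A-Za-z0-9+/=]+)", re.I)
ZIP_MAGIC = b"PK\x03\x04"  # local file header signature of a zip archive


def analyze_html_attachment(html: str) -> list:
    """Return one finding per data: URI whose decoded payload is a zip archive."""
    findings = []
    for m in DATA_URI.finditer(html):
        try:
            payload = base64.b64decode(m.group("b64"), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if not payload.startswith(ZIP_MAGIC):
            continue
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            members = zf.namelist()
            # General-purpose flag bit 0 marks an encrypted member.
            encrypted = any(info.flag_bits & 0x1 for info in zf.infolist())
        findings.append({
            "mime": m.group("mime"),
            "size": len(payload),
            "members": members,
            "encrypted": encrypted,
            # The password sitting in the same HTML file is the tell the comment describes.
            "password_hint": bool(re.search(r"\bpassword\b", html, re.I)),
        })
    return findings


def _build_sample_zip() -> bytes:
    """Constructed sample: a stored zip with the 'encrypted' flag set in both headers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice.lnk", b"constructed placeholder bytes, not a real shortcut")
    data = bytearray(buf.getvalue())
    data[6] |= 1                          # local header: general-purpose flag, bit 0
    data[data.find(b"PK\x01\x02") + 8] |= 1  # central directory header: same flag
    return bytes(data)


# Constructed sample attachment mirroring the reported lure (not a real message).
SAMPLE_HTML = (
    "<html><body><p>What do you think of this?</p>"
    "<p>The archive password is: Sample1234 (for security)</p>"
    '<a download="report.zip" href="data:application/zip;base64,'
    + base64.b64encode(_build_sample_zip()).decode() + '">Download</a></body></html>'
)
```

A match with `encrypted` and `password_hint` both true is worth quarantining regardless of how convincing the surrounding thread looks.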
I get a text saying my package is delayed because of address error, AND I’m expecting a package AND I spent my morning cleaning up emails and putting out fires, AND the link opens to an exact copy of the USPS website…
BUT THEN, I notice the URL, BUT THEN I realize my package is coming from UPS, and not USPS, BUT THEN I realize this is like another scam _that I correctly identified_ previously.
If your scamming objective is to get high-level permission, authorization or otherwise to actually get PAID you need a very special someone.
What you don’t need is to waste resources and expose yourself to, now I say, intelligent people who will try to take you down. Even more, you want to avoid a special someone with the resources and knowledge to actually scam you.
That’s not a ‘crazy theory’, it’s common sense in the age of advertising and marketing.
Or, if it’s too ‘complicated’, then let me ask you this, have you ever experienced a ‘street hustle’? In a bar trying to buy weed (pre-legal) or a person on the street confronts you for money.
Clever tricks working on personality types.
If you can convert your awareness of spelling errors into distrust so fast, we don’t want to talk to youz.
In the spam e-mail I get, the misspellings are clearly there to get around spam filters. In fact, the e-mails I get look quite convincing, and just have two or three strategic misspellings. A lot of the text will be in the form of an image, and will be spelled and formatted perfectly. But instead of saying "garbagetime" it will say "garbagetim". And instead of saying "18+" it will say "19+".
Looking at one spam e-mail I received recently, I see it even has an "unsubscribe" button, which leads to a vaguely convincing but - after some investigation - certainly non-functional unsubscribe page. That's a lot of effort to go to if you're trying to filter out vaguely clever people.
Maybe there really is a whole other genre of spam e-mail that simply doesn't get sent to me, or is caught by my spam filter. But this article gives me no reason to suspect this to be the case. And for various reasons it seems unlikely.
https://www.microsoft.com/en-us/research/publication/why-do-...
It is a filter strategy!
Many scammers may not be native English speakers and may not have a strong grasp of the language. Another possibility is that scammers simply don't put a lot of effort into their spelling and grammar because their primary focus is on making money, rather than creating well-written communications.
(emphasis on "100% sure" though. If such a system was widely deployed, it could also quickly turn into a Kafkaesque horror show if legitimate messages get caught in it)
I’ve seen this idea of they’re trying to filter out educated people so often that it makes me laugh. They aren’t, they’re simply dumb.
1. to avoid keyword detection (the reason I write garbled sensitive notes to myself online, so a potential hacker with an online translator won't be able to read them, since it's highly unlikely he will be a speaker of my language)
2. to filter out smart people and avoid wasting time with them
edit: article says it's number 2
If you’ve never heard of the Nigerian prince scam by now, you’re their target.
It’s unfortunate that these guys end up siphoning money from fixed-income seniors disproportionately more than any other demographic.
Most of the people who haven't heard of Nigerian prince scams have spam filters which have. I suspect their spam-filter evasion rates are so low they really, really wouldn't want to filter those people out if they knew what they were doing.
(I suspect the reverse is actually true: a lot of the people running the scams have heard legends about how much their fellow countrymen made from using certain email templates, but have no idea how much of a running joke they are in Western discourse and how consistently they're filtered out)
https://www.microsoft.com/en-us/research/wp-content/uploads/...