Friday, 29 June 2012

Seeking the gullible

“Why do Nigerian scammers say they are from Nigeria?”

That’s the name of a fascinating piece of research undertaken by, of all people, a researcher working for Microsoft.

The researcher, Cormac Herley, makes this observation:
“An email with tales of fabulous amounts of money and West African corruption will strike all but the most gullible as bizarre. It will be recognized and ignored by anyone who has been using the Internet long enough to have seen it several times. It will be figured out by anyone savvy enough to use a search engine […] It won’t be pursued by anyone who consults sensible family or friends, or who reads any of the advice banks and money transfer agencies make available.”

I’m sure all of us have thought this every time we hear of yet another victim of the “advance fee” or “419” scams. How can someone have been so catastrophically gullible as to fall for the story they received?

Part of it is greed. Hold the prospect of millions of dollars in front of some people and their brain stops working properly. All of their critical faculties evaporate and they start thinking in ways that can politely be described as “non-optimal”.

But it’s more than that. There’s a level of gullibility needed to fall for the frankly bizarre stories that scammers tell. But that’s what the Microsoft research suggests makes the whole thing work so well. The more extreme, the more remarkable, the more unbelievable the story, the more likely the scammers are to make money. Strange but plausible. It goes like this.

Given that the scammers send these ridiculous emails to thousands, perhaps even millions, of potential victims, how can they ensure that the ones who respond are most likely to be the ones who will end up coughing up their cash? You might think that they could do this best by constructing a story that is as believable as possible. Not correct. If they did that, the research shows, the scammers would have to manage an intolerable number of responses. Most of these more sensible people would eventually realise that there was something suspicious going on.

In fact the best way to maximise their successful response rate, to get the highest proportion of victims to cough up cash, is to make the story as stupid as possible. If they do that, then only the MOST gullible people will respond. The people likely to respond to those emails are the ones worth the scammer’s time. Make the first email as stupid as possible and the victims will select themselves.

As Herley says:
“The initial email is effectively the attacker’s classifier: it determines who responds, and thus who the scammer attacks (i.e., enters into email conversation with). The goal of the email is not so much to attract viable users as to repel the non-viable ones, who greatly outnumber them.”

It’s very easy to think that these scams don’t happen any more, that scammers have moved on to other ways of parting the gullible minority from their money. This is true to an extent. Scammers have evolved: they’ve moved into recruitment and immigration scams, they’ve set up fake educational establishments, they’ve broadened their portfolio in the same way any successful business would. But they haven’t abandoned their roots. Their core business remains the same, mainly because it can be so horribly profitable for them if they get it right.


Only a couple of weeks ago we heard from someone who had passed the gullibility test. He’d received the first email, the one introducing a beautiful young woman (that's her picture on the right), who, “she” claimed, was stranded in a refugee camp in Senegal. Guess what? Her late father had left US$6.5 million in a bank account and she needed his help in transferring it to his country. In return for his assistance she’d let him keep some of the money.

Anyone with even a hint of skepticism, with even a basic level of critical thinking, anyone with just a small amount of common sense would have been suspicious. They would have seen through this, they would have asked questions like “Why did she choose me?”, “How did she get my email address?” and “If she’s prepared to trust me with all that money, why doesn’t she know my name?”

Unfortunately this person wasn’t skeptical at all. He believed the story, believed it when she asked him to deal with her attorney and the banker he put him in contact with, and believed in the need to pay the attorney P4,100 and later another P1,800 for various fees in advance of the mythical $6.5 million. See the clue there? “advance”?

He also believed that refugees in camps in Senegal have fast internet access but don’t have cellphones. He believed that the obviously fake bank and legal certificates he received were genuine even though one of them, which he was told was a Senegalese power of attorney certificate, had a cartoon picture of George Washington on it. He ignored the spelling mistakes, the appalling quality of English and the fact that nobody involved had a landline phone number.

But we knew that, didn’t we? The research from Microsoft tells us that. If he believed that first email he was destined to believe everything else the scammers said. In fact the only reason he started to show some critical thinking was that he ran out of money. After he’d demonstrated his gullibility by paying them the first two times, they tried to push their luck. They demanded P26,000 from him to pay for the fake attorney to fly to London for a meeting. It was only because he had no money left that he contacted us and we had to break the news to him that he’d been scammed. Even after this he was still referring to them as “The lady”, “the bank” and “the lawyer” instead of “the scamming criminal scumbags”.

The unpleasant truth is that the gullible will always exist and it’s up to their friends, relatives and neighbours to protect them.
