This is bollocks. Speaking for Britain, and I think I can, there are hoards of would be victims to this kind of scam, particular of the current retirees generation, who are extremely vulnerable to having the wool pulled over their eyes about technical and internet security best practice matters, but for whom just so much as a poor turn of phrase or some unusually laid out punctuation is an absolute dead giveaway. If the scammers got their act together on this front they'd be mopping up huge swathes of these people, but they don't, because at the end of the day they don't speak English very well and don't have access to anyone who can.
100%. This article is a popular “Reddit” theory I’ve seen float around for a while now and it’s just not true!
I’ve worked IT help desk before and have seen lots of phishing emails. If scammers tightened up their spelling and grammar skills a tiny bit they would catch many more victims effortlessly. The bar is insanely low. Most users could spot obvious phishing emails. But emails with even just a little more effort put into spelling and grammar were insanely successful. I worked at a University - I’ve seen professors, students, admin fall for these ones.
Why can’t they spell? Because most scammers are operating from the developing word and don’t have great English. That’s it. There’s no elaborate theories beyond that.
I am another data point that would agree with you on this. I would classify myself as a sophisticated computer user (if I don't say so myself), and I fell for a phishing page once. They recreated a pixel-perfect copy of the Steam login page in a fake browser window with a pretend address bar etc. I entered not only my creds, but also my 2FA code, before realising that it was not legit.
Got an email shortly afterwards about a login from Russia, however I was able to change my password and kick out all other sessions before any damage was done.
The worst part was that I was doing a favour to a Steam "friend" who asked me to vote for his clan in some kind of competition. I will give him the benefit of the doubt and assume it wasn't really him, but someone who had hacked his account, but either way, Steam support were utterly disinterested in doing anything about it when I reported it. As were Cloudflare. I checked on the site a few days later and the safe browsing list had flagged it, so at least those maintainers still seem to give a shit.
Yeah, actual credential phishing attacks can be sophisticated and well put together. The ones where they will make mistakes on purpose to weed people out are the ones where they are REALLY looking for a target to squeeze. They will keep some of these people on for extended periods of time and get loads of money from them.
I have a friend that got a message from a "girl" over the summer. It was like "Hello Dear Joseph, I would like to no if you can help me with to practice English. I find you profile today and I have a work visas starting in 90 days to come to your city for work and I am wanting to make new friends and practice my english!! Sorry if this bothered to you. ~~EMOJIS~~~
- Signed Brazilian Model.
So far I think he's 8 grand into helping her. I'm sure it's more now because that was like before Halloween and it's impossible to convince him that it's a scam.
"So far I think he's 8 grand into helping her. I'm sure it's more now because that was like before Halloween and it's impossible to convince him that it's a scam."
Scams work, because people want to believe in them.
Likewise. It’s scary how easily you can just fall into a phishing trap. I almost gave an attacker my GitHub login due to a (Very very good) phishing email impersonating CircleCI.
The email was really good (not in junk), the domain was close, pixel perfect UI and is just finished a reformat so entering in my feeds again made sense. Unfortunately for them, they sent the email out prematurely because after pressing the button I got a JS error.
The theory I heard worked in the other direction: if we assume scammers have a finite amount of time, it could be in their interest to minimize the amount of "likely good targets" in order to increase the amount of "very likely good targets". So all those untapped potential targets are just too similar to non-good targets for them to discriminate effectively, leaving them so far focused on the lower-hanging fruit.
I mean, with Google Translate, spellcheckers, etc, improving all the time, at least some of those messages should have been improving as well, no? If their grammar has not improved at all during the last decade, then there might be a hinge of truth to the theory.
If we assume that scammers live in the developing world, their time is almost certainly not valued so highly that having a few more responses to copy/paste a unanswered requests for payment to is worth their bulk email losing a single wealthy Westerner that's trusting and unworldly but also a stickler for good grammar (or has a spam filter that knows a lot more about Nigerian princes than they do). I've seen in-person scammers in the developing world continue to waste their own time trying to reel me in even after I've told them I'm familiar with that type of scam and failed to turn up for suggested meetups, and it's not like I was the only white person in Jaipur...
There are often horrible spelling and grammar and composition errors leading to phishing pages which involve zero further input on the spammer's part to collect valuable data too.
Scam companies tend to hire those who either couldn't or didn't invest into a personal career. Some of these also have a gift for persuasion (to other locals) so they just go for it with what they have.
Once you start getting into the mindset of investing time for learning and development of skills, then it's just easier, safer and more profitable to go the legit way.
I think all of the obvious scam emails are part of what makes the higher effort scams so much more effective. People (myself included) are used to being easily able to spot the scams so aren't naturally wary when seeing emails that don't have those obvious indicators.
I'm not sure it's the case with the type of scam that the article is talking about. Phishing credentials and getting people on the phone to buy gift cards and transfer money require a vastly different approach I suppose.
Skip through the hot parts of the video per the graph and just see how the scam actually works, and I think that for all the social engineering steps required and the sheer amount of time spent on the phone, most people would just give up even if they maybe fell for the initial well designed email.
I don't really want to speculate on the spelling/email of scam emails as I think short of some reporter just finding a spam-house and asking, it will all be senseless speculation. The article theory has plausible theories, but might very well be specious. I don't buy that it's due to poor English skills, as spellchecks are plentiful and I have no doubt that the spam-houses could easily pirate older copies of Word and get a decent looking email.
Similarly, if it was effective, I have to imagine that this is the format they'd pick.
The simplest explanations of the poorly formatted/written emails and chats for me are:
1. The targets that have the highest chance of success don't care about the emails
2. The formatting of the initial emails doesn't impact the scam in a significant way
From a more personal perspective and the people I know who continued with the scam past its initial stages, they didn't pay attention to the formatting, just the general idea behind the message was more their concern. The IRS scams, giftcard scams, etc, put some sort of pressure on the people in a way that they truly stopped thinking about the content and were more worried about the idea behind the message: they would get in trouble if they didn't comply, and the financial concerns were the driving force.
Yeah, this sounds a lot like a just-so story. There is never any actual evidence given, and the story plays towards people’s desire to feel smarter than other people who would fall for a scam.
>because at the end of the day they don't speak English very well and don't have access to anyone who can.
They have access to spell checkers. I somewhat agree that current retirees may be very sensitive to spelling mistakes, but spammers often aren't even putting in the minimum amount of effort to produce an error free E-Mail.
I think that both theories aren't satisfying.
I think you're right in general, but I've seen some cases where it couldn't possibly be language barrier.
For instance I once saw one of those sex scam accounts on Facebook where the profile pic was some hot, obviously white woman, but the name was Vietnamese and all the posts were in the Thai alphabet. That to me seemed very deliberately designed to catch men who saw the big boobs and immediately switched off their brains. And obviously no one is incompetent enough to use the wrong alphabet by mistake.
I agree in that the collective that you mention exists, and it is probably the majority. They are not the target.
Remember that scammers are lazy. The target is someone who doesn’t notice the punctuation problems. People with mental illnesses, etc, but with access to funds. It might very well be much smaller than the group you mention but they are easier to scam. No need to use technical trickery. They will give you their credit card details over the phone.
Educated, British retiree is one class of audience, who may need a different nuanced tactic (tech/ amazon/ gmail security like email with a professional English call center that can engage them).
The world is a big place. There are also other classes of audiences (where the engagement effort is much lower) and this purposeful spelling mistake does look like a good way to weed out some of them.
No this is a filter. It is the same reason why the wife of nelson mandela has millions to give. Any interaction after initial spam cost time and hence if there is no return it is lost opportunity. Best victims are the ones which are not aware that there is a scam at all. Overseeing bad spelling correlates with inability to read carefully which correlates with being with bad intelligence. So people answering very bad spam are in fact more likely very good victims.
>because at the end of the day they don't speak English very well and don't have access to anyone who can.
You believe they don't have access to fiverr or any of the numerous sites that will copy edit for a couple dollars of the thousands bucks they are scamming?
Not to mention that if you're looking for copyeditors on freelancer websites, you've got to provide them with some credit card details and evidence you are running something most freelancers are going to identify and report as criminal activity. There's a reason the majority of these scams want cash payment in Western Union or Bitcoin...
I was making a counterpoint that the reason they have bad grammar is not lack of access to a way to make good grammar. The original thought about why the grammar is always bad on scams is simple. The bad grammar is a litmus test that your victim is dumb or mentally not able to analyze your scam so you know to dig in when you get a hit.
Close to 20 years ago I got an email that in it's entirety said "I have a powful tool. I suspect youd like it", exactly as written. No links, no attachments, just plain text. I showed it to my then girlfriend and now wife and since then we have adopted "powful tool" as a term we apply to really great devices or machinery of impressive heritage or even some good software. Warms my heart.
It’s been, fuck, two decades and this is still in my mbox. My wife and I still shout Gouranga at each other some days and, hell, who am I to argue that it doesn’t bring the highest happiness!!
> In GTA, the player received a 'GOURANGA' bonus for running over an entire procession of Hare Krishna. 'GOURANGA' is actually a term that was popularized as use by the Hare Krishna movement during the 1970s. It is often used to describe happiness. This is also a cheat code in the PC version of GTA 2.
A cursory search gave back this gem. Same spam email in 2003 except it goes off on a tangent about a Symantec deal worth a lot of money (since someone mentioned they used Norton 2003) that someone used to buy a company sports car. Then people just keep talking about sports cars.
If I had to guess, it’s a trick to get people engaged.
There’s no link or request for money, so people probably respond more often.
I imagine like many areas of persuasion (like interrogation), getting someone to start talking is the “foot in the door” that starts to snow ball, even if it’s not about anything relevant.
It's called "IP warming". When you send bulk emails, there are throttling limits and other things meant to decrease the ability of scammers. So to warm the IP up you have to send on it for awhile. These sorts of blank emails aren't the best way to do it, it's sloppy. But that's the goal.
The same trick is applied to trick potential customers into going through a sales funnel and convert to a paying customer.
"There are 42 people watching this hotel right now! Only 3 rooms available for your dates! We'll murder ANOTHER puppy if you don't book right now!"
Yes, I worked for Booking.com. They don't do it everywhere, in some places it's illegal, and sometimes they simply change the words slightly to make it suggest urgency.
For a while on change.org (2021 was when I observed it) if you were looking at a petition with n signatures, they would show you n-10 or so, and increment the counter erratically over the next couple minutes to add the remaining 10... as though people were rapidly trickling in to sign this very hot petition right this minute.
Is this why when I'm on Etsy, some obscure, niche item that I'm looking at will always say "13 people have this in their carts right now"? Etsy doesn't seem like the type to me, or maybe that code is just flawed
Wait, how does this work? Google bots this complex, or Etsy especially made it possible for Google bot? Also Etsy shows price directly on page, so whats the reason?
This is true but also...
In my experience[1] a large majority of facebook-level romance scammers use the same copypasta messages when possible, because they actually are from (e.g.)Nigeria and really do have poor English.
This is especially relevant to your point because facebook could EASILY be flagging people based on known pasta messages, for review or shadowbanning etc. They presumably don't do this because "not my problem".
1.Actually the experience of someone I know who's turned screwing with scammers into a personal hobby, who frequently shares notes on this with me.
> They presumably don't do this because "not my problem".
They don’t care. It’s that simple. I’ve (on Facebook/Instagram) reported scams, and they always say it doesn’t violate their community guidelines. But it turns out the computer “reviewed” my report, so I appeal it, and it’s always “sorry, but we don’t have enough people, so we’re ignoring this appeal. Here’s the report ID for the ‘review’ board.” On the rare chance a human does review it, they say “a human reviewed your report, and you’re right.”
They so much don’t care that, now, reporting scam/spam just says, “thanks for letting our system learn” without a way to make an actual report. I’ve given up reporting scam/spam.
For a real kicker, I’ve reported a literal terrorist threat-like post, and it was still “pending” after a week.
I've reported scams where people were selling "spells" to make ex-partners come back to the buyer, or to fall in love with them, and got the same automated responses from Facebook.
I shit you not, there are people on Instagram who are scamming mentally ill people by telling them that they can train them to do psychokinesis and psychic levitation. I've been following them for months since someone I care about fell for it, and they're amassing really large followings while running blatantly obvious scams. Facebook does nothing about it despite multiple reports.
>> because they actually are from (e.g.)Nigeria and really do have poor English.
This isn't true. English is Nigeria's official language (all Education is in English) and people generally speak English well. Secondly, folks from Nigeria actually use the gist of the article as a flag for filtering out scam i.e. once they open an email with bad grammar, they automatically assume it's scam and ignore it.
Anyone ever tried flagging those obvious scam accounts with ridiculously obviously fake photos (or, at least misappropriated from some aspiring models insta account).
Even when it's blatantly obvious Facebook always tells me that their account doesn't break their community standards...
This. I recently got approached by a scammer on Facebook marketplace. It was never going to work but the spelling/grammar issues instantly made me think something fishy was going on.
They put plenty of investment into scamming me before I called them out, and I don't think their grammatical errors would have served to filter anyone (because it also could have just been someone wanting to buy something who happens to have bad English).
this idea has been kicking around for a long time, and sounds nice, but is there any data to support it? A lot of the most visible misspelling seems designed to avoid spam filter detection.
I used to buy into the idea, but it increasingly grates my intuition as time goes on. I'm at a point that I believe much of the misspelling, poor grammar, etc are not intentional. If the same scammers were better at what they did, they'd snare more marks. I think these scammers are only capable of exploiting the bottom of the barrel when it comes to discerning audiences, though.
However the paper itself doesn't present any evidence around the scammer's intention. Rather it presents a mathematical model under which it would make sense for a scammer to intentionally exclude a large swathe of victims, and it posited that misspellings is a way to achieve it.
I would think they do know exactly what they're doing. There's no reason to think it's just to get past email filters or just to skip the smart people. It's probably both, plus other reasons we haven't even thought of.
I am not sure smart people are scammed less often than the average person. Perhaps smart people get sucked in by different scams (like buying altcoins, or complex speculation)?
Just because they're organized doesn't mean they aren't incompetent in other aspects of what they do. There are plenty of dumb organized criminals sitting in prisons.
I get phone calls sometimes that are almost certainly legitimate, such as from my insurance company, and if they ask me to give them any information (like my address for "security purposes") I always refuse and tell them I can call back. The same is true with email. You should never be giving any information away, even if it appears to be a completely legit communication from your bank or whatever.
The exception (and a potential attack vector) is when a phone call or other live interaction ends in an email being sent as part of the process. There you have to weigh the risk I suppose; obviously i have replied to such emails. But i would never reply to a bulk email even if it came form my banks domain.
When the doctor's office phones me, they must immediately learn my DOB or they can't reveal any information. Unfortunately the person calling is sometimes a nurse who's working on test results or some followup and they don't have a direct number. But it's kind of a stalemate if I won't reveal anything to them, and they won't reveal anything to me.
At this point if they manage to have the correct caller ID and I'm more or less expecting the call, it can't hurt to divulge my DOB. Scammer's going to find that out easily anyway.
I'd buy the argument made in the article more if they could explain what harm the scammers are avoiding by weeding those of us who can spot a misspelling as early as possible. Do they immediately start investing a great deal of time in a possible "mark" right after one reply from them?
Savvy users who will become wise to the grift somewhere along the way are the ones they want to weed out. Early in the process ideally.
Having totally convincing emails fails to weed out these savvy users - you get to discover who they are a bit further down the line, after you've invested some time.
Since their time they can spend is finite, they want to only spend time on sure bets. This is why it is important to take a few moments to lead on scammers - you're damaging their ROI the more of their time you can take up.
Yes, but there is a thing what many comments here misses: those email do work, so not only they filter out not-dumb people, they are running on a successful strategy.
Using a proper spelling would improve the conversion but also would add a lot more work for the scammer and therefore he can miss a real doofus who can be scammed, so the overall KPI (heh) would be lower.
Yes, it still the same, but with an additional key part.
To be honest, a lot of them seem to just copy from other scammers... I do wonder if it started off as this (and, potentially, to bypass spam filters in the early days, when many of them did face the keyword problem), but it's now simply a copy-and-paste job?
Ah yes, “smart people don’t get scammed, you’re smart aren’t you?”
Very smarmy line of thinking. Unfortunately on the rise in recent years. We are all vulnerable to scams and victim blaming doesn’t help the conversation any.
It irks me that this is the bulk of what we're taught of phishing training - just to look for the obvious mistakes.
We've been seeing a rise in attacks that are launched from compromised accounts, where the email is a reply to a previous thread. So you have the context, name and address of someone you're presumably already familiar with. The last one I looked at had the body "What do you think of this?", their signature was missing, and the payload was a html file that delivered a passworded zip via a data: blob, and the password was in the html file. "for security".
The attachment was the only real tell. Also noticed the sending server was in the wrong country, but since the thread they were replying to had to come from compromised access, I wouldn't trust that either. If the attachment was an office doc, the payload would have been delivered before I heard anything about it.
It's not quite spear-phishing (you're still a target of opportunity rather than a selected target), but it's effective and convincing. But trainings haven't got much past the nigerian princes yet.
I get a text saying my package is delayed because of address error, AND I’m expecting a package AND I spent my morning cleaning up emails and putting out fires, AND the link opens to an exact copy of the USPS website…
BUT THEN, I notice the URL, BUT THEN I realize my package is coming from UPS, and not USPS, BUT THEN I realize this is like another scam _that I correctly identified_ previously.
If your scamming objective is to get high-level permission, authorization or otherwise to actually get PAID you need a very special someone.
What you don’t need is to waste resources and expose yourself to, now I say, intelligent people who will try to take you down. Even more, you want to avoid special someone with the resources and knowledge to actually scan you.
That’s not a ‘crazy theory’, it’s common sense in the age of advertising and marketing.
Or, if it’s too ‘complicated’, then let me ask you this, have you ever experienced a ‘street hustle’? In a bar trying to buy weed (pre-legal) or a person on the street confronts you for money.
Clever tricks working on personality types.
If you can convert your awareness of spelling errors into distrust so fast, we don’t want to talk to youz.
I don't see the value in articles like these that don't even attempt to convince you what they are saying is true. Sure, I've heard this claim 1,000,000 times on sites such as Hacker News and Reddit - but I've yet to find any reason to believe it.
In the spam e-mail I get, the misspellings are clearly there to get around spam filters. In fact, the e-mails I get look quite convincing, and just have two or three strategic misspellings. A lot of the text will be in the form of an image, and will be spelled and formatted perfectly. But instead of saying "garbagetime" it will say "garbagetim". And instead of saying "18+" it will say "19+".
Looking at one spam e-mail I received recently, I see it even has an "unsubscribe" button, which leads to a vaguely convincing but - after some investigation - certainly non-functional unsubscribe page. That's a lot of effort to go to if you're trying to filter out vaguely clever people.
Maybe there really is a whole other genre of spam e-mail that simple doesn't get sent to me, or is caught by my spam filter. But this article gives me no reason to suspect this to be the case. And for various reasons it seems unlikely.
While we've all heard the theory that poor spelling can be a tactic used to make their communication seem less credible and make it easier for them to trick people, I'm skeptical.
Many scammers may not be native English speakers and may not have a strong grasp of the language. Another possibility is that scammers simply don't put a lot of effort into their spelling and grammar because their primary focus is on making money, rather than creating well-written communications.
Sounds like a perfect use case for text generators to me. If you receive a mail that you're 100% sure is a scam or phishing attempt, you could pass it to ChatGPT and have it teergrube the scammer into some endless conversation that binds as many resources on the scamner's side as possible.
(emphasis on "100% sure" though. If such a system was widely deployed, it could also quickly turn into a Kafkaesque horror show if legitimate messages get caught in it)
This is not true. The scam are usually carried out by highly illiterate young boys who simply carry a file containing files labeled as first letter, second letter, third letter and so on. Then they go phishing with these.
I’ve seen this idea of they’re trying to filter out educated people so often that it makes me laugh. They aren’t , they’re simply dumb.
1. to avoid keyword detection (reason I write to myself garbled sensitive notes online, so potential hacker with online translator won't be able to read them since it's highly unlikely he will be my maybe language speaker)
2. to filter out smart people avoid wasting time with them
Same reason Nigerian 419 scammers continue to make it clear they're from Nigeria: If you're unaware enough not to know that "Nigeria" is a red flag for "scam," you're exactly the mark they want.
There's a much, much simpler reason. The object of the scam is to persuade you to send money to the only country they can collect it, which is Nigeria.
Most of the people who haven't heard of Nigerian prince scams have spam filters which have. I suspect their spam-filter evasion rates are so low they really, really wouldn't want to filter those people out if they knew what they were doing
(I suspect the reverse is actually true: a lot of the people running the scams have heard legends about how much their fellow countrymen made from using certain email templates, but have no idea how much of a running joke they are in Western discourse and how consistently they're filtered out)
I remember about about 15-20 years ago, I noticed that a bunch of spam emails would open using multiple disjointed snippets of public-domain poetry before the dodgy links to try and get around these sorts of filters. I used to love reading through them to see a few words of Yeats jammed together with a bit of Coleridge or something, looking at it as some sort of weird outsider art.
In personal interaction scams, spelling mistakes are also endearing and help you believe you are talking to the real person. Even if they “work for” a known company.
