Far-fetched tales of West African riches strike most as comical. So why do Nigerian scammers say that they are from Nigeria? Why so little imagination? Why don’t Nigerian scammers claim to be from Turkey, or Portugal, or Switzerland? Stupidity is an unsatisfactory answer: The scam requires skill in manipulation, considerable inventiveness and mastery of a language that is non-native for a majority of Nigerians.
We’ve all seen some form of this "too good to be true" chopped up English type of technique designed to part us from a significant amount of money. However, the initial reaction of a scam-savvy person is just what the attackers are looking for. This scam method relies on a vast numbers game and is examined in Cormac Herley’s whitepaper, Why Do Nigerian Scammers Say They Are From Nigeria?. A researcher at Microsoft, Herley’s analysis delves into the numbers that make these scams work and the gullibility of the victims. Make no mistake, these scammers are smart and they know what they’re doing.
Attacks are seldom free.
Malicious software can accomplish many things but few programs output cash. At the interface between the digital and physical worlds, effort must be spent. Turning digital contraband into goods and cash is not always easily automated. For example, credentials may be stolen by the millions, but emptying bank accounts requires recruiting and managing mules. The end game of many attacks require per-target effort. Thus when cost is non-zero each potential target represents an investment decision to the attacker. He invests effort in the hopes of a payoff. Therefore, he must "qualify" his victims prior to expending significant amounts of resources (time and money) to attain the prize.
Who is a target and how are they chosen?
There are several models of human behavior that illustrate the theory that when large numbers of communications are cast to random recipients, there is a direct relationship to the number of viable targets harvested. The attacker is looking for people gullible enough to respond to the communication. These people make the "short list" and the attacker continues to nurture these targets until all false positives have been eliminated and there are only true positives left. True positives represent a tiny subset of the initial list of random recipients. In addition to a high gullibility trait, true positives must also have money and an absence of any factors that would prevent them from following through all the way to sending the money.
Since gullibility is unobservable, the best strategy is to get those who possess this quality to self-identify. These are the communication recipients who respond. An email with tales of fabulous amounts of money and West African corruption will strike all but the most gullible as bizarre. It will be recognized and ignored by anyone who has been using the Internet long enough to have seen it several times. Therefore, shrewd recipients are in a sense, helping the scammers by inadvertently classifying themselves as non-viable targets merely by the absence of their response.
So how does this approach answer the question in Herley’s title? His answer: By sending an email that repels all but the most gullible, the scammer gets the most promising marks to self-select and tilt the odds in his favor.
You say, "I don’t fall for these Nigerian scams so this won’t affect me." That’s great… AND keep in mind all that was discussed in this article was only one type of scam. There are millions more scams relying on the same gullibility factors of human behavior with the same end game. We are the weakest link.
Read the full whitepaper by Cormac Herley here: