Almost every inbox has been plagued by them: Emails offering a chance at a share of millions of dollars (or pounds or euros). Someone works at a Department of Finance or Department of Oil or is terminally ill or for some other reason needs to shift a large chunk of money out of their country. And they need your help.
Just shoot through an email with a few personal details, and you'll end up with 5 per cent (or 10 per cent or 15) of some fabulous quantity of money. But then the transaction hits a hitch — you're going to need to send through a small amount of money to help facilitate the transfer. Nothing big and, after all, soon you'll have enough money to fill a swimming pool, and you'll finally be rid of the long hours and low pay of your day job (possibly as a poverty-stricken overworked tech writer). Then they need another small amount. Then a larger amount.
These email scams are typically dubbed 'Nigerian scams' or '419 scams' after a section in Nigeria's criminal code, but are more accurately known as 'advance fee fraud'. And, unfortunately for the country, it's these scams that many people probably think of when they hear Nigeria's name. There is a lot more variety in the scams in these days — you can help out someone trying to shift money out of Libya in the wake of Gaddafi's overthrow, for example — but my inbox still manages to attract a fair share of promises of West African wealth.
And, hard as it might be for a lot of people to believe, these scams can be fantastically successful. Two years ago a Nigerian man received a 12-year jail sentence after scamming US$1.3 million from victims.
Here's a small sample from one I received recently (though this time it's Malaysia, not an African nation):
I am Mr.Davies Abraham the director of Accounts & auditing dept (CIMB Bank Group Malaysia) With due respect, I have decided to contact you on a business transaction that will be beneficial to both of us and our family. At the bank's last accounts/auditing evaluations, my staffs came across an old account which was being maintained by a foreign client who we learn was among the deceased passengers of motor accident on (November 2003) the deceased was unable to run this account since his death.
The account has remained dormant without the knowledge of his family since it was put in a safe deposit account in the bank for future investment by the client and we have tried to contact the details of the next of the kin but our effort is in vain so CIMB Bank gathered that every body in the family died in the Accident.
The question many people have asked themselves after receiving an email like this is: Who would fall for this crap? The persistence of the scam also raises another question: Can't people come up with better worded, more creative forms of attack? Why, given the scam is relatively well known these days, would a scammer still purport from Nigeria or from another West African nation given the association of advance free fraud with the region?
In retrospect the answer to this question is obvious. According to Cormac Herley, principal researcher at Microsoft Research's Machine Learning Department, it's because scammers aren't necessarily interested in seeming believable: They are looking for the most gullible victims they can find, to maximise return on their effort.
A (maths heavy) paper produced by Herley, aptly titled Why do Nigerian Scammers Say They are from Nigeria? (PDF), argues: "In deciding who to attack true positives are targets successfully attacked, while false positives are those that are attacked but yield nothing.
"This allows us to view the attacker’s problem as a binary classification. The most profitable strategy requires accurately distinguishing viable from non-viable users, and balancing the relative costs of true and false positives…
"Far-fetched tales of West African riches strike most as comical. Our analysis suggests that is an advantage to the attacker, not a disadvantage. Since his attack has a low density of victims the Nigerian scammer has an over-riding need to reduce false positives. By sending an email that repels all but the most gullible the scammer gets the most promising marks to self-select, and tilts the true to false positive ratio in his favor."
Herley notes that, contrary to what some people think, an advance fee scam is not free for the fraudster. "[E]ach respondent to a Nigerian 419 email requires a large amount of interaction, as does the Facebook 'stuck in London scam.'"
The cost of sending an email may be close to zero, but "emptying bank accounts requires recruiting and managing mules".
"The endgame of many attacks require per-target effort. Thus when cost is non-zero each potential target represents an investment decision to an attacker. He invests effort in the hopes of payoff, but this decision is never flawless."
He concludes: "[I]f the goal is to maximize response to the email campaign it would seem that mentioning 'Nigeria' (a country that to many has become synonymous with scams) is counter-productive. One could hardly choose a worse place to claim to be from if the goal is to lure the unwary into email communication…
"Since gullibility is unobservable, the best strategy is to get those who possess this quality to self-identify. An email with tales of fabulous amounts of money and West African corruption will strike all but the most gullible as bizarre. It will be recognized and ignored by anyone who has been using the Internet long enough to have seen it several times. It will be figured out by anyone savvy enough to use a search engine and follow up on the auto-complete suggestions [of search engines]. It won’t be pursued by anyone who consults sensible family or fiends, or who reads any of the advice banks and money transfer agencies make available. Those who remain are the scammers ideal targets. They represent a tiny subset of the overall population."
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.