I suppose it boils down to this "By sending an email that repels all but the most gullible the scammer gets the most promising marks to self-select, and tilts the true to false positive ratio in his favor."
It's like all those stupid adverts you see on TV for mega-extreme-fitness-workout or call-meet-super-sexy-local-girl. Always wondered who would actually buy this rubbish or call those stupid premium rate numbers, but the very fact there are so many of them must mean someone does!
"for mega-extreme-fitness-workout or call-meet-super-sexy-local-girl"
That's actually a little different. When people are desperate they are willing to go with emotion instead of rationality. That's why they travel overseas for miracle cures even though rationally what they are doing doesn't make any sense at all.
There is also the greed factor which is somewhat similar and why people go for "too good to be true" things if the price is low enough.
There is a blogger who I will not name that has chosen to go with GoDaddy $9 hosting for his quite popular blog (he used to pay $100 for a VPS or something like that) and he truly believes that gd will give him unlimited everything at that price point just because that's what the site says. While he is not particularly savvy in terms of hosting and technical things (by his own admission) his greed (if I can call it that) makes him overlook and ignore the obvious.
I'm sure someone can point out the exact psych principles that are involved here.
Those ridiculously too-good-to-be-true hosting deals are awesome if you've got a blog that nobody ever reads. The instant one of your posts goes viral, expect your page to be unceremoniously shut down with no call or email to you. Which is of course the worst possible time for it to be shut down-- while it's on front pages of social aggregators and such.
Source: personal experience (Bluehost, not GoDaddy)
Scamming is not remotely a hare-brained scheme. It's an incredibly reliable method for getting rich by exploiting the gullible if you know how to do it. That "if" is a huge if. And there's the whole ethics thing.
And gullible needs to be emphasized. A lot of people seem to think scammers only get the greedy, which is not true. For example, how are fake charities targeting the greedy? Or the grandparent scam? 
That site is really depressing. When they make him woodcarvings and take pictures and read audiobooks for him, you realize those people are just completely desperate and trying to make ends meet any way they can.
There's a huge difference between saying "tormenting these scammers, vigilante-style is unsettling and perhaps distasteful" (the takeaway I got from the This American Life story) and saying "Nigerian scammers are good people".
They can be bad people, some of their number may have murdered people, but I don't think that makes any and all actions toward them justified.
Madoff's 'customers' mostly believed that he must be doing something not quite kosher, but they thought they could still make money off of it.
This is a significant thing. My anecdotal understanding (from talking to my wall st friends) is that his clients basically thought he was screwing someone else (with his trading operations) so that his fund could do so well.
I wonder if this effect also takes hold in Nigerian email scams. Would their success rate go up if they implied they were screwing someone else out of the money?
Isn't that the point of the Nigerian scams - the money is always illegal (some corrupt politician / foreign aid money) that needs to be got out of the country - so you feel you are "in" on the real scam?
It also discourages you from reporting it once you have sent off any money.
Honestly, I haven't gotten one in a while. I do recall some that seemed very legit (no implication that victim would be in on fraud). It was inheritance, and there were banking regulations that had to be worked around, etc. Adding a taste of fraud seems like a smart choice for the attacker.
Many ads (including a lot in Facebook) for cellphone money-sucking subscriptions operate in the exact same way. Writing such a stupid message that only very unintelligent people would click and therefore getting the best ROI they can (when they pay per click).
At first glance, the conclusion of the paper seems very intelligently plausible; however, I believe understanding such reasons will be more accurate from qualitative rather than quantitative research.
It should be noted that the particular format of scam discussed in this paper (the templates/models are called formats) is along the line of inheritance and criminal government officials. However, it does not address other formats such as lottery/employment/relationship scams to mention a few.
This 'reason' given in the conclusion might be one data point but far from being 'The reason' Why Scammers Say They are from Nigeria.
Thanks submitter for putting the quotation marks around Nigerian scammers because I did not see anywhere in the article that certified the letters claiming to be from Nigeria were actually from Nigeria.
A final note: Scams (including those originating from Nigeria/by Nigerians) are of international dimensions; therefore assuming a scam would have to be unraveled eventually since the money MUST be eventually sent to Nigeria is false. Therefore there is no compulsion to always eliminate those that are false positives to the word Nigeria. Other false positives can be used without eliminating the very same people all the time.
The answer to the 'research question' would be more accurate/inclusive if got from a qualitative method than quantitative.
"This 'reason' given in the conclusion might be one data point but far from being 'The reason' Why Scammers Say They are from Nigeria."
Agree. There is certainly no discussion of any conversations with actual scammers to see if that is the reason they do what they do or what they are thinking. And as far as copycat crimes go, it would make sense that someone would mimic an existing ubiquitous scheme rather than coming up with an entirely new and unique location in the world. Most people who kill themselves of course choose a method that they've heard other people use and it is well known that there are crime waves that start with a single incident. Lastly there is no data available to show what happens if you don't choose Nigeria as your location to back any of this highly academic analysis up.
Of course this paper and analysis could be used with many things. Take dating for example. Is it better to go on a first date dressed to the nines or dressed at 70% (arbitrarily picked to prove a point) your best dressed look? I could take that and get someone to write a paper which shows that you have a higher chance of getting married if you dress at 70% on your first date since you will weed out many people that aren't attracted to your average looks. But the fact that I can present an academic paper showing that doesn't make the fact true without something more to back it up.
A date has a non-zero cost. If you want to weed, do it earlier. Say something embarrassing on your online dating profile maybe? Then, when the selection is done, you go into seduction mode at the date.
I don't think the conclusion is correct. First, I have seen mails from Pakistani, Iranian and North Korean scammers as well.
I think the hacker's challenge is to present a story that is credible enough. Claiming to be from a country that is perceived to be mismanaged and corrupt by the target audience helps. Linking it to some real event such as some real coup makes it even more credible. But finally, once someone gullible enough follows up - if you have a Nigerian accent or ask them to mail to a Nigerian account, claiming to be from some other place will make maintaining that credibility very difficult. I believe that is primarily why Nigerian scammers pretend to be Nigerian, and Iranian scammers pretend to be Iranian.
If you want to downvote it, go ahead, use whatever reasoning pleases you. But please be careful about quoting a post calling on others to downvote. Campaigning for upvotes or downvotes is frowned upon, it breaks the entire premise of "The wisdom of the HN crowd."
If you feel this person's anecdote is not helpful, it might be better to reason against it directly rather than engaging in meta-debate. You risk re-opening a debate about that post rather than the current topic.
The original article ("Why do Nigerian Scammers Say They are from Nigeria?") does not contradict what the grandparent writes.
Let X = claim to be Nigerian, and Y = earn money using a "419" scam.
The article says that while it may appear foolish to do X if you want Y, an economic argument shows that doing X in fact leads to more Y. The scientific or analytical part of the article is solely the part about X leading to more Y.
The author then conjectures that Nigerians must continue claiming to be Nigerian because they have somehow come to realize that it is good
The grandparent's conjecture is that Nigerians continue claiming to be Nigerian simply because they still expect the money to be deposited into a Nigerian account, they still speak with a Nigerian accent, etc.
Both are reasonable conjectures, and the analytical part of the article is consistent with either one.
The bulk of the reply was reasoned argument rather than anecdote, and the anecdote didn't even contradict research in the paper, they were explaining why scammers might claim to be from Nigeria, not claiming that most scammers were claiming to be from Nigeria.
Fascinating article. I wonder if this is always true though:
> We consider a population of N users, which contains M viable targets. By viable we mean that these targets always yield a net profit of G when attacked, while non-viable targets yield nothing. Each attack costs C; thus attacking a non-viable target generates a loss of C
This supposes that the viability of targets is boolean: you're either gullible or you're not. But isn't it possible that targets' viability (or profit potential) is a function of the sophistication of the attack?
The sophistication of attacks increases in relation to expected payout. My aunt fell "victim" to one of these scams after winning the lottery. It started off with the standard spam, then when she responded the scammer became more personal, learned about her, and after the initial "investment" began an online romantic relationship with her.
After the family learned that she had given $250k to this guy, we stepped in and put a stop to it. She was embarrassed, and ashamed... and kept talking to him. We found out later that she had given him more money, after their "relationship" had continued for a number of months.
FTA, unsophisticated attacks select for unsophisticated targets. As the likelihood of a payday from a given target increases, so too does the sophistication until an equilibrium is reached and increased effort no longer yields increased rewards.
I believe it is a mistake to see the victims of cons as unsophisticated. Or rather, doing so makes one more susceptible to being taken - consider how Madoff operated.
I watched a coworker send money to Nigeria once for a Teacup Yorkie - $900 for a pedigreed dog including air transport seemed like proof of the victim's internet shopping savvy and unsolicited warnings from the workplace were ignored.
What was amazing was how well the scammer read the victim. The dog was to board a 10 am flight and arrive in ATL at 2:30. The email arrived at about 10:15 notifying the victim that another $400 was needed for customs but that the dog could still make the flight.
Two of us working hard managed to convince the victim not to send the money - I think that the possibility of a dog flying from Nigeria to a baggage carousel in Atlanta in three hours finally made it through the filter. But it was a close call.
The victim was a savvy college graduate with a good job which required a lot of responsibility and hard knuckle negotiations with contractors and vendors on a regular basis. The attacker was extremely sophisticated in their pitch. It's why the victim trusted them and didn't verify anything.
Gullibility is a game-theoretic state that you may wander in and out of as you play more "rounds," so it's actually quite hard to model.
Presumably it's possible to compile a statistic that factors in all the game-theoretic elements, so that on a per-attack basis the population can be assumed static like this, even if actual targets are changing over time.
How much "noise" in terms of false leads must the world create to make scams like these unprofitable? Would it be sufficient to mine a spam filter and auto-respond en masse with various canned responses? How about a site which facilitates scam baiting, sans the hand-carved 80's era computers and other extremes of 419eater? It could be positioned as entertainment and a public service rolled-up in one. Want a break at work? Check-in on your currently active scams and send out some email. The site would link-up to gmail/hotmail/whatever accounts you create (to avoid TOS issues) and use Twilio to facilitate anonymous phone calls. It would be like a virtual customer service/call center application. There would be suspense, intrigue, and surprise. How will the authors of this piece of spam attempt to con me?
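The model quoted earlier in the thread (N users, M viable targets, net profit G, attack cost C) can be run against the question of how many false leads make a campaign unprofitable. This is an added example, not code from the paper or from any commenter; the blatancy threshold `t`, the response curves `tp` and `fp`, the idea that decoys answer regardless of `t`, and every number are constructed assumptions.

```python
import math

# Added example. N, M, G, C follow the quoted definition; everything else
# (threshold t, curves tp/fp, decoy behaviour, sample numbers) is assumed.

def tp(t):
    """Assumed curve: fraction of viable targets who still respond at threshold t."""
    return 1 - t * t

def fp(t):
    """Assumed curve: fraction of non-viable users who still respond at threshold t."""
    return (1 - t) ** 2

def campaign_return(N, M, G, C, t, decoys=0):
    """Viable responders yield net G; every other responder, decoys included, costs C."""
    return M * tp(t) * G - ((N - M) * fp(t) + decoys) * C

def best_threshold(N, M, G, C, steps=1000):
    """Grid-search the threshold in [0, 1] that maximises the sender's return."""
    grid = [i / steps for i in range(steps + 1)]
    return max(grid, key=lambda t: campaign_return(N, M, G, C, t))

def decoys_to_break_even(N, M, G, C):
    """Fewest decoy responders that push the best-case return to zero or below."""
    t = best_threshold(N, M, G, C)
    best = campaign_return(N, M, G, C, t)
    return max(0, math.ceil(best / C))

if __name__ == "__main__":
    N, G, C = 1_000_000, 2000, 20            # constructed sample values
    for M in (100_000, 100):                 # dense vs sparse viable population
        t = best_threshold(N, M, G, C)
        d = decoys_to_break_even(N, M, G, C)
        print(f"M={M:>7}  best t={t:.3f}  decoys to break even={d}")
```

Under these assumptions, a sparse viable population pushes the profitable threshold close to 1 (only the most obvious pitch pays), and at that point roughly a hundred decoy replies are enough to erase the campaign's margin.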
I actually spent more than an hour on the phone with some of the call-you-up-because-you've-won-something-but-you-can't-have-it-unless-you-give-us-money scams once. I repeatedly gave them a bogus credit card number and insisted it ought to work. I got passed from person to person and was asked with varying degrees of politeness and barely suppressed aggravation to repeat the number backwards and forwards, and was I sure it hadn't expired, and did I possibly have another credit card, etc. I was very polite and cheerful, agreeing graciously with every request to be put on hold or transferred. Hold times are great to get the giggles under control.
When the last guy they transferred to me asked if I was toying with them (I'm pretty sure I covered my giggle with a decent enough cough, but maybe not), I asked him if I could phone my bank to find out what the problem was and call him back. Out of the question, of course. I asked if I could check with my bank and if they'd please call me back in 10 minutes. He agreed, but I never called my bank and he never called back.
What I wish I had got in there somewhere was something like "it really ought to work, I used it yesterday to pay for postage on a parcel from Nigeria."
That may all be true, but in my experience working at a very large webmail provider, the vast, vast majority of phishing attempts (not just 419 scams, but also really terrible attempts to get passwords to email accounts from which to launch more 419 scams) came from Nigeria, Benin, and Côte d'Ivoire IPs.
I don't really think that makes any difference to the point made.
The overall idea is that it is helpful for them to present an image that less gullible people will immediately write off as a scam, so as to reduce the responses to a set of people that are gullible enough to be profitable to pursue.
The ideal scenario for these people is to be busy all the time dealing with the most gullible potential victims rather than chasing people who will balk at sending them money. Any more responses than they can deal with, and they'd be better off filtering out more of the less gullible people by making their initial approach more likely to send poor targets running.
Presenting themselves as Nigerian is one way of increasing the odds of triggering alarm bells with the less gullible people, but by no means the only alternative.
There's also every reason to assume that a reasonable number of scammers are simply clueless and try these scams because they think they'll make money, not because they've actually found a method that is viable for them, so you'd expect to see a reasonable chunk of scammers that don't do the optimal thing anyway.
If malicious types didn't find a way to circumvent your code such that they could use you as a relay for their junk, they would at least be able to use your auto-responder to try DoS or joe-job someone else (potentially leaving you with a large bandwidth bill and a collection of explaining/apologising to do).
I've often been surprised by how silly the "Russian girl coming to the US" genre of spam sounds when reading it. "Oh, I decided to come to America, found you randomly on the 'net somewhere, and decided that I'd like to meet you." Like the Nigerian scammers, these folks want to induce selection bias toward a population of men who will suspend disbelief and do almost anything in a futile attempt to meet a girl. It would be interesting to respond to such spam in a way which suggests relatively low motivation and see how the scammers respond. Send a casually-shot photo of a reasonably attractive man and claim it to be yourself. Perhaps a photo of such a man with a reasonably attractive woman who quite plausibly could be an ex girlfriend. The idea is to imply that you have options for forming relationships beyond relying on a Russian woman's successful journey to the US. [The scam apparently involves asking for money to pay for unexpected airline fees, etc. -- pay the money, and the girl will be here soon] Then, for contrast, send a photo of an ugly man and compare the scammers' responses.
I think they are wrong. Those email scams are "old school" in the sense that they worked back when people were not really familiar with the internet or scams and lots of scammers got rich from that. The ones still being sent are probably earning just a trickle of money from these (since it's so obvious, and the pool of people who will fall for this is rapidly shrinking).
The scam has evolved into other forms, for example, the variant where a decent looking guy on a dating website communicates with an older foreign woman for months, before he then goes somewhere where he is "kidnapped" by terrorists and they need a few thousands to release him, or where he cannot pay his bills because he lost his wallet.
The scammers are like people creating viruses - they are evolving, becoming more subtle and adapting to the internet. The mass email thing is a known exploit, and I doubt it is profitable for them anymore.
While the topic of this paper is Nigerian scammers, the model that it builds is much more general. At heart, it's a quantitative cost-benefit model of filtering attacks, vs launching unsuccessful attacks. This model can explain quite a lot of things. For example, it can model the viability of frivolous lawsuits, including IP extortion (patent trolling). From that, you could extract how expensive filing (or losing) a lawsuit needs to be in order to put the brakes on patent trolling as an industry.
I have often thought the same logic applies to why display ads work better on low-brow, pedestrian websites. If your website caters to smart people, good luck getting clicks. If you are pof.com then you are already attracting the kind of person who is not discriminating in their internet browsing experience, and they may click on the ads.
Ha! I chuckled at a Microsoft Research minion citing a Google completion as evidence that Nigeria is a synonym with scams: "“Nigerian Scam” is one of five suggested auto-completes in a Google search for “Nigeria”"
In other words: always claim to have a fifty billion dollar market. You'll get a higher response rate from gullible VCs, and people who would try to invest at a multiple of your earnings will filter themselves out ;-)
I have in fact never seen a flame war on this topic. I've seen plenty of flame wars over religion, but not actual discussion of the way in which religions operate at a psychological level. Excuse my ignorance. (Yes, I made a quip, but I was in fact broadening the topic. I.e. the basic post is about a limited phenomenon, and there are much larger cases illustrating the same point.)
But I am definitely not alone in making this observation:
Funny story. I became a believer (after growing up doubtful in church) when I came up with what I felt was a plausible theory for God. I stopped being one when I got bored of the intellectual starvation in church.