Why We Should Scam the Scammers
How can we stop those ubiquitous Nigerian ploys and other
flimflams? Look at it from the perps' perspective
Reply to their scam emails and waste as much of their time as you can
If you type "Nigerian" into Google, one of the top
suggestions for completing the phrase is "scam." We all get them:
unsolicited emails promising us a share of some lost fortune sequestered in an
obscure place, if only we will help the rightful owner recover it. The
"help" usually consists of transferring money to someone you don't
know, most commonly in Nigeria or another African country. And, of course, the
vast payout never materializes.
It should be a familiar story. In 2006, the New Yorker ran a piece
about a New England psychotherapist in his 50s who was contacted by one
"Captain Joshua Mbote" to help recover $55 million. He ended up
losing $80,000—and, as the scam also involved cashing checks and passing on
some of the funds, was sentenced to two years in prison for bank fraud and
other crimes. According to Dutch firm Ultrascan, victims of these so-called
advance-fee scams lost $9.3 billion in 2009, up from $6.3 billion the year
before.
Make them dream about the money they hope to scam from you before you turn tire-kicker
So why do the scammers persist in blanketing the world with
outlandish propositions, announcing that they are from the very country whose
name has become synonymous with online fraud?
Cormac Herley, a computer scientist at Microsoft
Research who specializes in security issues, provides a convincing answer in a
paper presented at a conference in Berlin and recently published on his
website. In it, he analyzes the con mathematically, using an approach called
signal detection theory. His crucial insight is to look at the situation not from
the victim's point of view but from that of the scammers. Their challenge is to
hook only people who will get sucked in deeply enough to send a significant
amount of money—the "true positives." They must minimize the effort
they devote to "false positives" (targets who might seem like dupes
but are suspicious and/or never pay up).
It costs the scammers virtually nothing to spam
the world, but it costs them a lot (especially in terms of time) to conduct all
the follow-ups necessary to reel a sucker all the way in. The people behind
"Captain Mbote" spent six months pursuing their quarry before he
started wiring money to them.
A proposal offering a more realistic scenario
might generate more replies, but most of them wouldn't pan out. The effort of
sorting through them to find the real suckers would undermine the scheme's
profitability. Instead, by screaming "This is another absurd instance of
the familiar Nigerian scam," the fraudsters are filtering out what to them
is spam—responses from suspicious people they don't want to deal with—and
"letting through" only those most likely to play along. The fewer
potential victims in the world, the more precisely the scammers must target
them, and thus the more absurd and easy-to-spot the attacks should be.
The Nigerian scammers aren't alone in using this
approach. Phishing attacks, like the urgent emails from the "IT Support
Team" requesting our passwords to avert some Internet calamity, are so
hackneyed that they likely ensnare only the extremely naive or credulous.
Mr. Herley's analysis of the Nigerian scam suggests a
counterintuitive way to fight back. Most efforts to reduce Internet fraud focus
on reducing the number of people who reply to scammers—by educating users or by
filtering out the scam emails. But some attacks inevitably slip through, and
some Internet neophytes inevitably fall prey.
A more effective solution, Mr. Herley suggests, would require
considering the goal of the scammers. Increasing the number of responses to
their emails, he shows, can reduce profits, as long as those responses come
from people who never send money. Such "scam baiters" already exist
(the community website "419 Eater," named after the Nigerian law that
governs fraud, offers tips and support). The more scam baiters, the lower the
average return to the scammers on each attack and the less incentive they have
to continue the scam.
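The argument above, worked through as a toy cost model: why a plausible pitch can lose money where an absurd one pays, and how many non-paying replies erase the return. This is an added example, not taken from Mr. Herley's paper or the original article; the model form, the names and every number are constructed assumptions.

```python
# Added illustration: toy cost model of an advance-fee campaign.
# The model and all parameter values are constructed, not from the paper.
from dataclasses import dataclass


@dataclass(frozen=True)
class Pitch:
    name: str
    viable_reply_rate: float     # share of would-be payers who reply
    nonviable_reply_rate: float  # share of everyone else who reply


def campaign_profit(pitch, recipients, victim_density, gain,
                    follow_up_cost, baiters=0):
    """Net return: payers bring `gain`; every reply pursued costs
    `follow_up_cost`, whether it comes from a payer, a skeptic or a baiter."""
    viable = recipients * victim_density * pitch.viable_reply_rate
    wasted = (recipients * (1 - victim_density) * pitch.nonviable_reply_rate
              + baiters)
    return viable * (gain - follow_up_cost) - wasted * follow_up_cost


def break_even_baiters(pitch, recipients, victim_density, gain,
                       follow_up_cost):
    """Non-paying baiter replies at which the campaign stops paying."""
    base = campaign_profit(pitch, recipients, victim_density, gain,
                           follow_up_cost)
    return max(0.0, base / follow_up_cost)


# Constructed scenario: 1M emails, 1 recipient in 100,000 would ever pay.
SCENARIO = dict(recipients=1_000_000, victim_density=1e-5,
                gain=2_000.0, follow_up_cost=20.0)
# The absurd pitch loses a few real victims but repels almost all skeptics.
ABSURD = Pitch("absurd pitch", 0.8, 0.00001)
PLAUSIBLE = Pitch("plausible pitch", 0.95, 0.01)

if __name__ == "__main__":
    for pitch in (ABSURD, PLAUSIBLE):
        profit = campaign_profit(pitch, **SCENARIO)
        print(f"{pitch.name}: net return {profit:,.0f}")
    need = break_even_baiters(ABSURD, **SCENARIO)
    print(f"baiter replies that erase the absurd pitch's return: {need:,.0f}")
```

In this constructed scenario the break-even point is a few hundred baiter replies against a million emails sent, because the sender pays the follow-up cost on every reply but collects only from the handful of real victims.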
Perhaps clever artificial intelligence
researchers could create automated scam-baiter bots that would simulate
gullible victims, drawing out the interaction as long as possible. The most
convincing victim-bot would possess sophisticated knowledge of how the scammers
think and behave—precisely the knowledge that tends to elude us when we look at
the world only from our own perspective. Similarly, the profitability of
phishing scams could be reduced by sending bogus account numbers and other data
back to the scammers.
As Mr. Herley's paper shows, what seems stupid can actually be
quite sophisticated. It's only by imagining the situation with the roles
reversed that we can see what we've been missing.
Peter’s Comment
This is a radically different approach and the opposite of the advice traditionally given on how to handle spammers.
Previously we were told don’t open emails that look suspect and certainly don’t reply to them.
Nigerian scams have come a long way since the days when they used snail mail and postage to trap people. Today it is a low-cost, effective and highly profitable industry. It is the effectiveness that needs to be targeted by scam-the-scammer proponents.
So we should all give them lots of work to do. We should act dumb, plead for their help to lift us out of our poverty and string them along for as long as we can before they give us up as tire-kickers.
I’ll go for that.