A multi-part series…
I introduced 419s in my last post.
Fortunately, 419s aren’t a perfect scam. If they were, most all of us would be quite poor, having been fleeced out of house and home… They aren’t perfect for a few reasons, starting off with their reliance on Very Big Numbers.
Old-school meat-space direct mailers had something like a 1% response rate, and that has probably gone down, as most of us now just put shredders under the mail slot. There’s a start-up idea right there! An RFID-reading, mail-slot shredder! Send RFID stickers to your friends, everyone else’s mail just gets insta-shredded! You heard it here first, folks!
419s belong, IMNUVHO, in the same category as Spam and Phishing attacks.
Spammers, last I heard, had a response rate that is somewhat less than 1%. 1 in 12.5 million. This is so low because spam has huge hurdles to overcome from a technological and logistical perspective.
Think of spam like human sperm trying to get into a human egg. It’s a long, long journey which starts long before anybody takes off their underwear (or pants, for my British readers… my oldest brother, during his year at boarding school in England, famously insisted that a clothes shop provide him with “corduroy pants” – which probably both titillated and appalled the clerks, pronounced “clarks” for my American readers).
Even when people HAVE taken off their underwear and have significantly increased the chances that sperm and egg will join, each individual sperm still has a ridiculously daunting task. Birth-control, fertility cycles, children interrupting their parents and the rumored significant increase in the popularity of non-penis-in-vagina “unsex” (we can thank Bill Clinton for establishing, once and for all, that if she spits, we must acquit), all play their part in keeping sperm and egg apart.
One thread of evolution has hurled impediments between every sperm and egg, giving us fertility cycles, birth control, and deeply fickle eggs. But another thread of evolution has fought back via Marvin Gaye, MySpace, alcohol, charming accents and, critically importantly, by making sex really fun.
The fun part of sex goes back to Very Big Numbers. If you hurl as much sperm as you possibly can, over and over again, into the proximity of eggs, sooner or later you should get a hit. (This is a slight variation on the theory behind the Phalanx CIWS).
There’s a concept in computer security called “surface area”. It’s very important, and we will talk more about it later. The surface area for one sperm reaching one egg is actually quite small, all things considered. Sometimes it’s so small that it really is non-existent. This all adds up to making pregnancy hard and unpredictable, and one of the best ways to cope with unpredictability is to throw Very Big Numbers at it.
HAH! So there! SO MANY SPERM you can’t count them!
One spam faces similar challenges to those faced by one sperm, but not all, because spam doesn’t actually want a baby. Spam doesn’t really want to get into the egg… spam just wants to go much of the way there.
Spam, frankly, is a slut. Spam just wants a hook-up. The goal of spam is to get me to click on a link, or buy some vitamins which will make me smarter and give me a larger penis. Spam is consensual sex with good birth-control.
Phishing, on the other hand, in particular phishing which seeks root, is most like an STD. Phishing uses spam techniques up to the moment where I respond (we are dating) but then it slips me a roofie and when I wake up I’m not quite sure what happened.
Phishing doesn’t even pretend to make me smarter or to give me a larger penis. It offers me nothing. It breaks past my surface area into my vulnerable core and then it does whatever it wants to me. (Yuck!) Phishing leaves me with an increasingly unpleasant tingling in my nether regions and a commitment to not drink so much next time I go out.
Of the three – spam, phishing, and 419s – 419s are most like sex-for-babies. 419s must go from Very Big Numbers – millions and millions of the same emails (sperm) in search of a single target (egg), but ultimately a 419 is quite personal. It’s about a real relationship, actually, a real relationship between a scammer and a victim. This relationship is entirely based on lies, of course, but it is real, and so you can’t just “phone in” a 419 scam.
419s are personal. 419s actually want a quickie whirlwind marriage after the pregnancy, but they then file for an even quickier divorce and join the French Foreign Legion.
So why do people respond to any of these three things? Why do what this email asks?
There are lots of reasons, but I think they all fit on the following chart:
To think about how this works in your own life, imagine this:
You are in your home, and you get a call on the phone. The caller is a voice you don’t know and they are telling you that there’s a bank just down the street – a bank you’ve never heard of, BTW – and they are giving free money to the next 1000 new accounts but only if you go right now! Funnily enough, the voice on the other end sounds more like a recording than a real person. What do you do? Duh, you hang up, of course. You hang up because you don’t trust them (who’s to trust? It’s a recording!) and there’s no evidence that it’s true. (I get spam calls on my cell phone that are recordings, usually starting off with a fog horn. This leads me to believe that at least some people actually do respond to even something as utterly stupid as this. <sigh, shakes head>)
Now imagine that you are in your house and you get a call on the phone. It’s your absolute bestest friend, someone you trust more than anyone. They are, in your experience, completely unflappable and (remember, very important!, trust isn’t transitive) they are directly experienced in events of civil unrest, having worked for the United Nations on several peace-keeping deployments. So, for you, and for this scenario, they are highly trusted. They tell you that there’s a rampaging mob running down your street towards your house, burning, looting, raping and killing. You hold the phone away from your ear, and now that you are paying attention, you notice that you hear car horns and yelling outside you hadn’t heard before. Maybe you look outside the window and see a few people run by, people running fast and not wearing jogging clothes. What do you do?
You freaking respond, that’s what you do. If it turns out to be a false alarm, you can make your best friend buy the next time you go out. (If you don’t respond, you kinda deserve whatever comes next.)
I have some friends who, if they were to call me and tell me the above, and I were to look around and see absolutely NO evidence of impending mayhem, I would still be very inclined to drop everything and respond as if there were a rampaging mob. I trust them that much, and if they were wrong, they’d so owe me, which has its own dividends.
Were I to look outside my window and see a rampaging mob right now, I’d respond in the absence of needing to trust anyone but myself… I think that, when pushed to the extremes, total trust carries with it some evidence, and vice versa. It has just enough to get us into the “do something” versus “do nothing” category.
For a 419 to work, it must artificially create enough trust, and provide enough evidence, to push you into the “do something” category, and it must keep you there. The scam starts with however much trust and evidence a victim has, which is a complex equation.
You will see, if you get enough 419s, that they play different tricks. For example there are deeply religious 419s, playing the god angle because it can artificially boost trust towards the “go” zone. People who believe in god are already prone to doing things with less evidence (after all, that’s what faith is all about, isn’t it? It wouldn’t be called faith if there was clear evidence, it would be called science).
But this is a trade-off: by personalizing a 419 email to increase the chances of success with someone who has a high degree of faith in god, a 419er may significantly reduce the chances that they will ensnare anyone else, in particular someone of another faith, or a devout atheist. We all have our things.
This is a problem I call uni-directional personalization – it’s damn hard to make something everyone likes. It’s even harder if you are trying to get people to give you their banking information.
419s must suffer from an even lower response rate than spam, which is good for them, actually, because at the end of every 419, there’s a scammer, and it takes work for him to get you to give him your money. If he wanted to work, he’d get a job, not be a criminal. Sheesh!
Okay, so we now know that we all have a little graph in our lives, it’s called the “Trust and Evidence Index”. (I made that up!) And of course, your TEI is highly contextual and can vary based on things as varying as the weather, your mood… all sorts of things.
Spam, phishing, and 419s all try to find people who, for some reason, have a TEI in the green all the time, making them prime fodder for a scam, or they try some hook to get people to move their TEI into the green, so that they can be victims.
Of them, 419s are the only ones which are personal, and which require that real people have a real (but based on lies!) relationship. This personal touch is what keeps them from being really awful – there just aren’t that many 419ers out there, thank god…
Next up: It’s on to Peter’s Rule of Little Old Ladies. There will be rake assault, the police will be called, and even some fighting!