Those of you who knew me before 2012 know that . Every once in a while I still check all those old mailboxes and one thing that never ceases to amaze me is how much spam some of these addresses receive.
Fortunately, most spam is very easy to recognise. So easy, in fact, that Gmail can filter out most of it. This raises the question: why don’t spammers put more effort into their emails? Wouldn’t spam be more effective if it wasn’t riddled with grammar mistakes, sketchy-looking shortlinks, and ludicrous stories about Nigerian princes?
A possible answer is provided by this paper, which shows (using very accessible mathematics) that although spam could be made more effective, effectiveness is not the right thing to optimise for.
The main reason why effectiveness isn’t the be-all and end-all is that “attacks” (as these spam mails might be called) are seldom free. This is even true for all those emails that are “sent on behalf of a Nigerian prince”. Sending emails may cost virtually nothing, but responding to each person who replies to such emails requires a large amount of interaction. From the perspective of an attacker, interactions with targets represent investments that may or may not pay off. Some targets can be successfully scammed, but others might “ghost” the attacker halfway through the process or simply not have the means to transfer funds to the attacker.
Attackers can distinguish between four types of targets:
- True positives are targets who can be – and are – successfully scammed.
- True negatives are targets who cannot be successfully scammed and are thus ignored by the attacker.
- False positives are targets who yield nothing, but are erroneously attacked (which is a waste of the attacker’s time).
- False negatives are targets who could have been successfully scammed, but were overlooked or didn’t take the bait.
Only interactions with true positives are profitable. Interactions with false positives on the other hand are best avoided, as they take up valuable time that could have been spent on more viable targets.
Some targets are more viable than others. For example, an attacker is more likely to extract money from someone who lives in a wealthy neighbourhood than from someone who lives in a run-down area. Similarly, if your goal is industrial espionage you should probably focus on executive-level managers. And .
In the case of Nigerian scam mails, the attacker generally has no way to know the viability of each target. What they can do however, is estimate the viability of their targets based on previous experiences.
A mathematical model (minus the math)
The author presents a mathematical model that describes the trade-offs that attackers have to make when designing their attacks.
In theory, if the costs of an attack were literally 0, profit would be guaranteed as long as there is a non-zero number of viable victims. In practice, the cost of sending spam mails is basically 0, which means that attackers have little reason to show restraint. This is good news for attackers, and obviously very bad news for anyone with a mailbox.
Another major variable is the amount of resources that an attacker has at their disposal. If that amount is infinite, there is also no need to show any restraint. Unfortunately for attackers – and very fortunately for the rest of us – time is not an infinite resource.
Any attacker who wants to maximise their profit will not want to find all viable targets, but focus their time on those that are most easily found. Pursuing targets that are unlikely to be viable makes no sense if they cannot be easily distinguished from false positives.
As the number of true positives drops and the number of false positives rises, attacks become less profitable. When uncertainty about the viability of targets is high, attackers try to minimise their costs by attacking fewer targets. As the ratio between true positives and false positives worsens, the costs of an attack may even reach a point where any attack becomes uneconomical.
This insight leads to several conclusions, which I describe below.
Strength in (low) numbers
When a population consists of multiple small groups that have different characteristics, they often have to be attacked in different ways.
The model shows that such a population is much harder to profitably exploit than a large, homogeneous group: even if both groups have the same number of viable targets, the chance that a potential target is a true positive is much smaller in the first population than in the second. As a result, many viable targets that could have been exploited successfully can escape harm, because there is no way to attack them without also attacking many non-viable targets (which would make the whole endeavour unprofitable).
Back to the question that I posed in the title of this article: why do scammers keep saying they are from Nigeria? At this point almost everyone has already heard of the Nigerian prince scam. Those who haven’t can easily google it. Mentioning Nigeria is therefore counter-productive.
As we’ve seen above, . Attackers only want to spend time on the most gullible targets, in order to keep their profit margins high. Sadly for attackers, gullibility is not something that can be observed. But what they can do is target people who self-identify as gullible, by sending emails that seem bizarre to everyone except the most gullible.
Attacking the attackers
What can be done against scammers?
A lot of effort in security has already gone into lowering the number of true positives, e.g. by means of education, firewalls, and antivirus products. Others try to make attacks less profitable by reducing the value that can be stolen from targets, e.g. using fraud detection and withdrawal limits.
Another option would be to intentionally increase the number of false positives using scam baiters. Currently this is mostly done for laughs, but the model shows that this could dramatically lower the number of attacks!
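The trade-off described in the model section above, and the effect of scam baiters described here, can be made concrete with a small simulation. This is an added example, not code from the paper or this article: it assumes that each target shows the attacker a noisy "viability score" (non-viable targets score around 0, viable targets around `sep`), that the attacker interacts with every target above a chosen threshold, and that each interaction costs `cost` while each true positive pays `gain`; scam baiters are modelled as targets that score like viable ones but never pay. All population sizes and prices are constructed.

```python
import math

def norm_sf(x, mu=0.0):
    """P(score > x) for a unit-variance normal centred on mu (survival function)."""
    return 0.5 * math.erfc((x - mu) / math.sqrt(2.0))

def expected_profit(thr, n_viable, n_nonviable, n_baiters, gain, cost, sep):
    """Expected profit when the attacker interacts with every target whose score
    exceeds thr. Non-viable targets score ~N(0,1); viable targets and scam baiters
    both score ~N(sep,1), but only viable targets ever pay out."""
    tp = n_viable * norm_sf(thr, sep)                                  # viable targets reached
    fp = n_nonviable * norm_sf(thr) + n_baiters * norm_sf(thr, sep)    # wasted interactions
    profit = gain * tp - cost * (tp + fp)
    return {"threshold": thr, "profit": profit, "tp": tp, "fp": fp,
            "false_negatives": n_viable - tp}                          # viable targets left alone

def best_strategy(n_viable, n_nonviable, n_baiters=0, gain=100.0, cost=10.0, sep=2.0):
    """Scan thresholds and return the most profitable plan. Not attacking at all
    (profit 0, threshold None) wins when every threshold loses money."""
    best = {"threshold": None, "profit": 0.0, "tp": 0.0, "fp": 0.0, "false_negatives": n_viable}
    for i in range(181):                      # thresholds -3.0 .. 6.0 in steps of 0.05
        plan = expected_profit(-3.0 + 0.05 * i, n_viable, n_nonviable,
                               n_baiters, gain, cost, sep)
        if plan["profit"] > best["profit"]:
            best = plan
    return best

if __name__ == "__main__":
    # Constructed scenario: 100,000 mailboxes, 1,000 of them viable (1%).
    # Even with no baiters the optimal attacker deliberately forgoes most viable
    # targets (high false_negatives), because finding them would cost too much.
    for baiters in (0, 5000, 10000):
        b = best_strategy(1000, 99000, baiters)
        print(f"baiters={baiters:6d}  threshold={b['threshold']}  "
              f"profit={b['profit']:9.1f}  scammed={b['tp']:6.1f}  wasted={b['fp']:7.1f}")
    # Lower base rate (0.1% viable, same population): same shape, far thinner margins.
    print("rare viable targets:", best_strategy(100, 99900))
```

Raising the threshold is the attacker's only defence against baiters, and it costs them viable targets; once the baiters' interaction cost exceeds the total margin on viable targets, no threshold is profitable and the model says the attack stops.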
- Scamming people requires a lot of manual work, so scammers try hard to avoid interactions with targets that cannot be exploited.
- Telling people that you’re from Nigeria is a good way to ensure that only the most gullible targets will reply to your emails.
- Attacks become uneconomical when there are many false positives, e.g. when a population is diverse or includes scambaiters.