Allowing Gullible Victims to Self-Select in Online Attacks

Cormac Herley’s paper “Why do Nigerian Scammers Say They are from Nigeria?” explains how some purposefully lame scam emails are advantageous to the attacker. Such messages allow the scammer to avoid victims who will consume valuable time, but will turn out to be too savvy to fall for the scam. Herley explains that by initiating contact using a blatantly fraudulent email “that repels all but the most gullible, the scammer gets the most promising marks to self-select.”

This motivates some scammers to send messages that are easily identified as fraudulent by many people, yet succeed at catching the more gullible portion of the population. An excerpt from one such example:

"We are top officials of the Federal Government Contract Review Panel who are interested in importation of goods into our country with funds which are presently trapped in Nigeria. In order to commence this business we solicit your assistance to enable us RECEIVE the said trapped funds ABROAD."

An article in The Economist on this subject quotes Basil Udotai, a former cybersecurity director of Nigeria’s National Security Adviser: “There are more non-Nigerian scammers claiming [to be] Nigerian than ever reported.” One motive for this might be “Nigeria’s dreadful reputation for corruption that makes the strange tales of dodgy lawyers, sudden death and orphaned fortunes seem plausible in the first place.”

Allowing victims to self-select as being vulnerable might be useful for online attacks and scams that involve social engineering and require human involvement on the attacker’s part. This approach also seems most appropriate for mass-scale attacks, where a small percentage of gullible people produces a sufficiently large set of likely targets.

Self-selecting victims by using blatantly malicious communications also might be useful for some penetration testing and targeted attack scenarios. A human-powered attack will want to focus on people most likely to assist the attacker. Moreover, the attacker might conceal his true sophistication by purposefully appearing amateurish.

So perhaps the next time you come across a poorly worded email scam, filled with all-uppercase letters, typos, grandiose titles and financial promises, you won’t laugh at the naive message. The scammer might be so clever that his apparent incompetence is a charade.

About the Author

I transform ideas into successful outcomes, building on my 25 years of experience in cybersecurity. As the CISO at Axonius, I lead the security program to earn customers' trust. I'm also a Faculty Fellow at SANS Institute, where I author and deliver training for incident responders. The diversity of cybersecurity roles I've held over the years and the accumulated expertise allow me to create practical solutions that drive business growth.