Fraudulent number agreement

« previous post | next post »

I continue to be puzzled by the fact that phishers are unable to manage simple number agreement:

Um, "there are recent update in our security features"?  And did they never learn about comma splices? "This is simply for your safety online, after your account update normal banking activities will resume."

I recognize that the senders' native language is probably not English, but surely there are plenty of unemployed English majors willing to do copyediting for criminals. Not to speak of 5,300 fraud-hardened former Wells Fargo employees with a grudge.

Also, seems like the phishers could do a better job of disguising the fact that the email doesn't come from Wells Fargo:

Though I guess it's a cute joke that "bcsemail.org" is the email server for the Buncombe County Schools

It's also kind of sloppy that the destination of the "Sign On" tab shows up as http://ow.ly/sabU304uYWd — though that does lead to a cleverly stolen copy of the normal Wells Fargo home page.

Anyhow, even if I had a Wells Fargo account, I wouldn't be tempted by this missive. I suppose some people are so easily fooled. But in my experience, phishing attempts of this kind are linguistically clumsy to a surprising degree.

Update — here's a nearly identical message claiming to come from ANZ Bank:



21 Comments

  1. Dick Margulis said,

    September 24, 2016 @ 6:55 pm

    I think it was on Language Log that I read a post (or a link to a post elsewhere) explaining the math behind such solecisms. The gist of it was that the crooks are looking for the small number of people ignorant enough to fall for their scam, and by including errors that will cause better educated people to delete the email rather than responding to it, they improve their productivity significantly.

    And of course Buncombe County NC is in fact the eponym of bunkum (http://www.dictionary.com/browse/bunkum), but presumably that's why you mentioned it.

    [(myl) That's certainly a story, but I don't think that it really applies here. They're not trying to set up a Nigerian 4-1-9 scheme or similar semi-complex confidence trick. They're just trying to get people to go to a fake Wells Fargo web site and log in to "verify their account", thus giving away their login credentials. This might work even on some relatively intelligent people, but elementary grammatical errors and so on must cut down the number of suckers.]

  2. Martin Eberl said,

    September 24, 2016 @ 7:13 pm

    There is an old (well, in internet times) Microsoft paper that confirms what Dick said:

    https://www.microsoft.com/en-us/research/publication/why-do-nigerian-scammers-say-they-are-from-nigeria/

    Basically, by deliberately getting "smart" people to not answer your scam, you save yourself some work:

    "By sending an email that repels all but the most gullible the scammer gets the most promising marks to self-select, and tilts the true to false positive ratio in his favor."

  3. Szescstopni said,

    September 24, 2016 @ 7:17 pm

    @Dick Margulis You're right – there's an interesting paper on that by Cormac Herley at Microsoft https://blogs.msdn.microsoft.com/tzink/2012/06/23/bad-spelling-in-419s-is-a-screening-tool/

  4. Tim Leonard said,

    September 24, 2016 @ 7:29 pm

    If I discarded all emails with occasional spelling and grammatical errors, many legitimate businesses would lose my custom. Mistakes of this kind are distressingly common even from big companies.

  5. Amy said,

    September 24, 2016 @ 7:44 pm

    @Tim: I work at a large company and the legitimate emails I get announcing various things almost always contain similar errors. In fact the exact phrase "there are recent update" is in one of the most recent ones I received.

  6. Gregory Kusnick said,

    September 24, 2016 @ 8:01 pm

    Perhaps the explanation is that there are suckers on both ends. The majority of people who attempt these scams, I'm guessing, are not criminal masterminds; they're losers who have somehow got their hands on a DIY toolkit for creating phishing scams, but lack the competence to use it effectively.

    My evidence for this is that I occasionally see phishing spam that says something like "Dear <UserName>, <InsertMessageHere>", with the blanks left unfilled, and garbled links on the buttons.

    I conjecture that there's another layer of smarter scammers who make money by selling the toolkits to wannabes.

  7. Vireya said,

    September 24, 2016 @ 8:18 pm

    The thing that stood out to me was "… from Unrecognized Device Log In". That means nothing in the context. It's not even Nerdview. Is it just meant to sound "computery" to further bamboozle those confused by the electronic world?

  8. Chris Kern said,

    September 24, 2016 @ 8:21 pm

    There's a fake IRS scam going around where you get a voice mail that says this:

    "This message is intended to contact you. My name is [name] and I'm calling regarding an enforcement actions executed by US Treasury intending your serious attention. Ignoring this will be an intentional second attempt to avoid initial appearance before magistrate judge or the grand jury for a federal criminal offense. My number is 949-873-7420. I repeat 949-873-7420. I advise you to cooperate with us and help us to help you. Thank you."

    I've gotten probably 15 of these with various names, all of them by people with foreign accents, often so thick that it's hard to understand some of the words. I guess if you scare people you can get away with a garbled message like that.

  9. Gregory Kusnick said,

    September 24, 2016 @ 8:28 pm

    Vireya: That perhaps supports the hypothesis that this message was generated from a template by someone who doesn't quite know what they're doing.

  10. David Marjanović said,

    September 25, 2016 @ 3:52 am

    I conjecture that there's another layer of smarter scammers who make money by selling the toolkits to wannabes.

    Oh, certainly. Several times I've been offered a list of a million e-mail addresses (or several million), all guaranteed to be valid, for the low, low price of…

  11. RachelP said,

    September 25, 2016 @ 5:01 am

    In my experience as a Brit living 30 years on the Continent, foreign language skills are particularly prone to the Dunning-Kruger effect. Many times I would cringe at emails or even printed brochures that had gone out with ghastly, and pretty basic, mistakes in English. "Dear Mister", to start a letter was fairly common. All the while I was offering to quickly proof-read anything important, but many people seem to think they can write faultlessly in a foreign language when they can't. And there is an additional effect, in that within a given community of speakers of EFL the same mistakes are often copied by everyone.

  12. MattF said,

    September 25, 2016 @ 6:12 am

    Some time ago, Daniel Davies wrote an interesting post on email scams:

    http://blog.danieldavies.com/2002/10/dial-419-for-fun-along-with-shrill.html

    His theory was that email scamming isn't profitable enough to attract people who can write correct English sentences.

  13. MattF said,

    September 25, 2016 @ 6:16 am

    @Chris Kern

    There's been a lot of that lately. You should report it to TIGTA (IRS Inspector-General's office) which has an online report form.

  14. ardj said,

    September 25, 2016 @ 7:20 am

    I'm not sure one can draw very specific conclusions about literacy among crooks compared to the non-c. I recall a huge mailing, sent, I think, by Reader's Digest in the UK, which began, "Dear Personalized Addressee"

  15. Neal Goldfarb said,

    September 25, 2016 @ 8:35 am

    I'm surprised nobody's mentioned "a wrong funds debit activity".

  16. Theophylact said,

    September 25, 2016 @ 12:08 pm

    Amy: Indeed. The "medical record" submitted by Donald Trump's doctor is headed "To whom my concern".

  17. Keith said,

    September 26, 2016 @ 1:18 am

    Here in France there is a scam slightly similar to the "fake IRS scam" described by Chris Kern.

    I've had several calls from a hidden number, where if I pick up the call I get a recorded woman's voice with a general Amercian accent saying "goodbye". But if I don't pick up the call, my phone records a message that is sometimes a live voice, sometimes a recording.

    The message, in French, is along the lines of "we have an envelope containing confidential documents that our courier tried to deliver to your address; please call us on [phone number that I've forgotten] to arrange a suitable delivery time".

    The number is one of those premium numbers that at a guess is charged at around €1 per minute. If I was running the scam, I'd keep people on the line for at least ten minutes, asking "security questions", like asking for the tracking number (the voice message doesn't give one), confirming the delivery address and name of the intended recipient, age and name of the recipient's first pet, etc.

  18. James Wimberley said,

    September 26, 2016 @ 4:55 pm

    So the IRS Inspector-General is on to scammers who take its name in vain? Good. I wonder what happens to people unwise enough to impersonate the FBI, CIA, NSA, MI5, or the FSB?

  19. maidhc said,

    September 26, 2016 @ 5:14 pm

    ardj: Typically a mail merge program takes as its input plaintext mixed with fields, like"Dear <Personalized Addressee>". If you make a mistake with the field delimiters, the field name will come out as plaintext instead of being replaced by the field contents.

    The problem is that it's very difficult to test the results of a mail merge program without actually sending out mail. Typically there's some kind of preview, but it's easy to miss small errors.

    Usually the time you spot a problem is right after you just started sending out thousands of emails.

    This is an error of a sort, but it's not a question of literacy or being to speak English correctly.

  20. ardj said,

    September 27, 2016 @ 2:44 am

    @maidhc – thanks, you are quite right about how it works, though in fact it is very easy to check that all the filters &c have worked correctly if you are careful. My point was not about literacy directly but about just that, the lack of attention, of self-editing often, as it is hard to see a mispeling or wurse in you own work; and ergo hard to tell the crooks from the good guys on these grounds alone.

  21. Timo said,

    October 1, 2016 @ 7:17 am

    Sorry, but what's the deal about comma splices, exactly?

RSS feed for comments on this post