Trying to buy time, I asked how the family was. Thankfully, doing so gave me a few minutes to figure out what he was talking about. The phone call ended with me asking for a copy of the offending email, including header information.
URGENT - HELP ME DISTRIBUTE MY $15 MILLION TO CHARITY
I have 15,000,000.00 U.S. Dollars and I want you to assist me in distributing the money to charity organizations. I agree to reward you with part of the money for your assistance, kindness and participation in this Godly project.
I am "Name" and I am a 55 years old man. I am a South African living in the Garden City of Port Harcourt, Nigeria. I was the President of TOMOBA OIL LIMITED — an oil servicing company in Port Harcourt.
You get the idea.
I called the client back, suggesting he forward the email to the spam-filtering service. They will add the domain to his black list and determine why the email slipped through. I also talked my client into asking if it is common for 419 fraud emails claiming to be from Nigeria to have "from addresses" outside the country. The email he sent me was sent from a Yahoo.co.uk account.
I then forgot (60 years does that) about the whole thing. That is until now.
I know "this" guy
His name is Cormac Herley. I've collaborated with him on several occasions. When he sees a digital anomaly, he doesn't forget about it like yours truly. He studies it. And, if there's something wrong, he will get the word out. That's what smart PhDs, like him, do.
Case in point, Cormac also noticed that 419 emails purported to be from Nigeria really weren't. And, true to form, his latest paper, "Why do Nigerian Scammers Say They are from Nigeria?" explains why.
More complicated than I first thought
To be honest, I thought 419 Advanced Fee Fraud was on the wane. Most users are aware of the swindle, and it's a complicated con to pull off. According to the U.S. Secret Service (419 crimes are under their jurisdiction), the usual steps are:
- An individual or company receives an email from an alleged "official" representing a foreign government or agency.
- An offer is made to transfer millions of dollars in "over-invoiced contract" funds into your personal bank account.
- You are encouraged to travel overseas to complete the transaction.
- You are requested to provide blank company letterhead forms, banking account information, telephone/fax numbers.
- You receive numerous documents with official-looking stamps, seals and logo testifying to the authenticity of the proposal.
- Eventually you must provide up-front or advance fees for various taxes, attorney fees, transaction fees, or bribes.
One can see that significant work is required. And, the victim can back out at any time.
Only the naive apply
To be successful — and they are — Cormac feels 419 scammers need a gimmick:
"The most profitable strategy requires accurately distinguishing viable from non-viable targets, and balancing the relative costs of true and false positives."
It took me a while to figure out what he meant. Definitions helped:
- Viable targets always yield a net profit when attacked.
- Non-viable targets yield nothing.
- True positives are targets successfully attacked.
- False positives are those attacked but yield nothing.
As I see it, the introduction email costs scammers nothing, so they blast those out to everyone. The expense starts when the scammer receives a response and has to begin building a relationship with the potential victim. So to get the best return on their investment, the scammers want only the most naive, gullible people to respond.
By sending an email crafted like the one above, scammers will invariably get responses from just that set of people. Those in the know, like my client, will get irritated and discard the email. No big deal to the scammers, as no effort was required on their part.
In his paper, Cormac asserted that using the name Nigeria is also a filter. As a test, I asked several people about Liberian 419 scams, and most corrected me, asking if I meant Nigerian 419 scams. Point taken.
I found an additional reason in this Economist article. It quoted Basil Udotai, former Nigerian cybersecurity director:
"There are more non-Nigerian scammers claiming [to be] Nigerian than ever reported. Even when Nigerians relocate to other West-African countries they retain Nigerian status, addresses, and operational bases in their e-mails for competitive reasons."
The article continued with Mr. Udotai suggesting why:
"It is Nigeria's dreadful reputation for corruption that makes the strange tales of dodgy lawyers, sudden death, and orphaned fortunes seem plausible in the first place."
How about some proof?
Cormac adds the following:
"An examination of a web-site that catalogs scam emails shows that 51 percent mention Nigeria as the source of funds, with a further 34 percent mentioning Cote d'Ivoire, Burkina Faso, Ghana, Senegal, or some other West African country. This finding is certainly supported by an analysis of the mail of this genre received by the author."
Interesting, but it doesn't prove Nigerian 419 scam emails are originating in other countries. After some searching, I came upon a paper by Olumide Longe and Adenike Osofisan, researchers at the University of Ibadan:
"Using freeware e-mail and internet protocol address tracers, we obtained results that deviate from the generally held beliefs about the origins of advance-fee fraud emails. Our findings have implications for research on spam filtering and by extension web security."
The following graph displays the 419 scam email origin of 400 scam emails they tested.
The researchers used IP2Location to obtain more refined geo-locations associated with scam email IP addresses. The results (redacted) below are from emails supposedly from a Nigerian financial company.
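The header-tracing idea described above, as an added Python example (not code from the researchers or their tools): it walks the Received headers of a constructed sample message, looks up the earliest hop in a made-up geolocation table standing in for a service like IP2Location, and flags when that country differs from the one named in the body. The host names, IP addresses, country mappings and function names are all assumptions.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample message; IPs are RFC 5737 documentation addresses.
RAW = """\
Received: from webmail.provider.example ([198.51.100.7])
    by mx.recipient.example with ESMTP; Mon, 02 Jul 2012 10:00:03 +0000
Received: from [203.0.113.45] by webmail.provider.example via HTTP;
    Mon, 02 Jul 2012 10:00:01 +0000
From: "Name" <sender@yahoo.co.uk>
Subject: URGENT - HELP ME DISTRIBUTE MY $15 MILLION TO CHARITY

I am a South African living in the Garden City of Port Harcourt, Nigeria.
"""
# Constructed stand-in for a geolocation database such as IP2Location.
GEO = {"198.51.100.0/24": "US", "203.0.113.0/24": "GB"}
CLAIMS = {"nigeria": "NG", "ghana": "GH", "senegal": "SN", "burkina faso": "BF"}
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def country(ip):
    # Return the country code for ip, or None if unknown or malformed.
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    return next((cc for net, cc in GEO.items()
                 if addr in ipaddress.ip_network(net)), None)

def origin_report(raw, trusted_mx):
    msg = email.message_from_string(raw, policy=policy.default)
    received = [str(h) for h in msg.get_all("Received", [])]  # newest first
    path = [m.group(1) for h in reversed(received) if (m := IP_RE.search(h))]
    # Only the peer our own server logged is verifiable; older Received
    # lines are written by the sending side and can be forged.
    ours = next((h for h in received if f"by {trusted_mx}" in h), "")
    peer = IP_RE.search(ours)
    body = msg.get_content().lower()
    claimed = sorted({cc for name, cc in CLAIMS.items() if name in body})
    origin = country(path[0]) if path else None
    return {
        "from_domain": msg["From"].addresses[0].domain,
        "path": path,  # oldest hop first
        "verified_peer": peer.group(1) if peer else None,
        "claimed": claimed,
        "origin_country": origin,
        "mismatch": bool(claimed) and origin is not None and origin not in claimed,
    }

print(origin_report(RAW, "mx.recipient.example"))
```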
Situations that are not what they seem fascinate me. The question now becomes: was this underlying deception in place initially or is it part of an evolutionary process?
I want to thank Dr. Herley, Dr. Longe, and Dr. Osofisan for allowing me to use their research findings in this article.