Phishing, loosely meaning an attempt to trick users into ‘doing the wrong thing’, comes in a range of flavours. Methods include the use of voice and telephony techniques (‘vishing’), using SMS (‘smishing’), redirection to malicious websites (‘pharming’) and faking or stealing an identity (‘spoofing’). Phishing emails are designed to look as if sent by legitimate companies. A recent comprehensive study defined them as ‘a forged email sent from an untrusted source to thousands of victims randomly’.1 The emails direct users to fake websites in the hope of tricking them into revealing sensitive information.
Phishing originated sometime around the year 1995 and has grown continuously. Phishing volume in 2021 outpaced the previous year by 22 per cent, according to a report from PhishLabs.2 It suggested that phishing had become the largest form of cybercrime, outnumbering non-payment/non-delivery, extortion, personal data breaches, identity theft and ransomware. It accounted for twice as many incidents as other types of computer crime.3
Phishing as a service
As the attackers try to avoid the technical measures adopted by companies to prevent it, phishing has evolved, in some cases into a business activity. Microsoft identified ‘a large-scale phishing-as-a-service operation’ called BulletProofLink.4 ‘With over 100 available phishing templates that mimic known brands and services’, the company sells phishing kits, email templates, hosting, and automated services at a relatively low cost in either one-off (about $50 dollars for a one-time hosting link) or monthly subscription-based business models (the monthly service costs as much as $800). This is mostly achieved through the darknet.5
As the number of phishing spams received in my Outlook email increased during the summer of 2021 (to around 20 per day), I took the opportunity to have a closer look at a random sample. 150 were collected between 9 September and 21 September. The aim of this article is to document the main features of the collected spams, including origins, nominal senders, greetings, emails, and the owner of the mailbox, and to explore the narratives created by the senders. Most of the literature deals with technical issues such as the prevention of spam. Few look closely at the content, the linguistic features and the discourse strategies of spam emails. I will firstly review these features. To lure in the potential victim the spammers must provide some token of legitimacy and credibility. I will describe the various tactics that are used for this and explore some genres of spam. I conclude with some assumptions about the mechanisms of acceptance of spam, the role of individual variables such as age and gender, and some thoughts on ‘spam economics’.
Amateurs going phishing
The first striking element is that the great majority of the emails come from common, free services. Gmail dominates (118), with six spread between Outlook, Hotmail and Yahoo. Trade emails – spoofing a company’s legitimate emails – account for 13. This random sample is clearly not representative, as spoofed mails from companies such as banks, delivery companies such as DHL, or government departments are usually much more frequent, but they did not appear as often during the period selected. Neither did other frequent emails, such as from ‘the Outlook team’, urging updates and threatening to close down the account. The remaining emails are diverse, with a few domain emails from companies, including a Brazilian car dealer, a Brazilian supplier of physiotherapy products, a Spanish company which maintains lifts and a Turkish university.
Blaming gullible users is an easy option, but sophisticated attacks have spread to all media
If we follow the typology proposed by Alkhalil et al., the prevalence of similar emails probably means that the attackers belong to the category of ‘script kiddies’ – attackers with no technical background or knowledge who use scripts developed by others.6 These amateurs would most likely acquire the tools they need on the darknet. This assumption seems to be confirmed by the fact that only seven spoofed mails used my actual or full name (‘spear phishing’), a more targeted approach requiring different tools. These emails offer a link to click on. All the other greetings are generic and ask for a reply with personal information.
Almost all the emails are in English, with 22 in other languages. Most do not mention a specific country either for the sender or for the bait they include, simply requiring an answer to deliver more information: ‘Upon Your Reply, I Will Give You Details on How the Business Will Be Executed’. Some just indicate an international institution like the IMF, or a company (Exxon). Only one offers a transaction (to buy gold), but also asks for the disclosure of personal information.
Of the 27 countries of origin, Nigeria ranks first with 12 messages, followed by Germany (10), the UK (7), the US (5), Benin and Ivory Coast (4), France (3), and Burkina Faso, Estonia, Indonesia, Kenya, the Philippines, South Africa, and Syria (2).7 One message originates from each of the following countries: Australia, Belgium, Dubai, India, Ghana, Japan, Libya, Mongolia, Singapore, South Korea, and the United Arab Emirates. These countries are among the top internet countries in terms of the number of users.
Though not representative, the rank of Nigeria in the sample is nonetheless noteworthy. The so-called ‘419’ scam is a type of advance fee fraud dominated by criminals from Nigeria and other countries in Africa.8 Cukier et al., in a 2008 article on genres of spam , introduced what they called ‘Nigerian letters’, stressing that they were ‘distinguished by other sub-genres in a number of ways’.9 These letters were characterised by ‘long, detailed narratives’ and ‘intensely personal stories’.
Building narratives
Some messages can be rather blunt (No subject: ‘Can I talk to you?’); are very brief (‘Hello, how are you doing? I’m Isabel Guerrero, I’ve not received a response from you, please get back to me for further communication, thanks.’) or generally limited to very basic phatic communication. Most of the texts are two or three paragraphs and, as noted, are just asking for an answer. Some, nevertheless, build more sophisticated narratives.
The great majority of the messages do not attempt an appropriate introduction beyond ‘empathetic’ wording to establish contact :
– ‘I know this message may come to you as a surprise as we have not met before’
– ‘I see it as very important and polite to introduce myself properly to you since we have not had any previous communication’
– ‘It is understandable that you may be a bit apprehensive because you do not know me, I am writing this mail to you with serious tears in my eyes and great sorrow in my heart’.
The language is usually emphatic. The legitimacy tactics vary. One approach is to introduce oneself as an important official or a high ranking executive in a company or institution, often using the real names of company representatives (‘Kristalina Georgieva IMF’). Another is to invoke religious beliefs to account for the need to transfer the funds for ‘charity and humanitarian work’, ‘as a donation for God’s work’ or ‘freewill donation of 1.5 Million USD for charity projects and humanitarian aid to help humanity’. Presented as a mission, this is a simple way of drafting a short fiction. These kinds of emails use ‘affective greetings’, described as the ‘dearly beloved’ genre of spam email that often ‘promises an inheritance from a benefactor from distant shores’.10
Some additional dramatisation may also help to stress the urgency of the situation and response. Indeed, the mortality rate among males across the sample is inordinately high. A great number of messages are written by widows who inherited the funds they are ‘willing to donate’ (see a sample in the highlighted box below). However, the female mortality rate appears to be catching up. Many of the writers claim to be about to die, usually of cancer. In both cases they offer to transfer the supposedly available funds to the recipient of the mail. This is known as ‘the dying widow scam’.11 Sons and daughters of deceased wealthy parents seem keen to share their money with far-away strangers. Bankers may have ‘dead customers’ who were kind enough to leave money for the recipient of the mail.
A population not in good health.
Hello Good morning,
I am Mrs Gabriela Johnston, married to Dr. Johnston Akoma from Ivory Coast; my late husband was into, Estate management and also a government building contractor before my husband earlier sickness in January 25 2007. We were married for eleven years without a child due to my fibriod problem. He died after a brief illness. Before his death we deposited the sum of $2.5Million (USD) dollars, we were born again Christian. Since his death I have decided not to remarry or get a child outside my matrimonial home. As my Doctor told me that I would not last for the next Four months due to cancer problem.
From all indications, my condition is really deteriorating and is quite obvious that I may not live more than two months, because the cancer stage has gotten to a very dangerous stage. Having known my condition I decided to donate this fund to good person that will utilize this money the way I am going to instruct herein.
—-
My name is Mrs. Celine Yao
I have been diagnosed with a terminal illness at the critical stage and am currently admitted in a private hospital.
—-
I am Mrs Arik Bukha, 64 years old. From Mongolia, and I am suffering from a long time cancer of the breast. From all indication my condition is really deteriorating, and my doctors have courageously advised me that I may not live beyond 3 month; this is because the cancer has reached a critical stage.
I was married to late Dr Baatar Bukha, gold & cocoa exporter in Ivory Coast (Cote d’Ivoire), West Africa, where we live all our Lives for Thirty-two years before he died in the year 2017.
There are other ways to create fiction. For instance, the sender may put forward a threat that drives him to request the help of the recipient: ‘I will like you to help me to relocate to your country because my stepmother has threatened to assassinate me once she knows my where about’. To make their point more credible some of the drafters use a literary technique once described as ‘effet de réel’ (‘reality effect’).12 They introduce some links to a newspaper or a media website, to flesh out their story.
Leaving aside the effectiveness of the rhetoric deployed to deceive the recipient, the question remains, why should anyone be willing to believe that a dying widow is about to transfer a fortune? Blaming gullible users is an easy option, but sophisticated attacks have spread to all media. As Cukier et al. stressed, referring specifically to the ‘Nigerian letters’ genre: ‘Although the claims in these letters seem highly improbable (in contrast to other forms of spam offering special deals or opportunities), other research indicates that these letters are an effective way of perpetrating fraud.’13
The suspension of disbelief
To quote another concept from the theory of literature dealing with fiction, receptivity to spams may be characterised as a ‘willing suspension of disbelief’ on the part of recipients. Reality effects may increase the semblance of truth and lower resistance. For a narrative to work, the reader must believe that what they read is true within the secondary reality of the fictional world. In the case of spam, the reader must be ready to set aside his analytical/critical mode of thinking and have sufficient incentives to accept the proposed narrative. The ‘emotional/personal’ stories are designed to trigger such an emotional effect. Cukier et al. note: ‘we believe that certain forms of spam, for example, Nigerian letters, tap into deeply rooted hopes and dreams to produce behaviours that are counter-rational’.14 Lin et al. reveal the role of individual variables such as age and gender: ‘the efficiency of phishing varied by user demographic, with older women particularly vulnerable to the attacks’ and ‘older compared to young internet users little aware of these risks’.15
Some users have decided to step in and fight back against the scammers. A ‘scambaiter’ is ‘a type of vigilante who disrupts, exposes or even scams the world’s scammers’.16 In one case a spammer explained to a scambaiter with whom he had become familiar that the country he lived in didn’t have many jobs, that scamming was the norm where he was, that ‘Americans are all rich and stupid and selfish’ and stealing from them ultimately didn’t impact their lives. This sounds more like a self-justification than an explanation of the motives of spammers. However, taking into account the geography of spam, there may be some truth to the claim of a lack of jobs.
The economics of spam
Gañán et al. found that estimated criminal revenues from phishing attacks are relatively low, at under $600,000 in total.17 Estimated revenue losses for all spam were thought to be up to $7.5 million. However, as highlighted by Lindsay, ‘cybercrime can fail most of the time and still be profitable in the aggregate’.18 These data probably mean that the amateurs/script kiddies we came across are not, by most standards, making a significant amount of money. But, even if this assumption is correct, it does not prevent them from trying, as they continue to recycle the templates of available genres.