Greeting and Salutations dear friend!

I know this message will come to you as surprised but permit me of my desire to go into business relationship with you.

You’ve had a million of them. They’re so ridiculously easy to spot that you just hit delete and move on with your day.

Yet they keep on coming, like some kind of irresistible force, leaving us wondering all the while “Why do they keep trying? It’s just so obvious with their terrible english skills!”.

Could it be that errors “humanise” the writer so that the recipient believes it’s not a machine sending the emails?

Or is it some kind of clever psychological trap?

Imagine this

A scammer sends out 1,000,000 emails via their super-duper scamming system (Gmail).

10% might actually respond to the email (100,000) leaving the scammer with 100,000 responses to go through.

Sending emails is cheap and easy however qualifying chumps can cost a scammer in labour.

Therefore the you want a system that gives you the highest chance of a scam-responder actually parting with their money.

The result?

Send out an email that will only get a tiny response. 0.1% will do – and even that’s 1,000 prospects, but they’re the ‘right’ people… all the while the rest of us are amazed at the silliness of it all.

It’s all about false-positives.

False positives have a long history of messing with security systems. Ever had a legitimate email marked as spam? That’s a false-positive.

 In deciding who to attack true positives are targets successfully attacked, while false positives are those that are attacked but yield nothing.

Microsoft Research

Given the huge labour requirements of pulling off a digital scam. Turning digital contraband into cash and goods is not always easily automated. Responding to a Nigerian 419 scam requires a large amount of interaction, meaning that attacks really aren’t free.

An attacker might be able to steal millions of credentials but looting bank accounts requires recruitment and management of more criminals!

The summary of the above chart?

At the top right of the chart, everyone is attacked and all viable targets are found. As the slope increases not only are fewer total targets attacked, but fewer viable targets are attacked.

Each attack is really an investment decision for the attacker

The endgame of many attacks requires the calculation of ‘per-target effort’. Meaning that when cost is not zero, each target represents an investment decision to an attacker. The attackers invests his or her own effort in hope of a payoff of some sort, but this decision is not without its flaws.

It’s all in the numbers

If only 0.00001% of the population is viable for an attack, the mistakenly attacking 99.999% of the population that is non-viable destroys profit.

The initial email is a qualifier

It determines who responds and thus who the scammer attacks (in this case, has an email conversation with). The goal of the initial email is to repel non-viable victims (of which greatly outnumber viable). Failure to repel all but the most viable of victims will result in a labour load so great that the ‘venture’ will become unprofitable.

The fact that these scams of exotic Nigerian fortunes continue suggests that they are mostly successful. A carefully crafted email not mentioning Nigeria would almost certainly yield more results and more viable responses, but would also yield lower overall profit.

Remember – that viability requires money to actually be sent from the victim to the scammer. Anyone fooled for a short period but who ultimately never send money are the expensive false positives that the scammer must avoid.


To maximise profit, an attacker will not pursue all viable victims but must balance the gain of a true positive against the high cost of a false positive.

Unless viable and non-viable victims can be distinguished with great accuracy, a huge quantity of viable victims will remain not attacked.

If a victim is so gullible as to believe the initial email and all follow up correspondence, then the attacker has found the perfect victim… of which, unfortunately, there continues to be way too many.

For more details head on over to the Rock IT Security Blog. You might be eligible for our free Cyber Security Awareness Training Sessions or our Security Benchmark Assessment.