With great technology, there are always going to be people who abuse it. We’ve seen it in movies, TV shows and most recently with the debate between Apple and the US Government. The Government wants Apple to create a back door into iOS so that it can access data on the phone of a known terrorist. Among its many arguments, Apple worries that such an exploit would be catastrophic if it fell into the wrong hands.
Spam (Junk) mail is no exception. The first known spam email, advertising a DEC product presentation, was sent in 1978 by Gary Thuerk to 600 addresses, which was all the users of ARPANET at the time, though software limitations meant only slightly more than half of the intended recipients actually received it. As of August 2010, the amount of spam was estimated to be around 200 billion spam messages sent per day. More than 97% of all emails sent over the Internet are unwanted, according to a Microsoft security report.
We all receive spam messages. My personal Gmail account has a spam folder which fills up from zero to 400 every few days. The spam filter on Gmail is actually impressive and rarely does a spam message sneak past the filter and into my main mail box. Sometimes I like to look in the Spam folder to see if it caught a legitimate email, and I often get carried away while reading various messages convincing me to send money to a “Nigerian Prince” in a ridiculous attempt at a phishing scam.
While it does make me laugh, I cannot downplay the dangers of spam email. Spam email exists because it is successful. In fact, spammers are generating billions of dollars a year from vulnerable people who believe that the “Nigerian Prince’s” problem is legitimate. Here is a basic rundown of how it works:
Your email address is collected from a form you filled in online, or from an email chain passed from one person to everyone in their contact list. Those are just the most popular ways. Once one spammer has your email address, they will share it with other spammers (and they are usually paid for collecting large numbers of addresses). Then the spammers get to work sending their fake story and relying on pity to extract money from the recipient.
Usually the story goes like this:
“I live in [African country], I am royalty/president’s nephew/ex central bank worker…. I am in possession of [Millions of dollars] which I need to transfer out of the country and I need your help. If you send me [Cash amount] to cover the transaction fees, I will send you [percentage] of my money as a thank you. Please send me your name, address, date of birth, phone number, first page of your passport…. “
So the objective here is to either get your money or steal your identity. Sometimes these people sound convincing and other times it’s simply laughable. However, as I mentioned before, these scams are actually working on some people. If they didn’t, then spam wouldn’t exist. So how can we avoid being scammed by these people and how do we spot a fake spam/phishing email?
Below is an email I received in my personal Gmail account recently (screenshots and text). I have highlighted all of the suspicious parts in red font, with explanations further down. As you will see if you look carefully, this email is practically advertising how fake it is due to all the inaccuracies:
- At first glance, I’m already suspicious. “Thomas” claims to be from the British Consulate in Nigeria. Most of us know that all Government email addresses have the suffix of ‘.gov’ in the domain. “Thomas’s” email address does not.
- The “Reply to” address is not “Thomas’s” address, why would that be?
- The “To” field does not contain my email address, but rather a distribution group. This is also a red flag.
- Finally, “Thomas” has misspelled the word “Beneficiary” in the subject line.
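The first three header checks from the list above can be automated. The following is an added example, not part of the original post: the sample headers are constructed, every address and domain in them is a placeholder, and the list of expected government suffixes is an assumption you would adjust for the organisation the sender claims to represent.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample headers modelled on the message described above.
# All addresses and domains are placeholders, not values from the real email.
SAMPLE = """\
From: "Mr. THOMAS P. ARKWRIGHT" <thomas@mailbox.example>
Reply-To: claims-desk@other-mail.example
To: undisclosed-list@lists.example

Body omitted.
"""


def domain_of(addr):
    """Return the lower-cased domain part of an email address."""
    return addr.rpartition("@")[2].lower()


def header_red_flags(raw, my_address, expected_suffixes=(".gov", ".gov.uk")):
    """Return the header red flags found in a raw message.

    expected_suffixes is an assumption: the domain endings a sender
    claiming to be a government office would be expected to use.
    """
    msg = message_from_string(raw)
    flags = []
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))

    # 1. Sender claims an official role but the domain does not match it.
    if not domain_of(from_addr).endswith(tuple(expected_suffixes)):
        flags.append("from-domain-not-government")

    # 2. Replies are routed to a different mailbox than the visible sender.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        flags.append("reply-to-differs-from-sender")

    # 3. Our address is absent from To/Cc: the mail went to a list or via Bcc.
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    if my_address.lower() not in {addr.lower() for _, addr in recipients}:
        flags.append("recipient-not-in-to")

    return flags


if __name__ == "__main__":
    print(header_red_flags(SAMPLE, "me@example.org"))
```

None of these flags is conclusive on its own (mailing lists and newsletters legitimately trip the second and third), so treat them as reasons to read the body more critically.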
For the sake of argument, let’s assume that I fail to notice these red flags and move onto the body of the email, which I’ve pasted below. I have highlighted all suspicious parts:
From: Mr. THOMAS P. ARKWRIGHT
The British High Commissioner, Nigeria.
British Consulate, Abuja,
Tel: +44 2080401178
This is to bring to your notice that the British High Commission Nigeria, U.S. Consulate Nigeria, African Union, Heads of governments of: Nigeria, Ghana and Benin Republic have ratified and issued a resolution to offset your COMPENSATION/INHERITANCE/WINNING entitlements payment of US$10.5Million (Ten Million Five Hundred Thousand United States Dollars) which you are entitled to receive for the past 3-4 years but due to the high corruption among bank officials, delivery companies in connivance with some bad eggs in the FBI/CIA denied you this rightful entitlement this moment. We acknowledged the losses and bribes which you were made to paid by these corrupt officials and yet you couldn’t receive the funds yet.
However, for the daring intervention of the British High Commission and the American Embassy to end this inhuman treatment meted out to you, we in spoke with one voice by pressuring/sanctioning the above named African governments to bulk and release the US$10.5Million to you. I believe this news will be welcoming to you. We know that amount set aside for you is US$10.5Million(Ten Million Five Hundred Thousand United States Dollars) is not that a huge amount. We plead that you should accept this amount it in good fate.
I have in my custody your certified bank check of US$10.5 Million which will be mailed to you once I receive your response to this very crucial email.
Your are by this email notice to stop every communication either electronic mail or telephone conversation with anyone who in the past or at present claimed to be in possession of your funds. Disbelieve them and their treacherous lies.
This office is the only office empowered by Article 127 of the African Union Charter to oversee and supervise any type of compensation/inheritance/winning to the citizens of the these countries: USA, GREAT BRITAIN, ASIA, MIDDLE EAST, AUSTRALIA and all EU member states.
Due to the lengthy delay your payment suffered, we assumed that you might have made changes to your personal data, we therefore request that you reconfirm your detail as below:
Your Name in Full:
Date of Birth:
Copy of ID:
Click reply on your email, fill your detail as listed above and click send. I will receive you email and will inform you when your email arrives here.
Once again we sincerely apologize to your the delays and losses you encountered.
Thomas Paul Arkwright
Coordinator, Compensation Payment Program
Tel: +44 2080401178
- The biggest and most obvious red flag is the terrible English, spelling, punctuation and grammar used in the entire email.
- Thomas states his name, position, address and country at the top of the email and claims he’s located in Nigeria. However, the phone number is a UK number (+44).
- Thomas begins the email with the word “Beneficiary”, meaning he clearly has no idea what my name is.
- Thomas states that I have “COMPENSATION/INHERITANCE/WINNING” belonging to me, but which one of those words is it?
- Thomas references the FBI and CIA in his email. Most of us are aware that the FBI does not operate outside of US borders and has absolutely nothing to do with what goes on abroad.
- Thomas states that $10.5 Million is “Not a huge amount”. This is a huge amount to anyone.
- “In good fate” is a typo and another indicator that this is not legitimate.
- Thomas claims that he has a personal bank check for me, ready to be sent. How can he have this check ready for me if he doesn’t know anything about me?
- A quick Google search for “African Union Charter” reveals a lot of information. What caught my eye first is that the document contains only 33 articles, yet Thomas references Article 127.
- Thomas seems to believe that the Middle East and Asia are countries, when they are in fact continents.
- Thomas mentions that I may have changed my personal data. This implies that they already have my personal data, but it could be out of date. Which raises the question, “Why didn’t he use my name when addressing the email?” It’s unlikely that I’ve changed my first name in recent years.
- Next I am asked for my personal data and a copy of my ID. Thomas doesn’t specify which ID he wants, however since he hasn’t asked me for money, this is clearly an attempt at identity theft. Thomas will take my details and the photo from my ID and create a fake passport/credit card and use it to spend money which I will later be held liable for.
- Thomas’s email signature contains different information from what he stated at the very top of the email.
So there are more than enough discrepancies in this email to alert me to a scam. The English wording is enough, but just a brief glimpse of other text tells me in no uncertain manner that I should delete this message and cut “Thomas” out of my life.
However, in recent weeks I’ve begun to ‘Troll’ spammers via email instead of just hitting the faithful ‘delete’ button. ‘Trolling’ is a term coined fairly recently due to the popularity of social networks and online forums. Put simply, a ‘Troll’ is a person who defaces Internet tribute sites with the aim of causing grief to families. However, a more generally accepted definition is someone who basically wants to waste people’s time and cause inconvenience to someone on the internet.
So I reply to some spam emails in order to ‘Troll’ the senders and waste their time, because each minute they are wasting on me is a minute they are not exploiting a hard working yet vulnerable person. You could argue that what I’m doing is mean, however I prefer to argue that it’s a form of justice against online criminals. In my spare time, I reply to the spammers and try to lead them down a long route of questions which are off topic and cause them to spend precious time convincing me to just shut up and send them what they want.
Here is the reply which I sent to “Thomas” a few days ago:
Thank you for your interesting email. I had to read it many times because some of the information was really amazing.
For example, I had no idea that the FBI had any kind of jurisdiction outside of the USA. How dare they deny me my right to these funds! That makes me so mad. I can tell you right now that I DO accept this amount in good fate – as fate is something I truly believe in and something we should all accept.
I was also interested in Article 127 of the African Union Charter, I’m so happy that this exists because I always thought that there were only 33 articles in that document. It was a huge relief to hear that this article is overseeing these transactions over countries such as the Middle East and Asia!
Before I send you all the details of my identity, I would like to ask you a question: Since I don’t own a fax machine, is that going to cause any problems? I always wanted to get one but I didn’t have the money. I saw this really awesome one once at Best Buy that didn’t smudge ink all over the paper and it looked super cool and modern, and I thought to myself “This technology is so modern and amazing”. But it cost $79.99 which was out of my price range, so I tried looking on Ebay but nobody was selling the same model so I gave up looking. Now I have to live with less modern technology such as email, which is a shame.
Please let me know the answer to my question so that we can take this relationship to the next level.
As you can see, I enjoyed getting creative with that response and injected my very British sarcasm and wit as much as I could. I haven’t received a response from Thomas yet, but if I do, I will continue to lead him on a merry chase without actually disclosing anything about myself whatsoever. What’s interesting to me is seeing how far these people will go with their communication before realizing that I’m wasting their time.
I know that ‘Trolling’ a few spammers in my spare time isn’t going to change the world, or in any way affect the spam mail industry. However, if my geeky pastime prevents just one person from receiving a spam email and having their identity stolen as a result, then it’s worth it. It’s also surprisingly fun for me. I let my creativity go wild with my responses to spammers with references to movies and pop culture. For example, one spam email I received was from a certain “Mr. Anderson” (the same name as the lead protagonist in the Matrix movie trilogy). So I responded to “Mr. Anderson” using only quotes from the lead antagonist (Agent Smith). Perhaps unsurprisingly, the humor was wasted on “Mr. Anderson” and he replied asking when I would send him the $187 he needs to release the $2m I am owed.
Putting humor aside for a moment, I cannot reiterate enough how real the dangers of spam email and phishing scams like these are. They happen every day all around the world and they do generate revenue for the senders. In order to stop yourself becoming a victim, follow these simple rules:
- Guard against spam. Be especially cautious of emails that:
  - Come from unrecognized senders.
  - Ask you to confirm personal or financial information over the Internet and/or make urgent requests for this information.
  - Aren’t personalized.
  - Try to upset you into acting quickly by threatening you with frightening information.
- Communicate personal information only via phone or secure web sites. In fact:
  - When conducting online transactions, look for a sign that the site is secure such as a lock icon on the browser’s status bar or a “https:” URL whereby the “s” stands for “secure” rather than a “http:”.
  - Also, beware of phone phishing schemes. Do not divulge personal information over the phone unless you initiate the call. Be cautious of emails that ask you to call a phone number to update your account information as well.
- Do not click on links, download files or open attachments in emails from unknown senders. It is best to open attachments only when you are expecting them and know what they contain, even if you know the sender.
- Never email personal or financial information, even if you are close with the recipient. You never know who may gain access to your email account, or to the person’s account to whom you are emailing.
- Beware of links in emails that ask for personal information, even if the email appears to come from an enterprise you do business with. Phishing web sites often copy the entire look of a legitimate web site, making it appear authentic. To be safe, call the legitimate enterprise first to see if they really sent that email to you. After all, businesses should not request personal information to be sent via email.
- Beware of pop-ups and follow these tips:
  - Never enter personal information in a pop-up screen.
  - Do not click on links in a pop-up screen.
  - Do not copy web addresses into your browser from pop-ups.
  - Legitimate enterprises should never ask you to submit personal information in pop-up screens, so don’t do it.
- Protect your computer with a firewall, spam filters, anti-virus and anti-spyware software. Do some research to ensure you are getting the most up-to-date software, and update it all regularly to ensure that you are blocking new viruses and spyware.
- Check your online accounts and bank statements regularly to ensure that no unauthorized transactions have been made.