Wednesday, August 08, 2012

Online Scammers: Sophistication in Stupidity

Online fraud like the Nigerian email scam has become a growing billion-dollar industry: victims reportedly lost a hefty $9.3 billion in 2009, up from $6.3 billion the year before.

Yet scammers ‘specialize’ in their predation: their ‘marketing’ activities focus on duping the most vulnerable members of society.

From the Wall Street Journal (bold emphasis mine):

So why do the scammers persist in blanketing the world with outlandish propositions, announcing that they are from the very country whose name has become synonymous with online fraud?

Cormac Herley, a computer scientist at Microsoft Research who specializes in security issues, provides a convincing answer in a paper presented at a conference in Berlin and recently published on his website. In it, he analyzes the con mathematically, using an approach called signal detection theory. His crucial insight is to look at the situation not from the victim's point of view but from that of the scammers. Their challenge is to hook only people who will get sucked in deeply enough to send a significant amount of money—the "true positives." They must minimize the effort they devote to "false positives" (targets who might seem like dupes but are suspicious and/or never pay up).

It costs the scammers virtually nothing to spam the world, but it costs them a lot (especially in terms of time) to conduct all the follow-ups necessary to reel a sucker all the way in. The people behind "Captain Mbote" spent six months pursuing their quarry before he started wiring money to them.

A proposal offering a more realistic scenario might generate more replies, but most of them wouldn't pan out. The effort of sorting through them to find the real suckers would undermine the scheme's profitability. Instead, by screaming "This is another absurd instance of the familiar Nigerian scam," the fraudsters are filtering out what to them is spam—responses from suspicious people they don't want to deal with—and "letting through" only those most likely to play along. The fewer potential victims in the world, the more precisely the scammers must target them, and thus the more absurd and easy-to-spot the attacks should be.

The Nigerian scammers aren't alone in using this approach. Phishing attacks, like the urgent emails from the "IT Support Team" requesting our passwords to avert some Internet calamity, are so hackneyed that they likely ensnare only the extremely naive or credulous.

Mr. Herley's analysis of the Nigerian scam suggests a counterintuitive way to fight back. Most efforts to reduce Internet fraud focus on reducing the number of people who reply to scammers—by educating users or by filtering out the scam emails. But some attacks inevitably slip through, and some Internet neophytes inevitably fall prey.

A more effective solution, Mr. Herley suggests, would require considering the goal of the scammers. Increasing the number of responses to their emails, he shows, can reduce profits, as long as those responses come from people who never send money. Such "scam baiters" already exist (the community website "419 Eater," named after the Nigerian law that governs fraud, offers tips and support). The more scam baiters, the lower the average return to the scammers on each attack and the less incentive they have to continue the scam.

Perhaps clever artificial intelligence researchers could create automated scam-baiter bots that would simulate gullible victims, drawing out the interaction as long as possible. The most convincing victim-bot would possess sophisticated knowledge of how the scammers think and behave—precisely the knowledge that tends to elude us when we look at the world only from our own perspective. Similarly, the profitability of phishing scams could be reduced by sending bogus account numbers and other data back to the scammers.

As Mr. Herley's paper shows, what seems stupid can actually be quite sophisticated. It's only by imagining the situation with the roles reversed that we can see what we've been missing.
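The reasoning in the quoted passage can be made concrete with a small model. This is an added illustration, not code or figures from the article or from Mr. Herley's paper; the normally distributed "gullibility" scores, the separation of 2.0, and every count, payout and cost below are constructed assumptions.

```python
import math

def tail(x):
    """P(Z > x) for a standard normal Z."""
    return 0.5 * math.erfc(x / math.sqrt(2))

def profit(t, viable, nonviable, baiters, gain, cost, sep):
    """Expected scammer profit when only respondents scoring above t are pursued.

    Assumed model: scores are N(sep, 1) for viable victims and N(0, 1) for
    everyone else; baiters imitate victims, so they score like victims.
    """
    tp = tail(t - sep)   # share of victim-like respondents pursued
    fp = tail(t)         # share of ordinary non-payers pursued
    return viable * tp * gain - (nonviable * fp + baiters * tp) * cost

def best_operating_point(viable, nonviable, baiters, gain, cost, sep=2.0):
    """Grid-search the threshold that maximises profit; returns (t, profit)."""
    grid = [i / 100 for i in range(-300, 801)]
    return max(((t, profit(t, viable, nonviable, baiters, gain, cost, sep))
                for t in grid), key=lambda p: p[1])

def baiters_to_break_even(viable, gain, cost):
    """Baiter count at which no threshold is profitable: B * cost >= V * gain."""
    return math.ceil(viable * gain / cost)

if __name__ == "__main__":
    # Constructed numbers: 1,000,000 recipients, payout 2000, follow-up cost 20.
    # Fewer victims in the population pushes the most profitable filter upward.
    for v in (10_000, 100):
        t, p = best_operating_point(v, 1_000_000 - v, 0, 2000, 20)
        print(f"victims={v:>6}  best threshold={t:5.2f}  profit={p:12.0f}")
    # Each baiter costs follow-up effort and never pays, so the best case shrinks.
    for b in (0, 2_500, 5_000, 10_000):
        t, p = best_operating_point(100, 999_900, b, 2000, 20)
        print(f"baiters={b:>6}  best threshold={t:5.2f}  profit={p:12.0f}")
```

In this model, the rising threshold corresponds to the article's point that scarcer victims call for a more absurd pitch, and the falling profit corresponds to its point that responses from people who never pay erode the return on each attack.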

The growing size of this illicit industry reflects a sad state of societal affairs: it means there has been that large a number of precision targets, or "suckers," in the world.

Yet “something out of nothing” has been the basic trap laid out by scammers for unsuspecting victims.

Ironically, “something out of nothing” is the same principle that undergirds politics, only there it comes in the jargon of the “free lunch” or the “Santa Claus fund”.

The difference is that politics has been rationalized as having to provide the services of “public goods” whereas online scams have been outright frauds.

My guess is that these two may have important causal connections; personal responsibilities may likely have been relinquished in favor of dependence on the welfare state, making many people vulnerable and highly sensitive to predation.

Nevertheless, knowing what you are getting into, understanding that there is no such thing as a free lunch, thinking critically, conducting research to self-educate and, importantly, self-discipline will always serve as the best insurance against fraud of any kind (online scammers, stock market schemes such as boiler rooms, Ponzi schemes, etc.) and, most importantly, against political tomfoolery.
