This is about complex truths.
The analysis Herley presents in this paper attempts to show – as a matter of base rates and classification error – that Nigerian 419 scammers appear to be incredibly dumb precisely because appearing incredibly dumb is exactly the right strategy for finding incredibly gullible victims. Any time you spend talking to someone who isn’t a rube is time wasted, and incredibly costly, so make sure only fools would reply to you by using a ridiculous story which is easily identifiable as a scam. The discussion – well away from the maths – makes it clear that Herley thinks the scammers are actually pretty smart, to have come up with this method.
Yet 419 scammers are dumb. They send emails manually. They write almost the same scam, many times, using the same names. This is a class of which multiple members have been known to believe, amongst multitudes of other intentionally time-wasting (and false-positive adding) tales, that they have reached:
They fall for these ploys, and run-on gags, even where their opponents are mirroring back to them the exact same forms of persuasion, down to plot elements, that they routinely include in their own emails. They are meant to understand this manipulation, to be masters of it, but they fall for exactly the same things.
So what’s going on? Are they smart, or stupid?
This question has quietly raged a bit in the subtext of several articles on Nigerian fraud, and often exposed a lack of understanding from one angle or another. Let’s take a specific example. Take the horrendous spelling, grammar and presentation of a stereotypical 419 scammer.
On the surface, such a person barely knows English, and especially struggles with professional digital comportment, so they’re dumb. Some spam experts will tell you that intentional misspellings are a classic attempt at evading word-based spam filters (which is true amongst phishers) so they’re smart. But they’re still including all the classic talk of windfalls, lotteries and big money which set off these filters, so it’s pointless, and they’re dumb. Some scholars such as Holt & Graves wonder whether the scammers are misspelling words in order to pretend to be Nigerian, so they’d be cleverly misdirecting you. But, as Herley and others have noted from email header analysis, and is well known amongst the payment processors that move victims’ money, they are largely from Nigeria (which single nation contributes 30-50% of the world’s advance fee fraud).
My opinion is that these questions have fairly little to do with the individual intelligence of scam artists. This is about adaptive pressures. Nigeria is an economic and institutional horrorshow of a nation, and fraud is one of the few reliable sources of income in the country that are not connected to the rampant corruption around the oil and gas industry. This low-trust environment creates actors who are good at lying and not feeling bad about it. The internet puts them in contact with people from higher-trust populations, who are so rich that spending months talking to them to extract what they think of as a small sum is economically viable. Taking the step back to view the fraud in evolutionary terms, as a meme, these features, the obviousness of the story, the spelling mistakes, emerge from first efforts in the 1980s and either are adaptive, or have an insignificant impact on effectiveness to be selected against. Most Nigerian scammers are imitators, blindly tweaking scripts they do not really understand, passed on by a cultural legacy.
So why do Nigerian scammers say they are from Nigeria? Why do they make spelling mistakes? Herley’s right: because it works, but that doesn’t mean they know what they’re doing. That is why so many of them are vulnerable to having their tricks played back at them: they don’t understand why what they’re writing works.