You gotta wonder

This is just great! The day after I won a million Euros in the U.K. National Lottery I won the same amount in the East-West Australian Lottery! Just look at this e-mail I just got:

I can't figure out why these people keep giving me such vast sums of money just because I have an e-mail address! That's awesome. I should get another e-mail address. Maybe I never have to work again?

You really have to wonder though, do people actually fall for this crap? Does the weird batch number really make people think it's real? Let's see how many clues there are in this e-mail:

  1. Australia does not use Euros. It would make relatively little sense for them to run a lottery that gives away prizes in Euros. But, then again, this is probably destined for Americans, who think Australia is a small town in Idaho.
  2. The return e-mail address is incomplete, but then again, do people notice such small details?
  3. I'm not sure what the deal is with "Bank's Name:Bank Name: laagste Bank B.V." but that doesn't look like any Australian bank, or any other bank I know of, for that matter.
  4. "0031 616 293 431" is not a valid international calling convention in most countries (although I think it would work in Australia, ironically, if the area code were not fake). The normal way to write it would be "+31". Besides, if you call +31..., you would end up in the Netherlands, not in Australia.
  5. The e-mail address I am supposed to contact has a .pl extension. That's Poland, not Australia, nor the Netherlands.
  6. And, finally, if you don't play the lottery, it is quite unlikely you are going to win!
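The clues above are really a handful of consistency checks: does the currency match the claimed country, does the contact phone number actually route to that country, does the reply address live in that country, and is the address even well-formed. As an added example (not part of the original post), here is how a mail filter might encode those checks. The country tables are deliberately small and illustrative, and the sample message is constructed to resemble the one described above; the only detail taken from the comments is that a Dutch number beginning +31 6 is a mobile.

```python
"""Heuristic consistency checks for 'you have won a lottery' e-mail.

Added example, not the original post's code. It encodes the mismatches
the post lists (currency vs. country, phone country code vs. claimed
country, reply-to ccTLD vs. claimed country, malformed reply address,
never entered the draw) as checks a mail filter could run.
Tables are small and illustrative; SAMPLE is a constructed message.
"""
import re

# Minimal lookup tables (illustrative, not exhaustive).
COUNTRY_CODE_TO_COUNTRY = {"31": "NL", "61": "AU", "44": "UK", "48": "PL", "1": "US"}
CCTLD_TO_COUNTRY = {"nl": "NL", "au": "AU", "uk": "UK", "pl": "PL", "us": "US"}
COUNTRY_TO_CURRENCY = {"NL": "EUR", "AU": "AUD", "UK": "GBP", "PL": "PLN", "US": "USD"}

# International direct-dial prefixes a sender might use instead of '+'.
# Longest first so that '0011' is tried before '00'.
IDD_PREFIXES = ("0011", "011", "00")


def to_e164(raw):
    """Normalise a dialled string to '+<digits>', or None if no country code is present."""
    digits = re.sub(r"[\s\-().]", "", raw)
    if digits.startswith("+"):
        digits = digits[1:]
    else:
        for prefix in IDD_PREFIXES:
            if digits.startswith(prefix):
                digits = digits[len(prefix):]
                break
        else:
            return None  # national format such as '06 12345678': no country information
    if not digits or not digits.isdigit():
        return None
    return "+" + digits


def phone_country(e164):
    """Map an E.164 number to a country by longest matching country code."""
    body = e164.lstrip("+")
    for length in (3, 2, 1):
        country = COUNTRY_CODE_TO_COUNTRY.get(body[:length])
        if country:
            return country
    return None


def email_country(addr):
    """Return (country from the ccTLD or None, whether the address is well-formed)."""
    m = re.fullmatch(r"[^@\s]+@([^@\s]+\.)*([a-z]{2,})", addr.strip().lower())
    if not m:
        return None, False
    return CCTLD_TO_COUNTRY.get(m.group(2)), True


def assess(msg):
    """Return a list of inconsistencies found in a claimed-win message."""
    findings = []
    claimed = msg["claimed_country"]

    if COUNTRY_TO_CURRENCY.get(claimed) != msg["currency"]:
        findings.append(f"prize paid in {msg['currency']} but lottery claims to be in {claimed}")

    e164 = to_e164(msg["phone"])
    if e164 is None:
        findings.append("contact number carries no usable country code")
    else:
        origin = phone_country(e164)
        if origin != claimed:
            findings.append(f"phone {e164} routes to {origin}, not {claimed}")
        if origin == "NL" and e164.startswith("+316"):
            findings.append("Dutch +31 6 number is a mobile, odd for a bank official")

    reply_country, well_formed = email_country(msg["reply_to"])
    if not well_formed:
        findings.append("reply address is malformed or incomplete")
    elif reply_country and reply_country != claimed:
        findings.append(f"reply domain is in {reply_country}, not {claimed}")

    if not msg.get("entered_lottery", False):
        findings.append("recipient never entered this lottery")
    return findings


# Constructed sample resembling the message the post describes.
SAMPLE = {
    "claimed_country": "AU",
    "currency": "EUR",
    "phone": "0031 616 293 431",
    "reply_to": "claims-office@mail.example.pl",
    "entered_lottery": False,
}

if __name__ == "__main__":
    for finding in assess(SAMPLE):
        print("-", finding)
```

Run stand-alone, the script prints five findings for the constructed sample; a message whose currency, phone prefix and reply domain all agree with the claimed country, sent to someone who did enter the draw, produces none. The point of normalising to E.164 first is that "0031", "011 31" and "+31" are the same thing written three ways, and a check that only looks for a literal "+31" would miss two of them.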

All in all, not the perfect crime; and yet, I get several of these a week. As a friend of mine once said at a conference "clearly, someone is buying ***** enlargement pills!" It's gotta work sufficiently well to make it worthwhile for the criminals. Clearly, there must be enough people out there who have enough of a clue to be able to receive e-mail, but not enough to understand that nobody is going to give them a million Euros for that feat.

I've said many times (cf. http://www.microsoft.com/technet/technetmag/issues/2006/07/SecurityWatch/default.aspx) that those of us in the InfoSec field need to take it upon ourselves to help others become more paranoid and better able to fend for themselves in security. Typically I am met by blank stares and hostile claims that "users are too stoopid to be taught and need to be prevented from doing stoopid things instead." Then we recommend that they buy some "360" security suite that provides "total peace of mind for your activities online". Tell me, someone, what software will protect me from willingly sending an e-mail to some "bank" in Poland and giving them my personal information?

I'd also like to question the purported stupidity of end-users. Who are these people we deal with? Who is it that is smart enough to learn a written language, has enough job skills to earn money to purchase a computer, or at least time on one, is capable of signing up for an e-mail account and even good enough to write e-mail; but is too stupid to be taught, inside the span of about 10 minutes, that any e-mail message claiming they won one million anything, just by having an e-mail address, is FAKE?!? I mean, do we really have such poor people skills that we can't explain that fundamental concept to someone smart enough to write and send e-mail messages? I'd say the failure lies not with the end user, but with the technologist who is unable to explain even the most basic concepts to the end user. It's really not that high a bar, folks! Let's do our share to spread the word. If nothing else, if people stop falling for this nonsense, our mailboxes will be much cleaner.

Published 03 April 2007 11:49 PM by jesper

Comments

# Adam - from Australia said on 04 April, 2007 12:59 AM

That phone number won't work from Australia as it doesn't have the proper international direct dial prefix on it (generally 0011, but could be 001x).  (http://en.wikipedia.org/wiki/Australian_telephone_numbering_plan)

But I guess for the people determined enough to get their million euros they may just persist & work out a number that works :^o

# jesper said on 04 April, 2007 01:29 AM

My mistake! I thought Australia used 00 as the international direct dial prefix. Guess I got used to using my cell phone every time I was there and did not need to worry about it. Thanks for correcting me!

# James Kahn said on 04 April, 2007 02:14 AM

Sadly, many people throw out their sensibilities when they think they're about to get rich quick.  It's just a plain old con moved from the real world to email.  People get taken by them all the time - they have had a couple of articles in the local paper here about people that lost a lot of cash from these scams, and they're usually people that think they've just been handed a leg up - they're not so bright, and need the money.

BTW - I am in Australia, and yes, the international dialling code is 0011.  00 is the international code in New Zealand - commonly mistaken for a state of Australia ;).

# Rob said on 04 April, 2007 03:02 AM

The phone number is actually correct, but you have to wonder why a president of a bank would hand out his mobile phone number. In The Netherlands all mobile numbers have area code 06 (+316 for international dialers). Also the fax number will route directly to a voicemail service, since area code 084 is reserved for those services.

# Stephen Edgar said on 04 April, 2007 03:03 AM

Not only do you have to wonder, You also need to think about how "smart" the people looking after your own personal interests are.

http://www.smh.com.au/news/breaking/dumb-and--much-dumber/2006/02/02/1138590592345.html

"Police are staggered by the amount of money gullible Australians are losing to Nigerian investment scammers.

The long-running internet-based rort has netted more than $7 million from Queenslanders alone, and the loss Australia-wide is likely to be far higher, police say.

Among those being duped are financial advisers, lawyers and university professors, and one person had put $2.2 million into the hands of scammers over the past two years."

# MIchel k said on 04 April, 2007 03:17 AM

If you translate "laagste bank b.v." from Dutch to English you get "Lowest Bank Company".

0031616293431 is a dutch cell phone number.

0031847599547 is a faxmail number.

and www.O2.pl is a webmail provider.

# Bas from the Netherlands said on 04 April, 2007 03:21 AM

The telephone number could be a valid dutch mobile phone number, it's just formatted "weird".

They usually are in the format 06 12345678, and you can leave out the leading 0 when calling from abroad.

Also, the bank's name and contact person are Dutch sounding names.

# Patrick Ogenstad said on 04 April, 2007 05:34 AM

I guess I’m as amazed as you are that people are falling for these kinds of things. However I have a few other reflections.

Your point number 6. where you say you have to play to win, there are a lot of people who play the lottery. I would presume this type of scam would have a higher success rate in that audience. If someone is playing the lottery and all of a sudden they receive an email notifying them that they had won they might just get too excited and ignore such facts at the reply address, the .pl domain or the fact that the lottery they were entering hasn’t been played yet.

The other group I think would be suckered by this is the kind of people who find a wallet in the street and keep the money inside the wallet for themselves. Even if they didn't play the lottery they might think someone has won and by some freak accident the person who received the email might get away with a million bucks.

All in all I guess greed and stupidity are a dangerous combination.

Ps. It’s great to see that you’re writing a new book. With all the money you won from the lottery, perhaps you will find more time to write?

# Martin Brown said on 04 April, 2007 05:50 AM

I'm not convinced of the argument that "It's gotta work sufficiently well to make it worthwhile for the criminals."

I reckon that the stupidity is on the part of the people sending the spam thinking it is going to work. There are some phishing emails that are a lot more sophisticated than the one shown which do catch people. I guess emails like the one shown are sent by copycat criminals that aren't clever enough to pull it off, but they keep trying anyway because the risk & cost is low and the potential reward is high.

Taking the lottery analogy: I play the lottery here in the UK where I have a 14,000,000 to 1 chance of winning. I didn't win the first week but that didn't stop me I still played on the second week. Even though I haven't won big in the year that I have been playing, I haven't learnt and am still playing. I guess it is the same for the spammers. Even though no one has responded to them they keep trying because they have convinced themselves that if they continue they might just pull it off one day.

# John C. Kirk said on 04 April, 2007 05:59 AM

There is a counter-argument to the theory that "it must work, or they wouldn't keep doing it", if the real money comes from selling mailing lists. E.g. I will sell you a list of addresses (guaranteed to be valid!), and a program that will send lottery spam to those addresses. You just have to pay me a small amount of money, and then you'll get rich from all the suckers who reply to you. This would be a variant on the old pyramid schemes like the Dave Rhodes letter.

I vaguely remember a scene at the start of the Asimov novel "Foundation" where someone is selling an alchemy machine - he demonstrates that it can turn someone's shoe buckle into gold, so the buyer will easily recoup their initial costs. (It turns out that the machine doesn't really work on a larger scale.)

Under this theory, nobody actually needs to reply to the spam messages; the only people who need to fall for it are the spammers themselves (probably helped by blog posts like this). I'm not sure how realistic this theory is, but I find it vaguely comforting that they'd be the ones getting exploited.

# Eric Eskam said on 05 April, 2007 11:54 AM

Great post, as usual!  Again, it makes one wonder why they call it "Common Sense" when it apparently isn't as common as we would like.

I don't know why people's perception changes so dramatically when they sit down in front of a computer.  I used to argue with my father that using a computer was no more difficult than writing technical reports, or building a house with no previous experience (both things he did on a routine basis).  I never could get him interested in using one - he claimed they were too hard to understand, while he routinely performed tasks that were many more times complicated...

If people got those ridiculous emails as paper letters in the mail, they would throw them away after reading the first sentence with poor grammar - but looking at it on the computer screen somehow gives it "authenticity" in their minds.  If we could better understand how, we might be able to fight against it.

It's like the attitude shown in the "If GM ran a helpdesk" emails that have been going around (I linked to one spam-free version in my URL above).  We look at that from a car perspective and collectively go "well duh, I would never ask that" and laugh at the absurdity of it.  But sit quite a few people down in front of a computer and for some reason a "switch" gets shut off and common sense goes out the window.  And the "why aren't you protecting me from myself" attitude you speak to pops up.  We laugh at the GM helpdesk jokes because they are funny, but not when people pull the equivalent (or worse) with computers?

<sigh>

# Joe Elway said on 12 April, 2007 06:13 AM

This one's been running in Europe by snail mail too.  Badly photocopied letters have been sent out saying people have been entered into a European lottery and they've won.  In order to get their cash, they have to fax copies of their passports and banking details to an office in Madrid.  The dude running it has even had the £^$$ to answer the phone and invite people to call into his office :-)

It's been all over our press in Ireland but still you hear of grannies losing their life savings to it every now and then.

# Angelo DiMaggio said on 18 April, 2007 11:32 AM

btw, with regards to the script, might not want to stop DNS services across the board prior to starting them.

Angelo
