Friday, December 7, 2012


Not so long ago I had to abandon an email address because it was getting upwards of 30,000 spam emails a day. The idea of filtering through that inbox to find the odd legitimate email was obviously a bit ridiculous.

I don't get 30,000 spam emails a day any more... but it's regularly into the hundreds. And as much as I detest it, it is kind of fascinating.

When I first encountered spam it seemed to be that it was related to a limited number of things: "Rolex" watches were quite common. As were inkjet cartridges and home loans etc etc. (The old, "I need to smuggle some money out of Nigeria and you are the man I trust to help me" emails aren't spam as such, they're a different kettle of con entirely).

I understood the mathematics of spam in those days. If your email at least appears relevant to someone there's more chance of them falling for it. So sending designed to appeal to the needy and the greedy made sense.

If you send it to a million people you only need a tenth of a percent of them to fall for it to have 1000 mugs in the game. And it doesn't matter what it is you appear to be selling because you're not actually selling anything. I'm told that spam is - for the most part - just trying to get your details. It's your name, address and phone number they really want. Information is valuable in today's economy.

But recently the spam I've been getting has been incredibly niche. And this confuses me.

I've had spam telling me about "great deals on forklift trucks". Really? What percentage of people would even read beyond the first line? How many people actually buy forklift trucks anyway? It's not exactly an impulse buy. "I only came in for some paint but they'd put the forklift trucks by the counter and, well... yellow is so my colour, so I just had to get one."

Likewise premium grade aviation fuel. Surely the people charged with buying aviation fuel are a) limited in number and b) pretty wise to spam.

Aren't the spammers just cutting the number of potential dupes down before their evil words have even hit our inboxes?

This spam arrived today.

There's no guess work required here. I can speculate as to how many people buy forklift trucks or aviation fuel... but really I'd just be plucking numbers out of thin air. But I can find out how many people are in the AICPA.

According to the AICPA website, there are 370,000 members. So in the whole wide world, there are only 370,000 people who can genuinely fall for this spam. And how many of them are actually receiving it in the first place? If I'm getting it, it's not as though this email has been sent to a highly targeted list of addresses. It's the same scattergun tactic as all other spam.

But surely accountants are the kind of people who regularly deal in formal documents that contain legalese. Surely they're the kind of people who will read a sentence like, "we have received a denouncement about your recent involvement in income tax hustle" and spot that it's a bit, y'know, shit.  

"The rejection to provide the clarifications within this term will finish in end off of your..." what's that? Really? Will it. If I reject to provide clarification you'll do what now?

I'm really struggling to believe that anyone on earth has fallen for this. If you're not an American Certified Public Accountant the "threat" from the AICPA to end (off) (of) your career is a bit of an empty one so there's no reason for anyone else to respond to it.

And if you are an American Certified Public Accountant you're surely equipped to spot that this isn't legit. If you are and you do, I'd suggest you need a change of career.

But put yourself in the crook's shoes. Imagine creating this email. You've bothered to steal the logo and the colour scheme from the AICPA website. You've formatted the graphics and made it look nice. Would it really not occur to you to, just maybe, find someone who has English as a first language to proof read it first? Are the spammers so stupid they think Google Translate is good enough?

How many levels of stupidity does this reveal? Someone's stupid enough to send this spam. And someone, somewhere, might - just might - be stupid enough to have fallen for it.

Or is there something I don't understand about how this works?

PS: Just as I published this, another, almost identical email arrived.

This time, I think I might be in trouble. They're on to me and my tax return crook business. I hope I don't waiver to submit exposition within this term.

PPS: And then another...

... is it just me, or isn't it even less convincing when they send three in such quick succession? Isn't it just three times as unconvincing? Wouldn't one, well written, email have been more effective?

December 10 version: income tax refund shady transactions:


Unknown said...

Just a Thought:

Could it all be built by "robots"? If there was some type of automated system that’s just building and sending out the emails it could be trying all types of word combinations to fool spam filters.

Unknown said...

There's also the tactic of them wanting to know if your email address is valid and active. By opening the email and downloading any embedded images (which may be teeny, 1-pixel images) you confirm that it's an active account -- which makes it a more valuable address to sell on. So, by creating less obviously-spam emails (which you may open out of curiosity), they have more chance of you opening their messages.

Blackout said...

I've got to admire how "within 7 work days" becomes "within 21 business days" and then "within 14 days".

Normally, you'd assume that the bot/low-end-employee/Apprentice-contestant in question had copy pasted some legal paragraph they'd found online. But in this case they seem to have used the wording from two documents, shuffled it into one and ran it through two translator pages. And then employed a proofreader to remove any traces of grammar.

I'm impressed.

Mr TempleDene said...

Actually, it's very clever, the temptation to open the attachment must be quite high in some people, and the attachment contains the real reason for this email, a trojan which will (they hope) infect your computer and place it in their botnet.

By making it seem a legal email between the AICPA and one of their members just makes the attachment seem more juicy scandal to the unwitting recipient.

You didn't open any of the attachments did you Dave?

Dave Gorman said...

@Mr TempleDene: I didn't. But my point is that they have singularly failed to make it look like a legal email between the AICPA and one of their members when, with just a tiny bit of effort, they could have quite easily done so. What they've made it look like is some semi-literate pretence at a legal email. Why wouldn't they employ someone able to make it convincing?

Dave Gorman said...

@Martin Emery: If it is built by robots and the idea is to try different word combinations, surely that ruse is undone by sending them all to the same addresses. Sending Type A to one collection, Type B to a second and C to a third would be a better test. Having most recipients see all versions only makes each version even more transparently fake than it already is.

Anonymous said...

There's actually been proper scientific research into why scam emails are so illiterate - see

The one-line summary: by being so obviously fake, the scammers can weed out all but the most gullible potential targets, which saves them a lot of effort.

Dave Gorman said...

@Anonymous: but that's about the please-help-me-smuggle-great-riches-out-of-Nigeria scam emails rather than about spam per se. Those aren't spam, as such. They involve hooking one person in and then trying to get as much money out of them as possible by making them think they're going to get hundreds of thousands of pounds and then asking them for tens of thousands of pounds as "security". For that kind of long form con to work, then yes, you want to only hit the most gullible/suggestible people out there.

But spam doesn't work like that. It wants as many people as possible to click on that link. If it's installing software on your computer that makes you a part of their botnet it only needs you to click once.

If it's simply fishing for your information to sell to others, there's no requirement for you to be the dumbest of the dumb for that to work or to be of value.

Anonymous said...

You can always consider the alternative - that the email is not spam and is steganography using something like snow or spammimic.

When you (BadGuy#1) know your communications are being tracked sending a million+ emails that everyone ignores except the recipient you want is pretty inexpensive.

You have a spam folder with 30'000 emails in it that you ignore. BadGuy#2 only has to look for the unique characters 'AICPA' to find the communication. It's certainly easier to filter than 'viagra'!

Comment spam on websites is often the same thing - hide a secret message in a paragraph from 'alice in wonderland' and put it on the BBC website as a comment. You're traffic isn't obviously going to a known bad website and is hidden in the noise of everyone elses.

Dave Gorman said...

@Anonymous: I love the idea that these particular spam emails are nothing to do with spam and all to do with sending coded messages.

I doubt it's true. But I love it as an idea.

Roaul King said...

Be right back just getting tin foil. Great read as ever

Anonymous said...

I had one last year informing me I had a 'Tax Rabate'. All I had to do was give them all my details, including my telephone banking password. You'd think they'd run it through a spell checker, wouldn't you?

There's another one going round saying the recipient owes postage money on a parcel that basically didn't have enough stamps. That's a load of rubbish too.

Gary said...

Hi Dave,
Just re-watching googlewhack adventure, an annual event here (I'm that dedicated / sad) and though i would find out what's up in your world.
Reading spam apparently has become your pastime, so here is my two cents.

The above comments and post don't complete the answer for why those emails exist. For the real answer you should look up the term "Spear Phishing" (Correct Spelling).

Since you are not a CPA you are not the target, just a typo in the cross-hairs. There is probably another D Gorman out there who is a CPA (you may know him/her).

The aim of these emails is to Spear a big fish or two, a CPA will lots of tax records on their computer and who is dumb enough to click on email attachments, you can imagine the rest.

It happens alot, several US local government comptrollers were caught this way only last year and lost a collective $3.6M.

So take this information in the way I hope it is given, in friendship and in the vicarious nature that in some way there is a D Gorman out there worth scamming.

P.S. If you want a good way of avoiding SPAM, try running it though a gmail account, their free and can fetch you email for any other accounts and collect in one nicely ordered place. Believe me it works, being a web-developer I have upwards of 30 email accounts for different clients, servers etc. and my SPAM folder gets around 900,000 real spam entries a month which are deleted automatically after 30 days; though my inbox rarely has one in the same period.

Dave Gorman said...

@Gary Thanks for this... but it raises as many questions as it tries to answer.

If it is spear-phishing and they're after a particular D Gorman who's a CPA, surely they'd be able to look him up and find his actual email address.

That would be far easier than sending thousands of emails to thousands of might-bes. Why would they take the more difficult scatter-gun approach if their target is a specific, findable individual.

But let's assume they're scattergunning in an attempt to hit the one D Gorman they're after... surely the right thing to do then would be to send all the D Gormans they can find one version of the email and see if they get a response. If they don't get one, try another version of the email... and so on.

Instead they chose to send multiple variations of the same email at the same time. So multiple copies arrive in my inbox together. They're contradictory. Someone who might fall for one will have alarm bells ringing when they see four and realise they're different and couldn't all be legit.

And the question as to why criminals who are sophisticated enough to create these emails are not smart enough to get someone who has English as a first language to write them.

If it's spear-phishing as you suggest they're doing everything they can to make it as ineffective as possible.