Are the spelling and grammar mistakes in phishing emails done on purpose? Is there some wisdom behind it? Or are they simply indicative of the fact that they've been written by someone who does not natively speak English?
- 16 Have you already heard about `All your base are belong to us`? – ott-- Aug 06 '15 at 21:43
- 68 I've read that sometimes these mistakes are added on purpose. Only a fool would fall for messages full of errors. And scammers are looking for that kind of people. – Rob W Aug 06 '15 at 23:13
- 5 Cybercriminals don't necessarily have a good education, or speak the primary language of the email as a second language on the generic garbage spam. Most of the quality phishing email out there doesn't have these issues and is often indistinguishable at first glance from whatever corporation is being spoofed. Targeted spearphishes will be by people who have studied internal documents and communications flow and will attempt to closely emulate the education level of the person they wish the email to appear from, including the types of mistakes they would make. – Fiasco Labs Aug 07 '15 at 06:12
- 7 @RobW For a 419 scam, sure. But for phishing? I don't buy it at all. The whole point of phishing is to look credible enough that people follow the link and give you their account details. Once you have their account details, you don't care how gullible they are. Sending spam is so cheap that, if you wanted to use mistakes to find extra-gullible people, it would make much more sense to send that as a separate shot: there's no reason to combine the two. Ockham's razor says that mistakes in phishing mails are because spammers are dumb, not because they're super-cunning and subtle. – David Richerby Aug 08 '15 at 12:31
- 1 @David Richerby Phishing emails from Nigeria with poor spelling and grammar are the best example of what Rob W is talking about. English is the official language in Nigeria, and everyone speaks it. Furthermore, many phishers are college educated. Poor grammar and spelling actually make the emails *more* convincing to gullible victims, who don't know that Nigerians speak English. – user2752467 Aug 08 '15 at 20:07
- 4 @JustinLardinois Are you using a different definition of "phishing" to me? To me, phishing is a form of social engineering involving sending emails that look like they come from some organization the victim is associated with, such as their bank or email provider. My bank and email provider both speak excellent English: anyone who attempted to impersonate them but uses bad spelling and grammar is not going to succeed. – David Richerby Aug 08 '15 at 20:37
- 3 @JustinLardinois Although English is the official language of Nigeria, it is actually *not* widely spoken. Very few people in Nigeria use English as their first language. Most people in urban areas will speak English but not necessarily fluently and almost certainly not in a way that would pass off as, e.g., an American or British speaker. Three-quarters of the population live in rural areas, where English isn't spoken much at all. – David Richerby Aug 08 '15 at 20:40
- 2 While spammers/phishers using English may be sophisticated, I can assure you that they fail badly on other languages. As German is my mother tongue, I have yet to get a convincingly error-free message in German despite excellent attempts to get the outfit perfectly right (Amazon etc.). – Thorsten S. Aug 10 '15 at 11:12
- 2 Hanlon's razor: "Never attribute to malice that which is adequately explained by stupidity." Prisons are full of semiliterate people. I know someone who was studying it for UK Gov who got shut down as the results were political dynamite. If you have a petty criminal record, poor literacy, but can use a computer, then self evidently doing 419 scams seems to earn. Studies show petty criminals earn less than flipping burgers but since they cannot get that job (criminal record) they "work" for less. If they could spell they would get a job where they can steal from their employers as more reliable. – simbo1905 Aug 13 '15 at 20:50
- Related: [Why Do Nigerian Scammers Say They are From Nigeria?](https://www.microsoft.com/en-us/research/publication/why-do-nigerian-scammers-say-they-are-from-nigeria/) - updated link. – Kuba hasn't forgotten Monica Feb 28 '17 at 13:36
- 2 @simbo1905, it again proves that criminal records should be secret unless relevant for that particular job. Unless we want to keep ex-prisoners in crime the rest of their life. – Lenne Dec 12 '18 at 17:50
5 Answers
This may well be for the same reason as many scammers rely on the tired old 'Nigerian Prince' strategy: by self-selecting for gullible targets, they can be more efficient.
In phishing, as in scams, sending the initial batch of emails is the easy part. The hard part is coaxing information out of the target (which can require a concerted exchange of emails). That can represent a significant investment of time.
As a result, it's really important to ensure that the people you correspond with may actually give you the information that you're after. It can therefore be advantageous to send a badly-drafted email, on the basis that the people who respond to that are likely to be gullible enough to be phished.
(I would probably draw a distinction between these broad, drag-net approaches and targeted phishing, where you're much more likely to see carefully-crafted and legitimate-looking emails.)
- 19 -1 as spelling mistakes are also as prevalent (if not more prevalent) in mass send mails that try to get you to log in on an automated fake login page without any manual interaction. In more targeted phishing where actual email exchanges occur the level of English tends to be far far better. – David Mulder Aug 07 '15 at 16:20
- 3 Yeah this is a nice thought, but I'm sure the grammar mistakes aren't that nefarious. English is a hard language, and it's not most people's first language. – BlueRaja - Danny Pflughoeft Aug 07 '15 at 21:12
- 4 Somewhat related, I think the same self-selecting effect works for homeopathy - "Yes all physics signify that homeopathy does not work. But it works nevertheless." - although the supporters might not be as cynical as spammers and actually believe in it themselves. – hlovdal Aug 07 '15 at 21:29
- 3 From reading the paper, it is evident that they are simply theorizing about the problem. No Nigerians (or other spammers) were consulted. While an interesting analysis, it is not actually true. – ztk Aug 12 '15 at 13:31
- 2 Agreed that it is most likely ignorance on the part of the spammer, but could it also be an attempt to bypass spam filters? And can these spam be generated in a way that introduces unique spelling mistakes in each e-mail so that each one would technically be unique and thus again more likely to evade a filter that searches for bulk mailings? – Rick Chatham Aug 13 '15 at 20:02
- 1 @hlovdal: Next time you're in a conversation with someone who believes in homeopathy, ask if they'd be worried if a homeopathic terrorist put a single drop of cyanide in the local water supply. ;) – Mason Wheeler Dec 10 '15 at 16:29
- 2 @MasonWheeler Like _cures_ like, so a single drop of cyanide would cure everyone of cyanide poisoning! What you _really_ want to look out for is a single drop of antibiotics... They do that and everyone will be dead of anthrax within the hour! – forest Jun 30 '18 at 06:09
- 1 **This is incorrect.** The reason is largely due to the way spam is generated (e.g. with spintax templates), which substitute various words for their synonyms, ignoring the fact that they may make no sense if they were part of an idiom, for example. So this is clever speculation, but it is wrong. -1 – forest Sep 15 '18 at 01:40
- Search for `james veitch spam` on YouTube. Enjoy ... there are loads of people like him who love to appear gullible in order to waste the scammers' time. – 0xC0000022L Sep 03 '20 at 18:47
Emails with mistakes are probably from people who don't know English well enough to write it correctly.
Many phishing emails do not have mistakes and may be copied directly from emails sent by the company they claim to represent.
See this for more details: "Phishing" red flags and countermeasures
- 3 Also to avoid detection - i.e. change a couple letters, and see if the spam filters still catch it – user2813274 Aug 07 '15 at 01:42
- 3 +1 I realize this is quite a boring explanation, but I think that in the end it's actually the correct one. And either way, a couple of spelling mistakes probably don't matter *that* much, because people who are dumb/gullible enough to enter their bank login information on a random internet page are probably dumb/gullible enough to not wonder for too long about a couple of spelling and typing mistakes. – David Mulder Aug 07 '15 at 16:25
- I'm getting lots of spam that is not written in English at all (not that it's written well in my native language either)… – Bergi Aug 08 '15 at 16:35
- In case anyone else is wondering about the comment from @HasanKhan: http://www.quora.com/Which-is-correct-people-who-doesnt-or-people-who-dont – kR105 Aug 09 '15 at 10:38
- 2 @HasanKhan, I loved the comment. Initially 'doesn't' was a mistake, but I thought it was pretty funny so I left it in. – ztk Aug 12 '15 at 13:29
Spam filters work by looking for certain words (among many other tests).
If these words are misspelled, the filter won't recognize them.
- 13 -1 as phishing mails tend to replicate official mails and the words in official mails are not words that a spam filter will tend to block (unlike words in actual spam mails). – David Mulder Aug 07 '15 at 16:21
- 7 Well, if typos are indicative of spam, they will be recognized very fast. – Deduplicator Aug 07 '15 at 17:59
- 4 This answer isn't really correct. Bayesian filtering doesn't care about spelling, and spam filters are quite good at using spelling errors to aid in their detection. V1@gra vs Viagra is trivial to filtering software. – Rocky Aug 08 '15 at 03:44
- 2 Absolutely not true. Well designed Bayesian filters will weight unknowns negatively, therefore misspellings will be flagged. – bic Dec 10 '15 at 22:25
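The two filter behaviours mentioned in the comments above (folding `V1@gra` back to `Viagra`, and counting never-seen tokens as a signal), as an added example that is not part of the original thread: a toy naive Bayes scorer over constructed training mail. The substitution table, the `unknown_weight` value and all sample messages are assumptions made for illustration.

```python
import math
import re
from collections import Counter

# Constructed training mail for illustration only (not real messages).
SPAM = ["cheap viagra online now",
        "verify your account password now",
        "viagra discount click now"]
HAM = ["meeting notes attached for monday",
       "your invoice for the account is attached",
       "lunch on monday with the team"]

# Assumed substitution table: look-alike characters folded back to letters.
LEET = str.maketrans({"1": "i", "@": "a", "0": "o", "3": "e", "$": "s"})

def tokens(text, normalize=True):
    """Lower-case, optionally undo look-alike substitutions, then split."""
    text = text.lower()
    if normalize:
        text = text.translate(LEET)
    return re.findall(r"[a-z0-9@$]+", text)

def train(docs):
    counts = Counter(t for d in docs for t in tokens(d))
    return counts, sum(counts.values())

SPAM_C, SPAM_N = train(SPAM)
HAM_C, HAM_N = train(HAM)
VOCAB = set(SPAM_C) | set(HAM_C)

def spam_score(text, normalize=True, unknown_weight=0.0):
    """Naive Bayes log-odds (equal priors); a score above 0 leans spam."""
    score = 0.0
    for t in tokens(text, normalize):
        if t not in VOCAB:
            score += unknown_weight  # assumed penalty for never-seen words
            continue
        p_spam = (SPAM_C[t] + 1) / (SPAM_N + len(VOCAB))  # Laplace smoothing
        p_ham = (HAM_C[t] + 1) / (HAM_N + len(VOCAB))
        score += math.log(p_spam / p_ham)
    return score

if __name__ == "__main__":
    msg = "Cheap V1@gra 0nline n0w"  # constructed sample
    print(tokens(msg))
    print(round(spam_score(msg, normalize=False), 2), round(spam_score(msg), 2))
    print(round(spam_score(msg, normalize=False, unknown_weight=0.5), 2))
```

With normalization the obfuscated sample scores the same as its plainly spelled form; without it, only the unknown-token penalty keeps the misspelled words from being ignored.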
Is it possible that by appearing to be less intelligent they seem (perhaps even subconsciously) to be less of a threat?
I mean, there's no way somebody who confuses you're and your could fool someone as smart as me!
- 1 Although it might not be deliberate, I think this is a good point. I spend far longer (within my role as IT support) looking at convincing emails than badly made ones. More convincing = more of a threat. – Prinsig Aug 07 '15 at 13:02
There are some good points in the answers, but I think we need to clarify a few definitions. There is a difference between spam, sometimes referred to as unsolicited commercial email, and phishing: attempts to get the user to respond to a link, open an attachment or perform some other action which either assists in the installation of malware or fools the user into providing sensitive data, such as their username and password.
With spam, the spelling and grammar errors are often due to both attempts to get past spam filters and the messages being written by someone who is not a native English speaker. With phishing, the causes are similar, but often you see fewer grammar and spelling errors than traditionally seen in 'old style' spam.
However, the main point I wanted to make was that using grammar and spelling as an indicator of either spam or phishing is becoming less useful. These days, with the growing commercialisation of both spamming and phishing in particular, those undertaking these activities are becoming a lot more sophisticated. They will use existing filtering technology to test their messages and find ways to bypass filters. They are also very much aware that many people use bad grammar and spelling as red flags and are therefore taking more care.
In particular, spear phishing is definitely on the increase and those who initiate spear phishing campaigns are taking significant care to ensure their messages look professional and very convincing. There are now organisations out there who will provide a commercial high quality service for mounting phishing campaigns. The emails have increasing amounts of personal information, such as referring to you by your actual name, job title or some other personal reference and frequently will appear to have come from someone you know, you work with or a senior person in your company who has authority and who you are more likely to respond to.
Noyyom linr, grammar and spelling mistakes are of decreasing value for identifying either spam or phishing emails. The increased sophistication in such campaigns means we need to be very conscious of this change and more vigilant. A belief that spam and phishing emails have bad grammar and spelling is likely to increase our vulnerability to well crafted emails. We need to use other techniques, such as being aware of any unusual or non-standard request - especially those which don't follow normal work practices or policies. We need to be even more vigilant regarding opening of attachments, following links or providing sensitive details via email. Whenever we receive a message which either urges immediate actions, raises fears about something which may have occurred, offers something which sounds too good to be true or warns us that something terrible will happen if we don't do something, we need to stop and think about what the actual motives underlying that message might be.
The other limitation of using grammar and spelling as an indicator is that there are increasing numbers of legitimate messages which include such things - even some of these responses have both. The world is shrinking, but English does seem to be the main language of the internet. As non-English speaking countries become more connected and as more and more IT services are moved off shore, we see increased numbers of legitimate messages authored by people who are not native English speakers. There is also an increasing tendency for people to value speed over accuracy, so spelling and grammar errors seem to be increasingly accepted. We should also remember that even in English, there are differences in spelling and grammar - for example US and British spelling, math versus maths etc.
- 2 In a well-written post about grammar and spelling, I almost hesitate to ask -- what the $expletive $disparagement does 'Noyyom linr' mean? – dave_thompson_085 Dec 10 '15 at 09:52
- 4 Noyyom linr is really close on the keyboard to 'bottom line'... but not sure... my guess is that's intentionally ironic :) – Corley Brigman Dec 10 '15 at 16:14