Why does 'phishing' ever work?

[Whitney168]

I mean, I'm assuming it does, as they keep trying ...

Why was anyone ever going to respond to a badly written URGENT email from someone they don't know from a hole in the wall, but particularly when phishing is such a well publicised thing now?

People are complacent and think it will never happen to them.
Or they don't believe all the stories.
A strange belief that they have to reply to everyone, or answer anyone elses questions.
Don't read the emails properly, just see paypal and the urgent log in message, and they click on the link.

You also have those with various impairments who click and are taken advantage of, their details often passed to other scammers.

Although I do miss the old Microsoft PC scam. I used to keep them on the phone for as long as possible playing the inept user. Then I'd say after at least 30 minutes, along the lines, who did you say you were from? Oh it's Microsoft, I'm not sure if I have that and drop the bombshell I'm using Mac 🤣

People have different cognitive skills.

Some phishing attempts are more sophisticated than others. The phone ones particularly so. You virtually never see the Nigerian Prince ones these days, so they must have concluded that no one is falling for them anymore.

Some groups are easier to take in than others such as the elderly, those with dementia or learning difficulties. Scammers like to target these people because they know the scam is more likely to work.

Even intelligent, professional people have been phished though, so they must work on a psychological basis which bypasses intelligence.

I’m still incredulous that’s my uncle fell for it. Great uncle George unclessurname had apparently died In Nigeria and left 20 million quid and my uncle was the only remaining relative (despite having a sister, my mother).

He sent a copy of his driving licence, his bank details, and was about to transfer £5000, but the bank intervened.

My uncle was in his 50s and ran a successful business at the time.

They’re much more subtle nowadays.

Eg at work we get: “client has sent an attachment via this online sharing site. Please login to view.”

Colleagues then login to see the files but of course all the login process does is collect usernames and passwords.

Not many fall for it but there’s always a couple who do, because they’re worried about not seeing the files from the client etc or they’re distracted or in a rush.

I absolutely get that there are more sophisticated ones that we must all be very careful not to fall for.

The Great uncle George unclessurname ... not so much LOL.

Mine this morning:

multiple of times i have writing to you i do not know if you did not get my message but can you write me now because i have an urgent information for you kindly email me now at [email protected]

Sorry, mrsshuiang7764, I think I'll pass.

Sadly, they're particularly targeting the most vulnerable people out there - those with low intelligence/cognitive skills and maybe severe anxiety and/or paranoia.

I read somewhere that all the spelling mistakes and incoherent writing is actually done deliberately, to weed out all the people they will see as wasting their time. They have no interest in people who will cautiously respond to a first well-written one and then receive the follow up(s) and say "Wait, this is a scam, isn't it?" before ignoring them further.

They figure that, if you're taken in by the first jumble of terrible spelling, grammar, syntax and implausible scenarios, you're far more likely to go all the way to sending them money or handing over your bank details.

This has been explained quite well in a book I read recently ("Think Like A Freak," by Steven D. Levitt and Stephen J. Dubner), essentially the typos/implausibility in phishing emails actually help to filter out less gullible individuals, making it easier for scammers to then concentrate their efforts on easy marks.

I get quite a few, got one last week saying my tv licence was overdue. No spelling mistakes, pictures taken from official website looked very good, only give away was that they addressed me as 'customer' rather than my name. That and the fact I knew I was paid up until November.

If my DM or DGM recieved this email they would definitely be taken in.

Kitboga on YouTube strings these scammers along for hours.
Amazing stuff.

@UpToonGirl I’ve had that a fair few times and it’s actually pretty good. It was the dear customer that made me realise it was fake.

I’ve also seen some really convincing PayPal ones which use your email address as your name (essentially hoping that your email address is your name of [email protected] would then get his email saying dear John Smith. You log in, I assume it then reads the username and password. I think it’s very easy to be taken in, same as people who get tricked by romance scams, or ones where you sell something on say gumtree you then get an email saying I’ll give you x amount but ship to Nigeria, they then provide a scam email confirming the money has been sent and you ship the product. I nearly fell for this once before it was only when I thought well can’t they just buy the item in Nigeria and said I wouldn’t ship there. I got a confirmation email confirming the amount had been sent to my paypal etc.

It’s also like marketing, it’s a numbers game, you send 1000 emails your take up for a marketing campaign my be 10%, same goes for phishing scams, you send 1000 emails I would think a handful of people react to it. And it’s that small number of people where you make your money.

I've only known two people who've fallen for them. One was a dentist who fell for the old "Fred died with an estate worth millions and you may be the only beneficiary" scam, and the other a successful businessman who fell for the Nigerian scam. Both were fully aware of the types of scam and went into it with their eyes open, but greed took over - in the case of the dentist, he actually said "but what if it's genuine and I lose all that money Fred's left me". They both intended just to take it slowly and not hand over too much, but inevitably they both got sucked in and both lost a lot of money.

A bit like the retired police inspector of my MIL's neighbour who's just been scammed out of £5k by a rogue roofer. He's only in his 60's, got full mental capacity, and with his previous job you'd think he'd have known better, but he still got scammed by a smooth talking con man.

Successful conmen wouldn't be successful if they couldn't con "normal", sensible people.

There is also a DHL email going around about a package they have for you. It looks very convincing. It's one of those sweepstake things.

Yes, I've seen the TV licence one and that was far more convincing.

The points about deliberate shoddiness in the type that I got today to target certain groups are very worrying, but logical.

I had one from Amazon that looked like a genuine email with all the proper headings etc. I only knew it was a scam as I haven’t ordered anything from them at the moment. I forwarded it to Amazon’s fraud team.

I think it is also about if you're expecting the correspondence or if its right out of left field. My fil texted to request our bank details to transfer some cash, he got a text back addressing him by his name from an unknown number stating bank details. So far exactly what he expected to happen. It was an unknown number but he presumed it was a work mobile he didn't gave stored in his contacts. He transferred the money although the bank warned him the account was not in our name, he presumed it was our business account. There was red flags but he was taken in as on the whole things were as he expected

I’m getting fed up of PayPal telling me my account has been suspended and I need to update my card details

I get a fair few from PayPal, telling me to update my details and Apple Pay, in one email telling me they are suspending my account and in another sending me invoices for Rubloks? / Fortnite bucks etc.

Had the TV license one too.

Oh and the number of £1000 gift cards I've won, for just a simple survey...and all of your personal data.

A lot have a 'mask' over the email, so hotmail tells me it's from Apple Play but the actual email is something like [email protected]

All my scams (and other crap) go to my hotmail.

The 'untargeted', dear customer, dear startofemail tend to be easier to spot for the discerning. But people fall for them; slightly disordered finances and not entirely sure when your tv license expires, easy to believe you're overdue and oh how convenient I can just log on straight through the email and sort it now...

Email telling me 50 quid has been spent on virtual currency. Oh no, what's dc1 been up to on my iPad, I'll log in straight away and check how much they've spent...

The 'long game' ones though? I have no idea how anyone gets them. I wonder how many people think...oh it's totally a scam but I wonder if I can play them at their own game....