Why would a Nigerian scammer admit that he’s from Nigeria? After all, Nigeria is notorious for fraudulent emails. Shouldn’t the fraudsters claim instead to be from Turkey or South Africa or, really, anywhere but Nigeria? That’s a question asked by Microsoft researcher Cormac Herley and seconded by security guru Bruce Schneier. Herley’s insightful answer looks at the economics of scam emails:
Attacking the maximum number of people does not maximize profit. … Since the scam is entirely one of manipulation he would like to attack (i.e., enter into correspondence with) only those who are most gullible. … Since gullibility is unobservable, the best strategy is to get those who possess this quality to self-identify. An email with tales of fabulous amounts of money and West African corruption will strike all but the most gullible as bizarre.
Nigerian scams are labor intensive for the scammer, but only after the first bite. Actually landing even the most gullible correspondents takes time, effort, and skill that the scammers don’t want to waste.
Herley’s paper raised for me a different question. Why haven’t we put Turing-test machines to work, raising transaction costs for Nigerian scams? Alan Turing famously said that we should treat a computer as capable of thought when it could fool a human correspondent into believing it was human. Computers still aren’t perfect at that task, but they’re getting pretty good. It would take Nigerian scammers a long correspondence before they discovered that they were dealing with a machine. And in the meantime, they’ll have wasted their time, which turns out to be the most precious resource they have.
I’m pretty sure we could crowdsource the programming for such a worthy cause. The harder problem may be, oddly, getting enough spam. The Turing-test machine can’t make the first move. It has to reply to a message actually sent by a scammer. Where would we find mass quantities of such messages? Most obviously, the big webmail companies, who routinely identify and block massive amounts of spam. Since those messages are a drain on the webmail providers’ resources, you’d think they would have an incentive to waste the spammers’ resources in turn by hooking up a Turing-test machine and letting it reply to all of them. As far as I know, they haven’t. Why not? I’m guessing that they fear a privacy backlash. (Imagine the squib on Drudge Report: “CONTROL: Google isn’t just reading your mail, they’re answering it too!”)
So maybe this is a job for government. The scams are all crimes, under state and federal law. Law enforcement could serve a subpoena on the big webmail providers, obtain copies of all spam fitting certain parameters, and fire up the Turing-test machine as part of their investigation – just as cops hunt pedophiles online by pretending to be thirteen-year-old girls.
Is it fair for the police to use investigative tactics that waste criminals’ time but don’t lead to arrests? Maybe so, but I don’t think that’s the endgame here, at least not if we bring Cormac Herley’s insights to bear one more time: Just as the scammers test us for gullibility, so too could the machines test them. The machines could be programmed to identify the scammers who are most easily tricked into performing dangerous or foolish stunts to keep their scam alive.
Once the gullible scammers have self-identified, they could all win free airline tickets to the US, and a long stay in a gated community.
UPDATE to clarify the difference between Turing machines and machines that pass the Turing test.