
"If people in the U.S. aren’t suspicious of free money, PayPal payments that look fake, the absence of a payment in their account, fake emails from PayPal’s FBI department or just Nigerians in general, then they deserve to have their money taken from them."

I could easily see my parents falling for this. I don't think they deserve to have their money taken.

Although, to be fair, I doubt my parents could set up and use a PayPal account. So they've got that going for them.



+1. Plenty of people in the US have a subpar grasp of English (and yet are not retarded). For example, my dad was not born in the US, but has a Masters in Electrical Engineering and used to work on power grid systems. He's a smart guy. However, it took him a good amount of time to recognize phishing e-mails, some of it requiring my guidance. For example, it's not easy to identify Misused Capitalizations, or to pick up on missed article in email, or to recognizing verbs not agreed with time.

Furthermore, it is completely plausible to an inexperienced person that PayPal might enlist FBI to enforce shipment of paid-for goods. It takes some experience in this country to realize that 1) this sort of matter is not referred to FBI unless it's super grave, 2) and not referred to any enforcement entity so fast (less than 30 days), 3) and not referred to any separate enforcement entity without at least several resolution attempts from the original business.

In fact, IMO, it's quite arrogant, on the part of the OP to say this. Unfortunately, this is a typical attitude in the geekdom: if something that's obvious to us isn't obvious to you, you're stupid.


I'd still think paying $100 more than the asking price (with no explanation as to why) would be a strong clue something is amiss in this case.

But you're probably right that the use of English and the FBI enforcement letter are obvious only to a subset of people who grew up in a Western, Anglophone culture.


I only skimmed the article; I'd assumed that was part of the scam (forward the extra $100 on via western union, or paypal it back to me on this different account, etc)


The extra money is usually not a scam in itself if they are trying to actually get you to ship the item. Once upon a time scams were all about moving cash, but I surmise those have gotten harder, so now they secure your item and (presumably) resell it.

Thus, the promised extra money is actually just a way to both ensure you'll "sell" to them as they made the highest bid, and also perhaps an attempt at triggering just a touch of greed, which does wonders for putting the blinders on.


Isn't that graue's point though, that it looks like it would be part of the scam and thus should throw alarms?


I used to work as a bank teller while in school. About once or twice a month someone would come in with checks from these types of scams. The spectrum of who was falling for it was a lot wider than I would have ever imagined.

We were trained pretty extensively on stopping these checks from being deposited, but it sure broke my heart being the bearer of bad news so often.

I remember one guy who didn't believe me that it was a scam, asked that I at least try to clear the check (we'd put it on hold for about a week). Lo and behold, he came back in a week later to tell me it turned out to be fake.


Did you ever have the opposite, where you thought something was a scam check but it turned out to be legit?


Many times -- they made you pretty paranoid about fraud at training with horror stories of people who got fired for letting checks get through too loosely, so I was always proactive about it.

After about four years of it, you got really good at being able to analyze every deposit in under 30 seconds or so before the customer even knew what was going on.


God help us if the scammers ever find someone who can write correct English. I know many people get caught by these scams, and I suspect that the numbers would increase if the wording was improved a bit.

There's a metaphor about conversions and copy-writing and startups in there somewhere.


I've heard that for many scams it's actually the opposite: They intentionally throw in huge warning flags so that the people who initially "bite" are less likely to have second thoughts later on, and thus the scammer wastes less time chasing false leads. They're basically prequalifying you as a good mark. (There is a good lesson about marketing here too — theoretically "perfect" copy or design may not be ideal for your market, so test and see what provides the best ROI.)


here's a source that says something similar: http://www.computerworld.com.au/article/428151/why_nigerian_...


The problem for the scammers is the response rate is too high. The scammer has to invest time into writing back to the target, so they don't want to spend all day writing letters back.

By peppering the letters with bad spelling, punctuation and case mistakes, they eliminate 99.5% of the population who correctly detect it as a scam. Thus, when they do get a response, the person is much more likely to convert.

It applies to startups if signing up the customer requires cost on the part of the startup. If, for whatever reason, you had to sign up a limited number of people and invest time in each of those people, then reducing your response rate by, say, making the signup process complicated, would allow you to pre-qualify your audience by those actually able to navigate their way through it.

It would have real applicability if you wanted to get a limited market for beta testing.


The poor spelling probably increases the conversion rate from people who make the first reply. The Nigerian prince and poor-spelling spammers are dead giveaways to a spam. If you filter out people who know about these cliches, you increase the likelihood that the responder will give you money.


Could you imagine how many emails that they would have to field if they were, at a first pass, a convincing forgery? It's almost certainly used as a low pass filter to only prey on the ones likely to fall for it in the long run.


I read a theory (probably on this site) that using obviously terrible scams helps them select for the most gullible people - e.g. the kind who would wire $500 of their own money back to Nigeria when the laptop arrived and "didn't work", plus a few hundred to cover expenses.


They have already. I regularly get properly phrased phishing emails from "PayPal". A few times I even got some from the banks that I use. I'm not sure if it was a coincidence or not, but the only thing that gave it away was the phishy URL.


Those are different. Phishes strive for perfection, because they win as soon as you log in to the fake site.

These "long con" 419 scams need to rebuff intelligent/savvy people and only attract rubes.


> I could easily see my parents falling for this.

Sometime in the mid '90s, not long after my dad got email, I decided to warn him about Nigerian scams.

Instead, he ended up telling me about how these kinds of scams started popping out of the first fax machine he turned on, back in the early '80s.


Agreed on all counts. To many people, the internet and all are so new and unfamiliar, they have absolutely ZERO context to recognize fake-looking PayPal payments or emails from PayPal's FBI department. To them, they are still completely lost- you can't expect them to recognize a scam.

As for being suspicious of free money, I think most people generally would be, but relax their misgivings when something appears to be legitimate- that is to say, any escapes they are aware of appear to be covered. The scammer, therefore, takes advantage of the victim's lack of knowledge of the escapes in an electronic age.


The Internet has been around for fifteen years, and PayPal has been around for more than ten. I don't think either of them qualify as "new" anymore. Most people get scammed not because the technologies are new, but because they have been using those technologies irresponsibly, i.e. without educating themselves about their dangers first. They simply want to reap the benefits, and end up losing their money.


> The Internet has been around for fifteen years

WWW has been around for 20 years. But it's only recently that people have always-on cable modems and active content.

> without educating themselves about their dangers first.

HN is full of stories of well funded, international businesses, with considerable sums of cash at risk, who do stupid insecure things. If they can't get it right why should Joe Sixpack be expected to do any better?

Email inboxes are full of hoaxes about supposed dangers - most of them are garbage.

I'm interested to see what kind of help there is for people who want to learn how to protect themselves on the Internet.

(http://www.usa.gov/Citizen/Topics/Internet-Fraud.shtml)

That site has comprehensive information. It's lousy. Look how much stuff people have to wade through.


>>I'm interested to see what kind of help there is for people who want to learn how to protect themselves on the Internet.

What kind of help is there for people who want to learn to protect themselves in real life? Does the fact that there is no comprehensive resource somehow remove one's burden to learn anyway?


You're extremely grumpy. Blaming the victim is not some brave, heroic concept.

People can imagine what it looks like to be in physical danger, and instinct can help them avoid the situations to some degree. It's hard to imagine what it's like being in an unsafe situation on the internet.


>>Blaming the victim is not some brave, heroic concept.

Blaming the victim is bad only if you believe that blame is a zero sum game. Unfortunately, it is not. If you walk down a dark alleyway in New York at night alone and get mugged, the mugger is guilty of mugging you, but you're also guilty of being a silly goose. You don't gain immunity to blame simply because you were the victim.


To expand on that (since I find in this topic it is necessary to be explicit), since blame is not zero-sum assigning an amount of blame to the victim should in no way be seen to reduce the blame or fault the perpetrator receives.

In other words, since blame is not zero-sum, placing some blame on the victim is not a defense of the perpetrator.


Why shouldn't you be able to walk down a dark alley in NYC at night? It's not your fault if something happens. With that attitude, we are just tolerating crime and accepting it. If more people walk around at night, the crimes will gain more exposure, be more aggressively stopped, and things will get safer.


The individual has every right to walk down a dark alley, and the group very well may be safer if more people walk down dark alleys, but if the individual is optimizing their behavior for self-preservation (and I think that is how individuals are most likely to act, at least in the 'West') then avoiding the alley is likely the best action


You're expanding on my point exactly. The Internet does not have such an obvious dark alley. You can copy HTML/CSS, have anchors with a different href than shown, and a lot of sly things. I hate using analogies when talking to hackers, so I didn't use the alleyway example even though I was thinking it.


>>You're expanding on my point exactly. The Internet does not have such an obvious dark alley.

Not literally, no. But most Internet scams can actually be avoided using common sense, which dictates that if something sounds too good to be true, it probably is.


> The Internet does not have such an obvious dark alley.

http://p3n1zp1llz.48djkhcd.com.shadyurl.info/freemoneyz.exe

;)

Edit: Forgot about this site, but perhaps it could be used as a training tool for family members you feel are not quite as savvy as they should be: http://www.shadyurl.com/

Make a page that just says "Grandma, don't click links like that!", convert it to a "shady" url with shadyurl.com, then email it to your grandmother.


A nice idea!

But [urls are disguised so easily](http://horribleurl.example.com). The A element has split the real URL from the text description since forever.


Good point. Training family members to look at the status bar first is probably pretty hard, and probably not even effective. At the very least you would have to train them to recognize and avoid url shortening services...


Yea, and if you wear provocative clothes, you're asking to get raped right?

Victim blaming is wrong, period. If you get mugged, you're not guilty of anything. Stop making excuses for people behaving shitty.


How 'bout if you just moved to New York from backcountry Idaho?


I would say that a criminal is equally guilty if they commit a crime in a dark alley NYC or if they commit a crime in backcountry Idaho.

If I replace my bicycle u-lock with a nice hefty rope and start lashing my bike to whatever object seems solid at the time (this is a concept that actually appeals to me), then I should receive some blame when my bike gets inevitably stolen. However the bicycle thief is no more nor less a thief.


No you shouldn't receive any blame. The person doing something illegal should receive the blame.

You are making your life less convenient for yourself by letting your bike get stolen but you're not doing anything wrong.


I was talking about the guy who got mugged. What if he had never lived in the city.


What I was trying to say is that your hypothetical does a good job of showing why blame is not zero sum. Obviously in either case the criminal receives the same blame, but I think it is fairly clear that the victim who took drastic measures to reduce risk is less to blame than the one who did not.

The important thing to remember is that the blame of the victim, while present, has no relation to the blame of the criminal and should never be relevant in, for example, a criminal trial for the criminal. I really feel like I can't emphasize that enough.


I don't think we are talking about the same thing.


Perhaps not. I am just trying to expand upon what enraged_camel mentioned about blame not being zero sum.


In real life I have my parents to keep a watch on me for most of the early part of my life. This takes years of intense involvement, with a lot of teaching about risk and safety.

I have Public Information Films on a variety of subjects:

Tables are dangerous (http://www.youtube.com/watch?v=icbYf_aR91o)

A collection of terrifying ads (http://www.youtube.com/watch?v=m0xmSV6aq0g)

There are a variety of crime prevention and community safety websites. There are radio and tv programmes with advice about avoiding scams. There are magazine articles (even a well respected consumer law advice magazine "Which?") about scams and consumer law.

All of this is built up over many years and modified when needed.

How are people expected to learn how to keep themselves safe on the WWW? What search terms are they expected to use? (This is when I need Matt Cutts or some other Googler to give us useful stats about the words people use to find information about scams)


How would you know that responsibility is needed without proper education about the dangers?


Saw a new type of phishing email the other day - a fake order confirmation page from Amazon saying someone in Florida had ordered a widescreen TV on our account.

Obviously, first reaction of a non-techy user would be to click on the Amazon link in the email and enter their account details to check their order history.

And that's how they get your Amazon account details. I think this works because the "OMG my account has been hacked!!!" panic overrides your natural caution about phishing emails.


I concur. My parents were recently duped by botspam sent from an estranged aunt's hacked aol account. The message was one sentence, two words of which were CLICK HERE. My mother spent a whole day researching the reality content farm it linked to, thinking something was happening to some family real-estate.

Maybe there needs to be some sort of Internet-wide PSA about this kind of thing?


I hate this sentiment so much. No one "deserves to have their money taken from them". Victim blaming 101. One of the reasons we have to waste so much effort fighting this kind of crap is this moronic idea that if you get scammed you deserve it.


My nephew got stung in a PayPal + eBay scam a few years ago. Long story short, they lured him in with a few bona fide transactions, then took big by "selling" a fake antique on eBay but making it look like he was the seller.


I provide technical support for Americans from the UK. +1 for understanding some of my audience.


To further add to this: there are quite a few gangs here in euroland who are successfully scamming older citizens with nothing but randomly calling them up, pretending to be a grandchild in trouble and in desperate need of some money and then that "grandkid" sends over a friend to collect the money. They are taking literally thousands from the elderly that way, you keep reading about it in the papers.

So I can see how these emails seem totally real and threatening to the average computer-illiterate who sells something for the first time ever. Remember, good scams are about that initial shock, that initial mental blow you deal on your victim to completely catch them off-guard and disable their logical thinking. Flashing a shiny badge or pretending it is an "emergency" is a very good angle.


There's a con scene in a movie, Nine Queens[0], in which a grandkid sends a friend to con his aunt. The movie is quite awesome btw..

[0]http://www.imdb.com/title/tt0247586/



