The clever reason scammers can’t spell
If you’ve attended any of our IT security events or read any of our web pages, you’ll know that we tend to repeat ourselves when it comes to tell-tale phishing signs. Scammers know what works, including the occasional spelling and grammar mistake.
This topic was originally explored by Microsoft researcher Cormac Herley in 2016, if you’d like to read the publication or the related Microsoft blog post.
Recap: what’s phishing?
A phishing attack is a form of social engineering by which cyber criminals attempt to trick individuals by creating and sending fake emails that appear to be from an authentic source, such as a business or colleague. The email might ask you to confirm personal account information such as a password or prompt you to open a malicious attachment that infects your computer with a virus or malware.
Being able to spot spelling or grammar mistakes within seconds of opening an email is a handy skill to have. Emails from legitimate companies are mostly either generated by a system or authored by a professional writer. This makes it easy to tell the difference between these and phishing emails.
It’s on purpose. If you can spot it, they don’t want you.
Sometimes people ask us: ‘If spelling mistakes are such a giveaway, why don’t scammers just spellcheck before sending?’ The mistakes are normally left in on purpose. If you have an eye for detail and take the time to read all the communications you receive, scammers aren’t targeting you.
By sending an initial email that’s obvious in its shortcomings, the scammers are isolating the most gullible targets. If you trash their email, that’s fine. They don’t want you, someone from whom there’s virtually no chance of receiving any money. They want people who, faced with a ridiculous email, still don’t recognize its illegitimacy.
If you interact with a poorly written email, then the scammer has already half won you over. Cormac Herley said, “anybody who doesn’t fall off their chair laughing is exactly who they want to talk to.”
Bad spelling and grammar are among the many giveaway signs you should know about. We discussed a few more at our recent cyber security event.
If you receive a phishing email, forward it to [email protected] so our IT Security team can investigate.