Screening for gullibility - John C. Kirk
Oct. 5th, 2012, 07:54 pm
I've received a few variations on the following message, claiming to be from PayPal:
Dear PayPal Customer,
You have added email@example.com as a new email address for your Paypal account.
If you did not authorize this change, check with family members and others who may have access to your account first. If you still feel that an unauthorized person has changed your email, click on restore account PayPal and follow the next steps.
Restore Account PayPal
NOTE: For security reasons, we will record your ip-address, the date and time, Deliberate wrong inputs are criminally pursued and indicated.
Please understand that this is a security measure intended to help protect you and your account. We apologize for any inconvenience.
If you choose to ignore our request, you leave us no choice but to temporary suspend your account.
Sincerely, PayPal Account Review Department.
Please do not reply to this e-mail. Mail sent to this address cannot be answered. For assistance, log in to your PayPal account and choose the "Help" link in the footer of any page.
Unsurprisingly, this is a fake "phishing" message. Aside from the poor English, I always hover over links before I click them, and I could see that this one didn't go to the real PayPal website. (I've removed the dodgy link to stop anyone clicking it by mistake.) Also, it gets "SFAIL" status from an SPF check, i.e. the server that sent it isn't one that PayPal's SPF record authorises to send mail for its domain.
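As an added illustration of the SPF check mentioned above (this is my own example, not part of the original post), here is a minimal SPF evaluator: given the IP address that delivered a message and the domain it claims to come from, it walks the domain's SPF record and returns pass, fail, softfail or neutral. The records and IP addresses are constructed for the example (documentation ranges, not PayPal's real records) so that it runs offline without DNS.

```python
import ipaddress

# Constructed in-memory "DNS" so the example runs offline.  The syntax is
# real SPF syntax, but these are example records, not any real domain's.
FAKE_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:mail.example.com -all",
    "mail.example.com": "v=spf1 ip4:198.51.100.10 ~all",
}

# Qualifier prefixes and the SPF result each one produces on a match.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip, domain, txt=FAKE_TXT, depth=0):
    """Return the SPF result for sender_ip sending on behalf of domain.

    Supports the ip4, ip6, include and all mechanisms with qualifiers,
    which is enough to reproduce the 'fail' verdict a spoofed message gets
    when its last hop is not in the claimed domain's authorised ranges.
    """
    if depth > 10:                      # RFC 7208 limits include recursion
        return "permerror"
    record = txt.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                   # no SPF policy published
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        if "=" in term:                 # modifier (exp=, redirect=): skipped
            continue
        qualifier = "+"                 # unqualified mechanisms mean pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            # 'in' is False when the address family differs, so an IPv4
            # sender never matches an ip6: range and vice versa.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif mech == "include":
            if check_spf(sender_ip, arg, txt, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"          # a, mx, exists, ptr not supported
    return "neutral"                    # no mechanism matched, no 'all'


if __name__ == "__main__":
    # A message claiming to be from example.com but relayed from an
    # address outside its published ranges: the same "fail" as the post.
    print(check_spf("203.0.113.7", "example.com"))   # fail
```

A real check would fetch the TXT record for the envelope-from domain with a DNS lookup and take the sender IP from the last trusted Received header; the decision logic is the same.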
However, suppose that I did believe that this was a real message from PayPal. It still doesn't make sense! They initially say that I should log in if "an unauthorized person has changed your email", which implies that I don't need to do anything if this was a legitimate change. They later say that they'll suspend my account if I ignore this message, but that would be rather harsh if I had actually added the new email address myself. In actual fact, the spammers know that this is a fake email address (because they made it up), but the real PayPal wouldn't know that, so the spammers are sabotaging their own attempt by relying on that knowledge.
I assumed that this was just incompetence on their part, but Microsoft Research have a different theory (link via The Old New Thing). That specifically applies to Nigerian scams, but the premise may apply here too. Basically, the scammers don't want to waste time making contact with people who will get suspicious, so they want to pre-select the people who are so gullible that they'll ignore all warning signs (e.g. glaring contradictions). I haven't read the whole research paper yet (since it's 14 pages of maths), but it's an interesting idea.