Now for the padding…
The scamming industry is profitable because there are three types of people:
- People who don’t mind ruining someone else’s life to make a few bucks.
- People who can be fooled into handing over their money.
- People who stand by and let it happen.
Scammers, suckers, and selfish bystanders.
The scammers who steal from the suckers rely on the fact that 99.999% of people will not stand in their way. We — the selfish bystanders — will see the scammers in our inbox (or as a number next to our spambox), hunting their prey. Do we try and stop them? No. We shrug our shoulders and hit “delete spam”, or ignore it entirely.
Don’t get me wrong, I’m not accusing you of being actively selfish for ignoring scam emails. I assume you’re like I was until recently, and didn’t really think about the victims. Didn’t really think that when we see a scam email, we’re witnessing a robbery. Didn’t really think that to delete or ignore is to turn a blind eye.
An analogy: imagine you’re at a show, anywhere with a crowd and a stage. Above the stage appears a masked man, waving a green laser into the crowd — the type that can blind you. From his perspective, a human eyeball is a tiny target, but he knows that if he waves the laser around for long enough he’ll eventually hit someone.
The crowd may seem powerless to stop him, but imagine for a moment: a person in the crowd holds up a mirror. Then more and more people in the crowd produce mirrors out of nowhere, all reflecting the laser beam back at the twerp.
Now the story for the twerp is a very different one. The harm is no longer flowing in one direction, he is now at risk of copping an eyeful of green, and his best option is to pack up and go home.
That’s the power of the crowd.
And so it is with spam. Together we can modify the situation such that sending out a million spam emails is no longer a worthwhile endeavour.
The business of email scams
I want you to put yourself in the shoes of a nasty person. You’ve decided to start a business scamming people on the internet. You’ll pay for an email blast to go out to a few million email addresses. You know most of it will go into spam folders and never be seen, but that’s fine, because sending email is cheap.
You even make the email content obviously scammy, to ensure that only the most gullible 0.001% will respond.
For every million emails you send, you expect to get about 10 replies from people who don’t understand that it is a scam. You’ll work those 10, luring them deeper into your scam script, and you’ll maybe get one or two ‘over the line’, convincing them to buy some gift cards and send you the serial numbers. A neat pay day of a few thousand dollars.
For the sake of simplicity, let’s imagine the scammer must spend 1 hour of their time to engage with any victim and see them through to the end. When no one is interfering, the numbers might be something like this:
- 1,000,000 emails out
- 10 responses from suckers = 10 hours
- 1 completed scam = $1,000
$1,000 divided by 10 hours gives us: $100/hour.
But what if just 0.1% of spam recipients pretend to be victims, to waste the scammer’s time?
- 1,000,000 emails out
- 10 responses from suckers = 10 hours
- 1,000 responses from you and I = 1,000 hours
- 1 completed scam = $1,000
$1,000 divided by 1,100 hours gets us pretty close to $1/hour.
If this was a business employing people for $2/hour, it has just gone from wildly profitable to decidedly unprofitable. And here’s the thing about scammers: even though they enjoy robbing little old ladies, they won’t do it for free. If there’s no money in it they’d rather spend their time in a pet shop knocking on the fish tanks and daydreaming about sexual encounters with their close relatives.
To be clear, the actual numbers are wild guesses and largely irrelevant; you can adjust any of my assumptions up or down and the following statement will remain true: a scam operation can be destroyed if it receives too many replies.
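To see how far the assumptions can move before that statement stops holding, here is the same model as a short Python sketch. It is an added example, not the author's code: the names `Campaign`, `hourly_rate`, `break_even_decoy_rate` and `sweep` are made up for illustration, the defaults are the rough figures above, and the payouts and reply times in the sweep are constructed.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Campaign:
    """One email blast, with the article's guesses as defaults."""
    emails: int = 1_000_000       # emails sent per blast
    victim_rate: float = 1e-5     # 10 genuine replies per million
    conversion: float = 0.1       # 1 in 10 genuine repliers ends up paying
    payout: float = 1_000.0       # dollars per completed scam
    hours_per_reply: float = 1.0  # scammer time spent on each respondent


def hourly_rate(c: Campaign, decoy_rate: float) -> float:
    """Dollars earned per hour when decoy_rate of recipients reply as decoys."""
    respondents = c.emails * (c.victim_rate + decoy_rate)
    revenue = c.emails * c.victim_rate * c.conversion * c.payout
    return revenue / (respondents * c.hours_per_reply)


def break_even_decoy_rate(c: Campaign, wage: float) -> float:
    """Fraction of recipients who must reply as decoys to push the
    operation's hourly rate down to `wage`.

    Setting revenue / hours = wage and solving for decoys gives
    decoys per victim = conversion * payout / (wage * hours_per_reply) - 1,
    which does not depend on how many emails were sent.
    """
    decoys_per_victim = c.conversion * c.payout / (wage * c.hours_per_reply) - 1
    return max(0.0, c.victim_rate * decoys_per_victim)


def sweep(wage: float = 2.0):
    """Break-even decoy rate for constructed variations of the assumptions."""
    rows = []
    for payout in (1_000.0, 5_000.0):   # constructed: bigger pay days
        for hours in (0.25, 1.0):       # constructed: faster scammers
            c = replace(Campaign(), payout=payout, hours_per_reply=hours)
            rows.append((payout, hours, break_even_decoy_rate(c, wage)))
    return rows


if __name__ == "__main__":
    base = Campaign()
    print(f"no decoys:   ${hourly_rate(base, 0.0):.2f}/hour")
    print(f"0.1% decoys: ${hourly_rate(base, 0.001):.2f}/hour")
    for payout, hours, rate in sweep():
        print(f"payout ${payout:,.0f}, {hours}h per reply: "
              f"break-even at {rate:.3%} of recipients")
```

The break-even point depends only on the ratio of decoys to genuine victims, so sending more email does not help the scammer escape it.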
Scammers know this, and they track their metrics with great interest. TechCrunch managed to get this screenshot of a spammer’s operation a few years back.
It’s a bit depressing when you think about it, all those despicable people, relying on the fact that you and I just don’t care enough to get in their way. Our collective apathy reliably showing up on their dashboards.
What can you do?
OK here’s the deal. I was going to write a 19 minute article. But instead I’ve made this a 16 minute read. So basically I’ve just gifted you three minutes of free time.
In return for these three free minutes, I ask two things of you. First, flick across from Medium to your email app, go into your spam folder, pick the top scam email, hit reply, type a dot, hit send.
Go do that now.
Please actually do it.
Isn’t it amazing to think that if everyone did that we could be done with email scams? People would stop losing their pensions, having their lives destroyed, because you and I and millions like us got in the way with our annoying responses. I don’t know about you, but that triggers a little spritz of dopamine in me noggin’.
The second thing I would like you to do is to tell two people about this. You can share this post if you like, but better yet tell the type of people who don’t read articles on the internet about this sort of thing.
The art of the reply
In the previous section I asked you to type a dot. That was to help you get in the swing of things with minimal effort (and maybe get a little spritz of dopamine). But the spammers would soon adapt if that’s all we ever did, so don’t send any more dots.
What you really want to do is:
- Minimise the amount of time it takes you to reply
- Maximise the amount of time the spammer must spend replying
Questions are the key to this. Things like “I don’t have a passport, is that OK?”, “I’m retired, is that OK?” and “Is this legal?” work great; you’re pretty much guaranteed a response. Showing trepidation tends to elicit a more tailored (time-consuming) response.
To one email that was extra heavy on the Jesus-juice I responded with “I am not a Christian, is this OK?” and I got a lovely reply explaining that it’s totally OK to be Muslim.
To put it another way, you want to be indistinguishable from the actual sucker who is just about to have their life turned upside down if you don’t keep the scammer busy.
Occasionally you may want to just let loose and break character and tell the person you hope they burn in hell for what they do, or try and talk them into a life of not-crime (we should really have a word for that), but you’ll probably just make yourself upset and get no response.
It’s better to get them on the hook first with a bit of back and forth. You can then be quite infuriating in your responses and they’ll feel too invested to let it slide:
The best is when you get a double-reply. That means they’re gagging for ya:
You can still have fun though. For the below email, I opened up dev tools and made all the links white, then replied with a screenshot. Let the asshole spend some time trouble-shooting email formatting:
Scammers will often hand you off to a second email address when they think they’ve got you on the hook. So the below chap is quite invested in me and willing to un-caps-lock his email at my request:
If your email client has auto-reply options (like Gmail) sometimes that’s all you need.
From the scammer’s perspective, “I accept the terms” is not at all useful, but just promising enough that they will be compelled to reply to me saying if I’m interested I need to hand over some personal information.
My goal is to get to 10 responses from a scammer without giving them anything, I’m doing pretty well with this one:
OK so all this is a good bit of fun, but if you really want to string someone along, you’re going to need to provide some …
A lot of scammers will ask for your information. Perhaps to try and break into your social media or bank account (it’s disturbing how many institutions assume that you are the only person on earth that knows your date of birth and post code). Or perhaps the scammers are testing that you are naïve enough to proceed to the next step. Whatever the reason, you have a few options for replies.
Of course, you should absolutely not provide real personal information. Luckily, the scammers don’t know what’s real and what’s not, so sending fake info is every bit as good.
You should first exhaust all the questions that come to mind, like “what sort of identity card?” Any question is fine, as long as you’re a) not giving them any information and b) appearing as though you’re willing to give them information.
For a little more effort, you can use something like Fake Name Generator, and you can even create a fake scan of your passport (you will be asked for your passport a lot).
If asked for a phone number, you could use the local police station, or the number of a scam hotline, or if you don’t mind the extra effort, keep a list of phone numbers from other scammers so they can all be calling each other.
Whatever (fake) information you do give, make sure you drip feed it. This will burn more of the scammer’s time as they are forced to reply and ask for the missing pieces.
The nice thing about respamming is that you get to choose how much time you invest, and every little bit helps. If you’ve got nothing else to do, and want to create a fake email address and concoct a tale of betrayal then you can do that:
By this point, a certain percentage of you will be on board. To those people, thank you for reading, and thank you for all your future respamming. You may go about your day.
The rest of you aren’t convinced, and that’s OK, I never hoped to convert 100% of humanity into respammers. But the idea that someone could save away a little nest egg for decade after decade and then, as they settle into the final stage of their life have it ripped away from them is really rather heart-breaking. So I would be remiss if I didn’t try and address a few specific objections…
‘Meh’ is probably the number one excuse. You hear what I’m saying but you have no intention of action. You don’t have a reason, you just don’t want to. Maybe you wouldn’t even say that you don’t want to, just that you won’t.
I’m certainly not one to judge, I went 40 years without replying to a single email scam. (Fun fact, I was born the same year that the first spam email was sent.) So I understand your apathy, because I had that same apathy for a long long time. It wasn’t until I got a glimpse into the life of a scam victim that I started to wonder what I could do, eventually settling on a combination of responding to spam and writing the blog post currently seeping into your brain.
The population is ageing, and for many, growing old is accompanied by some form of mental decline. This means a growing population of people with email accounts who are susceptible to scammers, just waiting to have their retirement money ripped away from them. A pot of gold for scammers that is only getting bigger.
My suggestion to you is to read up on some victims, and see if you can’t turn that apathy into empathy. The more hatred you feel for the scammers the more joy you’ll get from spending a few minutes a day wasting their time.
Let me tell you a story… when the idea of this article popped into my head, it originally took quite a different form, summed up by the title: We Could Stop Spam Tomorrow, But We Won’t Because You Suck: thoughts about how sometimes even though a technical solution is available and quite simple, it won’t work because you can’t control the behaviour of millions of people.
Then later that day I was grumbling to myself about the tragedy of the commons, tearing up some cardboard to put into the recycling bin when I thought hang on a minute, people don’t suck, they recycle!
How about another analogy? Recycling and respamming are really rather similar:
- It’s a minuscule amount of effort.
- The problem you’re addressing is distant and abstract.
- Your individual effort has almost no impact on the world.
- No one sees you doing it, you get no recognition or reward.
- You do it anyway. Because you’re a decent person.
The mechanics of it are quite similar, too. When you’ve got an empty bottle in your hand that you want to dispose of, you have one of two options: put it in with the rest of your waste, or put it into the recycling. There isn’t a massive, endless stream of recycling to be done at any one point in time. It’s a finite number of small chunks of effort, a few seconds a day. As it is with spam emails.
The volume is pretty much bang on as well. How many objects do you recycle each week? How many spam emails do you get? Exactly the same number, right? Coincidence, I think not!
And so I ask you to think of respamming as you think of recycling. When you’ve got a new email in your spam folder, reply to it, it takes only a few seconds, then get back to your life.
If I reply to spam, I’ll get more spam
This objection is like me saying “hey, a bunch of us are going down to the local soup kitchen to help out, do you want to come and help ladle?” and you beginning to sob uncontrollably, stammering through the tears “b-b-but my f-f-fingers might get sticky”.
I mean for God’s sake, how soft are you?
Oh wait, maybe I shouldn’t be abusing you if I want to change your mind. Let me try substituting honey for vinegar, ya big sooky la la.
Yes, my dear friend, I understand your complaint, and I hear you. You are heard. It is true, you will get more spam, but that’s a good thing.
Your mission, if you choose to accept it, is to reduce the amount of money that scammers make, to the point that their businesses fail. You do this by maximising the amount of time they spend with people who aren’t going to give them what they want (you). The more spam you get sent, the more you can hinder their operation.
In practice though, you won’t get much more. I used to get around 40 spam emails per week. When I first started replying to scams, there was no uptick beyond the direct replies (think about it, when someone has you on the hook, they don’t want other people distracting you, so won’t be sharing your email address with others).
It eventually increased though and now I respond to maybe 10 a day or so. It takes less than a few minutes.
Also, if you continue to sit by and do nothing, then in the short term maybe you won’t see an increase in spam, but in the long term this sort of attitude results in more and more spam.
So if spam volume is your only concern, then just try it for a week. You might get more spam, and it’s really not that bad, you will almost certainly survive. If at any point you want to stop, then stop, and everything will return to normal. Spam will continue to get classified as spam, and if you’re lucky, you might even get blacklisted as a time-waster from a few networks. Worst case scenario: you need to click a ‘Mark as spam’ button a few times a day for a few weeks.
It won’t make a difference
Neither does voting, neither does recycling, neither does protesting police brutality, neither does buying an electric car or planting a tree to fight climate change. Nothing you do actually makes a difference if you round off the impact to a few decimal places.
But you must follow the Golden Rule. Behave the way you want everyone to behave and don’t fret about quantifying your own individual impact.
I worry that I might be sucked in
Now this is a good reason to not reply to scammers.
One last analogy: If you’re sitting in a park and you see a child — weaker than you — beating the snot out of a child half his age, you may well decide to step in. But if you saw someone much stronger than you going to town on someone also much stronger than you, you would be forgiven for not getting directly involved. You must judge for yourself if you’re likely to get hurt in the scuffle and look after yourself.
Scammers may seem like people that can barely string two words together, but their techniques have been carefully honed over decades to tug at your heartstrings, pull on your greed lever, and manipulate you into thinking “hey, maybe this one is real”. I’m no dummy, and have a pretty good understanding of the different types of scampaigns, and even I will occasionally catch the little primate part of my brain thinking “ooh, a million dollars? Maybe this one…” It’s OK to have this thought, as long as you recognise it for what it is and don’t act on it.
So if you’re not someone who is constantly asking “could this person be lying to me in order to get my money” that’s OK (the herbal remedy industry thanks you for your contributions), but you should definitely not engage with scammers.
On the flip side, if you are operating with a healthy bullshit detector, once you’ve read and responded to a few dozen messages, you’ll begin to see the patterns and it becomes quite clear how they’re trying to trick you. Just be careful, OK? If at any point you find yourself thinking “this one might be real”, feel free to cc me in on the email (firstname.lastname@example.org) and I’ll tell you whether or not you’ve stumbled upon a genuine opportunity to get $4,500,000 transferred to you if you only pay the $1,200 transfer fee.
(If you’re wondering, I don’t mind sharing my email address on the internet because anyone who sends me spam will soon regret it.)
Also, in case it needs to be said, do not click links in spam emails and do not open attachments.
OK how did I do changing your mind? Still have objections? If you would be kind enough to put them in the comments, I hereby promise you that I will not argue with you directly, I will just use that feedback to better hone the message, and I thank you for your input. You’re helping!
Can this be automated?
So why can’t computers do this for us? Why isn’t there a tick box in my email client that says “engage in automated conversation with this scammer”?
There are a few challenges:
- Privacy. Right now, your email provider ‘reads’ your emails in some sense (to decide what’s spam), but you don’t need to worry about actual humans reading it. To build a system auto-replying to spam, you would probably want some human intervention to check that it’s behaving correctly. I suspect most people would not like the idea that others are reading their emails. I say some pretty suss things in emails, I certainly don’t want other humans reading it.
- Legal. What if the scammer becomes enraged and tracks the user down, hacks their social media accounts, says something racist and the person loses their job, because the auto-reply algorithm went too far? Any sensible company lawyer would nix this idea quick smart.
- Responding intelligently. Many emails will have you reply to a different address to continue the transaction, and answer specific questions buried deep in a wall of grammatically incorrect text. One I posted above gave the email of a bank, which then emailed me, and I was asked by one person how I had gotten along with the other person. We don’t yet have systems smart enough to be able to handle all of this.
- Responding uniquely. If the responses from some automated system are at all predictable, then scammers will learn the patterns and be able to filter out the automated responses. You’d get into an arms race, but there’s no way to tell how well the scammers can automatically detect your emails, so it’s a blind arms race.
So don’t hold your breath for the machine to take care of this.
I’ve spoken mostly of email in this post, but phone scams and Facebook scams and investment scams and all sorts of other scams exist. The good news (for now at least) is that all these scams have a human at the other end, and that you have the power to waste that human’s time and reduce the profitability of their operation.
Respamming won’t eliminate scams entirely (the ‘tomorrow’ in the title is perhaps a bit of a stretch goal), and there is plenty more work to be done, but we can definitely reduce the number of people having their life savings ripped away from them by a scammer and I think that’s worth a bit of effort.
Hey thanks for reading, you’re great. Do you hear that? Is that a xylophone off in the distance? How interesting.