by mikhmha 1296 days ago
100%. This article is a popular “Reddit” theory I’ve seen float around for a while now and it’s just not true!

I’ve worked IT help desk before and have seen lots of phishing emails. If scammers tightened up their spelling and grammar skills a tiny bit they would catch many more victims effortlessly. The bar is insanely low. Most users could spot obvious phishing emails. But emails with even just a little more effort put into spelling and grammar were insanely successful. I worked at a University - I’ve seen professors, students, admin fall for these ones.

Why can’t they spell? Because most scammers are operating from the developing world and don’t have great English. That’s it. There’s no elaborate theories beyond that.


I am another data point that would agree with you on this. I would classify myself as a sophisticated computer user (if I don't say so myself), and I fell for a phishing page once. They recreated a pixel-perfect copy of the Steam login page in a fake browser window with a pretend address bar etc. I entered not only my creds, but also my 2FA code, before realising that it was not legit.

Got an email shortly afterwards about a login from Russia, however I was able to change my password and kick out all other sessions before any damage was done.

The worst part was that I was doing a favour to a Steam "friend" who asked me to vote for his clan in some kind of competition. I will give him the benefit of the doubt and assume it wasn't really him, but someone who had hacked his account, but either way, Steam support were utterly disinterested in doing anything about it when I reported it. As were Cloudflare. I checked on the site a few days later and the safe browsing list had flagged it, so at least those maintainers still seem to give a shit.

Yeah, actual credential phishing attacks can be sophisticated and well put together. The ones where they will make mistakes on purpose to weed people out are the ones where they are REALLY looking for a target to squeeze. They will keep some of these people on for extended periods of time and get loads of money from them.

I have a friend that got a message from a "girl" over the summer. It was like "Hello Dear Joseph, I would like to no if you can help me with to practice English. I find you profile today and I have a work visas starting in 90 days to come to your city for work and I am wanting to make new friends and practice my english!! Sorry if this bothered to you. ~~EMOJIS~~~ - Signed Brazilian Model."

So far I think he's 8 grand into helping her. I'm sure it's more now because that was like before Halloween and it's impossible to convince him that it's a scam.

> So far I think he's 8 grand into helping her. I'm sure it's more now because that was like before Halloween and it's impossible to convince him that it's a scam.

Scams work because people want to believe in them.

Likewise. It’s scary how easily you can just fall into a phishing trap. I almost gave an attacker my GitHub login due to a (very, very good) phishing email impersonating CircleCI.

The email was really good (not in junk), the domain was close, pixel-perfect UI, and I'd just finished a reformat so entering my creds again made sense. Unfortunately for them, they sent the email out prematurely, because after pressing the button I got a JS error.
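The comment above turns on the sender domain being "close" to the real one. As an added example (not code from this thread or from CircleCI, GitHub or Steam), here is a small defender-side check that flags From: headers whose domain imitates a protected brand: it folds common confusable characters, then compares the registrable domain against a brand list by edit distance and by embedded brand label. The brand list, the confusable table and the sample headers are all constructed for illustration.

```python
"""Flag look-alike sender domains in From: headers.

Added example for this thread, not code from the original post or from any
of the services it mentions. Brand list, confusable table and sample headers
are constructed for illustration.
"""
from email.utils import parseaddr

# Constructed list of domains to protect; a real deployment would use its own.
PROTECTED_DOMAINS = ["circleci.com", "github.com", "steampowered.com"]

# Single-character substitutions often used to imitate a brand (constructed, not exhaustive).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
# Two-character sequences that render much like a single letter.
MULTI_CHAR = [("rn", "m"), ("vv", "w")]


def normalize(label: str) -> str:
    """Fold confusables and separators so visually similar strings compare equal."""
    s = label.lower().strip().rstrip(".").translate(CONFUSABLES)
    for src, dst in MULTI_CHAR:
        s = s.replace(src, dst)
    return s.replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; inputs are short, so the O(len(a)*len(b)) loop is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels of the domain. Naive (no public-suffix list) but enough here."""
    parts = domain.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def classify(domain: str, protected=PROTECTED_DOMAINS, max_distance: int = 2):
    """Return ("exact" | "lookalike" | "unrelated", matched protected domain or None)."""
    reg = registrable(domain)
    if reg in protected:
        return "exact", reg          # real domain or one of its subdomains
    norm = normalize(reg)
    for p in protected:
        brand = normalize(p.split(".")[0])
        # Close by edit distance (g1thub.com), or brand label embedded in a
        # different registrable domain (circleci-notifications.com).
        if levenshtein(norm, normalize(p)) <= max_distance or brand in norm:
            return "lookalike", p
    return "unrelated", None


def check_from_header(header: str):
    """Parse a From: header value and classify the sender's domain."""
    _, addr = parseaddr(header)
    if "@" not in addr:
        return addr, "unparseable", None
    domain = addr.rsplit("@", 1)[1]
    verdict, matched = classify(domain)
    return domain, verdict, matched


# Constructed sample headers: one legitimate, three look-alikes, one unrelated.
SAMPLE_HEADERS = [
    "CircleCI <builds@mail.circleci.com>",
    "CircleCI <noreply@circleci-notifications.com>",
    "GitHub <security@g1thub.com>",
    "Steam <support@steamp0wered.com>",
    "Newsletter <hello@example.org>",
]


def triage(headers=SAMPLE_HEADERS):
    """Return the headers whose sender domain imitates, but is not, a protected domain."""
    return [h for h in headers if check_from_header(h)[1] == "lookalike"]


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(check_from_header(h), "<-", h)
```

The "lookalike" verdict is a review signal, not a block decision: short brand labels and a distance threshold of 2 will also catch legitimate third parties (a vendor whose domain happens to contain the brand name), so pair it with an allowlist of known senders and with SPF/DKIM alignment checks rather than acting on it alone.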

The theory I heard worked in the other direction: if we assume scammers have a finite amount of time, it could be in their interest to minimize the amount of "likely good targets" in order to increase the amount of "very likely good targets". So all those untapped potential targets are just too similar to non-good targets for them to discriminate effectively, leaving them so far focused on the lower-hanging fruit.

I mean, with Google Translate, spellcheckers, etc., improving all the time, at least some of those messages should have been improving as well, no? If their grammar has not improved at all during the last decade, then there might be a hint of truth to the theory.

If we assume that scammers live in the developing world, their time is almost certainly not valued so highly that having a few more responses to copy/paste unanswered requests for payment to is worth their bulk email losing a single wealthy Westerner who's trusting and unworldly but also a stickler for good grammar (or has a spam filter that knows a lot more about Nigerian princes than they do). I've seen in-person scammers in the developing world continue to waste their own time trying to reel me in even after I've told them I'm familiar with that type of scam and failed to turn up for suggested meetups, and it's not like I was the only white person in Jaipur...

There are often horrible spelling and grammar and composition errors leading to phishing pages which involve zero further input on the spammer's part to collect valuable data too.

Scam companies tend to hire those who either couldn't or didn't invest in a personal career. Some of these also have a gift for persuasion (to other locals) so they just go for it with what they have.

Once you start getting into the mindset of investing time for learning and development of skills, then it's just easier, safer and more profitable to go the legit way.

I think all of the obvious scam emails are part of what makes the higher effort scams so much more effective. People (myself included) are used to being easily able to spot the scams so aren't naturally wary when seeing emails that don't have those obvious indicators.
I'm not sure it's the case with the type of scam that the article is talking about. Phishing credentials and getting people on the phone to buy gift cards and transfer money require a vastly different approach I suppose.

https://www.youtube.com/watch?v=18bovtIlrpI

Skip through the hot parts of the video per the graph and just see how the scam actually works, and I think that for all the social engineering steps required and the sheer amount of time spent on the phone, most people would just give up even if they maybe fell for the initial well designed email.

I don't really want to speculate on the spelling/email of scam emails as I think, short of some reporter just finding a spam-house and asking, it will all be senseless speculation. The article has plausible theories, but they might very well be specious. I don't buy that it's due to poor English skills, as spellchecks are plentiful and I have no doubt that the spam-houses could easily pirate older copies of Word and get a decent-looking email.

Similarly, if it was effective, I have to imagine that this is the format they'd pick.

The simplest explanations of the poorly formatted/written emails and chats for me are:

1. The targets that have the highest chance of success don't care about the emails

2. The formatting of the initial emails doesn't impact the scam in a significant way

From a more personal perspective and the people I know who continued with the scam past its initial stages, they didn't pay attention to the formatting, just the general idea behind the message was more their concern. The IRS scams, giftcard scams, etc, put some sort of pressure on the people in a way that they truly stopped thinking about the content and were more worried about the idea behind the message: they would get in trouble if they didn't comply, and the financial concerns were the driving force.

> Because most scammers are operating from the developing world and don’t have great English.

Wait until they discover ChatGPT, problem solved.