B Rosen via Flickr

Scammers often say they're from Nigeria and that they need your monetary help. But why Nigeria? Cormac Herley of Microsoft Research looked at why scammers say they're from Nigeria. Here's his explanation, in his own words.

Comical is advantageous
B Rosen via Flickr

"Far-fetched tales of West African riches strike most as comical. Our analysis suggests that is an advantage to the attacker, not a disadvantage. Since his attack has a low density of victims the Nigerian scammer has an over-riding need to reduce false positives.

"By sending an email that repels all but the most gullible, the scammer gets the most promising marks to self-select, and tilts the true to false positive ratio in his favor."

Attackers have false positives too (part 1)
Mike_hcg via Flickr

"False positives have a long history of plaguing security systems. They have always been a challenge in behavioral analysis, and anomaly and intrusion detection. A force-fed diet of false positives has habituated users to ignore security warnings.

"In 2010 a single false positive caused the McAfee anti-virus program to send millions of PCs into never-ending reboot cycles. The mischief is not limited to computer security.

"Different fields have different names for the inherent trade-off that classification brings. False alarms must be balanced against misses in radar, precision against recall in information retrieval, Type I against Type II errors in medicine and the fraud against the insult rate in banking."

Attackers have false positives too (part 2)

"Commonly one type of error must be traded off against the other. The relative costs of false positives and false negatives changes a great deal, so no single solution is applicable to all domains. Instead, the nature of the solution chosen depends on the problem specifics. In decisions on some types of surgery, such as, false positives (unnecessary surgery) are preferable to false negatives (necessary surgery not performed) since the latter can be far worse than the former for the patient.

"At the other extreme in deciding guilt in criminal cases it is often considered that false negatives (guilty person goes free) are more acceptable than false positives (innocent person sent to jail). In many domains determining to which of two classes something belongs is extremely hard, and errors of both kinds are inevitable."

Attacks are seldom free
KrisFricke via Flickr

"Malicious software can accomplish many things but few programs output cash. When the digital and physical worlds meet, it requires work.

"Odlyzko suggests that this frictional interface between online and off-line worlds explains why much potential harm goes unrealized. Turning digital contraband into goods and cash is not always easily automated.

"For example, each respondent to a Nigerian 419 email requires a large amount of interaction, as does the Facebook “stuck in London” scam."

Their credentials

"Credentials may be stolen by the millions, but emptying bank accounts requires recruiting and managing mules.

"The endgame of many attacks requires per-target effort. Thus when cost is non-zero each potential target represents an investment decision to an attacker. He invests effort in the hopes of payoff, but this decision is never flawless."

Victim distribution model

"The viability depends on the specific attack. For example, those who live in wealthier areas may be judged more likely to be viable under most attacks.

"Those who are C-level officers at large corporations might be more viable for elaborate industrial espionage or Advanced Persistent Threat attacks, etc. Those who have fallen for a Nigerian scam may be more likely to fall for the related “fraud funds recovery” scam."

Rich doesn't mean viable
Don Hankins via Flickr

"It is worth emphasizing that rich does not mean viable. There is little secret about who the richest people in the world are, but attacking the Forbes 100 list is not a sure path to wealth. To be viable the attacker must be able to successfully extract the money (or other resource he targets).

"For example, if an attacker gets keylogging malware on a user’s machine, harvests banking passwords but cannot irreversibly transfer money from the account this counts as a failure not a success. This is a cost to the attacker for no gain."

Attack model

"Our attacker risks two types of errors. Sometimes he will attack a non-viable user and gain nothing, sometimes he will decide not to attack a viable user. Thus he faces a binary classification problem.

"Every attack results in either a true positive (viable user found) or false positive (non-viable user found). Ideal classification requires that the attacker know exactly which users will repay effort and which will not, and never make the mistake of attacking unnecessarily or of leaving a viable target alone."

Attacking everyone

"Attacking at random has the same expected return as attacking everyone.

"In the special case where it costs nothing to attack, making a profit is easy so long as there are some viable victims. Profit is guaranteed so long as true positives give some gain. If false positives cost nothing, while false negatives mean lost income, there’s little point in restraint.

"If an attacker has infinite resources and places infinite value on each viable target he will attack everyone."

Optimal operating point

"For maximum profit, the attacker does not attempt to find all viable targets, he tries to find the most easily found ones. Pursuing the least-likely viable targets makes no sense if they cannot be easily distinguished from false positives."

Cataloging scams

"An examination of a web-site that catalogs scam emails shows that 51% mention Nigeria as the source of funds, with a further 34% mentioning Côte d’Ivoire, Burkina Faso, Ghana, Senegal or some other West African country.

"This finding is certainly supported by an analysis of the mail of this genre received by the author."

Why Africa?
Mike_hcg via Flickr

"Why so little imagination? Why don’t Nigerian scammers claim to be from Turkey, or Portugal or Switzerland or New Jersey? Stupidity is an unsatisfactory answer: the scam requires skill in manipulation, considerable inventiveness and mastery of a language that is non-native for a majority of Nigerians.

"It would seem odd that after lying about his gender, stolen millions, corrupt officials, wicked in-laws, near-death escapes and secret safety deposit boxes that it would fail to occur to the scammer to lie also about his location.

"That the collection point for the money is constrained to be in Nigeria doesn’t seem a plausible reason either. If the scam goes well, and the user is willing to send money, a collection point outside of Nigeria is surely not a problem if the amount is large enough."

The Nigerian scam
Wayan Vota via Flickr

"'Nigerian Scam' is one of five suggested auto-completes in a Google search for “Nigeria.” Thus, if the goal is to maximize response to the email campaign it would seem that mentioning “Nigeria” (a country that to many has become synonymous with scams) is counter-productive.

"One could hardly choose a worse place to claim to be from if the goal is to lure the unwary into email communication."

Zero cost
Tsvangirayi Mukwazhi, AP

"The scam involves an initial email campaign which has almost zero cost per recipient. Only when potential victims respond does the labor-intensive and costly effort of following up by email (and sometimes phone) begin. In this view everyone who enters into email communication with the scammer is “attacked” (i.e., engenders a cost greater than zero).

"Of these, those who go the whole distance and eventually send money are true positives, while those who realize that it is a scam and back out at some point are false positives."

The attack

"If we assume that the scammer enters into email conversation (i.e., attacks) almost everyone who responds, his main opportunity to separate viable from non-viable users is the wording of the original email.

"If the goal is to attack as many people as possible, then the email should be designed to lure as many as possible. However, we’ve seen that attacking the maximum number of people does not maximize profit. Operating at the OOP involves attacking only the most likely targets.

"Who are the most likely targets for a Nigerian scammer? Since the scam is entirely one of manipulation he would like to attack (i.e., enter into correspondence with) only those who are most gullible. They also need, of course, to have money and an absence of any factors that would prevent them from following through all the way to sending money."


"Since gullibility is unobservable, the best strategy is to get those who possess this quality to self-identify.

"An email with tales of fabulous amounts of money and West African corruption will strike all but the most gullible as bizarre. It will be recognized and ignored by anyone who has been using the Internet long enough to have seen it several times.

"It will be figured out by anyone savvy enough to use a search engine and follow up on the auto-complete suggestions such. It won’t be pursued by anyone who consults sensible family or friends, or who reads any of the advice banks and money transfer agencies make available. Those who remain are the scammers' ideal targets.

"They represent a tiny subset of the overall population. In the language of our analysis the density of viable victims, d, is very low: perhaps 1-in-10,000 or 1-in-100,000 or fewer will fall for this scam."

Victim density

"As we’ve seen at low victim densities the attack/don’t attack decisions must be extremely conservative.

"If only 0.00001% of the population is viable then mistakenly attacking even a small portion of the 99.999% of the population that is non-viable destroys profit. The initial email is effectively the attacker’s classifier: it determines who responds, and thus who the scammer attacks (i.e., enters into email conversation with).

"The goal of the email is not so much to attract viable users as to repel the non-viable ones, who greatly outnumber them. Failure to repel all but a tiny fraction of non-viable users will make the scheme unprofitable."


"The mirth which the fabulous tales of Nigerian scam emails provoke suggests that it is mostly successful in this regard.

"A less outlandish wording that did not mention Nigeria would almost certainly gather more total responses and more viable responses, but would yield lower overall profit.

"Recall that viability requires that the scammer actually extract money from the victim: those who are fooled for a while, but then figure it out, or who balk at the last hurdle are precisely the expensive false positives that the scammer must deter."
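The attack model, the attacking-everyone case, the optimal operating point, the zero-cost email campaign and the victim-density argument quoted above can all be checked with a small expected-profit calculation. The Python below is an added example, not code from Herley's paper or from this article. It treats the initial email as a classifier with an assumed true-positive rate (viable recipients who respond) and false-positive rate (non-viable recipients who respond, consume follow-up effort, then back out); the population size, gain per victim, follow-up cost and response rates are all constructed assumptions, not figures from the paper.

```python
"""Expected-profit model of the scammer's target-selection problem.

Added example, not code from Herley's paper or from the article: the
initial email is treated as a binary classifier over the recipient
population, and a "plausible" wording is compared with an "outlandish"
one at different viable-victim densities. Every number below
(population size, gain, follow-up cost, response rates) is a constructed
illustrative assumption, not a figure from the paper.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Wording:
    """An email wording, seen as a classifier of who writes back.

    tpr: fraction of viable recipients (those who will eventually pay)
         who respond to this wording
    fpr: fraction of non-viable recipients who respond, must be handled
         by hand, and then back out: the costly false positives
    """
    name: str
    tpr: float
    fpr: float


# Constructed wordings (assumed response rates, not measured ones).
PLAUSIBLE = Wording("plausible, no Nigeria", tpr=0.90, fpr=0.0100)
OUTLANDISH = Wording("outlandish Nigerian tale", tpr=0.50, fpr=0.0001)
EVERYONE = Wording("attack everyone", tpr=1.0, fpr=1.0)


def expected_profit(w: Wording, population: int, density: float,
                    gain: float, cost: float) -> float:
    """Expected profit of following up with everyone who responds to `w`.

    density: fraction d of the population that is viable
    gain:    payoff G from each true positive (a victim who pays)
    cost:    per-responder follow-up cost C (emails, calls), paid for
             true and false positives alike
    profit = N * [ d*tpr*G - (d*tpr + (1-d)*fpr) * C ]
    """
    viable = population * density
    nonviable = population - viable
    true_pos = viable * w.tpr
    false_pos = nonviable * w.fpr
    return true_pos * gain - (true_pos + false_pos) * cost


def best_wording(wordings, population, density, gain, cost) -> Wording:
    """The wording with the highest expected profit at this density."""
    return max(wordings,
               key=lambda w: expected_profit(w, population, density, gain, cost))


def break_even_density(w: Wording, gain: float, cost: float) -> float:
    """Smallest viable density d at which `w` still breaks even.

    Setting per-recipient profit to zero and solving for d gives
    d = fpr*C / (tpr*(G - C) + fpr*C); requires G > C.
    """
    return w.fpr * cost / (w.tpr * (gain - cost) + w.fpr * cost)


def profit_table(population=1_000_000, gain=2_000.0, cost=50.0,
                 densities=(0.05, 1e-3, 1e-4, 1e-5)):
    """Profit of each wording across densities, as {density: {name: profit}}."""
    table = {}
    for d in densities:
        table[d] = {w.name: expected_profit(w, population, d, gain, cost)
                    for w in (PLAUSIBLE, OUTLANDISH, EVERYONE)}
    return table


if __name__ == "__main__":
    for d, row in profit_table().items():
        print(f"viable density {d:g}:")
        for name, profit in row.items():
            print(f"  {name:<26} {profit:>16,.0f}")
    for w in (PLAUSIBLE, OUTLANDISH):
        print(f"{w.name}: breaks even above 1-in-"
              f"{1 / break_even_density(w, 2_000.0, 50.0):,.0f}")
```

Running it shows the two regimes the quotations describe. With a positive follow-up cost and a viable density near 1-in-10,000, the plausible wording draws more viable responders yet loses money on its far larger number of false positives, while the outlandish wording stays profitable; at a high density the plausible wording wins instead. With zero follow-up cost, attacking everyone dominates every wording, which is the "Attacking everyone" case. `break_even_density` returns the density below which a wording stops paying, the sensitivity to d that the "Victim density" section emphasizes: under these assumed rates the plausible wording needs roughly 1 viable recipient in 3,500, the outlandish one roughly 1 in 195,000.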

Attack decisions
Don Hankins via Flickr

"We explore attack decisions as binary classification problems. This surfaces the fundamental tradeoff that an attacker must make.

"To maximize profit an attacker will not pursue all viable users, but must balance the gain from true positives against the cost of false positives.

"We show how this difficulty allows many viable victims to escape harm. This difficulty increases dramatically as the density of viable victims in the population decreases."


"Thinking like an attacker is a skill rightly valued among defenders. It helps expose vulnerabilities and brings poor assumptions to light.

"We suggest that thinking like an attacker does not end when a hole is found, but must continue (as an attacker would continue) in determining how the hole can be monetized.

"Attacking as a business must identify targets, and this is easy only if we believe that attackers have solved a problem that has vexed multiple communities for decades."