Summary to Crimes of the Internet

S2-72 Crimes of the Internet: Part 2, Ch. 11 Provide a 275-word summary to Crimes of the Internet: Part 2, Ch. 11 attached to order, “You Can’t Cheat an Honest Man: Making ($$$s and) Sense of the Nigerian E-mail Scams.” Cite references as per APA guidelines. You Can’t Cheat an Honest Man: Making ($$$s and) Sense of the Nigerian E-mail Scams Adam King and Jim Thomas Northern Illinois University Adam King, Ph.D., is an assistant professor at Northern Illinois University, where he primarily studies social psychology, culture, and information technology. He welcomes comments and questions at: [email protected]. Dr. King holds a Ph.D. in sociology from Indiana University. Jim Thomas, Ph.D., emeritus professor in sociology/criminology at Northern Illinois University, specializes in research on cultures of marginalized groups, including computer hackers, prisoners, and Internet subcultures. Dr. Thomas holds a Ph.D. in sociology from Michigan State University. His teaching focus includes corrections, social theory, and ethnographic research ethics and methods. He is currently completing two monographs: Revisiting Critical Ethnography (Sage, 2008) and Communicating Prison Culture (in progress). Abstract The Nigerian e-mail scam, although neither the most costly nor the most frequent Internet crime, remains the most ubiquitous and well known of all cyber crimes. Although many Internet service providers utilize spam filters, randomly generated solicitations reach an estimated 10 million recipients worldwide each day. Many suggest that those who fall prey to such scams are naïve and gullible whereas we suggest otherwise. We introduce affect control theory (ACT) to describe how Nigerian con artists are able to elicit desired behaviors in their victims by blocking the normal inhibitors to such con games. Victimization statistics indicate that the scam has cost victims worldwide over $28 billion since its inception. To accomplish such a task, the scammers create a compelling and believable intellectual narrative to overcome the doubts of their victims using persuasive, yet manipulative tactics. Introduction It begins with an e-mail, one with a plaintive subject heading and a return address that you do not recognize. The author of the e-mail purports to be a former member of the Nigerian royal family (or banking official or terminally ill Christian). Due to ongoing civil unrest (or imminent death from cancer, or impending persecution), the author must surreptitiously move a large sum of money out of the country. After searching the Internet for a reliable partner, the author has selected you as the most trustworthy. As a reward for your help, you will receive a surprisingly large portion of the total amount, millions of dollars. If you continue the communication with the author, you eventually will be asked for personal banking information. If you are “lucky,” not long after providing the requested information (and often additional money to cover “transfer fees” or “legal expenses”), your checking account is cleared out and your refugee vanishes with your money. If you are less fortunate, your checking account is left alone, but a long series of follow-up demands for advance payments begins, leading you to liquidate assets, borrow money, and you may even be asked to make a hasty flight to Africa in order to obtain the payday lying just beyond your reach. You have just been made a victim of the Nigerian 419 scam. The Nigerian scam is neither the most costly nor the most frequent Internet crime. More common forms include auction fraud, which accounts for about 63 percent of reported incidents and 42 percent of financial losses, and nondelivery of goods, which accounts for 16 percent of reported crimes and 15 percent of the losses. However, the Nigerian e-mail scam, despite constituting less than 1 percent of reported Internet fraud complaints and only 2.7 percent of reported financial losses in 2005 (ICCC 2007), remains the most ubiquitous and well known of all cyber crimes. Although many Internet service providers have spam filters that keep most such solicitations out of users’ mailboxes, the sheer volume of the randomly generated solicitations results in them reaching an extremely conservative estimate of over 10 million recipients worldwide each day. There has been no lack of commentary on the Nigerian scam both in the academic literature and in the popular media. However, many of these accounts are built on the assumption that victims fall prey to the scam because they are ignorant, naïve, or simply greedy. We suggest that neither gullibility nor stupidity is an adequate explanation for the growing success of the Nigerian scams, nor—by extension—to the success of con games in general. Instead, we build on previous work in affect control theory (ACT) to describe how Nigerian con artists are able to elicit desired behaviors in their victims by creating an affective scenario that blocks the normal inhibitors that normally raise a caution flag in everyday social interactions. We describe common variants of the Nigerian e-mails and then examine how the common threads of these e-mails are built on the affective symbolic foundations underlying everyday social life. Background Between 1990 and 2006, the number of people with Internet access exploded from 13.5 million worldwide to 1.1 billion (Global Policy Forum 2003; Minwatts Marketing Group 2007). As with any new frontier, as the population of cyberspace expanded, hustlers and con artists followed, and the Internet has become fertile ground for a new breed of international electronic con artists. The Nigerian scam and others like it typify how crimes that require interaction face-to-face are easily imported into the digital world. The Nigerian 419 scam, named after the section of the Nigerian Criminal Code devoted to it (ICNL 2007), provides a dramatic and visible example of a successful Internet scam. Also known as an “advance fee fraud” (AFF) because it requires the victim to pay the scammer in advance with the promise of obtaining seemingly lucrative rewards later, it is hardly new. Variants date back nearly 900 years (re-quest.net 2007) and became more fully developed in the sixteenth century as the “Spanish Prisoner Scam.” Purists might argue that the Nigerian AFF scam is not a true cyber crime, because it primarily uses e-mail to make contact and then shifts to more traditional forms of communication such as telephone and fax. However, we categorize it as a cyber crime because the initial computer-based e-mail and spam-generated outreach are required for the critical first contact, and details of credibility are often supplied through Internet-based interaction. In 2006, most perpetrators of AFF Internet scams, about 97 percent, were based in Nigeria (UAGI 2007). In addition, many other online schemes are also Nigerian-based: Ultrascan Advanced Global Investigations (UAGI 2007) estimates that 95 percent of Internet lottery fraud and 76 percent of Internet check fraud solicitations are of Nigerian origin. Despite increased media visibility, online warnings, FBI, and Secret Service alerts, and growing awareness among computer users as to the dangers of these scams, both the frequency of victimization and the dollar amounts lost continue to increase dramatically. Between 2005 and 2006 in the United States, reported financial losses increased by 8 percent. One reason why Nigeria became a base for Internet scammers lies in the nation’s politics and economy. For decades, the Nigerian government was considered one of the most corrupt in the world. Because government officials profited both directly through bribes and indirectly through the influx of foreign currency, there was little incentive to impede the lucrative scams and every incentive to nurture them. When a new democratically elected government assumed power in 1999, one of the first goals was to reduce corruption. Although the current government in Nigeria has begun cooperating with other countries in combating the scam, decades of corruption in which government officials and other participants have created a “culture of larceny” neither quickly nor easily altered (Ribadu 2006). Although there may be freelancing individuals who initiate contact and solicit information, the scammers generally work in small teams with a specialized division of labor. Unlike con artists who hope for a quick score by taking their gain in a single transaction, called “short cons,” Nigerian scammers work on a long con, one designed to play out over time and gradually deplete a victim’s resources. Contrary to public perceptions, the goal of most Nigerian AFF scam variants is not to simply empty a bank account by immediately obtaining financial information as some other scams do: It is also a misconception that the victim’s bank account is requested so the culprit can plunder it—this is not the primary reason for the account request—merely a signal they have hooked another victim. (United States Secret Service n.d.) Rather than a “quick score,” the scammers intend to draw increasingly large sums from the victim, who is manipulated into seeking additional sources of funds to supply them. The life cycle of the relationship between the scammer and the victim can drag out for months, and the permutations, diagramed as a flowchart, can be complex (.NExT 2007). The U.S. Secret Service (n.d.) adds that, if carried to the conclusion, the victim often will be enticed to come to Nigeria for the final financial coup de grace. The seductive lure of the long con has been demonstrated a number of times in popular fiction. Train’s (1910) short story provides a rich illustration of how a seemingly wealthy, well intentioned, and savvy victim was drawn into the Spanish Prisoner con. Believing he could secure the release of a political prisoner held by the king, the victim would—for a small investment to cover costs—receive a handsome reward and a beautiful young woman in matrimony. Instead, the scheme snared the victim in a beautiful mess after he complied with continued requests for money to meet continuous “unexpected problems.” In the end, he was forcibly robbed of the entire sum that he, and other investors he innocently drew into the plot, had collected. The Spanish Prisoner scam has been around for several hundred years, and the Nigerian AFF scam operates in much the same way, enticing the victims to gradually increasing their investment and into accessing an ever-widening pool of funds obtained from a growing number and variety of sources. The Nigerian scam predates the Internet, dating back at least to the 1970s as a mail fraud scheme targeting especially small businesses (UAGI 2007), and one author of this paper received periodic Nigerian-based hardcopy solicitations over conventional postal mail as late as the 1990s. However, with the growth of the Internet in industrialized countries, it has become a predominantly online epidemic especially since 2000. The scam has many variants, but they all share the same basic characteristics. First, a large sum of money becomes available because of a tragic event. Often, the event will be specific, such as a plane crash, major catastrophe (World Trade Center in 2001 or the 2004 Indonesian tsunami), an auto accident, political strife, or a fatal disease. Legitimate names of the wealthy victim may also be included. This allows the scammer to provide a URL link to a legitimate source that “confirms” both the incident and the actual death, providing initial credibility. Second, the scammer reports that the money remains unclaimed and provides a reason why haste is needed in order to claim it, and secrecy must be maintained to protect the project. Third, a reason for the need to expedite the transfer, usually because of political unrest or a looming deadline in which the money reverts to the bank or the government, adds a sense of urgency to the transaction. Fourth, the scammer invariably implies that the transaction needs help from a “foreigner” in order to skirt laws, outwit others who are also after the funds, or to avoid disclosure that the “fortune” exists. This underscores the compelling requirement of secrecy. Finally comes the direct attempt to establish direct personal contact between the scammer and the recipient. Occasionally, this may be a direct request for information, including personal details and bank account number and bank’s routing number. However, in most variants, the scammer initially requests only a reply, which can lead to extended, even comic, e-mail exchanges or phone calls (Sturgeon 2003). On occasion, the e-mails will include attachments containing pictures or other information to enhance credibility. However, the attachments may also contain malware that includes spyware or worms capable of extracting the recipients e-mail address book or allows the users’ PC to be used to relay future e-mails through a legitimate system. Given the improbable scenarios, the seemingly random good fortune of being the beneficiary of such largesse, and the often stunning illiteracy of the solicitation, it might seem unlikely that any Internet users, presumably people with some sophistication and basic literacy skills, would fall prey to the scams. At least, it would seem that, with the increasing visibility and awareness of the scam, the prevalence of victimization would decrease. Yet, victimization increases. One international firm that provides approximations of Nigerian AFF activity acknowledges that there are no reliable victimization statistics (UAGI 2007). All such figures are, at best, rough estimates for several reasons. First, the scam is international, and there is no centralized data source to provide an accurate accounting of those who have lost money. Second, as with all types of fraud, the complaints to authorities represent a small fraction of victims. An estimated 90 percent of fraud victimization goes unreported, and this may be even higher for Internet fraud. Third, the scam can take months to unfold, and much longer before the victim realizes what occurred. How successful is the scam? One Secret Service investigator suggested that 1 percent of those who receive the solicitation in the United States respond at least once (Emery 2002). This estimate may be inflated, but with millions of solicitations sent out daily, if only one person in 10,000 responded, that still leaves 1,000 potential victims for every one million solicitations. With an average loss in the United States of $5,000 per victim, the potential profits are astronomical. Data compiled by Ultrascan Advanced Global Investigations (UAGI), the most comprehensive source for Nigerian AFF victimization statistics, indicate that the scam has cost victims worldwide over $28 billion since its inception, and in 2006 alone cost over $3.8 billion (UAGI 2007). Why does this scam remain so lucrative that, according to one 2007 estimate, there are over 300,000 perpetrators worldwide, a number growing at a rate of about 3 percent annually (UAGI 2007)? Longtime Internet commentator Jerry Pournelle (2001) has suggested a tongue-in-cheek explanation for the success of the scam by asking: “What percentage of the US adult population is (a) far dumber than average, (b) greedy, and (c) has an email account?” He concludes that, by creating a population “two standard deviations below the norm” as a base population and from it culling those with an e-mail account who are greedy, this leaves more than 10,000 likely victims. However tempting his hypothesis, we suggest that the explanation is more complex. While a touch of avarice and an e-mail account are prerequisites, we argue that stupidity is neither a necessary nor sufficient explanatory factor. Theoretical Framework We cannot, of course, know the inner motives, emotional state, or intellectual prowess of victims of the Nigerian AFF scams. However, a casual search of media stories and court cases suggests that “stupidity” does not provide a useful explanation for victimization, as victims are often well educated and quite successful in other intellectual arenas despite falling for such a seemingly obvious scam. The only two things that our nonrandom reading of victims’ accounts revealed is that the victims shared two primary characteristics, neither of them stupidity. First, they had an e-mail account. Second, they were enticed by a large sum of money with no credible explanation of the source. Some victims succumbed to this unusual circumstance because of greed, others out of well-intended concern to help somebody in need, but few, if any, seemed to succumb due to any overt mental defect. There is a third characteristic victims shared, one basic to most social interaction: They engaged in a form of communicative activity that entailed a process of information exchange containing an explicit affective component. Because Nigerian AFF scam teams are well organized and attempt to tailor their narratives to appeal to specific affective states, they can cast a wide net that increases the probability of finding the right affective key to unlock the barriers that would ordinarily alert the wary and otherwise intelligent targets. By examining the affective content of e-mails, we can begin to tease out how the rhetoric of Nigerian e-mails produces affective frames that make the e-mails effective even when they are dealing with smart people. Goffman, Cons, and “Expression Gaming” The Nigerian scam is not intended as a one-hit mugging, but rather as a sustained interaction in which the target becomes increasingly enmeshed into the plot as a willing partner, drawn in by the scammer’s ability to manipulate a narrative and establish rapport and trust without giving away the game. Goffman’s (1969) rather cynical view of interaction as a dance of secrets illustrates a key ploy in establishing the necessary affective bond between victim and the mark. Goffman contends that every social situation contains elements of information control, in which participants have something to gain by manipulating the process by revealing, tailoring, concealing, or fabricating information, which, he says, makes us all a bit like “secret agents” (Goffman 1952, 81). He calls this “expression gaming.” The control of information generates different types of secrets that must be team-managed in the dance of information control. The participants team up in a secrecy-managing expression game in which the players manipulate the secrets both to the outside world and to individual players. This conspiracy in secrets establishes a seemingly shared affective bond while simultaneously serving to prevent the potential mark from obtaining external information that might reveal the con. Goffman’s conception of the “mark” refers to an intended victim in a plan of illegal exploitation. A scammer obviously does not send out invitations inviting others to be a mark. In a “short con,” the scammer intends a short period of interaction in which the scammer hopes to make off with the mark’s money in a one-time interaction. The pigeon drop, dramatized in the opening scenes of the movie The Sting, illustrates this. Robert Redford and Paul Newman were two street hustlers who convinced a mark to give up a sum of money for the promise of even more money. The premise of a short con, such as the pigeon drop, is that the mark is willing to engage in illegal exploitation of another by working with one scammer to seemingly steal money from another person who is the scammer’s secret accomplice. Both the scammer and accomplice disappear, leaving the mark with a bag of shredded paper instead of money. The Nigerian scam, by contrast, is a “long con,” which is intended to keep the mark on the hook for as long as possible in order to gradually drain the mark of resources. In a long con, the mark must be carefully groomed from the beginning, first with a lure and set-up, next with the actual exploitation, and finally with the breaking off of the game. Because the long con requires sustained interaction and steady depletion of the mark’s resources, the initial lure and set-up are critical to establishing the context to provide a credible framework that will justify subsequent exploitation and reduce the mark’s suspicion. Therefore, the narrative of the lure must include a complex set of threads that can be woven into an explanatory tapestry that calms the mark at the onset and keeps the money flowing once the tap has been turned in. One way that this occurs in the Nigerian scam is by a narrative lure that contains a strong affective component that simultaneously anticipates and defuses suspicion by portraying the scam as a set of shared secrets that can be manipulated for financial gain. Affective Control Theory Affect control theory (ACT) (Heise 2007, 1979; Smith-Lovin and Heise 1988) offers a fruitful way to examine the symbolic lures used by Nigerian scammers to create a credible narrative to hook potential victims into prolonged bleeding for a long con. The underlying ACT premise is that the rhetoric of Nigerian scam e-mails taps the affective (emotional) sentiments and cultural meaning structures with sufficient credibility to sustain the scam. The affective nature of the e-mail narratives also contributes to the longevity of the continued success of the con. ACT provides a lens into how cultural affective meanings are manipulated and presented as a framework of shared secrets and conspiracy that lure people into the electronic equivalent of buying the Brooklyn Bridge and then paying for its maintenance. Based on the measurement work of Charles Osgood et al. (1969, 1975), ACT argues that people process and act on cultural meanings in ways that confirm their affective sentiments toward familiar things, including their sentiments toward their behaviors, social location, and identities. When the components of a situation do not match their previous emotional sentiments toward them, people will attempt to take corrective action to reframe the situation to one that is more compatible with their preexisting emotional sentiments. For example, when someone who is normally associated with positive sentiments does something evil (e.g., a father is observed hitting a child), the observer will try to resolve the affective dissonance by either recasting the situation (the father is punishing the child, not beating him) or by taking another corrective action to restore the balance (the father is labeled as a criminal and sent to jail). An ACT approach would frame Nigerian scams as an achievement of social engineering, one that allows deceptive expression gaming by manipulating a narrative lure to capitalize on preexisting affective sentiments. This manipulation and the corresponding definition of the situation build on the affective structure laid out in the e-mail narrative of the initial solicitation, and through it, the scammer can make handing over money appear as a rational and inevitable course of action. Thus, the initial solicitation is crucial to the scam, because it sets the stage and provides the affective logic for the subsequent playing out of the game. Method Our data draw from 4,893 different Nigerian scam e-mails collected between January 2002 and March 2007. For parsimony, we excluded from this database other AFF schemes such as lotteries, false job offers, and other lures that do not share the standard Nigerian AFF motif. Our data totaled over 180 Megabytes, but about 80 percent of that included large binary attachments. Although we opened few attachments, a scan of their contents indicated that they were often malware intended to use the recipient’s PC as a proxy server, provided jpgs or other graphics files presumably in support of the narrative, or were text files with instructions, “evidence” of the truth of the narrative, or additional instructions or forms. The e-mails were received on nine different e-mail accounts on six different servers in four states. In addition, one author, a Unix system administrator on two university servers, examined daily spam logs that identified and filtered the servers generating the most egregious sources of all spam, including scam-spam. A preliminary examination of the originating addresses of the Nigerian AFF e-mails suggests that, unlike previous years, in the last few years the originating address was not forged or “spoofed.” Instead, the addresses of the sender were legitimate. About 80 percent in our database originated from an eastern European or Asian country. This probably occurs because the scammers need a stable address in order to communicate with potential victims over a period of weeks or months. We also drew from additional Nigerian AFF posts on urgentmessage.org (available at: http://www.urgent.org, accessed October 24, 2007), a homepage that provides an extensive database of Nigerian scam and related e-mails. Because the e-mails were sent automatically and randomly to a vast number of potential victims, there is little reason to believe that the examples in our data are atypical or significantly different from other Nigerian scam e-mail solicitations. As other researchers have indicated (Kich 2005), although Nigerian scam e-mails vary considerably in minor details, their basic structure is formulaic and generally homogenous. This comprehensive body of e-mail sent to diverse accounts provides an accurate and reliable picture of the consistency of the narratives. This analysis also draws from a semantic “dictionary,” a database of 300 common concepts and affective sentiment ratings assigned to them by American college students in 2003 (Heise 2007). Analysis of the affective sentiments of Internet users has demonstrated that Internet users develop strong and nuanced affective sentiments toward online-only identities, settings, and behaviors (King 2001). Like affective sentiments held toward offline phenomena, the sentiments of Internet users form a meaning system that motivates and regulates their online interactions. To examine the affective sequences that are played out in the Nigerian AFF e-mails, concepts matching the tone and content of the e-mails in our e-mail database are compared to those in the 2003 semantic dictionary as a means of assessing the affective weight of sentiments associated with phrases, words, or motifs in online messaging. For example, in one common step in Nigerian scam e-mails, the scammer self-describes as a prestigious or important business person or functionary (VIP) and suggests a business deal. Drawing from the 2003 affective dictionary of status terms, the affective concept ratings of “VIP,” “businessman,” and the action of “doing business” are high status and powerful images that enhance a narrative suggesting exciting and exclusive dealings. Although we do not attribute affective responses to the recipients of AFF e-mails, we suggest that they represent a reasonable approximation of the emotional content that persuasively frames the lure. Because scammers do not know in advance who will be receiving their pitch, they must cast a wide narrative net and construct a message that they believe will be substantially persuasive in tapping the affectivity that corresponds to meanings that are culturally relevant in the recipients’ culture. In this paper, we focus only in U.S. culture. Analysis