During childhood, I remember the excitement of getting my name as an email. Felt like an early adopter without the Product Hunt. The rat race back then was in storage space. We used to switch emails like mobiles. People felt unique email addresses were part of their identity (just on the verge of getting it tattooed).
The concept of inbox zero would sound like a joke. We were waiting for emails to pop up. Refreshing the inbox every morning (now I am getting paid to do this). Some of my cousins would email me heavy pics (a few hundred KB) from first world countries and I would download them on a dial-up connection. It was fun.
Then I started getting emails from random people. And things got serious. Maybe I was getting popular. These emails were full of typos, random colours and weird jargon words. Like a text version of TikTok (mixing anything to get my attention). You would immediately conclude something's wrong. These were scammers trying to steal my bank and credit card details.
I always wondered who would write such emails. As if scammers were not focusing on their work. They were of such low quality. They need to have QA teams. Why are they not working on UX? At least install Grammarly like me!
They would be fools to believe that someone would respond to such emails. A Nigerian Prince wants to donate a million dollars. At least put a legitimate country like Singapore. They failed at writing engaging content. They did the opposite of everything that is preached about good writing. Maybe they were the MVP of scam emails.
I always felt like a genius as I could hunt down the emails that escaped sophisticated spam filters. It felt like these people were looking for failures (managers doing coding).
Then I came across this Microsoft Research paper from Cormac Herley and it all made sense.
This is a two-step attack:
- Send emails to
- Do follow-up conversations with ~~victims~~ potential clients who responded
The first part is relatively cheap: you can send emails in bulk for a few cents. However, the second step is costly. Having conversations with victims is a time-consuming process. So if you have a lot of false positives at step two, the whole scam venture will be neither profitable nor scalable. It is the issue almost every product owner faces when they target the wrong audience: the cost of acquiring a new customer is higher than the value of the product.
Like a good product owner, you would define your audience (dangerously optimistic grandparents). Then target that niche. Now, these scammers don't have access to Google AdWords or Facebook campaigns. They can't fill in a form and set a bid to reach such an audience.
So they designed the whole process on their own and crafted an email that acts as THE filter. Only the niche will seep through. They added all the hints that any sane person would immediately pick up on before ignoring the email.
- Prince (that too in Nigeria) donating millions
- Stranger disclosing sensitive details
- Content full of typos
- Asking for sensitive information
- Weird formatting of email and colours
Their first step was not designed to lure, but to repel the smart people. It was a great litmus test. A funnel where only the relevant audience reaches the product (the dream of every product owner). They wanted to filter out all the people who could smell this scam. If someone responds after so many hints have been dropped, then the scammers have almost a sure shot at success. In short, they found their potential customer!
No expensive data analytics, no R&D work, no technical moat. Just a man who hacked human psychology and built the ultimate Product Market Fit strategy.