Why Grammar Counts in Decoding Phished Emails

When it comes to crafting the “best” phishing scam email, it has been assumed over the years that the less polished the letter, the better. Something that is poorly worded, or that purposely uses bad syntax and grammar, tends to eliminate the sharper-eyed readers who probably wouldn’t respond to the phish anyway. This way the phisher ensures that only the most gullible users end up getting snared. The bad grammar also makes the emails seem more authentic, as each appears to be a personal letter written by a foreigner who isn’t completely fluent rather than by a criminal trying to steal your identity or bank account information.

As Wired magazine wrote about this topic more than a decade ago: “this language evokes someone who is 'educated, upper-class, out of touch with the common people.'” The Wired piece goes on to describe the nature of how these email scams are constructed and how they use long, complex sentences to draw in their marks.

Another post on Quora said: “The goal of the emails is to get you to write back and reveal some information about yourself. They don't expect you to believe the letter at first. They only expect you to be curious and to start communicating. Once they get a conversation going, the scam is on.”

Microsoft Research published an academic paper on this subject three years ago that takes this analysis a step further: “By sending an email that repels all but the most gullible, the scammer gets the most promising marks to self-select.”

However, the tide may be turning, and finally grammarians might be gaining the upper hand. A new theory is that correct grammar gets better results these days. Leave it to the French to lead the way here. Some criminals are advertising on the dark web for editors to clean up their copy. According to security experts who study these trends, “This is the first time we have seen a direct advertisement for a job in the underground” that is called a “cleaner.” The want ad asks for people who can help edit copy, correct spelling and other mistakes. Oh, and by the way: you will be paid in stolen credit card numbers or other stolen goods, just in case you have any doubt that you are working for cyber criminals. As they say in the advertisement, “Ecrivez-vous français parfaitement?”

One possible reason for hiring an editor is the complexity of written French: its tenses and verb conjugations are legion. (I studied the language myself for many years in primary school and can attest to this issue personally.) Another reason could be to differentiate your phishing from others, in hopes of gaining market share from your fellow criminals.

Or it could all be a hoax; it is hard to tell. The same security expert says, “The French sometimes conduct business differently and have unique solutions to their cybercriminal business challenges.” Still, this ad stands out as unique in their research. In any event, phishing has certainly gotten more sophisticated since that first Wired article, and you can chalk up the grammar cleaners as yet another development.

