Play Live Radio
Next Up:
0:00
0:00
0:00 0:00
Available On Air Stations

The Language Of Cybercrime

Intercepted emails between a scammer and a victim.
Martin Kaste
Intercepted emails between a scammer and a victim.

Scammers are always looking for more effective words. Most Americans have learned to be on their guard, and they're likely to suspect an overly aggressive phishing phone call from a fake credit card customer service agent speaking accented English.

One solution is digitized voices. There's still a live person on the other end of the call, but he isn't talking. Instead, he's playing audio from a computer, picking prerecorded phrases from a menu as the conversation progresses.

It sounds convincing until you ask a question he doesn't have a canned response for. The resulting hesitations undermine the natural feel of the conversation.

Online scammers use a similar technique. When texting or emailing their marks, they often work from "scripts" of prewritten American English boilerplate. The most effective conversational gambits are saved and distributed to other scammers in the network, and they cut-and-paste the scripts into their grifts at crucial moments.

Ronnie Tokazowski, a senior threat researcher with email security company Agari, has been watching scammers building their scripts.

"Some of the scripts will say, 'If your victim doubts you here, say this,' " Tokazowski says. "We've seen upwards of 28 levels of engagement before your scammer has to work to come up with something [to say]."

He has also been in a position to intercept real conversations as scammers use their scripts on victims. He shared this one with NPR:

Don't see the graphic above? Click here.

In this romance scam, the bits of prepared script appear in a slightly different font, apparently because the scammer didn't take the time to strip out the formatting as he copied-and-pasted from his script. "I dropped a tear in the ocean, the day that I find it is the day I'll stop loving you," cloying as it seems, may have already worked on somebody else.

Tokazowski suspects the scammer was grooming this victim to become part of a larger cybercrime network, perhaps as a "money mule" — people who set up bank accounts to launder money scammed from other victims. But a few weeks later, things took a grim turn.

Don't see the graphic above? Click here.

"Whenever we find victims like this, we try to pass it over to law enforcement as quickly as we can," Tokazowski says. Unfortunately, in this exchange, he says, Agari didn't have enough information to identify the victim or find out how the scam ended. But he says the fact that the victim apparently attempted suicide, then kept talking to the scammer, illustrates the power of these scripts to get inside people's heads.

"People think [scam victims] are a dumb person who doesn't have the education to tell the difference between one thing or another," he says. "But they're hitting them on an even deeper emotional level than we currently understand right now."

Experts say scammers often seek to present themselves as their victims' best ally. Take this email, written by thieves who this year hacked multiple online accounts belonging to a businessman named Gregg Bennett. They made off with half a million dollars' worth of his bitcoin but were frustrated that they hadn't managed to get more. So still in control of some of his online accounts, they offered their hand in friendly extortion:

Don't see the graphic above? Click here.

Bennett ignored them and avoided further losses. But he still has to laugh at the gall of that helpful-sounding subject line.

Copyright 2021 NPR. To see more, visit https://www.npr.org.

Martin Kaste is a correspondent on NPR's National Desk. He covers law enforcement and privacy. He has been focused on police and use of force since before the 2014 protests in Ferguson, and that coverage led to the creation of NPR's Criminal Justice Collaborative.