September 22, 2004

Forensic syntax for spam detection

The spammers get cleverer all the time. The email I got from the address of my bank, Wells Fargo Bank, at a proper-looking commercial address ending wellsfargo.com, had the bank's official logo in the right colors (as you see it here: it appears to be served from a248.e.akamai.net/7/248/1856/bb61162e7a787f/ where there is a subdirectory called www.wellsfargo.com within which is a file with the relative pathname /img/header/logo_62sq.gif; the logo may be the actual genuine one, not an imitation as an earlier version of this post suggested). The email has the picture of the guys on the stagecoach and everything. The visual details are just about perfect. The message looked businesslike, it looked real. It appeared to even a fairly expert eye to come from my own bank. What it wanted was for me to visit a certain website where the bank's security system would just check a couple of details like my account number and mother's maiden name, and then it would confirm that things were now fine and I would be able to go on using my ATM card. The message began:

"During our regular update and verification of the Wells Fargo ATM Service®, we could not verify your current information. Either your information has been changed or incomplete, as a result your access to use our services has been limited. Please update your information."

But the spammers messed up. Their syntax let them down. Did you spot the two slips? It's bad luck for those recipients who didn't, because they'll believe this is the bank talking, and in many cases they'll click the link, and they'll answer the questions, and in the morning their checking balance will be $0.00 and their money will be in Africa or Taiwan or Poland or somewhere. You need to be sharp on your grammar to spot the crooks these days.

Look at the second sentence:

"Either your information has been changed or incomplete, as a result your access to use our services has been limited."

First, that has an illicit reduction (they should have said "Either your information has been changed or it is incomplete"), and second it continues with a comma splice ("as a result..." should have been preceded by a big-league punctuation mark like the period, semicolon, or colon, but a wimpy little comma won't do it). Just enough in the way of syntactic slips to sound illiterate, and to convince me that foreign criminals wrote the text and Wells Fargo knew nothing about it and the last thing in the world I should do would be to visit their website and supply some updated security information. So don't ever tell me that being a grammarian doesn't have cash value! Thousands of people fall for these bank security-check scams every day (this one came decorated with a warning at the bottom that you could not initiate the process by calling their customer services line, it had to be initiated by them through email; that's to try and stop people calling the bank to check). Many people who clicked and answered the questions will find their bank accounts have been raided tomorrow. Syntactic analysis can save you real money.

[Note added September 22, 8 a.m.: The first version of this post asserted that no bank ever corresponds with customers about security matters by unsolicited email. But wolfangel told me by email, to my utter astonishment, that at least one bank (Wachovia Bank) did send unsolicited emails to its customers about updating their security information. So that clinches it: grammatical analysis is actually a better source of evidence about whether your bank is emailing you than is general knowledge about bank security practice. Got syntax? Take my course.]

Posted by Geoffrey K. Pullum at September 22, 2004 12:58 AM