September 23, 2004

Inexpert and expert phishing spam

My friend Nathan Sanders has shown me a phishing spam that he got which purported to be from Citibank. It did very badly indeed on linguistic accuracy and thus was much easier than usual to spot as trickery. In fact it's a little lesson in grammatical and orthographic slip-ups all on its own.

From: Citibank

Subject: ATTN: SafeGuard your account (Citi.com) MsgID# 80309245

Dear Customer:

Recently there have been a large number of cyber attacks pointing our database servers. In order to safeguard your account, we require you to sign on immediately.

This personal check is requested of you as a precautionary measure and to ensure yourselves that everything is normal with your balance and personal information.

This process is mandatory, and if you did not sign on within the nearest time your account may be subject to temporary suspension.

Please make sure you have your Citibank(R) debit card number and your User ID and Password at hand.

Please use our secure counter server to indicate that you have signed on, please click the link bellow:

http://219.138.133.5/verification/

!! Note that we have no particular indications that your details have been compromised in any way.

Thank you for your prompt attention to this matter and thank you for using Citibank(R)

Regards,

Citibank(R) Card Department MsgID# 80309245

(C)2004 Citibank. Citibank, N.A., Citibank, F.S.B., Citibank (West), FSB. Member FDIC.Citibank and Arc Design is a registered service mark of Citicorp.

Those of you who are taking my distance-learning course in Forensic Syntax For Spam Detection should spend a moment listing the errors in this text. You should be able to find ten errors.

*  *  *  *  *  *   *

O.K., time's up. I'll just run through the correct answers.

  1. "SafeGuard" in the Subject line has a spurious capital G. This word is not a trademark (at least, not here), it is just an ordinary English verb. The spammer was being too clever with capitalization.
  2. The phrase "pointing our database servers" is not grammatical, or at least not meaningful. I'm not sure where that error comes from. "Targeting our database servers" would make more sense.
  3. The phrase "personal check" would not normally be used to mean "check or test that you have to carry out personally", or "check or test to verify your personal information", because it is used instead to mean "check written by an individual as opposed to a corporation". It's not ungrammatical, but it's a sign of not being familiar with American English banking talk.
  4. "This personal check is requested of you as a precautionary measure and to ensure yourselves that everything is normal..." has a badly chosen word, ensure. You ensure that something is done by either causing it to be done or checking that it has been done; you don't ensure a person. (You can insure a person, but you should be an insurance agent if you do this.) The spammer meant "assure", not "ensure".
  5. "This personal check is requested of you as a precautionary measure and to ensure yourselves that everything is normal..." has another mistake. The message begins "Dear Customer" (singular). This makes the plural number on yourselves mysterious. It should be the singular, yourself.
  6. The error in "if you did not sign on ... your account may be subject to temporary suspension" is beautiful and subtle, something to warm even the small and stony heart of a grammarian such as I. With all verbs except the copula (be), the preterite inflectional form is used to signal what the irrealis form were signals in the case of the copula. The Cambridge Grammar (chapter 3) calls this a modal remoteness use of the preterite. A particularly clear case of where you need it is in counterfactual conditionals: "If you did not sign on, your account could be temporarily suspended." That means that if a hypothetical world were to arise where you did not sign on (and may that day never come), your account could get suspended, in that world — but it won't in this one, we hope. However, it's crucial that the second part of such a sentence (the apodosis of the conditional) normally also has a modal preterite, often would or could or might, but not will or can or may. You get "If you did not sign on, your account would be suspended" for referring to a hypothetical situation and "If you do not sign on, your account will be suspended" to refer more forthrightly to a claim about what the future is going to be like if you don't sign on. The sentence in the email, "if you did not sign on ... your account may be subject to temporary suspension", should have been "if you do not sign on ... your account may be subject to temporary suspension".
  7. The phrase "within the nearest time" is of course not idiomatic English. Perhaps "at your earliest convenience" was meant.
  8. The phrase "secure counter server" is not known to me and gets no Google hits at all. The spammer meant "secure server", and I just don't know what "counter" was doing in there.
  9. Actually the whole sentence "Please use our secure counter server to indicate that you have signed on, please click the link..." is ungrammatical. It seems to be a very bad run-on sentence with no comma splice: the spammer meant "Please use our secure counter server. To indicate that you have signed on, please click the link..."
  10. In "please click the link bellow", the preposition below is misspelled. (Bellow is a verb meaning "emit a loud, deep, hollow, prolonged sound such as a bull might make, or to speak or shout in a manner reminiscent of this"; that's why a spelling checker wouldn't have caught the mistake.)

So this message is an illiterate, error-stuffed disaster, and the spammer who wrote it will only be stealing the bank account contents of particularly unobservant and linguistically uneducated people: poor people, immigrants, foreigners, semi-literate people, careless readers, not Language Log people at all. Alert Language Loggers are not likely to fall for this piece of junkware.

But beware: I got a message purporting to come from Citibank too, and unfortunately it's grammatically impeccable:


Dear Citibank valued customer,

Citibank is committed to protecting the security of our clients' personal information, including when it is transmitted online. Therefore our ATM services utilize advanced security technology to protect your personal financial information.

In order to be prepared for the smart card upgrade on Visa and MasterCard debit and credit cards and to avoid problems with our ATM services, we have recently introduced additional security measures and upgraded our software.


This security upgrade will be effective immediately and requires our customers to update their ATM card information. Please update your information here

© Citibank Customer Support Dept.

 

It ended with some invisible words written in white, probably a device designed (unsuccessfully in this case) to fool spam filters: "b 5 2141 arboretum preponderate seoul addle devolve salve bette remembrance loud countdown fascicle milk hook finesse lagging daedalus deanna bluish bonneville condemnate bar transmitted perennial Freddie 1 J rendezvous witt nina catalogue walden apologetic gaspee evacuate enol preferring giveth substantiate ladyfern shepard inclose gary contradistinction 638 65093358[0-255", it said, implausibly but also invisibly. (It wasn't invisible to me because I examine my suspected spam with Unix tools, not the brightly colored click-here tempting toyware that Windows programmers want me to use.)
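The white-on-white trick described above can be checked mechanically. The following Python code is an added illustration, not part of the original post: it separates the text a reader sees from text coloured the same as the background. The sample markup, the placeholder link and the names `HiddenTextFinder`, `split_hidden` and `canon` are assumptions; only the wording comes from the message quoted above.

```python
import re
from html.parser import HTMLParser

VOID = {"br", "hr", "img", "input", "meta", "link"}  # elements with no end tag

def canon(colour):
    """Normalise 'white', '#FFF' and '#FFFFFF' to one spelling; '' if unset."""
    c = (colour or "").strip().lower()
    if c == "white":
        return "#ffffff"
    if re.fullmatch(r"#[0-9a-f]{3}", c):
        return "#" + "".join(ch * 2 for ch in c[1:])
    return c

class HiddenTextFinder(HTMLParser):
    """Separate text a reader sees from text coloured like the background."""
    def __init__(self):
        super().__init__()
        self.background = "#ffffff"   # assumed default when <body> sets none
        self.stack = []               # (tag, inherited text colour) per open element
        self.visible, self.hidden = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "body" and a.get("bgcolor"):
            self.background = canon(a["bgcolor"])
        style = re.search(r"(?<![-\w])color\s*:\s*([^;]+)", a.get("style") or "", re.I)
        colour = canon(style.group(1) if style else a.get("color"))
        if not colour and self.stack:
            colour = self.stack[-1][1]          # inherit from the parent element
        if tag not in VOID:
            self.stack.append((tag, colour))

    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:         # close back to the matching open tag
                del self.stack[i:]
                break

    def handle_data(self, data):
        text = " ".join(data.split())
        if text:
            colour = self.stack[-1][1] if self.stack else ""
            (self.hidden if colour == self.background else self.visible).append(text)

def split_hidden(html):
    finder = HiddenTextFinder()
    finder.feed(html)
    finder.close()
    return finder.visible, finder.hidden

# Constructed sample: the wording is from the message above, the markup is assumed.
SAMPLE = """<html><body bgcolor="#FFFFFF">
<p>Please update your information <a href="http://example.invalid/">here</a></p>
<p>&copy; Citibank Customer Support Dept.</p>
<font color="#FFFFFF" size="1">arboretum preponderate seoul addle devolve salve</font>
</body></html>"""
```

It only looks at inline `color` and `bgcolor` settings, so text hidden through stylesheet classes or tiny font sizes needs separate checks.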

The second example shows what can be done by literate guys who control the grammar and really know how to phish. Caveat browsor.

Posted by Geoffrey K. Pullum at September 23, 2004 01:56 PM