
PCPro-Computing in the Real World Printed from www.pcpro.co.uk


Posted on May 15th, 2009 by Tom Arah

The Art of Coarse Phishing

Recently I received a phishing email that was a cut above the usual sloppy rubbish and even showed a bit of psychological awareness and guile – “If you recently accessed your account while traveling, the unusual log in attempts may have been initiated by you…” However, as always, there were enough tell-tale mistakes – “temporary” rather than “temporarily” – to ensure that most recipients wouldn’t be in any real danger of falling for the scam.

Like most people I’ve tended to take these spelling mistakes and grammatical errors as a reassuring sign of naivety, building a mental picture of the phishers as overseas kids having an amateurish punt rather than ruthless criminals.

But now I’ve changed my mind…

To begin with, whoever came up with this email was clearly intelligent and could certainly spell if they chose to. More to the point, I’ve received thousands of similar emails over the years and I don’t think I’ve ever received one without a spelling or grammatical mistake of some sort. I’d even begun to think it might be some kind of code-of-honour thing: look-we-always-warn-you-so-really-it’s-your-own-fault-if-you-get-caught.

This just doesn’t make sense. Having gone to all the trouble of coming up with a scheme and creating the email and associated site, surely it would be worth the phishers’ while to find an English speaker to boost their conversion rates? Or at least to run a spell checker over it? And has there really never been a native English-speaking phisher in all this time?

Or have I been missing something? Are the typos and weird sentence structure actually deliberate? Or at least not purely accidental.

My first thought on this was that the phishers might be cleverly varying the ocasional word that can easily be misread to avoid spam filters. Perhaps the phishing emails even mutate over time to avoid detection in the same way that viruses do.

That’s possible for a few cases like this current email but, on reflection, I think it gives the phishers too much credit. The real reason is much more basic.

Whether deliberate or not, the embarrassing spelling and grammatical mistakes end up working in the phishers’ interests because they quickly filter out the vast majority of recipients leaving just the real target: the less-than-confident non-native speaker. After all, the phishers don’t want thousands of users who are never going to leave personal details jamming their cheapskate sites or adding them to blacklists or generally making life difficult.

In other words, we – the technically-literate blog-reading public whose inboxes are crammed with this junk – have never actually been the target; we’re a problem. However, with just a couple of mistakes, the phishers effectively put their own spam filter in place and get what they want: a manageable stream of high-quality victims that have already proved susceptible to a bogus voice of authority and who are unlikely to cause trouble.

The quality of phishing emails hasn’t seriously evolved because, unlike viruses, there’s been no selective pressure to change. It works very well just as it is.


Posted in: Real World Computing


5 Responses to “ The Art of Coarse Phishing ”

  1. Clive Says:
    May 15th, 2009 at 9:54 am

    My first thought on this was that the phishers might be cleverly varying the ocasional word that can easily be misread to avoid spam filters. Perhaps the phishing emails even mutate over time to avoid detection in the same way that viruses do.

    Phew, I hope I spotted the deliberate error.

     
  2. Tom Arah Says:
    May 15th, 2009 at 10:13 am

    Well you certainly won’t get caught :)

     
  3. Lise Says:
    May 20th, 2009 at 10:24 am

    Don’t tell me you’ve never received legit emails containing grammar or spelling errors? I cringe at the majority of mails in my inbox sent by professional acquaintances. I certainly wouldn’t assume a phishing attempt just because somebody doesn’t know the difference between an adjective and an adverb!

     
  4. Steve Cassidy Says:
    May 21st, 2009 at 8:38 am

    I think it’s even smarter than that (but then I’m paranoid). By putting these errors in, these guys are limiting the IQ of people who fall for the scam, and making their admission of gullibility even more humiliating. People who don’t spot these errors or other telltale signs do not like approaching “the smart guy” (in the office, or their neighbour, or down the pub, what have you) because each time they do they have an intimate and uncomfortable Homer Simpson Moment.

    The less inclined victims are to report this stuff, the more of a free run the thieves and pirates get. The people putting these things together are definitely, certainly and finally, not stupid.

     
  5. JH Says:
    May 21st, 2009 at 9:14 am

    So there’s lots of phishers leaving comments on websites? eg. ‘I have had this computer for 6 months now. Its grate but theres 1 issue. it wont turn on lol’ (didn’t want to find a more typical example, generally they have far more typos)

     
