Economics of bad phishing emails

Lucas A. Meyer

August 14, 2022

You may have been taught to avoid emails that are full of errors and absurd claims (such as a prince wanting your help). You may think that the fraudsters who use such emails are lazy or uneducated, and that the emails have errors because the fraudsters are not good at English. The truth is a lot more fun.

We start by assuming that the “fraudster”/“bad actor” is a profit maximizer, and that their cost per hour is $10. Let’s assume it costs $50 to create an email with errors, and $200 to craft an error-free email. They pay this cost only once.

Let’s also assume that they can send that email for free to 1 million people, of which 10% (100,000) are “gullible” (easy to trick), and the remaining 900,000 are “skeptical” (hard to trick). When a potential victim responds, the bad actor has to invest some time with them to get their financial information. If they’re gullible, the bad actor has to invest 5 hours ($50) on average, and they get $1,000. If they’re skeptical, the bad actor will invest 10 hours on average to realize that they’re skeptical, and will get no financial information (profit = $0).

The email with errors gets a 2 out of 10 response from gullible people and no response from skeptical people. If the bad actor uses this email, the victim pool will have 20,000 gullible people. The well-crafted email gets an 8 out of 10 response from gullible people and a 1 out of 9 response from skeptical people. In this case, the victim pool will have 80,000 gullible and 90,000 skeptical people.

After sending the email, the bad actor has a 1,000-hour budget (that’s about 6 months of work) to work with the pool of respondents. When they choose a new potential victim from the pool of respondents, assume each draw is uniformly random over the pool, so the odds follow the pool’s proportions. That is, for the error-free email, they get a gullible person with probability 8/17 and a skeptical person with probability 9/17. For the email with errors, it’s always a gullible person.

Which of the two emails should the bad actor send in order to maximize their profits?

Follow-up: should the bad actor invest in an even better email that everyone (gullible and skeptical) responds to?

If you work through the example, you’ll find that the email with errors performs better, because it filters out the skeptical people who would waste the scammer’s time. Real scammers use bad emails on purpose: only the very gullible will respond, making the scammer’s job easier.
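Working the example through, as an added Python calculation that is not part of the original post: it computes the expected profit of each email under the model above from the respondent pool sizes stated (20,000 gullible for the email with errors; 80,000 gullible and 90,000 skeptical for the error-free one, matching the 8/17 and 9/17 draw odds) and also answers the follow-up. The $200 creation cost used for the “everyone responds” email is a placeholder assumption, since the post gives no figure for it.

```python
from fractions import Fraction

# Model parameters from the post (dollars and hours).
HOURLY_COST = 10          # bad actor's cost per hour of their own time
HOURS_GULLIBLE = 5        # hours spent per gullible respondent before they pay
HOURS_SKEPTICAL = 10      # hours spent before giving up on a skeptical respondent
PAYOFF_GULLIBLE = 1000    # money obtained from a gullible respondent
PAYOFF_SKEPTICAL = 0      # a skeptical respondent yields nothing
BUDGET_HOURS = 1000       # time available to work the respondent pool


def expected_profit(creation_cost, gullible, skeptical):
    """Expected campaign profit for an email with a one-off creation cost
    whose respondent pool holds `gullible` and `skeptical` people.

    Each draw is a uniformly random respondent, so the chance of drawing a
    gullible person equals their share of the pool.  The pool is far larger
    than the budget allows working through, so depletion is ignored and the
    draw probabilities stay constant.  Fractions keep the arithmetic exact."""
    respondents = gullible + skeptical
    if respondents == 0:
        return -Fraction(creation_cost)   # nobody answered: only the sunk creation cost
    p_gullible = Fraction(gullible, respondents)
    p_skeptical = 1 - p_gullible
    hours_per_draw = p_gullible * HOURS_GULLIBLE + p_skeptical * HOURS_SKEPTICAL
    revenue_per_draw = p_gullible * PAYOFF_GULLIBLE + p_skeptical * PAYOFF_SKEPTICAL
    draws = BUDGET_HOURS / hours_per_draw          # respondents worked within the budget
    revenue = draws * revenue_per_draw
    time_cost = BUDGET_HOURS * HOURLY_COST         # every budgeted hour is paid for, productive or not
    return revenue - time_cost - creation_cost


def compare_emails(perfect_email_cost=200):
    """Rank the post's two emails plus the follow-up 'everyone responds' email,
    using the respondent counts the post states.  The post gives no creation
    cost for the follow-up email, so the error-free email's $200 is used as a
    placeholder (an assumption, not a figure from the post)."""
    options = {
        "with errors": expected_profit(50, 20_000, 0),
        "error-free": expected_profit(200, 80_000, 90_000),
        "everyone responds": expected_profit(perfect_email_cost, 100_000, 900_000),
    }
    return sorted(options.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for name, profit in compare_emails():
        print(f"{name:>18}: ${float(profit):,.2f}")
```

The email with errors nets about $189,950, the error-free one about $51,338, and an email everyone answers only a few hundred dollars, because nine of every ten draws are skeptics who each burn ten hours for nothing.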