You remember the good old days, right? When email scams were delightfully absurd. The kind of nonsense you’d read aloud to your coworkers for a laugh. “A Nigerian prince wants to send me $42 million?” Fantastic! I’ve always wanted to own a small castle in Lagos.

But now? Now I get scams that are just… boring. Like, spreadsheet-level boring. Like, “email from Karen in procurement” boring. And that’s what makes them dangerous.

Thanks to generative AI, these new scam emails don’t just look real, they feel real, partly because they’re so boring. They’re written in uninteresting but polished business English, signed with job titles that sound vaguely familiar, and include documentation that looks like it was pilfered from a mid-tier consulting firm’s SharePoint.

Let’s talk about the hits I’ve gotten lately:

1. The DocuSign Deception

I sign a lot of DocuSigns. So when one comes in labeled “Business Proposal and Service Engagement Agreement Sourcetoad,” I wouldn’t have blinked. But now I’m on to these and check the From field, and where the link is going. Somewhere… wrong. And while old scams tried to scare you into action, this one just blended into the background. No drama. No typos. Just dull enough to be believable.

2. The P&O Procurement PowerPoint Parade


This one gets an A+ for effort. Pages and pages of well-formatted procurement policy. A full fake vendor onboarding process. PDFs that looked legit enough to pass muster at Carnival UK. They even wanted a surety deposit of £17,150. Honestly, if it had been $999.99, I might have fallen for it. But seventeen grand? That’s too audacious. Even for me. You can download the whole thing here if you’re really interested.

3. The “Employee” Reimbursement Request

This one came from someone pretending to be on our team. Their email was almost perfect… name, title, department. It read like something we actually might get. But we’re vigilant (read: paranoid) and we keep personal emails on file. So we flagged it. Still, for a moment, I doubted myself.

But these scams aren’t exciting anymore. They’re not even trying to con you with outlandish promises. They’re playing the long and boring game. They’re disguising themselves as paperwork. They’re dressing up in khakis and calling themselves “operational compliance liaisons.”

Why AI Makes Scams So… Boring

The thing that makes generative AI such a great scammer isn’t that it’s creative, it’s that it’s bog-standard. Large language models are trained to produce statistically “normal” text. That means no weird capitalizations, no misspellings, no laugh-out-loud grammar errors. Just smooth, dull, corporate English.

A few specific shifts we’re seeing:

  • Grammar & tone polishing: The old “urgent kindly send me your bank account” is now “Please review the attached vendor onboarding form at your earliest convenience.” It’s the same con, but with less cringe.
  • Contextual customization: Feed an LLM a LinkedIn job title or a scraped company name, and it spits out messages that feel like they belong in your inbox. “Karen from Procurement” suddenly exists everywhere.
  • Document generation at scale: AI can generate fake contracts, invoices, even slide decks with consistent branding. Before, scammers relied on bad Word docs; now they’re churning out PDFs that look like they came from Deloitte, or worse.
  • Volume and targeting: With even simple automation, scammers don’t need to craft one great con. They can generate a thousand slightly different ones, tuned to bypass spam filters and land on the desk of the one person who won’t double-check.

And the paradox here is that the less interesting a scam looks, the more likely it is to slip past both humans and machines. Content-based filters, including the AI-powered ones, learned to catch the weird stuff; they have a much harder time with text that is statistically indistinguishable from the rest of your inbox. Even the robots are fooled by boring.

So here’s your new red flag: boring.

When something feels too normal, too well-documented, too… enterprise… ask questions. Call the person. Double-check the domain. Assume every PDF is a phishing attempt wearing a polo shirt with a poorly embedded logo.

What to Do About It

If scams are getting more boring, the defenses have to get less complacent. A few things that might actually help:

  • Don’t trust “normal”: Boring is the new red flag. If an email looks like standard corporate paperwork, treat it with suspicion until it’s verified.
  • Check the metadata: Look at headers, domains, and links, not just the text. AI can fake tone, but it usually can’t hide a shady domain. Compare the From domain with the Reply-To and Return-Path domains, check whether DKIM and DMARC actually passed (SPF alone proves only that the scammer controls their own sending domain), and hover over every link to see whether the visible URL and the real destination match.
  • Out-of-band verification: Call the person (I know, I know). Text them. Use a channel you already trust. If Karen from Procurement suddenly needs a wire transfer, Karen should be able to confirm it by phone.
  • Train on the mundane: Security awareness programs often focus on laughably bad phishing examples. Start training employees on scams that look like invoices, onboarding documents, or expense requests.
  • Layer your defenses: Filters still matter, but assume they’ll miss some. Logging, anomaly detection, and good approval workflows can turn a boring scam into just another blocked attempt.
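To make the “check the metadata” and “don’t trust normal” advice concrete, here is an added example (my own, not the author’s code or any product) that triages a message on its plumbing rather than its prose. The two messages it runs against are constructed for this example, use reserved `.example` domains, and are not real phishes; the `BRANDS` list is an assumption you would extend for your own environment.

```python
"""Triage a suspicious email on its plumbing rather than its prose: sender,
Reply-To and Return-Path domains, authentication results, and where each
link really goes versus where its text says it goes."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands whose name in a From display name should match the sending domain's
# registrable label. Assumption for this example; extend for your environment.
BRANDS = ("docusign",)

# Constructed sample, not a real message: polished wording, DocuSign branding,
# and .example domains that belong to nobody. SPF passes because the scammer
# controls the envelope (Return-Path) domain; that alone proves nothing.
SUSPECT = """\
Return-Path: <bounce@mail-notify.example>
Authentication-Results: mx.example; spf=pass smtp.mailfrom=mail-notify.example; dkim=none; dmarc=fail header.from=docusign-review.example
From: "DocuSign" <dse@docusign-review.example>
Reply-To: signatures@mail-notify.example
To: ceo@example.com
Subject: Business Proposal and Service Engagement Agreement
Content-Type: text/html

<p>Please review the agreement at your earliest convenience.</p>
<p><a href="https://docusign-review.example/s/abc123">https://app.docusign.com/review</a></p>
"""

# Constructed clean counterpart: everything lines up, so nothing is flagged.
CLEAN = """\
Return-Path: <karen@example.com>
Authentication-Results: mx.example; spf=pass; dkim=pass; dmarc=pass
From: "Karen from Procurement" <karen@example.com>
To: ceo@example.com
Subject: Vendor onboarding form
Content-Type: text/html

<p><a href="https://intranet.example.com/vendors">https://intranet.example.com/vendors</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(header_value):
    """Lower-cased domain of the first address in a header, '' if absent."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def triage(raw):
    """Return a list of human-readable findings; an empty list means nothing odd."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(msg["From"])
    display_name = parseaddr(str(msg["From"] or ""))[0].lower()

    # 1. The address replies and bounces go to should belong to the sender.
    for hdr in ("Reply-To", "Return-Path"):
        dom = domain_of(msg[hdr])
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom} != From domain {from_dom}")

    # 2. Anything short of pass on DKIM/DMARC means the From header is unverified.
    auth = str(msg["Authentication-Results"] or "")
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1).lower() != "pass":
            findings.append(f"{mech}={m.group(1)}")

    # 3. A brand in the display name should be the whole registrable label:
    # 'docusign-review' is not 'docusign'. This naive split would mishandle
    # co.uk-style domains; real code would consult the public suffix list.
    labels = from_dom.split(".")
    label = labels[-2] if len(labels) >= 2 else from_dom
    for brand in BRANDS:
        if brand in display_name and label != brand:
            findings.append(f"display name claims {brand} but domain is {from_dom}")

    # 4. Link text that looks like a URL must point where it says it does.
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        target = (urlparse(href).hostname or "").lower()
        shown = (urlparse(text).hostname or "").lower() if "://" in text else ""
        if shown and shown != target:
            findings.append(f"link text shows {shown} but goes to {target}")
    return findings


if __name__ == "__main__":
    for name, raw in (("SUSPECT", SUSPECT), ("CLEAN", CLEAN)):
        print(f"{name}: {triage(raw) or ['no findings']}")
```

Run it and the boring DocuSign lookalike produces six findings while Karen’s clean onboarding mail produces none. Note what the script does not do: it never reads the body text for tone or urgency, because that is exactly the signal an LLM-written scam has stopped giving you.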

So let’s pour one out for the Nigerian prince. He may have been sketchy, but at least he had flair.

I help companies turn their technical ideas into reality.

CEO @Sourcetoad and @OnDeck

Founder of Thankscrate and Data and Sons

Author of Herding Cats and Coders

Fan of judo, squash, whiskey, aggressive inline, and temperamental British sports cars.


The Internet Doesn’t Have Enough Love In It (And How We Can Fix It Easily)

I’ve been thinking about all the wrong things when it comes to AI writing code.

Everyone else seems to be too. Job displacement. Security vulnerabilities. The ten-times-faster developer who now bills the same and delivers four times as much. These are real conversations worth having, just not the one I want to have right now.

The one I want to have is about teaching a six-year-old multiplication.

Here’s what I mean. Imagine you’ve been sitting with your kid every night for two weeks trying to explain multiplication. You’ve tried drawing rows of dots. You’ve tried songs (don’t judge me). You’ve tried the “just think of it as groups of things” approach that works for literally every other math concept but, mysteriously, not for your kid. Then one night, something clicks. You found the explanation, YOUR explanation, the one that worked for your actual kid with your actual kid’s brain, and it finally, beautifully, clicks.

Now imagine you could spend a Saturday morning turning that into a small web app. Not a startup. Not a SaaS platform. No login. No backend. No one’s going to hack it (there’s nothing to hack, because it holds nobody’s data). Just a little thing that walks through multiplication the exact way you figured out it works, step by step, the way you’d explain it. You send it to the WhatsApp group for your kid’s class. Some of those other parents, also quietly losing their minds over multiplication, try it. And it helps.

You just made the world a tiny bit better. That’s it. That’s the whole thing.

Claude Code exists now, and a handful of other tools like it, and the reason I think this matters isn’t productivity. It’s access. The barrier between “I have an idea for something that could help people” and “I have a thing that helps people” used to require knowing how to code, or hiring someone who does, or talking a developer friend into your project over enough beers that their guilt exceeded their better judgment. Now it’s a Saturday morning and a good description of what you want to build.

The internet already has beautiful things in it that were built out of love. Free coding education for kids. Open-source video editors. Someone’s incredibly detailed home-brewing app with no monetization plan whatsoever. Artists making interactive experiences because they wanted to see if they could. These things exist because someone cared more about making the thing than making money from the thing. I think that ratio is about to shift dramatically in favor of the people who just want to make something good.

I’m not saying we should all stop paying for Salesforce (we should probably keep paying for Salesforce, there’s a reason that thing costs what it costs). I’m saying the category of software that was previously not worth building because it wasn’t commercial enough to justify the cost, that category just got a lot more interesting.

What’s in that category? Things like:

  • An app that helps beginning judo students understand the concepts behind a throw, not just the mechanics, because judo is where I learned confidence and discipline and I want other kids to find that
  • A private family memory vault (not Instagram, not Facebook, not anything with an algorithm deciding what matters), just a place where the people who love my son can send photos and stories somewhere safe, for him to open when he’s older (Maybe I’ll turn this into something?)
  • A system that reminds companies to send their employees gifts on the days that actually matter to them, because I know from running a company that it fills the cup of the person giving just as much as the person receiving (Thankscrate, if you’re curious, and yes, that one is turning into something real, but that is genuinely not why I built it)

None of those were commercial ideas first. They were just things I cared about.

I think the most interesting software that gets built in the next few years won’t come from developers moving faster. It’ll come from people who previously had no path from “I care about this” to “I built something about this,” and now they do. Parents. Coaches. Teachers. The person in your office who could explain that one complicated process better than anyone and has always secretly wanted to turn it into something.

The stakes are low. The bar to launch is low. The cost is low. The only thing required is that you actually give a damn about what you’re building.

One small caveat before you go off and change the world. If your passion project involves storing the medical records, credit card numbers, or personal information of vulnerable people (childhood leukemia patients, say, or really anyone who has enough going on without also becoming the victim of a data breach), please, for the love of God, do not take that on as a Saturday morning vibe-coding exercise. That is not a passion project, it’s a terrifying lack of judgment and a huge liability. Please hire professionals, follow compliance frameworks, and treat the security of people’s sensitive data with the seriousness it deserves. The whole spirit of what I’m describing here is low stakes, and nothing raises the stakes faster than a database full of information that could ruin someone’s life if it leaks. Build the multiplication app. Build the judo app. Do NOT build the “I’ll just store some PHI real quick” app.

So… What do you give a damn about?

Go build it. I still sometimes have to count on my fingers, but I’m told the app helps.