Con artists have been plying their trade since time immemorial, but the internet opened the floodgates to a whole new level of fraud. It has allowed fraudsters to take aim at an endless number of victims and at the range of victims that they would never have reached before. And with the wide spectrum of our personal information accessed via the internet, everything falls more readily into the scammer’s lap than ever before.
In one sense, however, old is still gold. The success of an online con, including phishing (the most pervasive of such scams), hinges largely on human psychology. More precisely, it all tends to boil down to how well the con artist can exploit some of the very things that make us human. And those haven’t undergone much change in, well, quite a while.
Instead of crafting special code and laboriously overcoming technical defenses, “hacking the human” is generally recognized as the easiest way to steal personal data or money online. As this week’s theme of European Cyber Security Month revolves around online scams, let us peek inside the psychology behind these scams, revealing what errors in judgment, and emotional or cognitive biases can blind our reasoning. After all, the more aware of our own weaknesses we are, the likelier it is we won’t be had.
So close, yet so far away?
Despite – or perhaps thanks to – some obvious limitations in terms of physical propinquity when it comes to online space, romance scammers are able to build rapport with victims nearly at (ill) will. As with a genuine online relationship, it won’t probably be love at first sight and the grooming of the “mark” may take quite some time. However, once the “romance” finally blossoms, it’s easy enough to take things to the next level – to part the beguiled from their money.
A number of forces shape, or contribute to, a potential victim’s susceptibility to this fraud. For one thing, we flock to dating sites in search of a romantic relationship, which may leave us somewhat predisposed to building attachments with other people and to taking for granted the good faith of the prospective partner. Of course, scammers also prey on users of social media where social interaction is often the reason to be there in the first place.
The sense of a perceived bond also leads to some degree of dependence, as does the need for approval from our (apparent) love interest. And when the “soulmate” tugs at our heartstrings with an urgent request to help foot the treatment bill for their child, who suddenly turns out to be hooked up to hospital monitors, is also where our empathy and sympathy really kick in.
Other schemes aim to appeal to our desire for something less noble than everlasting love. All of us have probably been “blessed” with an email that promised a fortune in exchange for what is typically an upfront fee that, when you think about it, seems truly miniscule compared to the “riches” awaiting you. It could take any number of forms, such as a Nigerian prince scam or a lottery scam. However, all of them ultimately seek to take advantage of our desire for enrichment.
If you’re like most people, you’ve probably stopped to think at least once about what all those zeroes in the promised money could buy. Arguably, it may not always be easy to think straight when faced with the opportunity to, once and for all, escape the daily schlep. This is doubly true when the offer adds other ingredients to the mix. It will be uniqueness (you, not your neighbor or mother-in-law, received the offer); scarcity (the “supply” is limited); and urgency (the time to act is, well, yesterday).
And, perhaps just as importantly: what if – despite all the red flags urging you to run the other way – the opportunity is genuine, as that nagging feeling tells you?
“A number of forces shape, or contribute to, a potential victim’s susceptibility to this fraud”
Complicating things further, if you do succumb, it’s not over for you – and certainly not for the scammer. Instead, you’re likely to face more requests for additional and ever higher “processing fees”, bribes, and so on. You may well find the pleas increasingly difficult to resist, for which you can blame your hardwired reluctance to admit to a bad decision and give up hope, or a cognitive bias known as sunk-cost fallacy. Or, like a hapless gambler, you will continue to “invest” money so as to recoup your losses. But the house always wins.
The need to “act now or all hell will break loose” is a staple in phishing campaigns, which aim to trick us into divulging login credentials, and in other scams tricking us into installing malware. Knowing that rushing you into acting immediately is likely to cloud your judgment, fraudsters go all out in their attempts to invoke a false sense of urgency.
It’s only natural that we feel compelled to act swiftly: we don’t want anybody to mess with your bank or email account, which is exactly what the “alert” or “notification” is likely to be about. The sense of apprehension can be enough to distract us from the warning signs about something being amiss that might otherwise not escape our attention.
Take a bow (and the bait)
We’re mostly conditioned to obey authorities, and it is this respect for, and perceptions of, authority that phishers turn against us in their attacks. They actually let the presence of authority cues and our adherence to social norms do the heavy lifting for them.
By impersonating police, the taxman or another trusted authority or entity such as a bank, online payments provider or email service provider, the phishers will try to instruct us to take action on pain of facing some unwanted, and usually dire, consequences. Similar to the sense of immediacy, when we’re gripped by fear or panic, our ability to think critically may give way to impulsive actions.
Are we overconfident?
While this (over)confidence can be helpful in many situations, it can also skew the perceptions of our own strengths and weaknesses, leaving us vulnerable in the “knowledge” that “it cannot happen to me”. Ultimately, it may also help explain why some people fall for phishing campaigns, and why they do so repeatedly. Verizon’s Data Breach Investigations Report recently claimed that “the more phishing emails someone has clicked, the more they are likely to click in the future”.
That same report also found that 4% of people in any given phishing campaign will fall for such an email. True, those campaigns were simulated and may vary in how closely they reflect real campaigns. But other campaigns will be real, and we need to be prepared to protect ourselves.
To learn about tips for spotting a phishing message, head over to our “5 simple ways you can protect yourself from phishing attacks”. For a deeper dive into ways to recognize the phish in a sea of email, navigate to David Harley’s “Phish Allergy – Recognizing Phishing Messages”. If you’re more of a video person, we’ve got you covered, too: see “Phishing emails and how to avoid them”.
That’s far from all, of course. Here are a few more interesting articles or papers that cover the topic of scams from various angles: