Why Do We Fall For Online Scams?

An example of a phishing email, disguised as an official email from a (fictional) bank.

Scams are big business. From the letters claiming you’ve won millions in a lottery that you don’t recall entering, to phone calls from people claiming to be your bank, it is becoming increasingly difficult to keep up with the range of scenarios being used to con people out of money.
    
Victims can suffer substantial financial losses that cannot be recuperated and psychological distress.

Collectively, people across the globe are losing billions each year to mass-market scams, with US$12.7 billion lost globally in 2013 to 419 advance fee fraud scams alone. Precise figures are difficult to come by due to the substantial under-reporting of this crime. Recent reports suggest only 15% of victims in the US report the crime to law enforcement.

Advances in technology mean scams have become more sophisticated. Entire fake websites can be set up, complete with company logos. Letterheads can be mimicked and telephone numbers or e-mail addresses can even be spoofed. The aim might be to get you to click a link, write a cheque, provide your personal details or download an attachment but all these scams use particular influence techniques to get people to respond.

Key tactics
The use of authority figures is important, for a start. The person on the other end of the line or email might purport to be an IT specialist, police officer, bank personnel or government official. Such techniques work because people have an inherent tendency to comply with requests from authority figures, something that is encouraged by society from an early age.

They also exploit other common social norms and rules. Humans tend to feel obliged to repay a free gift or favour or help an individual in need, so we find it difficult to say “no” to polite requests. This can range from people requesting monetary donations for fake charities on your doorstep to desperately asking for help to resolve a current crisis, such as travel problems or emergency medical bills – a common scenario in online romance scams.

Scams are also designed to elicit an emotional response. This might be a positive emotion such as excitement at winning money, or hope at the prospect of an online romance, or it might be a negative emotion, such as fear, anxiety or panic about fraudulent activity identified in your bank account.

This allows scammers to influence the cognitive processes people use when making decisions. They encourage the victim to use mental shortcuts, known as biases and heuristics, so that they make decisions quickly and without thinking. For example, by linking e-mail or telephone scams to current and high profile news stories, such as the TalkTalk data breach, scammers are able to increase the likelihood that people will believe them. This is because things that come to mind quicker are more likely to be judged as important and as likely to be genuine, a concept known as the availability heuristic.

Instilling a sense of urgency in recipients by imposing a time limit on responding also increases the likelihood that people will feel pressured when making decisions. They will base their choices on emotional responses and social cues rather than systematically considering the likely authenticity of the communication. This is because responses such as panic at potential identity theft or a fear of losing out can make people prioritise the alleviation of these emotions. They focus on short-term goals that will make them feel better. In this case, that means responding to the scam.

Fighting fire with fire
General awareness about scams is definitely on the rise, which helps us be more wary about who we give information to. However, awareness is only one way of tackling scams. There is growing consideration that wider public health and behaviour change models may play an important part in dealing with this problem.

That means considering the different factors that influence how we respond to scams, such as our specific attitudes and beliefs, previous experiences and the behaviour of those around us.

When we decide whether to respond to a letter or e-mail, or to believe the person on the other end of the phone, these decisions are likely to be based on our prior attitudes and beliefs. For instance, do you perceive a potential risk in responding to a lottery win? Do you generally trust people are who they say are on the phone? Do you often share email links? Have you ever had a bad experience clicking on a link? These factors might make you more or less likely to interact with scams that exploit these behavioral norms.

At the moment, we just don’t know how these different beliefs and attitudes affect people’s decision making when faced with a scam. Until we understand the factors that affect how and why people respond to scams, it is difficult to reduce the problem. The only way this can happen is if people are willing to openly talk about their experiences of scams.

All the awareness campaigns in the world won’t defeat the scammers if people continue to feel ashamed about falling for their tactics. We need to reduce the stigma associated with responding to scams so that all of the ways in which these scams work can be understood. Then we might be able to beat them.

The Conversation: http://bit.ly/1LWBquR

« Brand Reputation Includes Cyber Safety
Is The Cybersecurity Market Facing A Downturn? »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

RedTeam Security

RedTeam Security

RedTeam Security is a provider of Penetration Testing, Social Engineering, Red Teaming and Red Team Training services.

SQA Service

SQA Service

SQA Service provide independent software and process Quality Assurance services.

National Cyber Security Centre (NCSC) - Netherlands

National Cyber Security Centre (NCSC) - Netherlands

NCSC Netherlands coordinates enhancing the cyber resilience of the Netherlands in the digital domain.

Netwrix

Netwrix

Netwrix empowers information security and governance professionals to identify and protect sensitive data to reduce the risk of a breach.

AVL Mobile Security

AVL Mobile Security

AVL Mobile Security is a market-leading mobile security company for anti-virus and threat intelligence in the mobile Internet.

Centro de Gestion de Incidentes Informaticos (CGII)

Centro de Gestion de Incidentes Informaticos (CGII)

CGII is the Computer Incident Management Center of the State of Bolivia.

Sphonic

Sphonic

Sphonic provides regulated institutions of any size a powerful compliance & risk platform to quickly and securely onboard new customers and manage ongoing AML and Fraud & Risk trends.

Trusted Objects

Trusted Objects

Trusted Object's mission is to provide state of the art security solutions and services enabling a strong root of trust for the IoT ecosystem.

Venrock

Venrock

Venrock helps entrepreneurs build some of the world's most disruptive, successful companies. We invest in technology: Security, Cloud Services, Big Data, Healthcare IT, AdTech.

Netragard

Netragard

Netragard has an established reputation for providing high-quality offensive and defensive security services.

SessionGuardian

SessionGuardian

SessionGuardian (formerly SecureReview) is the world's first and only technology which ensures second-by-second biometric identity verification of your remote user, from log on to log off.

AdvIntel

AdvIntel

AdvIntel is a next-generation threat prevention and loss prevention company launched by a team of certified investigators, reverse engineers, and security experts.

Primus Institute of Technology

Primus Institute of Technology

At Primus Institute of Technology our mission is to inspire, support, and empower current and aspiring IT professionals through training and career development workshops.

Bores Security Consultancy

Bores Security Consultancy

Bores Security Consultancy are an established family-run business delivering expertise in security and technology.

SecurityStudio

SecurityStudio

SecurityStudio is a continuous cybersecurity risk management platform that allows decision-makers to quickly identify the most immediate threats and make confident risk informed decisions.

KTrust

KTrust

KTrust provides Continuous Threat Exposure Management for Kubernetes environments.