The Tricks Behind the Clicks: Cyber Scams and Psychology
What is it that makes people fall for scams? Cybercrime is as hot as ever, with new and more creative scams popping up all the time. There is plenty of focus on spotting scams, but less so on what makes people miss the signs.
Martina Dove, Ph.D., is a senior UX researcher at Tripwire and an expert in fraud psychology. Her research into the brain’s reaction to cyber scams and how the human mind operates when presented with a scam makes for an interesting read. On top of this, it also takes a look at fraud, and how susceptible we are to it, and it does this by using Dove’s own model.
Cybercrime from a Psychological Standpoint
Discussions around cyber security often center on the technical aspects of security and data protection for businesses and people’s personal lives. New gadgets, devices, controls, and defenses are constantly circulating- which helps the fight to fortify our information and secure the confusing and tricky online environment.
Trust is a fundamental human trait. Humans trust by default. Scammers capitalize on this knowing that people look at life and scams and trust first, and scrutinize later. The hard part is how we can best keep ourselves, and our minds, safe against scams and where the holes might lie. The fundamental psychology behind the cybercrime mentality is underexplored, and so far, discussions often go no further than scratching the surface.
This is surprising, considering that it has such huge impact on what motivates people on either side of a scam. According to the latest Verizon Data Breach Investigations Report (DBIR), social engineering is the most common type of attack in regard to cybercrimes.
The psychological elements of how phishing emails are presented, the power of persuasion, and what makes people fall for scams are all important to really understand how things work and ultimately how to avoid becoming a victim.
Martina Dove’s Research into Fraud Psychology and Scams
Few people have provided quite as much insight into this topic as Dove. Having specialized in fraud psychology, Dove became particularly interested in the concept of gullibility when pursuing her master’s degree and ultimately decided to carry it through into her Ph.D.
In an interview with Tim Erlin of Tripwire, Dove said that she had always been interested in the idea of gullibility, which is what makes a person gullible- and what it really means to be a gullible person. After reading an article published by two psychology researchers who were exploring the tricks and techniques used by scammers (particularly in phishing emails), Dove decided to drive her own studies down a similar route, diving deeper into the human psyche and scam vulnerability.
The main point of this research is a fraud susceptibility model that looks at the ins and outs of what puts a person at risk on a psychological level of falling victim to spam, scams, and phishing.
According to Dove, it was not her intention to create a model when she first started- the research naturally took her in that direction as she uncovered more fascinating theories about persuasive techniques, thought processing, and personalities that may influence how people react to these attacks.
Martina Dove’s Ph.D. research has also been turned into a book called The Psychology of Fraud, Persuasion, and Scam Techniques, which is available on Amazon.
The Fraud Susceptibility Model
The research that ultimately led to the model in Dove’s book started as a questionnaire designed to build a “measurable scale of fraud vulnerability.” It was scorable, with the answers determining what areas of a person’s personality put them at risk.
After a series of tests and experimental studies, along with expert analysis and validation, the model just created itself. Dove explained that some factors that influence susceptibility could actually be mapped and used to predict a person’s natural reaction when faced with a fraudulent situation. The fraud psychology expert also went on to describe how the model is used to determine compliance and the reasons behind it, as well as how people strategize after they realize they have been victimized.
It looks into the characteristics that leave a person most susceptible at each stage of a scam.
How do personal circumstances- emotional, social, financial, etc. – influence how we react to fraud? Does our demographic play a role? Our family situations? Essentially, how great an impact do our social surroundings and everything that comes with them have on our ability to identify and avoid scams?
2. Engagement with scammers
Once a person is on the hook, what techniques does the scammer use, and how do personal character traits change how we respond? What types of persuasion works best on different personalities, and how do scammers identify and exploit these vulnerabilities?
3. Dealing with victimization
Dove’s model explores the conscious versus unconscious decision-making processes that occur when people deal with phishing emails and other fraudulent communications- and after they realize they have been fooled. How do people accept what happened, and how does it impact their behaviors?
Throughout her research, Dove shares examples of circumstances and characteristics that can make people more or less susceptible.
- Group mentality: Someone who is highly concerned with being part of a group and uncomfortable going against the status quo may ignore signals of uncertainty and doubt if others disagree.
- Compliance: Naturally compliant individuals are hardwired to follow instructions. Scams prey on this, hoping that the ‘no questions asked’ mentality is enough to make a person adhere to requests.
- Impulse: Impulsive people are less likely to take time to assess a situation and take the necessary steps to confirm a source or authenticity. Those who tend to favor fast decision-making over meticulous processes are more likely to become fraud victims.
- Belief in justice: It may sound strange, but people who believe criminals will get caught and that bad things don’t happen to good people are vulnerable. Because they don’t see these things as pressing threats, they may overlook obvious signs. The naivety that says, “this won’t happen to me- I am a good person,” is potentially dangerous.
- Background knowledge and self-evaluation: How much a person knows- or thinks they know- about cyber security can be a hindrance. People assume that their understanding of how scams work and what to look out for will protect them from becoming victims. This is, to a point, true, but it can also make people complacent. Being an expert in a field doesn’t disqualify a person from falling victim to targeted fraudulent communication.
- Reliance on authority and social confirmation: If someone is particularly concerned with what others think, they may be at more risk. Authority-driven individuals may make decisions based on the belief it is a request from a superior, and socially-driven people may go along with something because of influence from friends or family.
- A general predisposition to scams: According to a study published via ScienceDirect, some people are just prone to fraud because of their engagement levels. Everything about them may suggest otherwise, but they have something in them that makes them more likely to go along with a scam.
Examples of Scams and Victim Profiles
Here are two examples of scams and the types of psychological profiles they are likely to target.
- Business Email Compromise Scam: The basis of this type of scam is a boss or member of management emailing an employee asking for urgent funds. It preys on qualities such as compliance, obedience, respect for authority, and hierarchical values. People who have a strong belief in the pecking order are less likely to question a demand made by a superior and are therefore more likely to comply without hesitation.
- Sexploitation Scams: These scams use fear as the driving force to get people to comply with demands. A scammer working in this field uses language to evoke a person’s most primal drives- hoping their influence takes over the more practical aspects of human thinking. Anyone can struggle to make intelligent decisions when they are especially scared or excited, but someone prone to fast emotions is more likely to be a prime target.
It is interesting to see how different these two examples are, which shows how much a person’s emotional makeup and core values can impact their likelihood to become a victim of fraud.
The Challenges Facing Scam Awareness
As Tim Erlin rightfully pointed out during his interview with Martina Dove– a significant challenge that stalls the progress of beating cyber criminals is the underlying sense of shame and embarrassment many scam victims feel. He stated that people don’t want to admit they fell for it and may not even report that it ever happened. This, sadly, is true and only adds to the stigma of fraud victimization- making it harder to build a substantial defense against these crimes.
Furthermore, there is a dangerous habit out there of immediately labeling scam victims as stupid, making them feel guilty for being the target of what is, at the end of the day, a crime. Fraud is as real as robbery, yet the victims are treated very differently.
Increasing the awareness and understanding of why these things happen and changing the narrative of how victims are perceived could help bring a more accepting mainstream view.
How Can Martina Dove’s Research Help with Fraud Awareness Training?
Modern businesses are acutely aware of the very real risk of cyber scams and take steps to protect and educate their staff, but is there enough focus on vulnerability rather than vigilance? The idea that anyone can fall for a scam needs to be more publicized, and people made aware of what exactly is it about a person’s personality and psychology that makes them vulnerable.
As cyber security professionals can confirm- the human aspect is and always has been the weak link in the defense chain because people can make mistakes, and the brain is open to mind games. If scammers are getting better at playing on the mind, then security experts need to get better at educating people on how this exploitation works.
Using Dove’s research to make anti-fraud training more human-focused and interactive could be the difference between a person falling victim and feeling ashamed and being aware of emotions used against them- and being able to stop an attack in its tracks.
Practical Advice for People at Risk
As part of Dove’s research, she complied a checklist of actions to take towards proactively identifying potential scams and avoiding being drawn into the deception. Here is a brief summary of the key points for consideration.
- Question how it makes you feel: Scams play on emotion and aim to evoke a strong reaction, so how you feel when you read something could be an instant warning sign.
- Look for further language clues: Is there any wording that seems overly strong or makes you feel bad in a way that seems unnatural?
- Beware of links: A quick and convenient ‘click here to solve your problems’ may not be what it seems. Only access trusted links and log into any secure accounts via the official portals and never through an email.
- Make space for rationality amongst emotion: Understand that what you feel in the moment could have been engineered through clever psychological tricks and attacks. Take a step back, wait to make a decision, and ask for opinions from family and friends if you are not sure about how to proceed.
- Scrutinize the details: Look into correspondence for any sign of falsification or something that just doesn’t feel right. Emotional people may be quick to act, but they can also have strong senses of instinct.
- Don’t rush to action, no matter the request: Sometimes, a pause is all it takes. Stopping and thinking is never bad practice in any walk of life or decision to be made.
Everyone was not created equally when it comes to emotions and how they drive our thoughts. Moderating how they impact decisions and how vulnerable they make us to gullibility is not easy, and greater awareness is needed.
The ties drawn between psychology and cybercrime are truly fascinating and open up an interesting and far overdue conversation about the correlations.
Written by Robert Siciliano, CEO of Credit Parent, Head of Training & Security Awareness Expert at Protect Now, #1 Best Selling Amazon author, Media Personality & Architect of CSI Protection Certification.