Thursday, September 15, 2016

Understanding psychology of phishing

Everyone gets phishing emails. For scammers, it is probably the most cost effective way of scamming people. Sometimes phish emails are relatively harmless, but often they can be extremely harmful and trick you into parting with you personal passwords, log in details and bank information.   I wanted to collect a few to show you the types of phishing emails and psychology behind them, language they use and how the message will make you feel and want to react. 

First of all, the biggest and most important message and one I think every fraud agency should use is that phishing emails will have one fundamental thing in common; something to click, be that a link or an attachment. Clicking anything in an email is bad, even if it came from your friends, as people's email accounts can be easily hacked. What you should look for in that case is whether this is out of character for your friend. If so, don't click it. 

Let's examine the most frequent phishing emails and how they persuade. Most phishing emails are designed to evoke visceral states. Visceral states are sexual arousal, hunger, greed, fear and so on. When we are under visceral influence, we are likely to bypass careful information processing and act without proper thinking - because we are acting on that visceral influence. When you are starving, you are likely to eat stuff you would reject otherwise, when you are scared of something, you will do anything to save yourself from danger, when you are attracted to someone, you will do anything to get them... so let's see the language used by phishing emails. 

Those offering refunds 

Who doesn't like getting refunds and money back. The offer of free money often puts one in a visceral state of excitement and greed and this is precisely what the scammer wants. They want you to get excited at the prospect of free money enough to act straight away. 

 Who doesn't like a tax refund. Notice this one also have an expiration date, which will further influence you to act in the moment, fearful that you will miss a deadline.
Then there is a link you need to click. Probably will ask for your bank details so they can pay you. They give you 4 weeks so that you don't report anything for a while and they have time to scam you. 

TV licence refund anyone - when does that happen? Not even in your wildest dreams. Juicy link to boot - see how it stands out so you have no time to read anything else. 

Those offering free prizes 

 Argos doesn't know my postcode - see how it is not specified? Also, you cannot see a link in this one that well but I guarantee you that yes and no buttons don't do anything so you will have to click a link under them, confused that you cannot activate the buttons. Then they will ask you for details to give you the gift card but trust me, you won't be buying anything from Argos's Elizabeth Duke collection. 

Here is another one, note again, two nice juicy links, offering a prize package, all you have to do is confirm your details. 

Added time limit to make you act in a moment in case you lose the deal - this is a known scamming and persuasion technique. 

Good old malware types 

 Lucky, most virus software filters flag these but note how they targeted me on my university email and they made it very relevant - academics are likely to go to conferences.  It asks you to note the date and time in the attachments so in order to check what is going on, you would have to click on it.  

Those preying on your fears 

Here are few examples of phishing emails that will induce panic and fear and make you want to sort out the problem as soon as possible. 

 Of course you did not initiate this download so you will frantically click the link saying cancel and support. They mention initiating a download few times, so you get the message that all you have to do is confirm you did not do it yourself and all will be fine.  Note there is another link lower down and that one will probably lead to a legitimate site - scammers are very good at making everything else look exactly so. 

You won't have time to notice the weird way this email is composed. Why would your account be limited? All you see is something is wrong and things will get worse in 24 hours if you don't click that button. 

I still see advice such as 'hover over a link' to see if it is legitimate but this is now outdated.  Good scammers can fake everything, the link will give you an appearance of going to a legitimate place. Email will seem fine.  Look at this example - is part of the email for my university and this was faked. Previously when people clicked the attachment thinking it came from the university, the virus infected their address book, sending spam and scams to all their contacts - this time from their email. 

The only reason why you would need to click a link in an email is if you subscribed to something that minute and you need to verify email or you requested a password change and you need to follow a link. Any unsolicited emails with links are probably not good news. Scammers cannot get to your details if you don't click links but it helps to understand psychological states the emails are designed to put you in, so you act against your best interests. 
If you are worried about your accounts being compromised, call/log in from another source, never use a link. 

Add me on Twitter for daily advice and stay scam safe. 

Wednesday, August 3, 2016

Do scams really happen only to 'some' people?

Once upon a time it was a common belief that scams only ensnare gullible and greedy people, and if you were neither, than you were safe.  And maybe this was true but it no longer holds.  Let me explain why. 

Scams used to cost money to execute many years ago.  A scammer would have to go door to door, make phone calls (and many years ago, phone calls were not cheap), send a fax or set up a venture to defraud.  It would not always pay off for scammers and it would only pay off in cases where they get someone who fits the bill of a 'typical scam victim'.  And there are many traits that may make you more likely to engage with a scam; impulsivity, emotional thinking, greed etc. 
However, since the internet, scammers have been given a unique opportunity to create multiple identities, to call or contact potential victims with almost no cost to themselves and to even program computers to do that for them.  Somewhere along the internet brick road, defrauding became easy, affordable and anonymous.  This, in turn, encouraged more fraud.  When a person is hit with higher volume of scams, there is a chance that one will pay off - that is just simple maths.  The more fraud pays off for scammers, the more they invest in making scams look legitimate and this leads to more victims. 

When something becomes profitable and there is a low risk of prosecution, it will attract intelligent people to it and this is also true of scams.  Scammers are now very aware of human psychology, they often also know things about you before they target you with scams that are likely to appeal.   They invest in appearing legitimate, often manipulating the social media and the internet (i.e. good looking websites, registering a fake company - this is not checked by the government and the scammer only needs couple of months to defraud many victims).  It is often hard to spot a scam these days as people often don't know whom to trust.  And scammers, feeling safe from prosecution, go to great lengths to defraud; impersonating governmental websites, faking identity documentation to open bank accounts and so on.  

The amount of fraud and the fact that it can be delivered from anywhere in the world makes it extremely challenging for the authorities.  It is not always possible to track down the exact person who defrauded you from somewhere else in the world.  The resources are just not there.  And fraud is so omnipresent now that there are very few people out there who can say they have never been defrauded, either by a fake ebay auction or by having their identity cloned.  

The popular thinking, that scams only happen to a small number of people with specific characteristics, no longer applies today and may actually make one less cautious and therefore, more vulnerable to a scam attack.  Never underestimate a scammer, they are businessmen who know their business well.  Fraud is now an organised crime.  And it's here to stay. 

Tuesday, June 7, 2016

A chain is only as strong as its weakest link

Friday, January 8, 2016

Always, always look a gift horse in the mouth

Do you love your giveaways?  Social media are full of them; free iPads, iPhones, free holidays, free first class travel for a year with British Airways, Virgin flights, BMWs and so on.  All you have to do is like a page and share their post.

Harmless enough, right? No. Most of these giveaways are fake pages that need you to proliferate their scam to other people and once you like them, unless your profile is watertight, they have access to your social media, your likes, dislikes, photos, friends and if you particularly naive, your phone number and date of birth.

People love giveaways.  We like to think that lucky things do happen and they do but this belief is often exploited by scammers and the way to get you to comply, the rewards are often big (does anyone ask themselves before sharing, why would British Airways give away first class travel for a year, likely to cost them hundreds of thousands of pounds) and/or in line with current desires.

Last hoax giveaway, even though not particularly malicious, was that Mark Zuckerberg, the founder of Facebook will be giving away free money to people sharing the status about it.  

People got excited and shared it and there is nothing more legitimate than a post saying; according to this and that, this is not a hoax.  It adds legitimacy but does anyone bother checking?  This is precisely how scams work.  If one sees a post like this (or any advertising some giveaway) from a friend, the credibility of a friend extends to the message, even if it has been shared thousands of times and is not actually written by a friend in question. 

So next time you see shared giveaways, check the page that is sharing it and Google the giveaway (more here).  This is often enough to spot a hoax or a scam.