Mind games: The psychology of cyber scams
While we often associate cyber fraud with high-tech scams, most crimes typically have one thing in common – a hacker exploiting predictable patterns in human behaviour.
There are, of course, fraudsters who devise sophisticated attacks that prey on weaknesses in our cyber defences. However, studies have shown that hackers rely on simple deception in more than nine out of 10 incidents of fraud.
In many cases, it is our overconfidence that puts us at greatest risk, says Paul Maskall, Fraud and Cybercrime Prevention Manager at UK Finance. “Most cybercriminals capitalise on our belief that we would never fall victim to fraud,” he says. “When we consider ourselves immune, we fail to take necessary precautions to defend ourselves.”
Many cyberattacks, known collectively as social engineering, tap into our personal vulnerabilities and fears. An online criminal will often convince their victim that they must take immediate action to avoid financial loss. In this heightened state of anxiety, many of us fail to think our decisions through carefully.
The value of personal data
As the most prevalent form of social engineering attack, ‘phishing’ involves a criminal conning someone into revealing personal details or confidential information such as passwords. A hacker will then use the information to perpetrate fraud or identity theft.
Another common tactic is for hackers to contact their intended victims through text message or email masquerading as a legitimate organisation.
If you would like to learn more about how you can reduce the risk of this type of attack, read our article Seven ways to help protect against ‘phishing’.
Phishing is not, however, the only type of cybercrime that relies on deception. Honey traps, diversion theft and diversion scams also employ similar psychology-based tactics.
“Regardless of how bright an individual is, we can all be susceptible under the right circumstances,” says Maskall.
“Imagine you have experienced the breakdown of a relationship or are having difficulties at work. These additional psychological stresses can distort your perception of the people and events around you.
“Who hasn’t, at some point, taken offence at a harmless text message from a family member or misconstrued a friend’s well-meaning suggestion?” says Maskall. “Often, it is our emotional state that determines our reaction, rather than the events themselves.”
If you are a business leader, it is important to understand that these vulnerabilities also apply to others within your organisation, he adds. “Your colleagues could be experiencing a personal emergency or feel overwhelmed by financial pressures, especially during the cost-of-living crisis.
“Under this kind of stress, they may be more likely to disclose confidential details without properly considering the risk or to download a file containing a virus.”
Slow and steady
As part of his study into human behaviour for his 2011 book ‘Thinking, Fast and Slow’, psychologist Daniel Kahneman states that the human brain works on two levels, which he describes as systems. As the Nobel Prize winner explains, System One operates quickly and draws on intuition, while System Two is more reasoned and slower.
According to Kahneman, it is crucial that we recognise when to engage each of these systems. This is especially important when we are relying on System One, since decisions taken quickly often lead to errors.
As the more methodical part of the brain, System Two can be one of our most effective defences against frauds that rely on creating an illusion of urgency.
“Our defences are at their lowest when we are driven by emotion,” says Archie Nelson, Operational Requirements Lead at XCyber.
“Cybercriminals typically use some form of emotional manipulation to impair the logical centres of our brains.” Often, this approach involves presenting themselves as an authority figure whom their victims would be reluctant to question. In other cases, it may involve pretending that an item they are trying to peddle is rare or valuable.
“Once you have been taken in by the deception, you are more likely to act quickly without closely scrutinising the facts,” says Nelson. “This sense of haste can lead you to hand over personal information or transfer money without confirming that the recipient is who they claim to be.”
How can we guard against these ill-conceived actions? “Don’t allow yourself to be pressured into action more quickly than you are comfortable with,” says Nelson. “Ask yourself if you were expecting to receive the email and whether it is demanding you to do something right away. If the answer is yes, proceed very carefully.”
The heart versus the head
Cybercriminals typically begin their attacks by identifying weaknesses that they perceive as easy to exploit. Taking precautions such as installing anti-virus software and regularly changing your passwords can therefore reduce your risk of falling victim. Nevertheless, even the most effective measures have their limitations.
“This may be an unpopular view, but I don’t believe that technology itself poses the biggest threat in cyberspace,” says Maskall at UK Finance. “What it really boils down to is the way our minds work.
“Any expert in online safety can provide you with a list of precautions to improve your safety online. That’s the easy part. What we cannot do is control your emotional responses when you’re under pressure, which is why none of us will ever be immune from an attack.”
This communication is general in nature and provided for information/educational purposes only. It does not take into account any specific investment objectives, the financial situation or particular needs of any particular person. It is not intended for distribution, publication, or use in any jurisdiction where such distribution, publication, or use would be unlawful, nor is it aimed at any person or entity to whom it would be unlawful for them to access.
This communication has been prepared by Barclays Private Bank (Barclays) and references to Barclays includes any entity within the Barclays group of companies.
The communication is:
- not research nor a product of the Barclays Research department. Any views expressed in these materials may differ from those of the Barclays Research department. All opinions and estimates are given as of the date of the materials and are subject to change. Barclays is not obliged to inform recipients of these materials of any change to such opinions or estimates;
- not an offer, an invitation or a recommendation to enter into any product or service and does not constitute a solicitation to buy or sell securities, investment advice or a personal recommendation;
- confidential, and no part may be reproduced, distributed or transmitted without the prior written permission of Barclays; and
- has not been reviewed or approved by any regulatory authority.
Any past or simulated past performance including back-testing, modelling or scenario analysis, or future projections contained in this communication is no indication as to future performance. No representation is made as to the accuracy of the assumptions made in this communication, or completeness of, any modelling, scenario analysis or back-testing. The value of any investment may also fluctuate as a result of market changes.
Where information in this communication has been obtained from third party sources, we believe those sources to be reliable but we do not guarantee the information’s accuracy and you should note that it may be incomplete or condensed.
Neither Barclays nor any of its directors, officers, employees, representatives or agents, accepts any liability whatsoever for any direct, indirect or consequential losses (in contract, tort or otherwise) arising from the use of this communication or its contents or reliance on the information contained herein, except to the extent this would be prohibited by law or regulation.