Online scams, either through phishing emails, messages on platforms like WhatsApp, or voice calls, are rising. 60 Minutes devoted an entire episode to examining how easy it is today to craft convincing voice calls using AI tools. However, scams are not just about the scammers. They are also about the victims and how they are affected. Online scams are a social problem that deserves a deeper understanding, not just shallow technical advice.
That was the context of my very interesting discussion with Martina Dove, author of the book “The Psychology of Fraud, Persuasion, and Scam Techniques. Understanding What Makes Us Vulnerable.” The book provides an in-depth explanation of not only why we fall for scams and how fraudsters use technology along with other techniques to manipulate others but also why fraud prevention advice is not always effective.
Without any further delay, here’s an edited version of our discussion. I hope you will enjoy it just as much as I did.
Can you tell us a bit about yourself and your journey into the industry?
Martina: I am a user experience researcher for New Relic, an observability platform. We have products such as application monitoring, infrastructure monitoring, security monitoring, and many other things.
How I ended up being a user researcher is interesting. I was an academic researcher before being a user researcher. So before working in the industry, I was working in academia doing my Ph.D. and that’s how I ended up transitioning from academia and academic research to user research and working in tech companies. When I started, my first job was working on some of the responsible AI issues we face and, after that, in the security and observability space. So, I’ve always been around AI and security. I’m also super passionate about security because my Ph.D. was in the psychology of fraud. Therefore, I’ve always been passionate about fraud, phishing, and social engineering. I really love the space I’m in right now.
What made you study the psychology of fraud?
Martina: It was fascinating because I decided pretty impulsively. I didn’t start my Ph.D. with that in mind. I was primarily interested in doing something with the Barnum effect. The Barnum effect is a cognitive bias where people accept vague feedback as something very personal to them. For instance, when you visit a clairvoyant, and they share some information that appears highly accurate, but that information may apply to everyone. You can use sentences that are very vague but applicable to anyone. What really interested me was the Barnum effect, which I studied as a part of my master’s degree. I wanted to continue doing something exciting with that, but I couldn’t find how to tie it to current events.
I couldn’t define what I would work with for a good year. And then, one day, I came across an article about the psychology used in phishing emails. When I read that article, I realized that this is applicable, and I could expand on the knowledge and how the cognitive biases we are all vulnerable to can make us susceptible to fraud. My supervisor liked the idea, and this is how I ended up studying fraud and the factors that make people vulnerable to fraud and scam techniques that scammers use on us.
And do you know what is funny? That article was written by two Australian researchers who were the first to quote my book when it was published. So, I came full circle.
Life makes circles. You spoke about your book, The Psychology of Fraud. Who are the most common victims of fraud? Is it the elders, our parents, or our grandparents? Or is any age group a potential victim of fraud?
Martina: I would say there’s no typical victim of fraud. We do hear a lot about elderly victims of fraud, but they are also more aggressively targeted by scammers. And there are a couple of reasons for that. The first reason is that when you retire, you have some savings, property, and more money than in your twenties, so you’re a more lucrative victim to the scammer than you would be when you’re younger. And then, as we age, our cognitive functions become less able to process information quickly. Sometimes, people have early onsets of dementia or Alzheimer’s, which makes them easily confused, which may not be evident to the family initially. It is when people understand something’s happening to them that they get easily confused, and they can’t make decisions as quickly and rationally as they used to, but they’re hiding it from the family.
I think scammers focus on older people for these reasons. Having said that, anybody can be a victim of fraud. And some scams that I’ve seen are indistinguishable from real situations. As humans, we trust other people to cooperate with us and conduct business. A lot of the time, scammers dress scams as ordinary operations, and there’s very little that can warn you that it’s a scam. So, I would say there’s no typical victim, but some people are targeted more just because of where they are in their lives.
Also, significant events in our lives, such as divorce or bereavement, make us more vulnerable. Any new event, like the pandemic, is a perfect opportunity for scammers to insert themselves. One thing that happened with the pandemic, which gave fraudsters the ideal opportunity to scam us, is the fear that everybody felt. They exploited that fear by creating, for example, fake websites selling masks that were short in supply. It was the perfect opportunity for scammers because we were in a state of fear.
Therefore, I wouldn’t say it has so much to do with age, but it has to do with stages of life and events that are lucrative for scammers.
Do you think that the lack of digital literacy is a factor that plays into successful scams?
Martina: Yes and no. I don’t like to say yes because you are also not online as much when you don’t have digital literacy. Online presence can make you vulnerable because you’re sharing things, and there’s more for the scammer to use against you. If you don’t have a digital footprint online, scammers have very little to convince you that they have information on you, but if people are unaware of how certain things work, they are more vulnerable. Therefore, it’s not so much about digital illiteracy as it’s about the background knowledge and awareness of how scams operate.
We recently saw an episode on 60 Minutes about how successful scams can be. What are the reasons behind this high success rate? Is it scammers being so convincing? Is it our human nature and our biases, or a combination?
Martina: It is not just one success factor. Scams that are very targeted at a certain person, with the fraudster investing a lot of time collecting information and analyzing what they know about the victim, are also very successful, especially with the increased use of AI and deep fakes. Those are going to be very effective.
But also, there are scams that are just casting a wide net. Scammers that target a broad audience by keeping the scam very vague and the amount low will also have a lot of success. People aren’t as careful when the amount is low because the risk is low. These frauds can be very successful because lower amounts are less likely to be reported to the police, so the scammers go undetected.
You can be successful with more than one strategy in fraud. It depends on what you do and how you do it. I think AI is going to help scammers create more sophisticated phishing emails. If you get a phishing email, you spot things like spelling mistakes or bad grammar. All of that is going to be more difficult now that AI can be so easily used.
How will AI help scammers to craft convincing email or voice messages?
Martina: Several years ago, in 2018, I was analyzing sextortion emails when they first started being very prevalent. I analyzed 60 different sextortion emails to see what the patterns are. These emails had some very persuasive elements, but there were a lot of spelling mistakes. The scammers were even going as far as apologizing for the spelling mistakes because they knew people would notice them and flag them as scams. These messages were poorly written and constructed, whereas I’ve gotten one scam recently, and it was so beautifully written. With AI tools being free to use, I don’t think we should be thinking that scammers are not taking advantage of them either.
What are the most common tactics that the scammers use?
Martina: Different scams have different factors and different techniques. However, successful scams evoke visceral influences or primal drives, which can be very influential. There are lots of scams that evoke fear, like extortion emails or phishing emails pretending your bank account has been compromised. When we are under visceral influence, our judgment is compromised, and we often make impulsive decisions.
Other visceral influences are greed, sexual desire, hunger, thirst, etc. Once we are under the visceral influence, all we think about is how to address the needs of that state. For example, when you’re hungry, all you’re thinking about is food. That’s how strong these primal instincts are.
Good scams will evoke a visceral influence subliminally. They won’t spell out that your account has been compromised; instead, the email will appear informational, but you will still panic when you see that someone used your account to purchase something you did not authorize. There are also other techniques, like authority, scarcity, threats, social proof, flattery, etc. It depends on what the scammer is trying to achieve.
The problem is, and you mention it in your book, that many scams go unreported. Why is that? Is it the psychology of the victims? What keeps them from reporting fraud to law enforcement?
Martina: There are several reasons, but the first one is victim blaming. There’s a big stigma around being defrauded. You see that with other crimes, such as sexual crimes, where aspersions have historically been cast on the victims of sexual abuse through questioning if the clothes they wore were revealing or if they were intoxicated.
There’s a reason why we do that. It’s a cognitive bias called the belief in a just world. We believe that there is justice and that we can control events that are often out of our control. If we can attribute something to the victim, we can justify to ourselves that it wouldn’t happen to us. A lot of victim blaming is down to this bias and our illusion of control. We don’t want to think that bad things could happen to us, so we sometimes blame crime victims to give us a sense that we would have control over similar situations.
Therefore, the stigma of being a fraud victim is what stops victims from reporting fraud. Victims already feel bad and are often ashamed that this happened to them, and when they try to report it, they are often dismissed by police. I’ve interviewed many victims, and they told me that they have tried reporting a scam to the police, and basically, the police didn’t take it seriously. This rejection reinforces the feeling that it’s your own fault.
There is a lot of shame attached to it. And as a result, people just don’t speak up. This is really sad because scammers thrive when we are quiet; they go undetected. People who hear about others’ scam experiences may be able to recognize that scam when they come across it, so sharing this knowledge is extremely important. But I think, as a society, we’re not very sympathetic toward fraud victims, and that’s stopping a lot of people from reporting or talking about it.
Is this an indication of a lack of awareness, or do we lack the empathy to understand how fraud victims feel?
Martina: I think it’s empathy, but it’s also being human. As humans, it’s natural to be more positive. A lot of people that I’ve interviewed who have been defrauded said they thought it would never happen to them. “I’m an intelligent person. This wouldn’t happen to me.”
People often have a positive view of themselves and think that they are smarter than other people. That view and the belief that scams only happen to certain types of people can result in a lack of empathy for victims. When we reflect on scams we hear about, we reflect from a rational perspective. But people forget that it’s easy to be rational when you are not emotionally involved.
When you’re emotionally involved in a romance scam, or you are in a panic because the scammer has persuaded you that your loved one has been kidnapped, as in recent scams, you are not in a rational state. But we forget. I always like to ask people, do you remember when you were really, really in love and you were doing stupid things? When you’re in that state, you see things differently. You justify things which, to a rational person, would seem wrong. I think that lack of empathy comes from the separation between rational and emotional states. You don’t know how you would react until you are in an emotionally charged situation.
When we’re discussing fraud, we mainly focus on the individual side. But fraud has two players, the victim, and organizations like banks and telcos. What is the role of telcos, banks, and governments, including police and law enforcement, in fighting this crime?
Martina: That’s an interesting question. I’ll pick at the police first. Typical police departments may not be equipped to deal with scams. It is a crime that is difficult to investigate, especially when there are cross-border activities and different jurisdictions involved. These online frauds are extremely complicated. And often, when a victim goes to the police, they’re dismissed because they don’t know what to do with it. I think the police and governments should invest more in fighting fraud. First and foremost, the governments.
I have empathy for the banks for one reason. It’s a business, and any business puts a lot of emphasis on earning money. If they mark an activity as a fraud and stop the transaction, only to discover it’s a legitimate business, that customer will suffer and likely be angry with the bank. They have to be very careful not to annoy their legitimate customers. How can they tell for certain that it’s fraud?
Or how do they intervene when they think it’s fraud? It’s not always easy because often, when it is obvious that someone is being scammed, the scammer has already groomed the victim and persuaded them to lie to bank officials.
You need to start prevention before the victim even gets in contact with a scammer. It’s not an easy problem to solve, even with behavioral analytics that they can leverage. But I do feel that banks have a role to play when a scam is reported. They should investigate and act very quickly. A lot of banks have not done that, allowing scammers to reuse the account for fraud even when the victims are reporting it. Everybody has a role to play. It’s not an easy problem to solve, though.
Do you think that adding some friction, for example, multifactor authentication, would be a possible way to deal with this problem?
Martina: Definitely, multifactor authentication is a good thing, but I’m not sure that it would prevent fraud, specifically because scammers are already persuading victims to send the codes. Adding friction would give scammers a little bit of a harder time. But what I’ve observed with scams and how they evolved since I’ve been studying it is that scammers are very good at coming up with interesting ways of getting around whatever we put in place. The only thing they have in common is they are good at hacking humans.
This is where we need to invest, and I think, as a society, we still don’t see the benefit of focusing on the human. We focus too much on technical stuff. But if you have a human operating that technical stuff, immediately you have a weak link to address. Are these humans also vulnerable? How are they vulnerable? What would make them participate?
A lot of companies forget about humans and just invest in technology, and it’s not working. The biggest problem for security teams is humans. People clicking phishing links and downloading malware. That’s the biggest threat for them. This is why we should focus more on prevention rather than putting in more friction. If we put the friction in place, within two months, scammers will get around it. And then, we’ll have to think about another type of friction.
How can we protect ourselves from scams?
Martina: Being aware and informing ourselves about scams. And when you’re informing yourself about scams, I would say go a little further and seek literature that talks about what makes us vulnerable as humans. A lot of the time, I see fraud prevention advice that focuses only on technical workaround solutions. That’s good, but tomorrow, that scammer will come up with something else, and it’s going to feel like a totally new scam. If you teach people about the mechanism of scams, that will protect them better. The story or narrative will change, but techniques stay the same and have been around for centuries.
I would say the way to protect ourselves is to dig a bit deeper. Don’t just read about scams that are currently going around. Educate yourself on things like individual factors that make us vulnerable and what scammers do to persuade us. How does our brain process the information we are given and under what conditions, and how can this make us vulnerable to fraud?
Those are all the things that I addressed in my book because I realized there’s such a gap in the market for that kind of information. That’s the awareness you need when you get a scam and are emotionally affected. If you don’t know how scams emotionally affect you, you’re going to act on that emotion. But if you are aware of and expect that emotion, you have a better chance of letting that emotion die before you do anything.
How can awareness help us prevent scams?
Martina: The key is to raise awareness but also invest in quality advice that people can follow. No more ‘do this’ or ‘don’t do this’ type of advice because people switch off when you’re telling them what to do. Rather, providing awareness from the position of this is how scams work. This is how they’re going to make you feel, and this is why. Engaging people to try and understand the mechanics, and through that awareness, they can figure out where their weakness is.
It’s knowing what makes you personally vulnerable and coming up with solutions to avoid situations. Real awareness is not just following anti-fraud advice and not knowing why you’re following it, but really understanding how scams work, how they persuade us, and what effect this has on us. Awareness for me is seeing the holistic picture and examining ourselves in that context as well.
Thank you so much, Martina, for this insightful chat.
If you would like to explore the topics discussed in more detail you can get Martina’s book now from Routledge or your favorite online bookshop. Martina was also kind enough to contribute to our AI eBook, which you can download here.