LEGAL/ETHICS

Out-thinking the cybercriminal

Cybercriminals take advantage of the nature of human psychology to ensnare their victims. Understanding the tactics they employ is the key to defeating them

Mr Andrew Power, Head of the Faculty of Film, Art and Creative Technologies, Institute of Art, Design and Technology, Dun Laoghaire, Dublin and Ms Gráinne Kirwan, Lecturer in Psychology, Institute of Art, Design and Technology, Dun Laoghaire, Dublin

March 1, 2012

    The internet is a domain where we can feel both secure and anonymous, or afraid to the point of panic due to our uncertainty about cybercrime. At times we feel safe and secure – the criminals cannot physically reach us (or so we tell ourselves), and our presence online feels anonymous in many cases. On the other hand, we hear the tales of those who have fallen victim to online offenders, and we fear that a similar fate may await us if we do not take adequate care of our online selves. Both aspects of these conflicting emotions are exploited by cybercriminals, who take advantage of the nature of human psychology to ensnare us in traps such as fraud, downloading malicious software and, in some cases, the online predation of children.

    Cybercrime includes a wide variety of activities, including hacking, malware development and distribution, identity theft, child pornography offences, cyberterrorism and copyright infringement. These offences and their perpetrators are fascinating from a psychological perspective, in particular because of the psychological tactics that some of these offenders use in order to ensnare their victims.

    Looks phishy?

    Most internet users will have experienced a ‘phishing’ scam at some point, where an email is received which asks the recipient to engage in a behaviour which can eventually lead to fraud or identity theft. Cybercriminals attempt to exploit weaknesses in human perception and decision-making in order to draw in their victims and persuade them to part with personal information. Firstly, they might include information in the emails that makes it look like they have originated from a legitimate entity, such as a trusted company or organisation. This information can include elements such as the organisation’s logo, a legitimate-sounding email address, and use of the recipient’s name. These tactics rely on the ‘heuristics’ or shortcuts that humans use when making decisions – it is impossible for people to consider all elements of every situation, and so we tend to pay more attention to salient cues – those cues which ‘jump out’ at us. We are especially likely to comply when these cues suggest that the source of the email is an authority figure, such as a well-known company, a bank executive or a professional in a position of authority. 

    This weakness in decision-making may occur if the potential victim feels that they are under time pressure to respond, and potential fraudsters also make use of this vulnerability by inducing fear or greed in their victims. Fear is invoked by suggesting that the victim may lose money or get into trouble with authorities if they do not respond to the phishing email quickly. Some emails have given the impression of coming from government agencies, indicating that users must respond immediately to pay overdue taxes, and a delay in responding could result in prosecution. Similarly, a phishing scam may attempt to worry victims by suggesting that their online banking account may have already been infiltrated, and they must immediately log in to ensure their losses are minimised. They are encouraged to do this by clicking on a link in the email which brings the user to a webpage which appears to be the login screen for the online banking account. The user may then input their username and password for the account, and only later discover that the webpage is only a copy of the site, created by the fraudster to capture the victim’s account information. 

    A potential victim’s greed is manipulated when an email offers a share of a large amount of money if the victim agrees to help the fraudster in some way (such as by moving a substantial inheritance or cash amount out of one country and into another). Other emails suggest that the recipient has won a lottery, or is entitled to some form of compensation which they have not applied for. Any person who responds to these ‘advance fee fraud’ emails will find that they are asked for an initial cash injection, either to enable the transfer of the larger sum or as an administrative charge. As the scam progresses, the victim is asked to part with larger and larger sums of money, without ever seeing the promised windfall. On a positive note, similar scams which offer significant sums of money have been in circulation for some time, and as such many internet users are aware of their existence and the nature of the fraud involved. Nevertheless, some fraudsters have developed new methods of exploiting human greed. A recent email circulating in Ireland was written in Irish, and appeared to come from the Revenue Commissioners. This email indicated that the recipient had overpaid taxes, and as such was due a refund. The sum was small, but still desirable, and the email simply asked the user to complete an online form to claim their refund. The information provided through this form would be sufficient for identity theft to take place. 
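    As an added illustration (this script is not part of the original article and is not the authors' code), the following Python program scores an email for the cues described above: a display name that projects authority but shares no word with the actual sender domain, fear and time-pressure language, windfall language, a request to log in or supply credentials, and a link whose visible text names one host while its href points at another. The cue word lists, the two-cue threshold and the two sample messages are constructed for this example; the domains and IP address in them are reserved documentation values, not real campaign data.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Cue families follow the tactics described in the article (projected authority,
# fear/urgency, greed, login links). The word lists and samples are constructed.
URGENCY_CUES = ("immediately", "within 24 hours", "suspended", "prosecution",
                "act now", "infiltrated", "unauthorised access")
REWARD_CUES = ("refund", "you have won", "lottery", "inheritance", "compensation")
CREDENTIAL_CUES = ("log in", "login", "password", "username")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Hostname of a URL; a bare 'www.example.test/path' is treated as http."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def _body_text(msg):
    """Return the HTML part if present, otherwise the first text/plain part."""
    chosen = ""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/html", "text/plain"):
            raw = part.get_payload(decode=True) or b""
            chosen = raw.decode(part.get_content_charset() or "utf-8", "replace")
            if ctype == "text/html":
                break
    return chosen


def score_message(raw):
    """Return (score, reasons): one point per cue family present in a raw RFC 822 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    body = _body_text(msg)
    text = (msg.get("Subject", "") + " " + body).lower()
    reasons = []

    # Cue 1: projected authority. No word of the display name appears in the sender domain.
    tokens = [t for t in re.findall(r"[a-z]+", display.lower()) if len(t) >= 3]
    if tokens and not any(t in sender_domain for t in tokens):
        reasons.append(f"display name '{display}' unrelated to sender domain '{sender_domain}'")

    # Cues 2-4: fear/time pressure, greed, and a request for credentials.
    for label, cues in (("urgency/fear language", URGENCY_CUES),
                        ("reward language", REWARD_CUES),
                        ("credential request", CREDENTIAL_CUES)):
        hits = [c for c in cues if c in text]
        if hits:
            reasons.append(f"{label}: {', '.join(hits)}")

    # Cue 5: deceptive link. Visible text looks like a URL but the href goes to another host.
    extractor = _LinkExtractor()
    extractor.feed(body)
    for href, shown in extractor.links:
        if re.fullmatch(r"[\w.-]+\.[a-z]{2,}(/\S*)?", shown.lower()) and _host(shown) != _host(href):
            reasons.append(f"link text '{shown}' but href host '{_host(href)}'")
            break
    return len(reasons), reasons


def is_suspicious(raw, threshold=2):
    """True when at least `threshold` cue families are present (threshold is arbitrary)."""
    return score_message(raw)[0] >= threshold


# Constructed sample messages (documentation-reserved domains and IP address).
PHISH = """\
From: "Example Bank Security" <alerts@secure-login-verify.test>
To: customer@example.com
Subject: Your account has been infiltrated - log in immediately
Content-Type: text/html; charset=utf-8

<html><body>
<p>We detected unauthorised access. Log in within 24 hours or your account will be suspended.</p>
<p><a href="http://198.51.100.7/login">www.examplebank.test/login</a></p>
</body></html>
"""

BENIGN = """\
From: "Example Bank" <statements@examplebank.test>
To: customer@example.com
Subject: Your monthly statement is available
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your January statement is now available in online banking.</p>
<p><a href="https://www.examplebank.test/statements">View statements</a></p>
</body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("benign", BENIGN)):
        score, reasons = score_message(raw)
        print(f"{name}: score={score} suspicious={is_suspicious(raw)}")
        for r in reasons:
            print("  -", r)
```

    Such a scorer is a triage aid for a mail filter or for staff training, not a verdict; the fifth check (visible link text versus the real href host) is also the one a reader can perform by hand by inspecting where a link actually leads before clicking it.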

    An emotional phish

    Online fraudsters may also attempt to manipulate other emotions in their potential victim, including sympathy or guilt. This can be accomplished by sending emails that ask the recipient to send a donation to the sender so that they can obtain some vital food or equipment which they need for survival. The recipient is likely to find that if they make the initial donation, they are repeatedly asked for larger and larger sums. In some cases, the email may claim to be from someone who is suffering from a life-threatening illness. This individual may claim to need the direct financial support of the potential victim, and in these cases the emails are designed to elicit sympathy, but in other cases these emails may use a combination of the sympathy and greed tactics. They do this by suggesting that the sender is close to death, and needs to transfer a significant amount of money out of their country, which they can only accomplish with the help of the email recipient. Such emails often indicate that the monies transferred should be used for specific purposes, often relating to religious charities, but the amounts involved are sufficiently high so as to tempt the potential victim to keep some or all for themselves. These emails sometimes indicate that the target was chosen as they appeared in online search results for an ‘honest’ or ‘honourable’ individual. This is mentioned in order to explain why the email recipient does not know the sender. The email may also use friendly or overly familiar language in an effort to gain the recipient’s trust. 

    In some instances, the potential fraudster might target a specific individual – a technique known as ‘spear-phishing’. In this case the fraudster may take considerable time and effort to uncover details about the target, such as the name and details of their manager, colleagues or even friends and family. The email sent can then include these details, lending greater weight to the content as it in some cases appears to be endorsed by people the recipient trusts. 

    These types of attack demonstrate another human psychological weakness: confirmation bias. When we develop a tentatively held belief – such as that our manager has requested us to share confidential data with a third party – we tend to seek information that confirms this belief (for example, mention of our manager by name in the email) and do not actively seek evidence which might support an alternative conclusion (for example, a brief phone call to our manager would quickly uncover the fraud, but we are not inclined to do so). 

    A final type of fraud involves online dating. In this type of offence a user of an online dating website might find themselves communicating with a potential partner, only to find that their perceived love interest makes more and more demands of them, often seeking financial support. The excuses the dating partner provides are numerous, and often heart-wrenching, as they might seek money to help to pay hospital bills or to make emergency travel plans. Many individuals have been defrauded of significant amounts of money due to such scams, and when the truth finally emerges the victim may find themselves with particularly deep emotional wounds, as they also face the reality that their potential romantic relationship was a lie. 

    Malware

    ‘Malware’ is a catch-all term for ‘malicious software’ – any type of software which causes intentional harm to a victim’s computer or other device. Malware includes software such as computer viruses and spyware, as well as lesser-known terms such as ‘rootkits’, ‘Trojans’, ‘keyloggers’ and ‘worms’. The methods of transmission of such malware have changed over time – 20 years ago one of the most common methods of transmission was by infected floppy disks, whereas today most malware is transmitted using the internet. Nevertheless, in many cases the malware requires some human action before it can infect a system or replicate itself. 

    Some malware hides itself within seemingly useful programmes or files which a user may download from a website. Other malware is transmitted using email or via social networking sites. In many cases, the malware takes advantage of human psychological processes to encourage a user to install or download the file. Historically, there are key examples of computer viruses that exploited human desires: the ‘I love you’ virus of 2000 infected millions of computers as their owners attempted to open an email attachment that appeared to be a love letter. In 2001, the ‘Anna Kournikova’ virus spread rapidly as it feigned to be a photograph of an attractive tennis player. In more recent times, social networking site users have been the targets of malware, and again the malware appears to offer something of interest to the user. This may be a video or photograph, or even an application which allows the user to see who has viewed their profile. When a user clicks on such links, they can inadvertently allow the malware to collect personal information from their account. The malware will frequently post a new link to itself on the user’s status update, often without the user’s knowledge. In these cases, the malware can spread quickly, as it appears to friends of the initial victim that the person has endorsed and approved of the video, photograph or application, and so many may unintentionally fall for the same trick. 

    Grainne Kirwan and Andrew Power of IADT

    Online child predators

    A common fear of parents is that their children will encounter a sexual predator online. While these fears often begin for parents of young children, in many cases, these predators target adolescents, often teenage girls. Online predators use a variety of techniques to persuade their potential victims to meet them offline, a process termed ‘grooming’. Initially they may spend some time complimenting the girl, gaining her trust, and allowing her to feel flattered by the attentions of an older man (in many cases, the victim is aware that the person they are communicating with is somewhat older than they are). The predator may use information gathered online to gain the trust of the victim, perhaps by pretending to know some of their friends by viewing their contacts on a social networking site. They may also pretend to share the hobbies and interests of the victim. 

    The predator will often engage the potential victim in conversation to determine how close they are to their parents or caregivers. This is done in order to determine the likelihood that the potential victim will tell their parents about the predator. Over time the perpetrator will try to get the victim to engage in increasingly sexual behaviours. They may start by encouraging the victim to describe sexual acts to the offender using instant messaging, which may lead to the exchange of naked or semi-naked photographs and/or video chats using webcams. At each stage, the perpetrator monitors the behaviour of the potential victim to see how willing they are to engage in these acts. The more willing a potential victim is to engage in these behaviours, the more likely it is that the predator will try to persuade them to meet for an offline encounter. It has been noted that some predators take advantage of the location tracking aspects of many social networking sites to determine the geographical location of their targets.

    It should be noted that, in many cases, those victims that do meet their predator offline are aware that they are going to a sexual encounter, but the perpetrator may have one final psychological trick up their sleeve. The predator may persuade the victim that they are truly in love with them, and that they are starting a long-term relationship, in order to increase the probability of a sexual encounter. The victim may then find that, following this encounter, the perpetrator has lost interest in them, and moved on to a new victim. 

    What can we do to protect ourselves?

    Despite the exploitation of human psychology by cybercriminals, there is still a great deal that we can do to protect ourselves and our families. We can ensure that our security software (such as a firewall, anti-virus software and operating system security updates) is current, and runs regular scans of the system. Privacy settings for social networking site profiles of adults and children should be at a high level (generally restricted to friends only whenever possible), and children and adolescents should be informed regarding the importance of only accepting friend requests from people who they know in real life. Children should be encouraged to talk openly with a trusted adult about what happens to them online, and if they are approached by an online predator, this should be reported on the website www.hotline.ie.

    The more aware we are of the weaknesses in human decision-making, the better our chances are of avoiding becoming the victim of fraud and malware. The techniques used by offenders can be outsmarted if we are aware of our decision-making tendencies such as attention to salient details, confirmation bias, and compliance with projected authority. It should also be borne in mind that we have a tendency to underestimate the risk of a negative event happening, and overestimate the likelihood of a positive event occurring, and so we may not recognise a cybercriminal threat when it does occur. Nevertheless, with the right tools and perspective, we can significantly reduce our risk of victimisation.    

    ‘The Psychology of Cyber Crime: Concepts and Principles’ is published by IGI Global

    © Medmedia Publications/Modern Medicine of Ireland 2012