Hacking the heart: the psychology of scams

Online deception can be a threat to people’s mental and physical health, warns Professor Monica Whitty, cyberpsychologist at the University of Warwick.


Con artists have been scamming victims for centuries. However, because the internet allows criminals to target many more victims, in the last 10 years we have witnessed scams on a global scale. In the UK in 2016, it was reported in the National Crime Survey that citizens are 10 times more likely to be robbed while at their computer by a criminal based overseas than to fall victim to physical theft (Office for National Statistics, 2016). In my work in the Cyber Security Centre at the University of Warwick, WMG, I have been leading inter-disciplinary projects that attempt to understand the psychology of scams and find effective methods to detect and prevent them. In particular, we have focused on mass-marketing frauds (MMFs).

Not all readers will be familiar with the term MMF; however, most would have encountered at least one of these in their lifetime. MMF is a serious, complex and organised crime. Examples include foreign lotteries and sweepstakes (in which the victim believes they have won money from a lottery and are told to pay a fee in order to release the funds); ‘419’ scams (advance-fee fraud, in which victims believe that for a small amount of money they will make a large fortune); and romance scams (in which the victim, taken in by a fake online dating persona, sends the fake persona money). Some MMFs are low-value, one-off scams on large numbers of victims, whilst others involve developing a relationship (e.g. romantic, business, friendship) where money is defrauded over time, again with simultaneous or sequential victims.

Victims of MMF suffer both financial losses and psychological impacts, with the latter sometimes outweighing the former, even when large sums of money are lost. One of our motivations to investigate this particular cyber crime is the severity of this psychological harm – in some cases victims have been known to commit suicide. Common reactions to being scammed include shame, guilt, embarrassment, depression, grief, anxiety and loss of trust.

Catching and prosecuting MMF criminals is difficult, for three main reasons. Firstly, the criminals often live in a different country to the victims. Secondly, the methods they use make them difficult to trace, and thirdly, prosecution is very time-consuming, owing to the large amounts of online data that need to be analysed to establish evidence.

Although disruption tactics are important, we have taken a more victim-oriented approach to protect users from MMF. Our work has involved interviewing victims of MMF to gain a greater understanding of why they believed they were tricked and persuaded to give money to fraudsters as well as to map out the anatomy of these scams.

In my work, I have argued that criminals are able to exploit the media they are communicating within to develop hyper-personal relationships with victims (especially victims of a romance scam). Communicating in online spaces can potentially isolate victims from friends and family to allow the criminal to become the dominant person in the victim’s life. Asynchronous and long-distance communication in the form of emails, texts and instant messenger allows criminals to be very strategic in the stories they create and the messages they send, creating the perfect online lover. In fact, many of the victims of romance scams that I have spoken to find it difficult to delete messages and photographs sent by the criminal, even after it has been revealed to them that they have been deceived.

We have also researched the victimology of different types of scams, considering demographic as well as psychological factors. Our research is finding that different types of people are susceptible to different types of scams. Many romance scam victims, for instance, have been found to be middle-aged, educated women who score highly on psychological measures such as impulsivity, addictive disposition and trustworthiness.

One of the novel methods we are currently researching to detect and prevent MMF involves a team comprising computer scientists, Professor Rashid and Dr Stringhini; an expert in human-computer interaction, Professor Sasse; a criminologist, Professor Levi; and a philosopher, Professor Sorell. The work we are undertaking involves developing a proof-of-concept automated agent to identify communication with a potential scammer, and we hope to do so prior to the ‘sting’ taking place. The agent will need to make decisions about the probability of a victim communicating with a scammer by drawing upon their personal data.

One of the challenges in our research is the human element. MMFs, unlike phishing or even spear phishing, are especially a challenge to detect because they typically involve communication with another person, rather than a bot – this means that scripts can vary and are more complex. Often the criminal is developing a relationship that appears authentic to the users (romantic, friendship, working relationship) over a long period of time prior to asking for money, and they can vary the communication when a user demonstrates a lack of trust. They can also use multiple media channels to communicate with the user.

The research being undertaken in our project is drawing from psychology, media and communications, criminology and linguistics to help identify deception and persuasive communication, and evidence of the “grooming” often found in MMFs. We are also interested in identifying the online identities, other communication and online behaviours typical of scammers as well as victims. By examining socio-technical features such as the use of the same profile photographs, descriptions across multiple profiles and patterns of interaction and contact with other users (e.g. login times), we can help to spot MMF earlier.

Importantly, we will be considering the ethical and social challenges associated with detecting and preventing MMF. For example, we are questioning the ethics of drawing in personal data from genuine and disingenuous people to assist in decisions regarding the identity and authenticity of another user. Moreover, we are interested in considering the ethics involved in how we ought to treat victims who cross the line and knowingly become “money mules” in order to recoup their losses. Should they also be treated as criminals?

As we produce papers we will present our latest findings on the DAPM website, and we are looking for volunteers to help us with our research. If we’re successful, we hope to prevent some of the most damaging and upsetting cyber crime.

Investing in a secure future

Increased training and investment in cyber security infrastructure are essential in the digital age.

It is easy to underestimate how crucial the internet is to our everyday lives. It has become an essential tool in the way we communicate with others and conduct business both at home and abroad. More than 1.6m people work in the digital sector or in digital tech roles in the United Kingdom and the internet continues to provide individuals and businesses with huge opportunities.

However, we know that criminals seek to exploit the many benefits of the internet for their own personal gain, often at great expense to others. The WannaCry ransomware attack, which hit the NHS as well as other organisations, highlights the seriousness of the threat and reinforces the need to properly protect ourselves online.

In the recent Cyber Security Breaches Survey 2017, just under half (46 per cent) of all businesses identified at least one breach or attack in the last year. Although it is difficult to put an exact figure on how much this cost the UK economy, it is likely to be in the billions.

We are also all too aware of attacks by hostile state actors who look to exploit the UK through intellectual property theft, in order to further their own interests and prosperity. We take these attempts to disrupt our national security very seriously.

That is why the government set up the National Cyber Security Centre (NCSC), which provides cyber security at a national level. In its first year of being operational, the NCSC responded to 590 significant cyber incidents, more than 30 of which were sufficiently serious to require a cross-government response.

It is not just large organisations and our national infrastructure that are targeted by online criminals; individuals also face the daily threat of being scammed in their own homes. It is now the case that British citizens are 20 times more likely to be defrauded at their computer than mugged in the street.

It is a threat we all face. I strongly believe that we – individuals, businesses and the government – must play our own part to mitigate the risk and ensure that the internet is a safe and secure space for everyone. The government has legislated within the Serious Crime Act 2015 to create a new offence that applies where an unauthorised act in relation to a computer results in serious damage to the economy, the environment, national security or human welfare, or a risk of such damage occurring.

Legislating against online criminality goes some way to tackling the problem; however, close collaboration between the government, business and international partners is essential in combating the increasingly sophisticated attacks that the UK faces.

We work closely with the NCSC, which acts as a bridge between industry and government, providing a unified source of advice and the management of cyber-related incidents. It is at the heart of the government’s 2016 National Cyber Security Strategy, which is supported by £1.9bn of transformational investment to 2021.

Our law enforcement agencies across England and Wales also play a vital role in disrupting the activities of cyber criminals and bringing them to justice. They now operate as a single networked resource with the National Crime Agency (NCA) and Regional Cyber Crime Units using shared intelligence and capabilities. The NCA also has a dedicated Dark Web Intelligence Unit which targets those criminals who exploit hidden areas of the internet.

But we also want people to take their own preventative measures, so that they don’t become a target for criminals operating in cyber space. We are running a series of campaigns and programmes which aim to encourage individuals and businesses to adopt more secure online behaviours.

Cyber Aware works with over 320 public and private sector partner organisations to encourage us all to take simple steps to protect ourselves online, including using a strong, separate password for our email accounts and installing the latest software and app updates on our electronic devices.

The NCSC has also recently launched expert guidance on how small businesses can easily avoid common online breaches and attacks. Should organisations seek to improve their cyber security further, they can get certification through the Cyber Essentials Scheme.

To further support the efforts of SMEs in improving their cyber security, regional cyber crime prevention coordinators engage with businesses and members of the public to provide customised cyber security advice based on the latest technical guidance from the NCSC.

We must also look to the future – we now have a whole generation that have grown up immersed in tech. It is hugely important that we harness their talents and put them to good use rather than letting them wander down a path towards criminal online activities.

We must train and engage with the next generation of cyber security experts, which is why the NCSC is taking a leading role in promoting a culture where science and technology subjects can flourish within the education system. Their CyberFirst programme identifies and nurtures young talent through a series of summer workshops and competitions. In addition, their CyberUK 2018 programme focuses on encouraging more women to enter into the technology industry, a sector that is largely seen as male-dominated.

There is a great effort across government and law enforcement to pursue online criminals, prevent those that are headed on a path towards criminal activity, protect the public and prepare for the many threats we face online. We will continue to invest in law enforcement capabilities at a national, regional and local level to ensure agencies have the capacity to deal with the increasing threat from cyber crime.

However, this is not a threat that we can tackle alone. It is everybody’s responsibility, from top to bottom, to follow the guidance provided and increase their awareness of cyber security in order to create a safe space to communicate and conduct business online.