The psychology of phishing: why do we fall for terrible email scams?

New research suggests that it isn’t the technologically illiterate who fall for the promise of a legacy from a Nigerian prince – the more you use Facebook, the more likely you are to click that link.

Maybe your bank wants you to update your password; maybe a new Facebook friend wants to show you a funny web page. Maybe a Nigerian lawyer wants to pass on a legacy from a long-lost relative.

What all of these people are really after, of course, is your password, your bank details and, ultimately, your money. Such phishing scams, says Microsoft, are costing the world as much as $5bn a year. For some reason, the UK is a favourite hunting ground for the phishers: here, says security firm Proofpoint, unsolicited email is almost three times more likely to contain a malicious link than in the US.

But who falls for these scams? Well, you do. While it’s easy to assume that only the technologically illiterate will be vulnerable, new research shows that in fact the reverse is true.

A team of US scientists recruited a group of 150 students at the University at Buffalo and surveyed them about their online activity. Six weeks later, each received a Facebook friend request from a stranger. Those who accepted – and this was most of them – were then sent a message designed to mimic a phishing attack, grammatical errors and all.

It read:

“I got internship from my friend and she’s looking for more people urgently!!! If you are interested to intern and would like more details, please reply with you Student ID No., UB Email User name, Date of Birth (dd/mm/yy) within the next three days.”

The team found that the more regularly the students used Facebook, the more likely they were to fall for the phishing scam and give away their personal information, thanks to a mixture of complacency and a desire to please.

“Perhaps being connected to a large number of people makes it difficult to discern a friend from a stranger; or frequently interacting with the platform makes individuals more likely to overlook the nuances in the message that might reveal deception,” the authors write.

“Hence, habitual Facebook users appear significantly more likely to be inattentive and automatically provide the information requested by a phisher.”

Other studies have shown that women are more susceptible to phishing scams than men, as are people between 18 and 25 – the latter presumably explained by the same complacency that the Buffalo researchers revealed.

In terms of the scams themselves, the more urgent the message appears, the more likely people are to fall for it. And, earlier this year, Proofpoint researchers established the most effective email subject lines for phishers, and found that invitations to connect on LinkedIn came top – they were twice as likely to get the victim clicking as any other scam email. The fraudsters read these research reports too, which is why “Invitation to connect on LinkedIn” is now the most widely used subject line in phishing scams.

But why are so many phishing emails so deeply implausible? One currently doing the rounds, for example, purports to come from Janet Yellen, the recently appointed chair of the US Federal Reserve Bank. Quite an important woman, then – so, surely, suspicions would be aroused when she writes: “I have your file here in my office and it says that you are yet to receive your fund valued at $850,000”. Many are even more unlikely, littered with spelling and grammatical errors.

The answer is that the implausibility is a useful tool for the scammers. An entirely believable email would get millions of people falling for the bait – most of whom would catch on later when the scammers started requesting private banking details. This way, the fraudsters can avoid wasting their time on no-hopers, knowing that any replies they do receive are from people at the more naive end of the spectrum. As Microsoft researcher Cormac Herley has pointed out: “Since gullibility is unobservable, the best strategy is to get those who possess this quality to self-identify.”
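Herley’s screening argument can be made concrete with a small model. The following is an added illustration, not code from the article or from Herley’s paper, and every parameter in it (the share of the population that would ever pay, the payout per victim, the cost of corresponding with each reply) is a constructed assumption. It shows why a lure that is only plausible enough to reach the most naive recipients earns more than one that convinces everybody and then buries the scammer in replies that never pay.

```python
# Added example (not from the article): a toy version of Herley's screening
# argument. Each recipient has a "gullibility" g drawn uniformly from [0, 1].
# A lure of plausibility p draws a reply from everyone with g >= 1 - p, so a
# fraction p of recipients replies. Only people with g >= PAY_THRESHOLD ever
# hand over money. The scammer pays REPLY_COST to work each reply and gains
# PAYOUT per paying victim. All parameter values below are constructed.

PAY_THRESHOLD = 0.9   # assumption: only the top 10% of recipients would ever pay
PAYOUT = 1000.0       # assumption: gain per paying victim
REPLY_COST = 40.0     # assumption: cost of corresponding with one reply


def reply_rate(plausibility: float) -> float:
    """Fraction of recipients who reply to a lure of the given plausibility."""
    return min(max(plausibility, 0.0), 1.0)


def pay_rate(plausibility: float) -> float:
    """Fraction who both reply and would eventually pay (capped by the naive share)."""
    return min(reply_rate(plausibility), 1.0 - PAY_THRESHOLD)


def expected_profit(plausibility: float, recipients: int = 1_000_000) -> float:
    """Expected campaign profit: payouts minus the cost of handling every reply."""
    return recipients * (PAYOUT * pay_rate(plausibility)
                         - REPLY_COST * reply_rate(plausibility))


def best_plausibility(steps: int = 100) -> float:
    """Grid-search the plausibility that maximises expected profit."""
    grid = [i / steps for i in range(steps + 1)]
    return max(grid, key=expected_profit)


if __name__ == "__main__":
    # A fully convincing lure (p = 1.0) gets every reply but most of them cost
    # money and never pay; the optimum sits at the edge of the naive share.
    for p in (0.05, 0.10, 0.50, 1.00):
        print(f"plausibility {p:.2f}: expected profit {expected_profit(p):>14,.0f}")
    print("best plausibility:", best_plausibility())
```

Under these assumptions the profit peaks where the reply rate equals the share of people who would actually pay, and every extra point of plausibility beyond that only adds unpaid correspondence.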

There’s little to be done to stop the scammers – they’re scattered around the world and good at evasion – but some people are at least having fun trying.

A group called “491eater”, named for the section of the Nigerian penal code that deals with fraud schemes, serves as a forum for tips on scamming the scammers themselves. Members invent their own banks – Plunder & Flee Incorporated is a favourite – and even go so far as to set up meetings overseas, mocking up fake flight booking documents and demanding that the scammer book them a four-star hotel room.

“For the most part these criminals are not ‘poor people trying to scratch a living’, but are indeed very prosperous compared to their law-abiding countrymen, and many operate in highly organised, and highly successful criminal gangs,” says the site’s creator – who naturally prefers to remain anonymous.

“Millions of dollars are stolen on a daily basis, with absolutely no thought given to victims, who are losing vast amounts of money, homes, relatives, jobs and worse. Contrary to popular belief, it is not just ‘greedy and stupid people’ that fall for these scams.”