Fraud Intelligence, March 2023
Why people fall prey to fraudsters deserves much more study, say academics. Paul Cochrane looks at how much we already know and some of the gaps still to be filled.
Psychologists have called for more spending on research into which personality types may be more susceptible to fraud, given that over £4 billion (US$4.billion) was lost by victims in the UK in 2022, according to a Money.co.uk study. (1) In the USA, consumer fraud alone caused losses of US$8.8 billion in 2022, up more than 30% on 2021, according to the Federal Trade Commission. (2)
The 'Big Five'
Yaniv Hanoch, Professor in Decision Science at the UK’s University of Southampton, argues that not enough money is being spent on studies of fraud vulnerabilities taking account of personality types: “There is a pandemic of fraud. The statistics show about one in 10 people are victims of fraud. Imagine if one in 10 houses were broken into, there would be an uproar. What this means is that we are all vulnerable,” he said: “Scams are causing enormous financial and psychological harm to millions of people around the world, so why are we not investing more money to prevent it?”
Such work would build on some real progress on the issue. Researchers at the University of Arkansas, USA, have proposed a ‘Phishing Susceptibility Framework’, assessing combinations of the ‘Big Five’ personality traits: openness, conscientiousness, extraversion, agreeableness and neuroticism. Personal factors, such as gender, age and culture, also need to be considered, as well as experiential factors that have shaped a person’s life, said the researchers. (3)
Dr Martina Dove, a US-based researcher and author of ‘The Psychology of Fraud, Persuasion and Scam Techniques,’ (4) said findings showed that agreeableness and extraversion could be associated with phishing vulnerability: “Agreeableness contains a trust dimension, which could mean that agreeable people could be more trusting, while extraversion might be connected to how much information is shared online (e.g. more extraverted people would likely share more),” she wrote in her book. “Neuroticism, too, could prevent phishing attacks, because those high in neuroticism may be more private with sharing their details online,” she wrote.
A 2022 study, 'Predicting User Susceptibility to Phishing Based on Multidimensional Features', used the Big Five personality traits in a phishing experiment involving 1,105 volunteers. It found that “personality is the most important factor influencing the susceptibility to phishing. This shows that, despite being knowledgeable and experienced, when people encounter something new, their personality has a very strong influence on their behaviour”. Other factors were cognitive processes and computer knowledge. (5)
Another study from 2022, 'Spear-Phishing Susceptibility Stemming From Personality Traits', (6) showed that “significant relationships have been found between the Big Five personality factors and behaviour, and the more pronounced a trait is, the more it manifests in behaviour.” The report went on to note that “the personality profile of an individual represents an essential instrument, especially in the context of current advances in artificial intelligence-based personality profiling, where an attacker can identify a target’s personality traits by using publicly available social media information. Consequently, there is a need to personalise the next generation of phishing prevention solutions.” (6)
Cognitive biases such as a belief in justice can also lead to phishing vulnerability. “Belief in justice was found to be connected to greater trust in authority, greater impulsivity and inability to correctly identify a phishing email, all of which can enhance vulnerability to fraudulent messages,” noted Dove in her book. (7)
Older, not wiser
Personality and vulnerability also change with age, she noted, and those most at risk of being exploited are the elderly, whose exploitation is considered one of the biggest growth areas in fraudulent activity, according to the American Bankers Association, especially in ageing societies such as the USA, Europe and the Far East. (8)
“Elderly people are targeted more and fall for scams more,” said Dove to Fraud Intelligence, although she cautioned that the data could be skewed by fraudsters assuming the elderly are more vulnerable and hence, they “are also more targeted”. There is variance, however. The Money.co.uk study, focused on the UK, found that, in 2022, the 30-39 age group were targeted the most by fraudsters and cybercriminals, whereas in 2021 the 20-29 age group faced the most cybercrime. The study found that the under 60s were most commonly victims of online shopping and auctions fraud, while older age groups experienced more computer software fraud, advance fee and door-to-door sales fraud.
Inopportune mix
“Ultimately, there are factors that make you vulnerable, how good a scammer is, the circumstances they catch you in, and the personality traits that may make you more vulnerable to certain types of scams. Are you someone who is open to unsolicited messages, are you aware of the motivations of others, do you double check information? Do you learn from your mistakes? It is about the fine interplay of factors,” said Dove.
People can lessen their risk by being more aware of their own personality traits and vulnerabilities, she noted. Victims can sometimes react by no longer going online or using the phone: “They are too focused on the delivery of the scam rather than what made them vulnerable,” she said.
Go slow
One way to prevent scammers evoking primal drives such as greed, fear and sexual desire is to take a step back, advised Hanoch. (8) “You need to slow down. What the scammers don’t want you to do is precisely what you should do - talk to your bank, call the person supposedly in distress, and do not rush to send over money,” he said, adding: “I don’t think there is more psychology in any specific scam than another. It might just be different kinds of buttons that are pressed to get a reaction.”
Given the scale and complexity of the problem, and even though researchers have been making headway on the topic, Hanoch thinks there needs to be far more research in the psychology field into the human factors behind fraud.
Why? now
“Research on fraud is mainly from the computer science and technology side, but far less on psychological behaviour. Look at research on preventing smoking for example, there are a million and one papers on quitting techniques, but for scams, even the scientific literature is extremely thin on what helps prevention,” said Hanoch. “Ultimately, the human is probably the weakest link, and we’re not going to solve that easily. We cannot change our psychology, but we can try to find out the best ways to prevent fraud.”
Dr Dove agreed on the need to broaden research: “The cybersecurity field doesn't quite know how to deal with the social engineering side of fraud, such as susceptibility to phishing. Fraud specialists are interested, but they don't always look at it from the victim's perspective, because they focus on fraud prevention from the perpetrator's side, and mostly deal with organisational fraud, rather than personal fraud,” she said.
Research constraints
Dove argued that many fraud prevention specialists ignore psychological and persuasive factors: “Spotting fraud in an organisation is not just numbers but also behaviour. The problem is that a lot of the time it is difficult to interview perpetrators unless they’re caught and interrogated, which happens mostly with perpetrators of organisational or white-collar type fraud, rather than with personal fraud.”
Moreover, inducing perpetrators to explain their actions to researchers is not an easy task, while victims often do not report fraud because they are embarrassed, or fear being painted as gullible or stupid, said Dove. The fact that many frauds are not reported to the authorities also affects qualitative and quantitative research, she added.
Research into the human factors behind fraud, too, can be fraught: “One has to mimic a scam, which is not always easy or ethical, and has proven to be problematic,” said Dove.
While deepening research into susceptibility might be useful, Hanoch warned that this was not without risk: “There are some indications, such as people being risk takers or being a bit impulsive, but I would hate to point the finger. This can reduce the alertness of people who think ‘it will not happen to me’. Fraud can and probably will happen to you. You have to be vigilant no matter what your personality type is.”
Weak points
Dove cautioned against viewing personality vulnerability in isolation: “A scam is not any one thing but a combination of social, circumstantial, situational and individual factors. For instance, you wouldn’t hitch-hike as it’s dangerous, but if you were stranded in the middle of nowhere you would. It is a complicated matrix that comes into place for any one scam,” she said.
The psychology at play depends both on the type of scam and the aforementioned factors. How someone is scammed therefore varies. In certain circumstances, a person may be more vulnerable: they may have lost a job or be in financial difficulties, and so be less risk averse than normal. A person might be impulsive, increasing the chance of becoming a scam victim, but if they are also vigilant, this may act to mitigate the risk. “It really is a combination of factors,” said Dove.
Demographics and experience are important: younger people may be less circumspect but cognitive functions can decline with age. “There is a sweet spot,” said Dove, “when a person has optimal experience and cognitive functions, but even people in that spot fall for scams.”
Moreover, knowing too much or too little, equally, can render one vulnerable to fraud. Ignorance of a topic automatically puts one at a disadvantage when dealing with a persuasive person who apparently knows more. However, a degree of expertise may make for complacency and over-confidence, Dove warned.
NOTES
1) https://ifamagazine.com/article/brits-lost-4-billion-to-fraudsters-in-2022/
3) A Personality Based Model for Determining Susceptibility to Phishing Attacks - http://swdsi.org/swdsi2009/Papers/9J05.pdf
4) https://www.ncbi.nlm.nih.gov/pmc/articles/PMC8786481/#sec6