There are a few basic psychological tricks that phishing attacks and phone scams attempt to use against us – and the pandemic has provided the perfect environment for them.
Over the past few weeks, I've received several unsolicited messages on my phone. There was what appeared to be a bank, warning me of impending fraud:
Request for NEW payee MR A HANKIN has been made on your account. If this was NOT done by you, visit…
What followed was a web address that looked like it included the name of a major commercial bank.
Then there was a voicemail, claiming that I had been implicated in a crime:
This call is in regards to illegal activity with your National Insurance number. Ignoring this phone call may lead to legal trouble.
Finally, I received the following SMS from a local doctor's surgery:
Dear Mr ROBSON,
You have been invited to book your Covid-19 vaccinations. Please click the link to book your first vaccination, or to tell us you've already booked elsewhere: accurx.thirdparty.nhs.uk/r/
The content of each appeared to be helpful and the web links looked strange, but plausible enough to lead the unwary to visit them. But only the vaccination appointment proved to be genuine. The other two were scams, trying to lure me to type my personal details onto fraudulent websites. The contents of the honest and deceitful messages were extremely similar, making it hard to know which to trust.
Like me, you may have noticed a recent uptick in potentially fraudulent messages – and there is some data to support this idea. The UK's National Cyber Security Centre, for instance, noted a 15-fold rise in the removal of online campaigns in 2020, compared with 2019, while the FBI have noted that complaints of internet crime in the US rose by nearly 70%. Every day, the media seems to offer a new story of the scams.
The pandemic, it seems, has created a unique crucible for online fraud to flourish, as scam artists capitalise on our fears and anxieties during a time of great uncertainty and isolation. To avoid being duped ourselves, we need a much greater awareness of specific ways they bypass our critical thinking.
The rules of deception
Online fraud has, of course, been a problem since the early days of the internet. The term "phishing" was reportedly invented after attempts to capture details from AOL accounts in the mid-90s. Today, you're probably very familiar with the blanket – and often error-laden – emails offering a huge windfall from an unknown relative or wealthy benefactor, who just needed your bank details to transfer the funds.
But phishers' tactics have become more sophisticated over time. Using data from social media, it is now relatively easy to personalise the details of the messages to make them seem more convincing – a process called "spear phishing". Fraudsters are also taking advantage of increasing reliance on smartphones, with a greater number of SMS phishing (also called "smishing") attempts.
The field of psychology is now catching up with this problem, with various studies analysing the contents of these attacks to reveal some simple rules of deception.
The first is superficial: they'll try to use some familiar elements – like the name or logo of a famous brand – to gain your immediate trust. Most scams will then try to elicit a strong emotional response that stops us thinking logically. That might be the promise of an immediate reward, or a potential threat. (As I found, scam artists can get meta – warning you of an impending fraud that needs immediate action, accessible only with your bank details.)
In some of the most dastardly schemes, fraudsters pretend to be a lawyer or doctor, representing a family member or colleague in need of urgent financial help. "Often negative emotions are most effective," says Cleotilde Gonzalez, a professor of decision science at Carnegie Mellon University in Pittsburgh, Pennsylvania.
Thirdly, most scams present a "time limited" situation that demands an immediate response. This is essential, since it increases the chance that you will act before you engage your critical thinking skills. You are in such a rush not to miss the opportunity, that you forget the possibility of deceit.
Many scams involve a potent mix of all three factors. Consider the calls purporting to be from a local tax authority or national crime agency, warning that you will face a fine or court action unless action is taken urgently (which usually involves handing over bank account details). Faced with that immediate threat, it's very hard to think clearly.
"Your guard automatically drops in those situations, and your emotions will override rational decision making," says Gareth Norris, a psychologist at Aberystwyth University in the UK, who recently reviewed the scientific research on phishing for the Journal of Police and Criminal Psychology.
Worryingly, our smartphones may have made us even more vulnerable to these attacks. For one thing, the screens are smaller, making it harder for us to scrutinise the details. Secondly, we spend so much time communicating on our phones that we may be more likely to read and respond to a message, compared to emails arriving on a desktop PC, which are more likely to be ignored, at least initially.
One researcher even went as far as to describe a "Pavlovian behavioural loop", in which the sound of a new notification triggers a small mood boost followed by the itching desire to respond. And we are less likely to give something deep thought if it provokes a habitual behaviour. Social media like Facebook seem to raise particular risks, with phishers enjoying a much higher hit rate – perhaps because they can glean more information to personalise their messages, and because we are so keen to build our friendship group. Quite simply, the more you use a particular social network, the more likely you are to fall for a scam on that app.
To make matters worse, we often use our smartphones when we're feeling distracted – either because we're on the go, responding to someone else, or consuming media. It's not uncommon to scroll through our phones while we are on the bus, watching a film or even talking to a friend, after all, and we often switch between apps and tasks, without really focusing on what we're doing.
One study that monitored 50 smartphone users over a week found they switched apps an average of 101 times a day, while only spending about two hours and 30 minutes looking at the screen. As a result of this multitasking, we're going to pay less attention to the details – which again, makes it easier for a fraudster to pull the wool over our eyes.
"If you are on an iPhone, looking at a Facebook message or quickly trying to figure out what an SMS is telling you, there is a higher chance that you are going to fall into the trap of a phishing attempt," says Gonzalez.
Given that many people now spend more screen time on their phones or tablets than their desktop PCs, it's little surprise that mobile devices have been increasingly targeted by hackers and fraudsters.
You might think that you are simply too smart to fall for an attack – but we should be wary of this over-confidence, Norris says: many very intelligent and educated people can still fall for scams. He's also sceptical of the idea that senior citizens are automatically at a higher risk than millennials or Generation Z.
"We have this stereotypical image of these very gullible older people, but older people use technology less and are a bit more suspicious of it, [whereas] younger people use technology all the time, they're on the phones all the time," says Norris. "And actually, they give information out quite freely, and they're not too worried about it."
In these ways, the threat of a scamdemic was already growing well before the Covid-19 pandemic – and those scammers quickly found new ways to exploit the situation. Thanks to the lockdowns and lack of contact with our friends and family, many people have been feeling a mix of uncomfortable emotions that make rational thought more difficult. Fear, for example, has been shown to muddy our ability to make decisions.
Scams offering the promise of early vaccinations, or the hope of financial assistance, are one obvious manifestation of the attempts to exploit our vulnerabilities during the pandemic. One study, examining Instagram and Twitter during the early months of the pandemic in 2020, recorded thousands of posts tied to commercial scams or fraudulent treatments, as well as products linked to Covid-19. Another study examined the launch of cyberattacks during the first few weeks of the pandemic. The researchers found that some days saw the launch of 3-4 new large-scale campaigns – the bulk of which were phishing attempts – as hackers attempted to exploit the fast-moving government policy changes in response to Covid-19.
Our low mood and loneliness might have also rendered us vulnerable to many other schemes that appear to be only tangentially related to the pandemic. Fake messages from online retailers or delivery companies, for example, have played on the small excitement of receiving an unexpected package or gift – something that was much more meaningful when we were stuck in our homes.
"The pivot to COVID-19-related hoax is really indicative of how fast and how efficiently fraudsters can adapt to changes in the world around them," says Detective Chief Inspector Gary Robinson, who heads the Dedicated Card and Payment Crime Unit for the City of London Police.
Thanks to the lockdowns, we are also more reliant than ever on online communication – whether it's to maintain contact with our friends and family, to work from home, or to order our shopping remotely. As a result, we will be more responsive than ever to all kinds of messages. This has given scammers a greater chance that we'll fall for their bait, says Gonzalez.
"There are just a lot more people using electronic media to communicate with each other now," she says. Importantly, the ratio of authentic messages to phishing scams is still high enough that we forget to be vigilant, she says.
Gonzalez worries that the increased risks are not well-enough known. "End users are becoming a little bit more aware of these scammers and are able to detect more attacks, but their learning is still very slow compared to what the attackers are doing," she says.
While there are no fool-proof ways of protecting ourselves, Norris and Gonzalez both suggest that we should start by weaning ourselves off the habit of responding immediately to every message we receive. "Just give yourself time and think, is this real?" says Norris. And if there is a link within the message, we should type it out manually, rather than automatically clicking. That will help us to spot any anomalies in the URL.
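The anomaly that typing a link out helps to expose is usually where the organisation's name sits: a host is owned by whatever domain it ends with, reading right to left, so a familiar name further left or in the path proves nothing. The sketch below is an added example, not part of the original article; apart from the NHS link quoted above, the links, the name `examplebank` and the choice of trusted domains are constructed assumptions.

```python
from urllib.parse import urlsplit


def host_of(link: str) -> str:
    """Return the lower-cased host of a link; SMS links often omit the scheme."""
    if "://" not in link:
        link = "//" + link  # makes urlsplit read the leading part as the host
    return (urlsplit(link).hostname or "").rstrip(".")


def where_is_the_name(link: str, trusted_domain: str, name: str) -> str:
    """Classify where an organisation's name sits in a link.

    'owned'    : the host is trusted_domain or a subdomain of it
    'borrowed' : the name appears, but the host ends in a different domain
    'absent'   : the name does not appear at all
    """
    host = host_of(link)
    trusted = trusted_domain.lower()
    # The leading dot matters: "notexamplebank.example" must not match.
    if host == trusted or host.endswith("." + trusted):
        return "owned"
    if name.lower() in link.lower():
        return "borrowed"
    return "absent"


# (link, trusted domain, name). The first link is the one quoted in the
# article; treating "nhs.uk" as trusted is an assumption. The rest are
# constructed samples on reserved .example / .test names.
SAMPLES = [
    ("accurx.thirdparty.nhs.uk/r/", "nhs.uk", "nhs"),
    ("https://examplebank.example.payee-check.test/confirm", "examplebank.example", "examplebank"),
    ("https://payee-check.test/examplebank/confirm", "examplebank.example", "examplebank"),
    ("https://notexamplebank.example/confirm", "examplebank.example", "examplebank"),
    ("https://www.examplebank.example/help", "examplebank.example", "examplebank"),
    ("parcel-tracker.test/r/", "examplebank.example", "examplebank"),
]


def classify_samples() -> list:
    return [where_is_the_name(*sample) for sample in SAMPLES]


if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, classify_samples()):
        print(f"{verdict:9} {sample[0]}")
```

An "owned" result only says the link belongs to the domain you chose to trust; deciding which domain that should be still means finding it independently of the message.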
Ultimately, we need to have constant vigilance – and to remember that the scammers will always be one step ahead of us with a new ingenious scheme. "When the Covid-19 pandemic comes to some kind of conclusion, you'll see that fraudsters will pick up on some kind of other hook to get people in," says Robinson.