Cyber Victims Psychology: It’s Not Just Ones and Zeros

Georgia State University Chair of Criminal Justice Richard Wright notes in his recent TEDTalk that there’s a dramatic crime shift from street crime to digital crime. Accordingly, we have a whole new class of victims. In fact, frauds on the Internet are increasing exponentially. In one scam alone, the FBI estimates that victims paying ransoms for their data hijacked via encryption increased from $41 million in last quarter of 2015 to $209 million in first quarter of 2016. This loss is calculated from the victims willing to report to law enforcement; actual losses are likely substantially higher.

In a recent blog, I wrote about the Psychology of the Cyber Hacker Now, let’s consider the psychology of the victim. In particular, the victim of the financial hacker.

Financial crimes on the Internet are quite diverse. Many frauds occur because a victim is deceived into clicking on a link containing malware. The horrors to follow can include their data being hijacked by malware. The malware can also be a man-in-the-middle attack (bad actor is between victim computer and third party) where banking credentials or other sensitive data are captured and resold on the dark web. An attack can also involve stealing intellectual property or personally identifiable information of customers.

Probably the most harmful scam currently propagating around the Internet is the business email compromise (BEC) that the FBI currently estimates exceeds $2 billion in losses. This fraud involves either a spoofed email or a hacked company email account whereby the fraudster advises a financial executive to wire transfer funds unwittingly to an account controlled by the bad actor. This scam is particularly effective if a hacker has penetrated a company’s email system and can insert a bogus email into a conversation between the CEO and controller with fraudulent instructions.

Romantic interest is another avenue to exploiting someone for financial gain. One looking for companionship on the Internet may quickly run into the fraudster proclaiming love for the victim . . . and a need to send money for any number of bogus reasons.

Another common Internet fraud is the decades-old Nigerian 419 scam that has moved from the mailbox to the email inbox. The term 419 comes from the Nigerian Criminal Code that makes this scam illegal. You probably have seen the scam in an email from someone proclaiming to be a Nigerian oil minister that wants your bank account number so he can wire-transfer you $10 million or some other such nonsense. Despite its notoriety and apparent absurdity, victims continue to fall for the scam.

These and other Internet scams all exploit the psychology of the victim. For example, our tendency to trust authority figures may cause us to fall for emails from a boss, doctor, attorney, or the IRS with instructions to forward funds for what appears to be a legitimate purpose. Others may fall prey to the social proof or herd principle. If the victim is led to believe others are doing the same thing, it is much easier to click on the malware link or take other harmful action. Other ploys include time or scarcity issues. You must act now: There is a limited supply. The victim is operating under the FOMO principle – fear of missing out. Lastly, the fraudulent email is even more convincing when the victim’s social media has been mined for intelligence so that the attack email is laced with personal information making it incredibly convincing.

These psychological ploys more easily overcome our human defenses when we are behind a keyboard and in the safety of our offices or homes. Even more pernicious, in the digital world there are fewer social cues – – no sixth sense to tell us that the person we are dealing with has bad intentions.

Interestingly enough, the fraudsters themselves can fall prey to these same psychological pitfalls. There are examples of victims engaging the fraudsters in communications leading them to believe the scheme is working. The victim then encourages the fraudster to travel to a foreign country and open up bank accounts at great expense to the fraudster. Note: While this is a satisfying example of street justice, this should not be tried without the assistance of law enforcement, as these fraudsters can also be very dangerous.

As crime has moved from the street to the Internet, the criminal’s modality has moved from a gunpoint to a mouse click. While all of these frauds are preventable, the solution lies in the HR department, not the IT department. Fraud is a human act, and the victim is unwittingly complicit. This does not have to be the case. Awareness training is effective, cost efficient, and can greatly reduce these cyber frauds.