In this episode, Tripwire's Senior UX Researcher, Martina Dove, uses her psychology research to explain to us how the brain operates when presented with a cyberscam. She also discusses her model for identifying fraud susceptibility and what we can do to prevent falling for these scams.
Tim Erlin: When we speak about cybersecurity, we often focus on many of the technical aspects of how to secure our businesses as well as our personal lives. Whether it is through a new device to guard the now-nebulous perimeter or a set of controls, there is no shortage of technical methods to secure the environment. Sadly, the topic of user awareness and more specifically the underlying psychology of cybercrimes is superficially discussed. Recently, I had the fortunate experience of speaking with Martina Dove, who is a senior User Experience (UX) researcher at Tripwire. She is also a psychologist with a background in fraud psychology, which gives her a deeper understanding about the mechanics of fraud—especially when it pertains to cybercrime. Welcome, Martina.
Martina Dove: Thank you, Tim. I'm really pleased to be here.
TE: The psychological aspect of cybercrime is fascinating, as it reveals a lot about human motivations. We often see its impact mentioned in many of the industry reports. For example, the most recent Verizon Data Breach Investigations Report (DBIR) points out that social engineering was the most common pattern of attack. You have actually developed a model of fraud susceptibility as part of your PhD. Can you tell us more about what drove you to decide to develop that model?
MD: Of course. I started my PhD, and I wanted to do something around the topic of gullibility because that is what I focused on for my Master’s Degree. I always found the idea of gullibility very interesting. Have you ever wondered what makes people gullible and what gullibility really is? I didn't quite know where to take that until I read an article by two researchers who looked at the psychology at play in phishing emails, and they outlined all of the psychological tricks and persuasive techniques that scammers use when creating phishing emails. This field of study was relatively new, and there weren't a lot of researchers looking into that. Back in 2012, phishing started to become a popular attack technique. Everybody was getting spam and phishing emails. It all piqued my interest, so I pursued it towards earning my PhD.
TE: Most fascinating is that you turned your research into a book. Tell us more about that.
MD: The book explores the persuasive techniques used in scamming operations. It also explains exactly what makes us all vulnerable. There are so many factors such as a personality, circumstances, and thought processes that we utilize when we were processing information. All of these can sometimes make us vulnerable.
TE: Can you describe more about the model for fraud susceptibility that you developed?
MD: I didn't actually start out thinking I was going to develop a model. The model emerged as part of the research. I set out to make a measurable scale of fraud, susceptibility, or vulnerability. I wanted to come up with a questionnaire that could be scored to reveal which parts of a person’s personality makes them a little bit more vulnerable to fraud. I started by interviewing victims and then creating the questionnaire and validating it with experts in the field. I tested it in a couple of large survey experimental studies with phishing emails to test it against, and the model just jumped out of all that research.
It was fascinating to discover that I could map out some of these factors and come up with a model that explains what happens to people when they receive a fraud offer as well as how some of these factors come together to influence a person’s compliance and eventual vulnerability to that offer. There is also a component of repeated vulnerability where some people go on to be defrauded again. What my model reveals is that people actually formulate strategies after they have been scammed. Some of these strategies are better than others towards personal protection.
TE: That's interesting. Is the protective response a conscious strategy like a decision they make, or is it more of an unconscious process where they come up with a strategy that isn't necessarily thought through?
MD: Yeah, that's an interesting question. The model indicates that it was mostly a conscious decision because fraud has a really big impact on victims, and a lot of the times, this gets overlooked because there are no physical injuries. Many people have this view that being defrauded of some money is not injurious. But that victimization has a huge negative impact on a person’s self-esteem. Everybody likes to think of themselves as being an intelligent human being. This is something that I've heard a lot. So, a lot of the times after the fraud has happened, victims tend to ruminate over what happened, and they try to protect themselves. I think that's a natural reaction to any pain or negative experience. A lot of it is very, very conscious. They make a very conscious decision to changing their behaviors or usually changing some aspects of their behavior to protect themselves.
TE: Did you see a difference in how people respond to fraud depending on their own self-evaluation of fraud susceptibility? For example, people who work as information security practitioners would tend to think that they're less likely to get fooled by a phishing email. Do they have a different response than someone who doesn't have that experience and would feel like they're more likely to be victimized?
MD: Yeah. There is a known factor that can protect you or enhance vulnerability, and that's background knowledge. Basically, you would presume that somebody in cybersecurity would have good background knowledge about how phishing emails are delivered, how they persuade, and some of the signs to watch for. That's definitely protective. But then there's a flip-side of this background knowledge. The more knowledge a person has, there is the risk of slipping into complacency. This may result in less careful scrutiny, which can also create an unintended vulnerability.
TE: Does it change how people respond once they've been defrauded? For instance, does a trained cybersecurity professional experience a greater sense of victimization than an untrained individual?
MD: Nobody likes to see themselves as somebody who would fall for scams. I've seen that as a recurring pattern with any type of victim. While I don’t have any specific data about cybersecurity professionals, if we look to the financial sector, for example, there have been people who have extensive background knowledge in financial investments who have fallen for financial scams even though they may be an expert in a field. So, it's not a far stretch to say that there would be some cybersecurity professionals who could similarly be fooled by a crafty phishing scheme.
Some studies have also shown that some people just have a propensity for engaging with scams whether they think it's a feeling of a quick win or they view themselves as functioning adults. There's nothing wrong with them in terms of how they make decisions in other areas of the life. They are just more likely to go along with scams. A good approach would be to just be aware that everybody is vulnerable to fraud no matter what their personal experience is.
TE: This takes us back to the model itself. So, when you talk about having a model to identify fraud susceptibility, what are the characteristics that we're talking about? What makes someone more susceptible to fraud in that model?
MD: The model takes several aspects into consideration. To start with an overview of what happens when a scam takes place, I found that a scam tends to have three major stages. First, there are the precursors to the scam. Those are the things such as your emotional state, your social situation, your personal circumstances, your demographic, and other traits that have nothing to do with the scam itself. They are influential. Once a person has engaged with the scam, the second stage introduces different factors that originate from the scammer. The scammer will use persuasive techniques based on the person’s known traits to force that person to respond. The third stage is the post scam phase where the victim comes to terms with what happened and formulates protective strategies to implement in the future
In terms of how fraud occurs, first and foremost, if you find yourself in certain circumstances that could make you more vulnerable to fraud, you need to pay attention to those signals. For example, a lot of times, people are in social settings where an entire group may be inclined to go along with what appears to one person as an obvious fraud, but that person does not want to go against the group for fear of being perceived as a contrarian. A circumstance like that can be convincing enough to make a previously skeptical person evaluate the fraud more favorably.
Once a person decides to go along with a fraudulent offer, this is where individual characteristics come into play. If the person is a compliant individual, it increases the rate of influence of vulnerability to fraud because a naturally compliant person is not necessarily ignorant that something's not good for them. They just can't help the resistance to comply with others' wishes. It's a very potent kind of fraud influence. Another factor is impulsivity. People who are more impulsive may not critically assess a risky situation. Low vigilance also places a person in a position of not evaluating other people's motives, and that can greatly influence whether a person goes along with something or not. Time is also a factor in susceptibility. How long a person takes in the decision-making process. By that, I mean, is the person the type who rushes into decisions to avoid evaluating pros and cons, or are they more about seeing what may come down the road as a result of the decisions?
Interestingly enough, I also found a totally unanticipated factor. I found that a belief in justice – the idea that justice prevails, criminals get what they deserve, and bad things happen to bad people and good things happen to good people – also make a person more vulnerable. That was an interesting finding because it's a way that we exercise control over our environment. We control our environment by believing that bad things only happen to bad people. If we believed it could happen to us, you know, we would be miserable. It definitely makes sense to think that “this wouldn't happen to me, and if it did, the police would be on it.” A high belief in justice can actually make a person less likely to spot a phishing email.
TE: All of this gets me to thinking about the phishing and cybersecurity awareness training that we have all attended and how it really focuses on that vigilance characteristic. It emphasizes vigilance, but it doesn't touch upon the characteristics of the compliant personality – impulsivity, decision-making, time, certainly, or a belief in justice. Intuitively, that seems like a bit of an outlier, which is what makes it interesting, but it makes me wonder what phishing training would train around those characteristics.
MD: I totally agree with you, and I think my model probably isn't even exhaustive enough. I'm pretty sure that if I was to expand the research, there are other characteristics, as well. One of the things that can also impact the vulnerabilities is whether a person is very open to social proof. Somebody who listens to friends and family can also become vulnerable in some aspects. Someone who obeys authority can be quite influenced by some types of scams. So, it's really interesting to just know that there is a whole host of factors that can have an impact on how people process certain information.
Another important point is that scammers are very good at evoking primal drives such as fear, excitement, and sexual desire to get a person enrolled in scams. When under the influence of these strong primal drives, it's very difficult to access even more rational components such as self-reflection or decision-making. Some scams are specifically designed to evoke that first quick emotion and bypass the clear kind of thinking. So, even highly vigilant people when may act outside of how they would normally act if it was the right type of scam that evokes a lot of emotion or fear. We need to see a more holistic picture – it's very complicated.
TE: As we talk through these characteristics, we can see how some of the scams align along that spectrum. For instance, there's a business email compromise scam where a person receives a message that purports to be from the boss requesting an urgent transfer of money. A person who has that compliance characteristic is more likely to become a victim without seeking that additional step for confirmation. Evoking fear is a popular method used in sexploitation scams.
MD: Definitely, in business email compromises, a lot of the times it's not even just compliance. It's also obedience to authority. We all are taught to respect people that are higher in a hierarchy than us. Some professions such as doctors, lawyers, and police officers are more trusted, and people just don't scrutinize them in that way. With the fake boss emails, that authority comes to play; a person wouldn't just question the boss. Scammers prey on what makes us highly functional humans.
TE: Different types of scans scams are going to have different rates of effectiveness depending on the type of organization that is targeted. In an organization that has a strong hierarchical nature, that type of scam is more likely to be successful than in one where equality of position is more the norm, I suppose.
MD: Yeah, and culturally, as well. Some cultures are more sensitive to hierarchical structures.
TE: What can cybersecurity practitioners learn by understanding this model? How is it relevant to their day-to-day jobs trying to defend against these scams?
MD: One of the things that I've heard a lot from cybersecurity professionals is that the human is always the weakest link. By understanding that and appreciating that any system will always be weak if it's a system designed for a human, we can craft our education accordingly. We can invest a little bit more in understanding what makes us human and how we are vulnerable. Our brains work a certain way, and sometimes, we can be tricked into taking shortcuts in our thinking. This is just how we are wired. So, we can educate around how scams exploit those kinds of heuristics that we have and how our decision-making processes and personalities are exploited. Making the training a little bit more interactive, more personalized, and a little bit more “human” instead of just a checklist to follow. Make it a safe space so that people can admit near-misses, discuss near-misses, and do stuff like that.
TE: Yeah. One of the challenges with scams, and phishing in particular, is that people, people don't want to admit that they fell victim to it. As a consequence, they may not report that it happened, and they may not report something that looked suspicious. That makes it actually much harder to defend against it. So creating that culture of acceptance that these things might happen, and it's not a person’s fault, or a source of shame, ultimately helps with defense.
MD: There's a lot of secrecy and a lot of stigma around being a victim of fraud of any kind. Too often, fraud victims are labelled as stupid, and as deserving of what happened to them. We need to remember that fraud is a crime. We wouldn't treat a robbery victim with such a level of disrespect. We need to really need to be a little bit more mindful of the language that goes around that, and make it a bit more mainstream, like talking about fraud.
TE: Do you have some practical advice for potential victims?
MD: In my book, I developed a checklist you can follow. I remind people to carefully scrutinize all the correspondences, just taking into an account “how does it make you feel?” A lot of the times, fraud – any kind of fraud communication – is written to evoke strong emotions. So, as soon as you react to it, know that this could potentially be a scam, and then just look for clues. Is the sender using a certain language that's making you feel bad? Are they offering you links to follow that you can conveniently click to resolve an issue? Then, even if you feel strongly that the message is authentic, and you have to resolve the issue, try and not do it from the email. Log into your account, your bank account, or your Amazon account independently to check what's going on.
First and foremost, understand the feeling in the moment. Emotion is often exploited in phishing emails. And a lot of the times, it's that emotion that takes over the rational thinking. So, stalling just for the day, deciding to not do anything about the problem for a day, or asking for advice from friends and family can stop a person from going along with the fraud, because you'll just remove yourself from that situation and that emotion for a little while.
TE: I can't help but think about the wisdom in that kind of a response in any emotional situation, whether it's a scam, or not taking that time to actually scrutinize the correspondence. Consider the emotions you're feeling, get in tune with your emotional state. Think about it for a while, maybe take time before you respond. Those all seem like good practices for any kind of difficult situation at work, or personally, really.
MD: I totally agree. It's not always easy. People don't all process emotions the same way. Some people are more emotionally charged. So, obviously, it's going to have a greater impact on them. It's not always easy to moderate, but an awareness how scams evoke these emotions can help.
TE: This is a super interesting conversation. The work you have done is really fascinating. There really are some strong connections from the work that you've done to cybersecurity, whereas, we started out with social engineering as the top of the list of attack patterns that we're seeing. Martina, I want to thank you for the time.
MD: Thank you!
Check out Martina’s book here: https://www.amazon.com/Psychology-Fraud-Persuasion-Scam-Techniques/dp/0367859564
Check out her blog articles on State of Security: