Assessing product documentation

Documentation is a vital part of many products and services, especially software services. It helps customers to get started with the product, teaches them about features and guides them to use it successfully. Documentation can, therefore, be as important as the product itself, but companies often don’t invest as much time and effort in making sure product documentation is written in a way that facilitates, rather than hinders, the process of learning about the product.

 

However, when I tried to find out how to best test the documentation for the new product, I could not find much in terms of best practices. There are articles on testing content, mostly website content, but information that features in product documentation is different. It is not only informational in nature but also instructional. And it often has dependencies on other information in the documentation. Therefore, I found that guidance on how to test general content is not completely applicable to product documentation. I had to come up with a way to do this on my own, borrowing from best practices for testing content and figuring out the rest.

First, I wanted to see whether the documentation is easy to understand and whether it conveys important information about the product on its own.

So I set out to find out if:

 

1.     Documentation makes sense out of context
If a potential customer looked at the documentation without seeing the product, is the documentation telling the right story about the product? 

2.     People can find what they are looking for easily
If a potential customer was curious about a feature or how something works in the product, would they be able to find this information easily?

3.     People understand what is written
Once the potential customer finds the information, would they be able to understand what they read or is the information written in a way that is confusing?

4.     It facilitates learning
Is the documentation written in a way that helps new customers learn quickly and if not, what can be done to improve it?

I also wanted to know how effective it is in helping people use the product when they are stuck. In order to explore this, I devised a task-based research plan that comprised two studies: in and out of the product.
As always, it is important to recruit participants that represent potential customers you want to attract.


Study 1 of 2

I started a session by giving participants a scenario, which gave a brief overview of what the product does, without going into detail. Then I asked participants to take some time to scan the documentation, get familiar with its contents and let me know when they are ready to proceed to a task. I created a series of tasks that explored different areas and watched participants search through the documentation to accomplish the tasks.

I structured the tasks around these topics:


1. Can information be easily found
Tasks in this category asked participants to find certain information. I followed up each task with a single ease question (SEQ scale), asking participants to rate, on a scale of 1-7, how easy or difficult it was to find the information they were looking for.

I also wanted to know how participants perceived the information they found, and if they think it is easy to understand, so I asked them to tell me if the information they just read was easy to understand, on a scale of 1-7, 1 = not easy to understand and 7 = easy to understand.

2. Is the information understandable
Tasks in this category asked participants to tell me about the things they read. What people say and do are two different things so I also wanted to know if the ratings about whether information was easy to understand would match their understanding. So I asked them to tell me about the information they read and noted if they misunderstood the information.


3. How does product documentation appear at first sight
Finally, I spent some time exploring first impressions on look and feel of the documentation. Here I learned a lot about participants’ learning preferences and what they wanted to see included in product documentation and why, such as screenshots and videos. For example, participants shared with me that having screenshots and videos helps them remember vital information more easily.

However, I also know that often such content is not included readily because it takes more effort to maintain screenshots, with product changing slightly with new updates or design changes, but this might be a vital component in providing seamless onboarding for customers.


Study 2 of 2

Next I invited the same participants to a usability session, in which they get to use the product, alongside documentation. I did this because I expected that, once they start using the product, documentation will be scrutinized more readily, and I was right. I also wanted to compare the impressions from previous study with this study to see how the impressions change between just browsing the documentation and actually using it to help accomplish tasks.

 I organized the tasks in this order:


1.     I told participants to do whatever they are curious about first
I did this because this is the closest to real life scenario that a usability session can get.
I heard, in other research studies, participants say that they learn by getting stuck in the product and playing with it, slicing and dicing data, only searching for help if needed. So I knew this is probably how the majority of new customers would start using the product.

I watched participants go into the documentation when and if they got stuck and asked them to talk aloud as they completed the task, so I can understand what they are thinking.


2.     Next I followed up with 3-4 tasks which varied in difficulty
I started with easy tasks and moved to more complex ones. For all of the tasks, including the previous one, I asked participants how easy or difficult it was to complete the tasks and noted whether they referred to the documentation.

This is where you need to think carefully about the tasks. If the tasks are too easy, participants may accomplish them without having to seek guidance from the product documentation, so make sure you have tasks that are harder, which will get them looking for guidance too.


3.     Finally, I created a task which was vague and ambiguous on purpose.
I wanted to see if participants can find the right information and conclude confidently that something can or cannot be done in the product. Often people have an idea what they want to do but, as new customers, don’t always know if the product can do this. So they start from a slightly ambiguous position of trying to figure out what is possible.


As expected, these sessions yielded lower SEQ scores than tasks in the documentation alone, and I started to see additional behavior, such as the use of the search function, which was not used previously, when documentation was given to participants outside of the product. Participants were a lot less forgiving and patient, if they could not locate the right information quickly or if the search yielded results that were not applicable to the task. Not all tasks were completed successfully. Participants also spotted gaps, where additional information should be given or where things appeared ambiguous and not very clear.

Benchmarking and tracking progress

This research allowed me to assess how our product documentation appears to potential customers who are just browsing for products and want to learn more about a product (first impressions) and how it would facilitate them in successfully using the product. Scores (task completion and SEQ scores) can be used for benchmarking, to track progress, as you make changes that are needed and test again.


Dark patterns or fraud: Obtaining customer data by deception

Recently I came across a Croatian news website, which seems to use dark patterns to avoid being GDPR compliant. Dark patterns are design tricks that companies use to make us do something we didn’t want to do while browsing products. For example, forcing us to close a pop up window only for that little x, which is meant to make it disappear, opening a new page. Why do this? Well, there is almost always a purpose. In the case of the pop up window, it is most likely that the website gets paid for advertising and clicking on an advertisement means money. So they trick the user into clicking something on the pop up window.

These practices are extremely annoying for users but can often be more sinister. So I was reading Croatian news recently and came across a website which seems to use dark patterns principles to cheat a user out of their GDPR rights. GDPR stands for General Data Protection Regulations. These regulations give people more power when it comes to what data is collected from them and how it is used. It is mandatory across most of Europe (EU) but many companies worldwide are adopting it, because it is an ethical way of treating customers’ data respectfully. Croatia is in the European Union and has to adhere to these regulations.

Typically, this means that a user, when they visit a website, will be alerted to the use of cookies and asked if they are OK with that. Often websites break it down to specific data use (how the cookies are used for different purposes) and the user can pick those uses they agree with (e.g., agreeing to let the company use it for site improvement but not sharing with others). Most companies seem to be honest and make these choices visually equal for a user, so the two choices, ‘I agree’ and ‘I don’t agree’, are equal in terms of how they appear on the screen and neither choice is trying to influence a decision.

 
Source: pepco.hr


Other companies use more suggestive format by informing about cookies and presenting one button that says ‘I agree’. However, a user can easily dismiss the banner by clicking the X and use the site without agreeing to data collection.

 

This is certainly persuasive because it makes the ‘Accept’ button the most appealing and in a haste, users will likely click that button.

 
Source: poslovni.hr


But I saw something even more suggestive.

Here a user is given a pop up with two buttons and no option to dismiss. The black button says “Agree and close” and the greyed out button says “Find out more”. The way these two buttons are designed, a user would rightfully think that their only viable option is the black button or agreeing to cookies, because the other button seems inactive. Apart from that, it is almost invisible so those who have vision problems may not even notice it.

 

But it is not inactive. You can click it and it will lead to another pop up - yet another state to persuade you to accept rather than reject their cookies.

The list on the left explains all the ways of sharing your data. Below, a summary of how this data will be shared with partners is given. They offer a list of data sharing partners (very pale font above the buttons), which they obviously don’t want you to check out because the list is very very very long. All these partners will be getting your data and your data will be used to connect your devices to what you browse, read or do online, in order to target you with specific offers.

Companies often sell your data, making a profit. Data = money.

Many companies like you to think data collection is for your own good, to improve the experience, but many companies use it for more nefarious purposes. Customer data is lucrative and there are companies that sell data packages based on some quality, such as whether you buy lots of Christmas decorations, handbags, vitamins etc. These packages are based on the data collected about you online. Data from various sites you visit is connected by your IP address and your computer ID. There are companies specializing in connecting data.

 
Source: poslovni.hr


Even on this pop up the ‘I disagree’ button is so pale you can hardly see it. And if you see it, you may think you cannot click it as it is inactive. At least now you can dismiss this pop up without agreeing, as there is an X in the right hand corner. No, you can’t - it leads to the previous pop up, making a loop from which there is no escape.

Source: poslovni.hr


This is likely going to frustrate the user who may, after fighting with it for a bit, admit defeat.

 

Data privacy regulations are awesome and they empower people to have more control over their data, but are they useful when companies are allowed to deceive people into giving the rights to their data, especially if this data is then sold to other companies? And is this a type of fraud? Obtaining data by deception.

Fraud definition: “Intentional perversion of truth in order to induce another to part with something of value or to surrender a legal right”.
(Merriam-Webster)

Is this not what is happening here? In this case, users are persuaded to surrender their legal right to data privacy, while the company remains compliant with GDPR specifications. I wonder how many people fall for this technique and how outraged they would be if they found out how their data is used by predatory companies that sell and misuse our data for their gain. Even worse, people can be disadvantaged by the data collected about them. There are cases where customer data collected by the company was used against the customer in court, or led to an arrest (read about it). This is why personal data should be used with care and companies that must abide by the GDPR laws should not be resorting to fraud techniques to get customers to part with their rights on data privacy.

Responsible AI: Should companies be more accountable for their AI algorithms?

AI is the future. AI can help with jobs that are time consuming and tedious, but there is a price to pay. AI algorithms are as good as the information you consider while you train the model and the intent of the business that creates the model. That intent itself may not be inherently bad, but can still affect some group or groups of people. Often, companies use AI without considering who may be affected. Whether this is on purpose, which is highly unethical, or unintentional, businesses should do more to use AI in a responsible way. I was fortunate to work in the AI space at Microsoft for the past year, where I learned a lot about how AI can, even unintentionally, affect people (see Microsoft’s responsible AI guidance).

Recently I was one of those people, negatively affected by an AI algorithm and I want to share my story.

In September we listed our condo for sale. Like many people, my husband and I found ourselves working from home and wanting to buy a house, where we can each have a dedicated working space. At the time of the listing, Redfin estimated our condo to be worth $1,016.000, so we listed it for $999.950 thinking that was a fair price. I know that real estate prices are based on more than just Redfin estimates; however, many people, when looking for real estate, start with sites like Redfin and Zillow and judge value by looking at their estimates. I know I do. If the listing price is much higher than the estimate, I immediately think the property is overpriced and therefore, not good value. I may even consider not going to see it, thinking that even if I like the property, offering a price that is much lower than the listing price (but in line with the Redfin estimate) would be insulting. And the owner has missed out on a potential sale. This is what I used to think, until I listed my condo and observed what Redfin does.

When my condo was listed, we had some viewings but given the fact that we are mid pandemic, which is unprecedented in terms of real estate, and the fact that people who can now work from home, the market for condos was extremely slow. It seems that everyone wanted to do what we wanted to do – sell their condo and buy a house. As soon as we listed the condo, Redfin adjusted the estimate to under the listing price. Now my condo was no longer a relatively good deal. Surely their AI algorithm cannot be so simple that it just tracks the listed price?

We dropped the price to $979.000, somewhat to incentivize the potential buyers but also because we were conscious of Redfin’s new estimate. The moment we adjusted the price, Redfin dropped their estimate to $969.000. Again, my property now did not seem such a great value and any offer I may get would probably reflect their estimate but this change happened instantly with my price adjustment, so unlikely that it was a reflection of the more complex algorithm, which considers other prices or sales in the area – which would actually make sense.

It was still slow on the market front and since it has been 6 weeks, we decided to lower the price to $950.000, mostly because we moved out and were motivated to sell and move on with our lives. At that price, our condo was extremely good value and I thought, with Redfin estimate now at $969.000, this price will be attractive to buyers. But, as you are probably guessing now, as soon as the price was adjusted to $950.000, Redfin instantly adjusted its estimate to $938.000. And even at that price, which made my condo a good price, my agent was asked by people coming to an open house if there is scope to lower the price. Why wouldn’t they ask, after all Redfin estimate says it’s worth less. Quite frankly, if I was thinking of buying it I would do the same.

Source: Redfin
Redfin rewrites estimate history to make their algorithms seem more accurate

But I realized at this point that I will never win over the Redfin estimate; it was a game of whack-a-mole. Not only that, their 5 year tracker adjusted accordingly too. Surely a 5 year tracker should track, accurately, what they predicted each given month in the past, and not give you information that is based on lies and adjustments? It seems as if I am not alone in thinking this is grossly unfair to people selling their properties in what is already a pretty tough market. Comments on Blind reflected my thoughts:

I think the worst part about the estimates is that Redfin retroactively smooths them out. Throughout most of 2019, when real estate was dipping in Seattle, instead of representing a dip, they went back and erased the 2018’s peak, smoothing it out to make it look like a consistent upward trend. It was downright dishonest.
— Quote from Blind’s ‘Redfin estimates are BS and manipulative’ thread
 
 
Redfin has a conflict of interest, which is that it does better when it sells more homes. Users are more comfortable investing in a home if they believe the value is steadily appreciating over time, rather than depreciating, or growing but with great volatility. It is inherently dishonest to rewrite historical trends to create the illusion that home prices are trending up when they actually are trending down, and Redfin financially benefits from this trend smoothing. Estimates should indeed reflect the best guess with the current information at that time, as you say. An estimate should represent “this is what we think the price is, at this time, with this information.”
— Quote from Blind’s ‘Redfin estimates are BS and manipulative’ thread

Redfin retroactively changes all their price estimates and retains no history. Example, in May, Redfin said my house was worth $860 in May. Today, it says my house was worth $802 in May, but is worth $808 today. I do not mind that they use an estimate. I mind that they opaquely change an historical estimate and do not retain what the estimate was at that point in time or disclose why the historical estimates changed. It feels very manipulative, like false advertising, and should not be legal.
— Quote from Blind’s ‘Is Redfin seriously misleading the market?’ thread
 
 

Imagine having to sell your property because, like so many people, you lost your job or business due to the pandemic, and your house is now the only asset you have. How much would you have to devalue it for Redfin to stop lowering the price each time you do?

Photo by Rowan Heuvel on Unsplash

What might happen if I lowered my condo’s listing price to something ridiculous? Like $100.00? Has anyone tried? Tell me what happened. Additionally, people listing with Redfin agents have a different problem, which also seems unethical:

 
The Redfin estimate is a joke. I used to have a condo and the value of the identical condos in the building varied by +/- 15%. They also clearly use the list price in their calculation which completely invalidates their estimate as a data point. They also seem to inflate the estimate for their own listings. I listed with them and my own estimate inflated by $50k the day the listing went live and dropped back down the day I pulled the listing.
— Quote from Blind’s ‘Is Redfin seriously misleading the market?’ thread

It seems I am not the only one who noticed Redfin’s unethical and misleading practices – see this detailed article. In 2017, Redfin’s press release boasted that their estimates are the most accurate but I wonder if that still holds.

And I know that there are no regulations on this issue and technically, what Redfin does may not be illegal but I believe businesses should have a moral and ethical compass guiding them through their use of the AI technology. First and foremost, they should ensure their algorithms are fair and transparent.

People should not be put in desperate situations where they have to accept low offers for their property because Redfin’s estimate is not programmed to be fair.

And companies should be accountable for how they conduct their business when it comes to AI. This is also good business sense. A bad AI algorithm can ruin your company’s reputation, which may then be irreparable. This happened to Amazon more than once (see here and here).

My own story of selling my condo did not result in a happy ending. We decided to take the condo off the market and move back in, having incurred losses on the rental we moved in to. I know that if the market was more buoyant right now, people would take less notice of Redfin estimates because of the demand. But we are going through tough times right now and it seems that, when people are already struggling to sell their properties, which some are forced to do, Redfin kicks them when they are down. And guess what, as soon as the condo was delisted, Redfin’s estimate shot to over a million within 24 hours. That’s right, my property jumped in value by over $60.000 almost overnight. Maybe to incentivize me to list it again so they can screw me again? Since then it dropped again. It keeps me on my toes, that’s for sure.

I wonder how long it will take before Redfin loses credibility and gets replaced by another, more ethical company that cares about its effect on people. Responsible AI practices are becoming more desirable and many companies are already doing their best to uphold them. It’s a shame Redfin is not one of them. Personally, I know that I will never use Redfin again as a way of gauging property values. Once bitten, twice shy as they say. And whenever possible, I will make sure I never use their services.

Preference testing: Sometimes preference is about performance

I came across a very informative article on color contrast requirements and how this impacts accessibility. The conversation in the comments centred around the difference between preference (as in, what users prefer) and performance (is it easy to read). What this may mean, is that people may prefer certain color contrasts, but what about performance - does the contrast ratio actually help visibility and how would you separate that from preference for certain color combinations (e.g. white text vs black text on an orange button)?

Contrast ratio = 1.36


This got me thinking, because I have done many preference tests (A/B version), whether just testing color combinations on buttons or the look of certain elements, usually online. And after asking participants to choose which design they prefer, I always also ask them to justify their decision by asking why they chose the one they did. And on many occasions participants mention the preference related to how accessible the design is for them. What do I mean by that? Frequently participants reflect that the preferred version was ‘easier to read’ or ‘clearer’.

Below is an example of the two buttons I tested in the past for a small start up. They are clearly very different and I worked out the contrast ratio for both for the purpose of this experiment. Both buttons came close in terms of preference. The comments are participants’ own comments and I highlighted performance related comments green and preference ones red. I did this to illustrate that often, in preference testing, users’ decisions can be true preference (e.g. I like that one better, I like the colour), performance (e.g. easier to read) or even both.

When I asked users which button they prefer and why, I got a mixture of both: performance and preference related comments


This shows me that sometimes preference is not only about whether you like certain colours or not. For many people preference will be dependent on functionality and accessibility. If you are just looking to get opinions on whether users like the colours then you should be clear about what you’re asking. Asking them what they prefer may confound the results if you only want to find out about colour choices. This is why I always like to follow up with a “tell me why” or “tell me what made you say that”. Some users will prefer something without knowing why, even when asked. In face-to-face usability testing, they may be encouraged to concentrate and elaborate on certain elements but in online preference testing, this is lost. But the majority of users will have an idea about why they prefer something, and often their preference will also be down to how well the design performs.


Credits: Jellyfish photo by Chitbhanu Singh on Unsplash

Applicant Tracking Software - Useful tool or survival of the fittest?

Early this year I casually started to look for work in Seattle. I attached my resume to jobs I would find on LinkedIn and also contacted interesting small companies directly, because they tend to list key people and their contact details on their website. While I almost always heard back from small companies, even to just have an informal conversation about what I am after and what they do or to inform me that there are no positions open, I did not receive one call back from companies I applied to on LinkedIn. This puzzled me but I thought it was just that they might have had an influx of job seekers and I just didn’t make the cut.

However, I was just not aware of Applicant Tracking Software (ATS) that most of the companies use. I found out about ATS when I attended the workshop by Jobscan. The speaker said something like: “The resumes that fare the worst are usually those designed by designers, the most beautiful ones with different layouts and sections.” I felt like someone punched me in the stomach. My resume was creatively designed by my husband, who is an interaction designer. During the same workshop, we were encouraged to log into the jobscan.co website and enter our resumes and a job description for a job we felt we were qualified for to see how we fit.


The whole workshop gasped when most of us scored below 45%. One woman commented she is only a 33% match for a role she has been doing for years. It’s all about keywords and layout and avoiding formats that are not recognised by ATS. I found out that abbreviations, such as my PhD, might not be recognised by some ATS systems, immediately rejecting me for roles I was applying for. If you are not familiar with how ATS works, here is a quick summary: a recruiter would typically get a document with resumes listed in order of matching qualities. Resumes below 85% are probably immediately rejected and never even seen by a human. And this score comes down to keywords programmed for a particular job.


This made me think about it a lot. What is actually important to companies hiring for these roles? And are they getting the best candidates for the role by using ATS systems, or just those that are clever enough to play the system? Sure, using ATS saves time, because a human would take a while reading 200+ resumes to determine who might be the right fit for the company and the role. But what are the disadvantages? 

First of all, you may miss candidates that you want because their resume did not, in some way, pass the ATS. Perhaps they missed a few keywords or used different terms and this gave them lower rating, which means they will never be seen by the right person. You may also have lots of unsuitable candidates that have figured out how to beat the system by loading their resumes with the right keywords while not really being suitable for the role. And the keywords are often right there in the job description.


A while back I was doing some freelance work for a company using AI within their product, and while testing the product, I was pretending to be a customer. I soon realised how the system worked and instead of real answers I could just load lots of right keywords and get the desired results. When read, they made no sense.
I am sure no one intended for it to be used in this way but it gave me better results this way.


And keywords are everywhere and they are everything. I am writing a book on my PhD subject at the moment and the initial excitement, felt when I was offered a book deal by my first choice publisher, was soon tarnished by the fact that my title needs to carry as many keywords as possible and as such, has to be chosen by the marketing department and not me. Same with chapter titles. It’s all about the search results. 


One can look at it from an evolutionary point of view and say that beating the system is a sign that the candidate is smart and resourceful and as such, might be right for the role. But I can’t help wondering how many people there are, sitting in the ATS reject folder, who would be awesome candidates, yet they never came to the attention of the right person because they used the wrong formatting, a wrong abbreviation or did not use carefully chosen keywords.

Data Privacy and social media: What do social media users think and how do they feel about GDPR?

Data privacy

The internet has changed the way we shop, communicate and socialize. It made the world fit into the screen of our computer and opened avenues of communication that did not exist previously. Social media sites are especially popular. They created a way of communicating with friends and family on a daily basis, in a way that did not exist, by sharing photographs, anecdotes and media. They also created a way of advertising services and promoting business and bringing people together based on some shared element (e.g. opinions, likes and dislikes), all of which made the world a smaller place. But living our lives online has also presented some challenges, primarily how the data we share is used and by whom and how this data is stored and treated by organisations we trust with our data.




What is data privacy? In a nutshell, data privacy concerns collection and dissemination of personal data. The laws around data privacy and data protection often differ country to country, therefore the implementation of General Data Protection Regulation (GDPR) aimed to simplify data protection law for online users by creating a regulation that deals with data protection and privacy within the European Union and European Economic Area. This regulation also addressed the import of users’ personal data outside this given area and aimed to give customers and users more power over their data. One facet of GDPR is to do with empowering users when it comes to their data, primarily the regulation of disclosure of data collection, its retention and use and whether the users’ data is shared with third parties or outside the area of jurisdiction. Under this regulation, users and customers have been given the right to request to see data held on them by organisations they are dealing with.


But what do users actually think about this and, generally, how important is privacy to people who use social media sites, where they may share more data about themselves than on other sites (e.g. shopping)? The insights in this report are based on the results of a short survey looking into users’ attitudes and behaviour regarding data privacy.

Methodology

A survey was used to capture people’s opinions regarding privacy on social media sites and how it will be affected by GDPR. Participants were also asked to leave qualitative comments and elaborate on questions, to better understand their wishes and preferences.

Who are the users?

A total of 50 social media users participated in this survey, consisting of 32 women and 17 men between the ages of 18 and 67.


It’s important to have a clear picture of users’ wishes, opinions and behaviours. 


In order to better understand participants in this survey, short user profiles were created to illustrate different personalities in this survey.

Many participants reported sharing either only a small amount of data on social media (43%) or a moderate amount (33%), and only a small number admitted to sharing a great deal (4%).

How important is data privacy to social media users?


Many people report that data privacy on social media sites is important to them, but end up not protecting the data they share on such sites.

However, many also reported sharing a lot of personal information online (63%), with location and family photographs being the most shared data on social media. Some users also reported sharing their date of birth (33%), phone number (20%), information about hobbies, activities and work-related things, and even intimate details (13%).
When asked what they do to safeguard their data, some users admitted they don’t do much. This may be because users don’t always know how to safeguard their data online. Often they don’t understand or know about all the privacy settings available to them, or they simply are not aware of how privacy can be compromised and data used for nefarious purposes, such as to commit fraud.

Following other people’s behaviour

Although the majority of users are aware that sharing contests and prizes online can be risky, some reported only doing it if their friends do it too. Seeing others, and especially our friends, do something is like ‘word of mouth’ and is therefore likely to lower the perceived risk and lead to less caution (social proof), while attaining followers and likes is how fraudsters enhance credibility online. Asking for shares on social media may also help advertise fraudulent activities.

Those who reported safeguarding their data cited not sharing too much personal information, checking privacy settings, having strong passwords, not commenting on public posts or adding unknown people as friends on Facebook, removing location tracking and using two-factor authentication.

Control over data

To many users, it was very important to have control over who sees their data or things they choose to share or that their data is not shared with advertisers or third parties without their knowledge. One user commented that they would like a percentage of funds paid to organisations by third parties or advertisers in order to get users’ data.

Having robust systems in place to safeguard data against cybercrime was also highly important to users, as many reported not being confident that social media accounts effectively protect their data (76%).

What are the most important privacy related features to users?

The privacy features users found most important were control over who sees what they post and assurance that their data is not shared with third parties. Good data protection, such as robust cybersecurity, was also important.

Requesting own data

Under the GDPR, any customer or user is able to request to see the data held on them by any organisation and question its retention and use. But how useful is this to users, and what do users hope to gain by asking to see this data?

Many users reported this feature to be of great importance to them (41%), but many also reported being undecided on the issue (37%). A small percentage felt that this wasn’t something that was important to them (22%). When asked to elaborate on their answers and verbalize why requesting their own data would be important to them, many provided important insights.

Many participants reported wanting this data for self-reflection, in order to see if they are inadvertently sharing too much information about themselves online, and if this information may be used to harm them in some way. Some felt the ability to legally request to see this data without being refused would lead to more transparency and force organisations to treat users’ and customers’ data more responsibly.

Because I feel like big companies have a tendency to be deceptive when obtaining permissions. For example, they may word things differently than the consumer expects so that data falls under the criteria without the consumer realising it. Allowing the consumer to see what is being shared allows transparency and for making informed decisions.
— Survey participant

Summary

Users want to feel more secure on social media sites, especially with regard to targeted advertising and third-party sharing. This indicates that for many users, customers or consumers, data privacy is important. So is being able to request one’s own data from organisations, because it offers an opportunity to examine one’s own behaviour online and can serve as a learning curve. In addition, this may also offer the desired transparency on how personal data is collected, retained and used, and reassure users who are concerned about privacy that their data is used according to their wishes.

Extortion and sextortion - how they evolved to haunt us

Extortion and especially sextortion emails are on the rise so what are they? Extortion emails are emails that use some kind of threat, which are sent to potential victims in order to extort money. Extortion correspondence may focus on different elements, such as exposing the victim’s activities in real life (e.g. cheating on a partner) or online (e.g. visiting porn sites or masturbating) to colleagues, friends and family. Some even threaten to harm or kill the victim, with blackmailers frequently asking for payment in cryptocurrency.

Extortion in cyberspace is not a new concept. As more and more data is stored electronically, the potential for cyber extortion increases. In the past, cyber extortion typically affected businesses targeted by criminals using malware, which may disrupt or compromise operating systems, but this is now extending to private individuals. Sextortion is also not a new concept. In the past, victims were usually women and tended to be younger, blackmailed either by an ex-partner, whom they met and dated in real life and who was in possession of private or sexual images of them, or by a perpetrator they met online, who obtained the images either from the victim or by some other means. Research also shows that this type of crime is not all about the money: sometimes victims are blackmailed into supplying pornographic video of themselves, and threats can be real. However, in recent times, it seems that (s)extortion attacks have evolved, targeting private individuals who have never had any prior contact with their perpetrator, and asking for payments in bitcoin. The reason for this may be that bitcoin, as virtual money, has little or no legal regulation across different countries, making it a perfect choice for criminal activities.


Fear and shame

The new variants of extortion and sextortion emails frequently mention the victim’s visit to porn sites, which was recorded (hacked) by the scammer, but sometimes they are kept purposely vague, referring only to a ‘dirty secret’. This could be a deliberate tactic, as keeping the content vague allows the scammer to catch more victims, because vague content will be applicable to a greater number of people.
Potential victims are threatened, and the threats in such emails can be elaborate. They include direct threats, such as telling the victim that the data collected on them will be distributed to friends, family and/or work colleagues, and implied threats, which talk about the shame a victim might feel if their secret were to be made public.

“I don’t think that playing with yourself is really awful but when all colleagues relatives and friends receive video record of it is definitely terrible news.”

Or in emails that refer to extortion that is not connected to sexual acts, such as those that inform the victim someone has paid to have them harmed and offer to reverse this for a fee, the threats are implied by explaining what the blackmailer does for a living:

“I have got a personal website that includes all kinds of services which actually I give in dark net. Just about anything from totally wrecking a persons business to physical injury.”

Victims are also reminded about the potential breakdown of an existing relationship, should the ‘secret’ come out.

These threats serve a purpose – to evoke fear. Fear is a visceral influence, or a primal drive, under which careful thinking is compromised.
Fear has two components: physiological (e.g. adrenaline levels rise to prepare us to fight or flee a situation) and emotional. The emotional reaction to fear is usually unique to each person, with some people being more averse to fear while others even enjoy feeling some fear (e.g. watching a scary movie or doing extreme sports). Therefore the reaction to this type of fraud will be highly individual and people may not be affected in the same way. For example, fear-averse individuals may be more likely to comply with the requests in order to avoid the negative emotional response evoked by such correspondence. Additionally, these types of emails contain elements of shaming, which will further intensify the fear and which may have different cultural or societal meanings to different people. For example, while some people consider visiting porn sites to be shameful and would prefer this to be hidden from their friends and family, others may not think there is anything wrong with it and will therefore feel less fear when threatened with exposure of such behaviour on their part. Scammers also include references to social norms in such correspondence (e.g. ‘your taste is so weird’ or ‘you’re a big pervert’) in order to shame potential victims.

 
The majority of people will feel intense fear and shame when they receive such correspondence, which may stop them seeking help and advice.

 


Persuasion elements

In addition to evoking a strong emotional response, sextortion emails use several persuasive components in order to encourage immediate compliance. Typically they contain an explanation of how the computer was hacked and the victim’s data collected. To most people who have limited cybersecurity or computer knowledge, these will appear credible. Look at this example:

“The hacking was carried out using a hardware vulnerability through which you went online (Cisco router, vulnerability CVE-2018-0296). I went around the security system in the router, installed an exploit there. When you went online, my exploit downloaded my malicious code (rootkit) to your device. This is driver software, I constantly updated it, so your antivirus is silent all time. Since then I have been following you (I can connect to your device via the VNC protocol). That is, I can see absolutely everything that you do, view and download your files and any data to yourself. I also have access to the camera on your device, and I periodically take photos and videos with you.”

I don’t know about you, but I don’t know enough about computers to know if this is possible and I know a lot about fraud. But I do have talented friends who work in cybersecurity, whom I often ask for advice. To most people who don’t have this luxury, this may appear highly credible.

Then there are time limits imposed (“you have 24 hours”), which add urgency. Urgency is a known persuasion technique. The key is to not allow the victim to properly think about it or share the news with someone who may advise them not to comply. Some perpetrators even draw attention to and apologise for the spelling mistakes, offering an explanation for their poor grammar.

“I am apologise for my grammar, I’m from China”

Since many people have come to associate bad spelling in unsolicited emails with scams, this may be a specific new technique to get around this association and make the correspondence appear more credible.

Frequently, such correspondence also includes references that equate scam victimisation to a normal transaction (e.g. ‘it’s confidentiality fee’) and scammers even plead with a victim not to hate them, as they are only doing their job.

“Don’t be mad at me, everyone has their own work.”

Some of the emails also point out that the amount asked for is reasonable and not likely to affect the victim a great deal financially. The amounts asked for vary greatly, from $200 to many thousands. This may make some victims, especially when amounts are kept low, more likely to pay the ransom and less likely to report it, as frauds that result in smaller losses are not reported as frequently. Therefore, some scammers purposely keep the amounts low to avoid detection.

Bizarrely, some scammers also adopt the role of a friend or an advisor and offer the victim advice on security.

“I also ask you to regularly update your antivirus in the future. This way you will no longer fall into a similar situation.”

Sometimes they berate the victim like a friend or a parent would.

“It’s a pity that people did not learn to use the Internet safely. There are too many different specifications about safe Internet using - Proxy servers, the newest antivirus base, close that camera... In your opinion it is not necessary”

This is a known scam technique but feels ill-placed for this type of fraud, especially as the communication is based on threats rather than exploiting social norms (e.g. where a scammer places a victim in the role of a friend and asks for help, or where a scammer acts as a friend to the victim in order to exploit them). However, I have found out that scammers sell ‘scamming manuals’ on the dark web for thousands of dollars, so using this may just be a ‘let’s throw everything in there’ approach.


Inducing helplessness

Perhaps the most worrying component of such emails is that they are designed to induce helplessness, or loss of control over the situation. The scammer reminds the potential victim that, although they can report the blackmail to the police, their efforts would be futile because the scammer is located in another country or is undetectable. Some also concentrate on the fact that an investigation is likely to last a long time, so the victim will run out of time and be exposed. The implication is that the victim has little control over their situation apart from paying the ransom.

“At this point you may be thinking ‘I’ll just go to the cops’, which is why I have used a fake name fake return address and taken steps to ensure this letter cannot be traced back to me.”

“I am an immigrant, so there is no way out to find out my location precisely.”

“You are able to complain to police but I don’t think that they can solve your problem. The Inquisition will last for one year.”

Why is this important? If a potential victim feels helpless, they are more likely to remain passive, accept the situation and agree to the terms of the blackmail. Therefore inducing helplessness may be a deliberate tactic in such correspondence, designed to render the victim silent, discourage reporting and ensure compliance.


Making (s)extortion fraud prevention count

Often fraud prevention advice fails because it doesn’t adequately address the emotional reactions some frauds evoke. (S)extortion emails, when they reach a vulnerable target, evoke visceral influence (panic, fear). Telling someone not to panic in this situation is the same as telling a starving person not to think about food. Rationally it makes sense, but not when you are in a highly emotional or visceral state. When one is in a visceral state, they focus on addressing the goals associated with the current state. The persuasive elements such correspondence is likely to use will further impair judgment and influence decision making. Finally, such emails induce helplessness. In this state, a potential victim is likely to surrender the fight, and this is even more true of people averse to fear. Therefore simple warnings may not be sufficient. So what should be done?

Fraud prevention practitioners should concentrate on explaining the persuasive elements in such correspondence instead of issuing authoritarian warnings (e.g. ‘never respond to such emails’ or ‘don’t panic’), as explanations are more likely to be effective when someone receives such correspondence. For example, research found that when people get explanations about why security advice is important, as opposed to vague warnings, they are more likely to listen to it. Explaining the reasons for the emotional responses evoked by such emails and how they impair judgment may reduce the impulsive reactions people typically have in such situations. Pointing out that these ‘visceral’ reactions are temporary, and that scammers use them in conjunction with time limits in order to take advantage of the visceral (i.e. irrational) response, may teach people to be more aware of how their emotions affect them and teach them to wait it out. Finally, explaining how scammers purposely induce helplessness in such correspondence will empower victims to fight rather than flee the situation and to report or share their experience with others, who may offer knowledge vital for making optimal decisions.



This article is based on a thematic analysis of 60 different extortion emails. I will be presenting the results at the 9th Annual Counter Fraud and Forensic Accounting Conference at the University of Portsmouth, UK on 6th June. Hope to see you there.


Successful layering

Scams can be extremely sophisticated, yet for many people, a typical scam is a Nigerian prince asking for help to launder money or a desperate, and dare I say naive, scammer that was talked into holding an ‘I can’t believe it’s not butter’ sign, hoping this would get them some funds. But the reality is much darker. Good scammers are very good at psychology and often design frauds by layering different fraud techniques, all designed to complement each other for greater success. For example, scams that evoke visceral influence (fear, panic or greed) will usually also have time limits attached to them (e.g. offer expires, you have 24 hours etc.). This is to ensure that the potential victim has no time to regain composure. Under visceral influence, careful deliberation is compromised and we tend to focus on superficial things, like the size of the reward, the attractiveness of the offer or even on the scammer, many of whom are polished, charming and will appear trustworthy. Any inconsistencies will be disregarded in favour of these superficial cues, because when one is under visceral influence, they are likely to focus on goals associated with that influence. This is why you are always told not to go shopping for groceries hungry, and it’s equally true of acting on anything when intense fear or excitement has been evoked.

Scams that appeal to social norms often use altercasting too. Altercasting is another persuasive technique, where a perpetrator will put a victim in a specific role that is congruent with the perpetrator’s goals. For example, I have seen advance fee scams that use narratives where either an orphan girl, a widow or even a pastor appeals for help (social norms) and the victim is placed in the role of a friend or a confidante, where a perpetrator will trust the victim with confidential or deeply personal information before asking for funds down the line. By that time the victim has been acting as a friend or an advisor, and this role is likely to help facilitate the fraud, because they will be more likely to help.



Scammers often layer persuasion techniques for greater impact.

In conjunction with other individual factors, these techniques can be very effective.

 

Other factors also come into play. Different circumstances, for example, have been known to influence compliance in certain scam situations. So have certain individual characteristics, such as lack of vigilance or impulsivity. For example, if you are down on your luck, looking for work and running out of money, you will be more likely to take risks and consider financial opportunities that don’t look very sound. You may be more likely to concentrate on potential rewards instead of any negatives associated with high return investments. If you are also more compliant in general, it is even more likely that, when persuaded to do so, you will decide to go along with something you have some reservations about. Or if you are more impulsive, you may act quickly, without allowing the time to think about your decision. All of these factors combine (or layer) to produce a unique vulnerability score.

Many frauds are still relatively simple, such as a badly constructed phishing email that will bring a smile to your face, but many are far from simple. It all comes down to how good the scammer is, how motivated they are to develop highly credible-looking, psychologically designed frauds that create highly persuasive situations, and how they go about executing them. The more effort they invest, the more lucrative the venture will be, so it’s good to be vigilant and not underestimate what fraudsters are able to do by concentrating only on badly designed scams that are easy to spot.

Can good customer service make your organisation vulnerable to social engineering attacks?

Many companies invest a great deal in security systems but very little in training their staff. They feel that having protocols in place means that protocols will always be followed and that this offers robust protection against fraud. This is not true. Humans are extremely vulnerable to social engineering attacks and employees trained to follow protocol are no exception to this. If you don’t believe it, please read and watch this.

So what is social engineering in terms of fraud? It can be defined as a deception to manipulate and coerce individuals into divulging confidential or personal information, which is then used for fraudulent purposes. Not everyone is equally susceptible to social engineering attacks. My own research found that some people are more compliant, impulsive or less vigilant and those traits will make them more likely to succumb to fraudulent attacks. Understanding and addressing these vulnerabilities is the key to fraud prevention. Equally, detecting and understanding scam techniques used in social engineering attacks is also extremely important. See this example – induced urgency (baby crying) will encourage a customer service agent to rush decisions and likely compromise the company protocol. This is not an employee problem. Everyone is vulnerable to social engineering attacks under certain circumstances. Continuous education and awareness are the keys to tackling this problem.

Just as it is important to understand how your employees can be vulnerable to social engineering attacks, it is also important to understand that any decision or protocol implemented by an organisation may create a loophole or an opportunity for fraudsters to infiltrate the system. Take customer service, for example.

Expecting excellent customer service from your employees is desirable, but can make it easier for fraudsters to compromise your protocols.


It has become customary to ask customers for feedback each time they receive a service or contact customer service for help. This feedback often leads to incentives for employees providing customer service and may also frequently be used to penalise employees that have unsatisfied customers. The reality is that you cannot please all of the people all of the time, and customers can sometimes demand impossible things. But having these ‘feedback systems’ in place can influence how your employees behave when they provide customer service, and this can compromise the safety of customers and affect your company’s reputation. For example, if a customer is unreasonable and wishes to obtain some personal information details they forgot or misplaced, would you expect your employees to breach company protocol to make that customer happy? Probably not, right? But if you also have systems in place where your employees are always monitored and encouraged to have an impeccable customer satisfaction record, you create anxiety and encourage company protocol to be broken to achieve this. And this makes you an ideal target for any fraudster that wishes to obtain personal information that will likely be used for fraudulent activities somewhere else.

It is likely that these types of attacks will be happening more and more. They are extremely lucrative to criminals and can often lead to customers’ bank accounts being compromised and funds stolen, so a lot of effort goes into designing these attacks. This can leave your organisation open to lawsuits in the future. Don’t assume basic training and protocol is enough to protect your organisation from social engineering. Always seek better preventative measures, keep on top of new fraud techniques and never underestimate what fraudsters are capable of doing.

 

A friend in need is a friend indeed: How scammers exploit social norms

We all have had our email hacked at least once. When my email was compromised, my scammer/hacker did little more than spam my friends with adverts for electronic goods with a personalised message from (supposedly) me, saying that I just bought this amazing stereo system and my friends should use the link to do the same, at a reduced price. Knowing me too well (I would never brag about a stereo system like I would do about a Mulberry handbag or a nice scarf), my friends alerted me quickly. I changed the password for that email and that was the end of my advertising. However, some hacking is not so innocent. Scammers can be sophisticated, often combining several persuasion techniques to get you to send them money, and not small amounts either. What can start with a simple password hack can quickly turn into a sophisticated persuasion technique, and I will explain how.


We are all brought up to be nice to others and help our friends and family.  Society as a whole is built on those fundamental unspoken rules and this is ingrained in us. We help our friends and family and they help us, when in need. Scammers know this. They also know that, where one would usually be suspicious to get an email from a stranger, asking for money, they would be less cautious if that email came from a friend.


Humans are social beings. Our lives are built on helping those we care about.

The scam usually consists of an email from your friend (whose email has been compromised), or a person that you know well, telling you they have been stranded on holiday, their possessions stolen and they need some money to get new passports and to get home. Naturally, you are horrified and consider helping. They tell you to wire money to them via Western Union in a particular country to help them get their affairs in order. If you do, money is lost forever and there is little anyone can do for you.  Research found that phishing emails are much more successful when coming from a friend than a stranger, which means that if a scammer invests a bit of time to research things about you before launching a phishing attack, they will be way more successful in attaining funds. Since this is costly to the perpetrator, amounts are usually considerable. This type of scam can be perpetrated via phone, email or social media.

If you ever get an email from a close friend asking for help, if you can, give them a call instead to check the facts first, even when the email tells you they cannot be reached. If you cannot get hold of them, you could respond to the email expressing your concern but also asking a random question such as "how is your son coping?" when you know that this particular friend doesn't have a son. Chances are that the scammer will not know this and will respond saying that the son is distressed, or something similar. If it is a genuine request by a friend, they won't mind, and you will get a warning sign if it is not a genuine friend of yours. It is also good to let your friend know by some other means that their account has been compromised and urge them to change passwords connected to that email. This also means passwords connected to any social media that they use with the email in question, just to be sure.

Phishing emails are usually obvious but every now and again, they can surprise you. Using the social component of our lives against us makes them that much more convincing. We trust our friends where we would never trust a stranger, which can be turned against us. Trust is good. It’s an integral part of social relationships, allowing us to make bonds with people we care about. But in this day and age, it can also be our downfall. Trust but verify.

'Fake it till you make it' - psychology in fake reviews

Online customer reviews have revolutionised the way we shop. Having instant feedback about a product, service or a customer can help one avoid bad purchases and guide decisions. People are attracted to reviews. However, scammers are too. Why is that?

As human beings, we shape our beliefs and our behaviours by observing others, how they behave and what they believe in. This is known as social proof. Exchanging and sharing experiences, talking about our likes and dislikes, about what makes us happy and what makes us angry. We are social. This is why reviews can be so influential. In real life, this translates to word of mouth, which is harder to fake, but online, creating a fake review is relatively easy.


We look to others to define our reality.


There are several good guides on how to spot fake reviews. There are plenty of reviews online that are shill reviews (or covert advertising), planted by marketing teams to excite people about a particular product. Shill reviews can also be left on social media or forums, as this adds credibility, and companies may even offer the product free of charge or offer discounts in return for a review, which in some cases, such as on websites that specify whether the reviewer has purchased the product, can add additional credibility to the review.

Many companies that offer a platform on which sellers and buyers come together (e.g. eBay, Amazon, AirBnB) will have problems with fake reviews, but may also have problems with fraudulent activities that exploit the review system to appear legitimate. For example, a fraudulent account that is selling substandard products purporting to be quality or branded products may initiate several verified reviews by pretending to be both a seller and a buyer. The initial costs associated with that process (such as eBay fees) are irrelevant given the credibility and legitimacy it creates (a product reviewed by satisfied customers will appear legitimate and foster trust). Therefore it is easy to see why some people fake reviews. Fake reviews can also be part of new ‘brushing scams’, where people receive parcels and goods they never ordered so that fake reviews can be generated.


Why is it important to look at fake reviews through psychology?


By understanding the motivation behind fake reviews and the persuasive techniques used to create them, we can learn to spot what is real and what is fake.

 

So what is the psychology behind fake reviews?

Fake reviews employ something known as ‘social proof’, or the tendency to look at others to define our reality. As stated above, we look to others to see what they do, how they behave and what they believe in, and we adjust our behavior accordingly. People will trust things that are backed by other people. What a fake review does is establish a dialogue with a desired customer, where a person leaving a review is able to persuade someone reading that review that the product they are looking at is just what they need. There are several persuasion techniques that allow this. If a desired audience can be identified, parallels can be drawn with that audience in a review, emphasizing similarities between a reviewer and a potential customer (this is a known scam technique). Then, a reviewer may concentrate on statements that emphasize life changing properties of the product, which are made specifically to evoke positive emotions. Fake reviews may even mention risks or a high cost, but these will be minimized quickly by concentrating on the fact that the risk was worth taking. When people see others take risks, they feel more confident in taking the risk themselves.


These techniques and the way they are executed are frequently adapted or modified by scammers, especially when they become well known and predictable, therefore it is imperative to research and evaluate them frequently and adapt fraud prevention measures accordingly.

Are security warnings making us fatigued?

Internet security, software and anti-virus updates - we are all aware of these and many of us frequently ignore them. Now there is some research on why that is. People may be experiencing ‘security fatigue’ due to the amount of security warnings out there, and this may be dangerous as it leads to less caution. Having so much security or fraud advice from different sources can confuse and intimidate users to the point that they ignore all advice. For example, in real life, we have limited time for making decisions. When there is too much information to consider, it’s easier to ignore all information than to try to figure out which security advice should be followed.


Badly designed security warnings are largely ignored

In a research study by Egelman, Cranor & Hong, participants who willingly gave their details to a fraudulent website created for the experiment explained that they did so because they did not understand the risks, and said they frequently ignore security advice. Therefore, warnings barked at people without properly explaining why there is a need to be cautious may not be the best way forward. Having simple advice, concentrating on fraud elements that are mostly stable (e.g. scam techniques or personal vulnerabilities), as well as individual factors (e.g. personality or circumstances that influence fraud compliance) may be a better way forward in the fight against fraud. This is supported by research that looked at how individual differences impact privacy attitudes (Egelman & Peer, 2015).


Designing good security advice is an art. Just as criminals use specific persuasion techniques to influence compliance, security advice that is not compelling will be largely ignored.
For example, research by Modic & Anderson found that security warnings that used concrete threats (an explanation of what malware does to a computer), rather than vague ones (a message saying access is blocked due to security concerns), were more effective. They also found that adding cues to authority (e.g. security team has identified this site is dangerous) to a security message was more effective than social cues (e.g. your friends have already been scammed). This means that people seem to appreciate concrete advice coming from those that they perceive are experts in the field, rather than being inundated by vague or conflicting security advice that can be found in abundance online.

 

There is another aspect to consider and that is a potential for alienating customers. Many companies invest money in fraud prevention measures that reduce revenue lost to fraud but forget about fraud prevention advice for their customers. This is often just an afterthought and I have seen many legitimate emails contain really outdated scam advice within their content. This includes telling customers that they can trust emails that have their name in the content or to pay attention to spelling. Fraud is an organized crime and scammers have realized that a little bit more effort invested in designing phishing content tends to pay big dividends. Often this means that they get some data on the potential victim and can offer personal information as a way of enhancing credibility of the correspondence.

If your customer receives a phishing email bearing your logos, and they remember your outdated phishing advice, which is no longer valid, they may get scammed.

Once this happens they will forever have a negative view of your brand. They will no longer trust you.

Many fraud victims I interviewed told me about a lack of trust following victimization. And sometimes this mistrust gets attached to companies whose credentials were misused by scammers. The best you can do for your customers is keep any fraud prevention advice current and relevant.

When a person is defrauded, they suffer great psychological distress. It is not just about the lost funds, it is about deception, about morals. On a rational level, a victim of a phishing attack bearing your company logo will know that you did not cause this but on an emotional level, they will forever associate your brand with not being able to trust you. This is why it’s important to have the best possible fraud prevention advice for your customers, to make it engaging, relevant and personal and to update it frequently.

Miracle cures and clairvoyant scams

In the 1800s, a magician and showman, Phineas Taylor Barnum, wrote a book called “Humbugs of the world”. By ‘humbugs’ he was referring to old fashioned swindles and scams. Many are still being used today, such as fake lotteries, miracle cures and clairvoyant scams, which just goes to show that scams have always been lucrative. In fact, Barnum was such a great trickster that one of the cognitive biases (the original Forer effect) was renamed after him.

Picture credit: https://www.pinterest.co.uk/pin/35043703324205786/


P.T. Barnum was a magician and a showman in the 1800s. He wrote a book about old fashioned scams, many of which are still used today.

The Barnum effect

The Barnum effect refers to the acceptance of vague personality feedback that could apply to anyone as a highly accurate description of one’s personality. Giving vague feedback is often a component of clairvoyant scams, where a victim will be given a universally valid description of their personality as proof that a clairvoyant is genuinely able to see things. The description will be accurate because it is vague and it is true of almost everyone. In the original experiment, a psychologist named Bertram Forer used sentences he collected from daily horoscopes and gave them to participants as bona fide personality feedback following psychometric tests. All participants received the same feedback. He then asked participants to rate how accurate the feedback was and was surprised to find that participants were rating it as highly accurate. This is how clairvoyants or psychics can make you feel that they know something about you, when in fact they are providing vague feedback that can apply to anyone and not just you.

Miracle cures

I wanted to also explain a bit about scams people don’t often hear about, unless they have a health problem or an issue they feel too embarrassed to talk to their doctor about - scams offering ‘miracle cures’. Miracle cure scams tend to target people who are either desperate because they have tried everything without success (and this often sadly includes terminally ill people) or those that have chronic or embarrassing conditions. Research found that these types of scams often purport to have cures for diabetes, cancer, baldness, obesity, impotence and loss of libido.

Miracle cures often target embarrassing conditions and use fake testimonials.

Fake testimonials provide social proof we, as humans, often seek when making decisions.


Some miracle cure scams may have a professional or legitimate looking appearance, such as being endorsed by health clinics or doctors, but they are largely ineffective and could also be dangerous. Scams selling cures often use social proof cues, such as fake testimonials. Social proof is a known scam technique and is highly effective.
People define their reality by looking to others, how they behave, what they do and what they believe in and act accordingly. Therefore fake reviews and testimonials can be highly effective, especially when we are desperate to believe in something, such as a miracle cure to an embarrassing problem.

These types of scams affect women more than men and are rarely reported, which is why they are not talked about as much as some other types of scams (e.g. financial or romance). Often, people may not know they have been defrauded when it comes to clairvoyant or miracle cures scams, because the product was received (e.g. vitamins or supposed cures) but purchasing a product that claims to cure a disease when it actually does nothing is also fraud and should always be reported to the authorities.

Wrong fraud advice can make one more vulnerable to fraud

There are fraud warnings advertised on various websites. Almost every organisation and every business affected by fraud issues some sort of advice to their customers. There are also those that purport they are experts on scams, calling themselves ‘experienced scam baiters’. There are warnings that describe recent scams, websites that log emails scammers are using, experiences shared by victims. This is all good, it is important to be aware of different scams out there. It is important to share your experience so that a quick Google search may help someone else but the real trick is to be smarter than a scammer. And this is where things get hard.

What makes quality fraud advice? First of all, any advice is better than none, but outdated fraud advice can be very dangerous. For example, I recently saw an email from quite a prominent organisation that deals with safe money transactions and it contained fraud advice which is terribly outdated. Telling customers that ‘phishing’ emails will never address them by their name is no longer applicable. Technology has moved on and so have criminals. Frequently, an individual’s stolen data is used to make phishing emails look genuine, or a fraudster may also compromise a legitimate company and send you emails that will then ask you to follow links to malicious sites. Making phishing emails look legitimate is highly profitable, therefore many fraudsters invest time and effort in spoofing or faking genuine details so that a phone call or an email will look highly legitimate. Giving outdated fraud advice can, therefore, make one more vulnerable to fraud. And a customer that follows advice given by your organisation and is then defrauded will forever have a negative view towards your brand.


Rather than being a life line, outdated fraud advice can make you more vulnerable

So what is my advice? Rely on yourself. Your intuition, your gut feelings, your intellect. And verify as much as you can. Why? Because fraudsters invest time and effort into their craft, coming up with new scams all the time. And because, despite all the warnings, forums and help agencies out there, we will always be one step behind fraudsters.

A successful scam relies on the element of surprise, something you can’t Google, something that is not flashing up anywhere. Just have a look at some of the forums: the plethora of scams on offer is both ingenious and deadly. Knowing an email a known scammer used can only help you until they generate another one and start from the beginning. So what would be better advice, a better warning then? Be vigilant, check everything and try to understand how scammers design and execute different frauds and what effect that will likely have on you, so you can modify your reactions and your behaviour. It takes a smart person to be a successful scammer so don’t underestimate them. Learn to think critically and pay attention to all the details you are given. Ask questions, delay decisions, Google things, ask others for advice… Look at your own weaknesses and address them. Do you act on impulse? If so, make a rule to sleep on it before you buy or reply to things. Do you struggle to say no? Then say not right now instead. Are you unmotivated to read terms and conditions? This can lead to you agreeing to things you didn’t want to do. Scrutinise information. Cross reference. Take a moment to understand what you are feeling - scammers often evoke strong emotions to encourage impulsive decisions.

Another valid piece of advice is, no matter what the email is, never to click links in emails. Verify by logging in to your accounts independently. Sadly, social media has made us automatically click links, because this is how we share information with our friends. But automatic link clicking has also made us more vulnerable to fraud offers, especially if the email is spoofed and appears to be coming from a friend.

Grooming techniques in fraud

In the olden days when scammers relied on selling you something, an overpriced double glazing or a miracle product, they were usually easily spotted due to their fake smiles, polished suits and a skill, not unlike that of a python, of being able to squeeze every last penny out of you. They were ruthless, arrogant, forceful, and it was easier to spot the warning signs of being scammed. We have all heard scary stories about window salesmen who refused to leave your home hours after they had given you a quote for the new windows and you had told them you would like them to leave at least 50 times. But what people don’t realise is that modern scammers have evolved. They are no longer forceful or arrogant and they often address our needs. Hope of a large investment on your pension savings, hope of finding your one true love, hope of a miracle oil that will help your loved one battle cancer when their oncologist has run out of hope, or hope of buying a time share apartment that will bring you nothing less than a secure income in old age. Scammers have become slick, smart, calculated, embracing innovation and using psychology to get the victims to comply.

For example, research into dating scams found that scammers invest hours upon hours of communication with their victims. This communication sometimes lasts several months and is sometimes very intense, which helps to cultivate an interpersonal relationship between a victim and a scammer that is hard to override. Frequently they send gifts in the beginning too, making the relationship seem genuine and loving, even to the victim’s friends and family. The more the victim communicates with the scammer, the easier it becomes for the scammer to get what they want in the end. And before the blame is placed on the victims being gullible, let me explain how this exchange might work.


Fraud victims are often groomed, sometimes for months

As children we were brought up to share, be nice and return favours. These are simple societal rules that help us nurture relationships we have with others. When a stranger asks us to give them money out of the blue, we have no problem saying no. But when a friend asks, especially if they have done us favours in the past, we will feel obliged to help them. It’s known as reciprocity and it’s ingrained in us. Those that don’t observe this rule are thought of as selfish or uncivilised. The reciprocity rule is a strong evolutionary tool which helped us survive, form bonds, keep friends… but it is also a powerful tool for a scammer and is a known scam technique. Scammers, and this is especially true of dating scams in which women are victims, often send small presents to their victims: flowers, perfume, small tokens of love. This ensures that somewhere down the line, the victim feels bad about not reciprocating. In dating scams, the usual technique is for scammers to claim to be in different countries as doctors or soldiers. When they eventually ask for money for an operation or the plane ticket or a solicitor or some other worthy cause, the lengthy communication, the attention, the gifts that the victim received will make them feel obliged to help the scammer even if they feel uncomfortable about it. This is because we have been pre-programmed to return kindness.

Scammers can groom victims in many ways. For example, some financial scams perpetrated over the phone would use grooming techniques. A scammer would typically call the victim daily and befriend them, even sharing details of their lives (usually mimicking victim’s circumstances, beliefs or likes). This not only fosters trust between a victim and a perpetrator but also makes it difficult for the victim to report the crime once they start to suspect something is wrong, because they feel guilty. This means that the scammer can go on scamming more people in the meantime. Often, scammers will also ask the victim to keep the transaction or a relationship a secret. This also plays into their hands and avoids detection.

It is often difficult to detach yourself once you are involved in a pattern but if you suspect you might be groomed by a scammer, talk to your friends and family about it, ask for help and search online for fraud advice which may make things clearer and make it easier to report fraud.

Nigerian scams are still very much alive

Nigerian or advance fee (419) scams have been around for decades. They usually contain a story of a bank official who has spotted an account with funds that are unclaimed and needs someone to help him get the money out of the account without it being in his name. This is somewhat illegal and he needs the help of someone who can receive the money in their account and be paid for it. Sometimes it is a royal person, a distant prince, a rich widow unable to leave money to anyone, someone dying of cancer with wealth to give away and so on. Once the victim replies, they request conversations, befriending the victim, and eventually ask for fees to process legal papers. The victim never sees the money they were promised. Worse still, sometimes the victim will receive a fake cheque and cash it, wire the money to the person that is asking them to launder money and then find out the cheque was fake after a few days, losing the funds they sent.

Sometimes victims are not even after money but simply believe they are helping the person, as the stories are often elaborate. In the past, Nigerian scams were executed via postal means, incurring a cost to the scammer. With the invention of the fax and the phone, they became more prevalent, and the Internet finally allowed them to become almost an everyday occurrence for most people while not costing much to execute. Research also suggests that they are now so well known that they are purposely used to identify the most vulnerable victims, whose details are then sold to other scammers too.

Recently I have been contacted by someone asking me to warn about a scam purporting to be a girl from a refugee camp, but upon reading the email, I realised it was a spin off, a Nigerian type scam with a new twist to fit the current times. Briefly, the story is about a girl who is in a Syrian refugee camp and needs someone to help her get the money that her late and wealthy father deposited in the bank. This is a complex story and I decided to explain why it is complex and how it is written with a view to persuade in the future. The initial email asks only that the victim listens to the story, but even acknowledging the email might be dangerous if you are uncomfortable saying no. Here is why:


The story starts with an account of how the girl lost her mother and father to a violent murder and her consequent life in a refugee camp. She prays to get out of her situation. Without explaining what she wants from the victim yet, she asks for trust and not to be betrayed and asks to know more about the potential victim. This part is likely to elicit empathy towards her situation - who would not feel empathy when someone tells you about their parents' murder. Asking to know about you is likely to induce feelings of familiarity and closeness, as if you are friends, once you share this information, and people help their friends. She asks for trust and not to be betrayed. You may not think about these words at this point, but when the request comes you may feel uncomfortable saying no, because you will feel as if you are betraying her, despite the doubts you might feel.

persuasive elements in Nigerian type scams


The second part tells more about her situation in the camp and the pastor who is helping her to email a random person across the globe. It also gives the pastor's telephone number. The victim will probably not use it, but if they do, it will add credibility to the story. The endearments used are to evoke feelings of closeness, the mention of the secret too - we tell secrets to those we are close to, so a potential victim might feel privileged they were entrusted with the secret. She then explains about her father's fund that contains millions, that she cannot access, and makes a request.

Scammers often put victims in a position of trust, by making themselves appear vulnerable. This gives the victim a feeling of power but in reality, the scammer holds all the strings.  The girl in this story follows up by reminding you that she requested you to be trustworthy.  Scammers are good at altercasting.
Altercasting, a persuasion technique, is where a person puts the victim in a specific position, often targeting the ego of the person (calling for a man of vision for example) or social norms (understanding and honest people). These types of scams often don’t ask for more than a few details and for the recipient to respond to correspondence, which is also a known scam technique. Once invested, it’s harder to back out.

Microsoft research argues that Nigerian type scams are still around and purposely say they are from Nigeria because everyone knows about them. Therefore those that respond and engage with these types of scams are likely to be extremely vulnerable, which means they will, sadly, be a sure thing for a scammer. Their details are harvested and sold to other scammers who will further exploit them. If you have elderly or isolated neighbours, especially if they are not so internet savvy, talk to them about scams. Often knowing something about scams can be enough to protect from becoming a victim.

Why are elderly people so aggressively targeted by scammers?

The reason why scammers target elderly people so aggressively has to do with cost effectiveness to the scammer. When the scammer invests the time to go around houses, selling bogus products, or calling around, they make sure they target a specific audience that is likely to produce a yield. With age, just as our bodies slowly develop aches and pains and we can no longer drink like we used to and not suffer the effects, we also experience diminishing cognitive functions. This varies across people and is also exacerbated by things like dementia or Alzheimer's, something more prevalent as people age. Even without those present, ageing affects our information processing power, sometimes also affected by hearing loss; we get more easily confused, need more time to make decisions and so on. You could say we are no longer so finely tuned as we once were. This is precisely why scammers target elderly people, usually with door-to-door scams that need instant decisions or that create urgency, such as the courier scam.


As we age everything slows down and gets a little bit more difficult. Just as you may have a bad knee that needs special attention, we need to be mindful that the same might happen to our cognitive functions.

 

Elderly people also might not be as active online, where most of the scam prevention advice lies. Or if they do use the internet, they might not be using social media, again, where this advice is abundant. Even if they are, the amount of the advice that is out there can be overwhelming, therefore it is often after the scam has taken place that they seek help and their family become involved. 

The problem with declining cognitive functions is that they decline very slowly and are difficult to diagnose at first. Most people notice when it is happening but, because they were once a competent and intelligent, highly functioning person, they feel ashamed to admit this to their loved ones and they try to hide it. Some people may also be bereaved after a long marriage or have relatives living far from them, making it hard to 'talk things over' with someone who might offer a different perspective or advice. Loneliness has been found to be a factor in scam compliance across all ages, not just the elderly, but this is even more pertinent with regard to the aging population due to the other factors that contribute to scam susceptibility mentioned above.

With age, we acquire experience and wisdom but often 'thinking on our feet' goes. This is not the end of the world, it just means that you may need to implement some rules in order to protect from scams.

Scams are now designed to fit almost anyone. Students, working people, businesses, people of a certain age, marital status etc. and the important thing is to understand what makes us vulnerable. I mention a few tips below but these are by no means exhaustive. They also apply to anyone, not just elderly people, but I have concentrated on door-to-door techniques here.

 

1. Always delay decisions, if you are able to

Go away and give yourself a day to think about anything. If you are dealing with a salesman that is pushy and tells you the deal is off the table if you don't act straight away - be sure that this is a scam or at least a technique to get you to comply.

2. Lie

A white lie goes a long way. My favorite is: "I just want to run it past my dad/son/friend who is a police officer. Please call me tomorrow." You can bet that if it is a scam - they will not ring you back and if it is a legitimate deal, they will. Same with people calling you: ask them to tell you who they are and say you will ring them back after you seek advice.

 

3. Never buy from people who come to your door

Ask them to leave you some information and Google the company or talk to friends and neighbors before you call them back. If they say they have no information to leave you, it is likely that they rely on aggressive, predatory sales tactics and this means they are, at the very least, not concerned with ethics.

4. Ask your neighbors, friends and family for advice

Don't be ashamed to admit you made a mistake or have been scammed.  By talking about it, information is shared and you are more likely to hear of similar scams, which may protect you in the future.  If you don't have many people to talk to, social media can be a great asset. Often certain neighborhoods have local groups where you can post for advice on something and receive different opinions. There are probably legal advice services in your area that you can access on the internet too. The main point here is to take your time and involve other people.

 

There is nothing wrong with not being sure about something, and asking for advice is always good, if nothing else, to give you time to think about it. Often we are put under pressure to buy something we don't want to buy and, by allowing some time to pass, it is easier to say no, especially when dealing with pushy scammers or salesmen. Sometimes just saying you need to run something past your family will make the scammer leave you alone, as they tend to drop people that seem non compliant with their requests. It is also normal to get confused as we get older, and as long as we are aware this is taking place, we can make sure we allow for this by putting simple rules in place. And my advice always is: if you have even the tiniest doubt - walk away from it.

Do you suffer from a lack of 'NO'?

Do you have difficulty saying no to people?  Especially if they are assertive and forceful?  You are not alone.  I will explain how scammers exploit our inability to say no in more ways than one. 

Some people have difficulty saying a firm 'NO' to people that are forceful, whereas some get rebellious when they encounter those with arrogant or forceful personalities. If you recognise yourself as someone who has difficulty with strong personalities, you may be vulnerable to specific scam techniques, especially when the scam is executed face to face. Scammers look for victims that are going to comply and often can tell, within a few seconds of meeting you, whether you are likely to be a victim. If you find confrontations uncomfortable and have been known to go along with things that you don't want to do when people assert themselves over you, then you are particularly vulnerable to forceful scam techniques employed by scammers that usually target people door to door. Often we are brought up to be polite and saying no somehow registers as being rude, especially if we feel that we have wasted someone's time. This is why double glazing salesmen come to your home for a 3 hour demonstration; after 3 hours you are likely to feel guilty you wasted their time, despite the fact you don't owe them anything and it is up to them how long they take demonstrating. Many people have difficulties saying no for this reason. So what can you do about it? First of all, it is good to be aware of individual vulnerability and look for ways of adapting to avoid situations that would lead to compliance with unwanted purchases/deals.



Saying no can feel like being rude or disrespectful.

It’s not.

1. Practice saying 'no, thank you'.  It is perfectly OK to say no to people.  If they are selling something and spent time telling you about it, don't feel guilty as this is their job.  You only need to decide if you want what they are selling.   


2. Understand that this will make you vulnerable to similar things forever and think of ways of getting out of situations that force you to feel uncomfortable. One of the people I spoke to that had a similar problem told me that he lies to people in such situations, telling them he has no money at present. You can also say you need someone else to make a decision before going ahead. If the salesman mocks you for wanting to run a decision past someone first, please be aware this is also a persuasion technique and don't give in. Who cares what a random stranger selling you something thinks of you.


3. Another thing you can do is to tell them to come back when someone else is with you.  This is not a no, it is more 'not now'.  Genuine salesmen will respect this and come back another time.  Ask them to make a solid appointment or give you the number to call to make an appointment when you arrange with a friend/family member to be present.  

If you think that only people who have difficulty with pushy scammers are vulnerable, think again. Even if you react to forceful and aggressive people pushing you to do something you don't want to do, you can still be caught out by an inability to say no, but it will be more subliminal.

We tend to comply more when the person before us is affable, likeable or appears to be similar to us. This is how scammers get our trust quickly. In the absence of any solid experience with the person in front of us, our brain takes shortcuts and concentrates on certain features: attire, politeness and so on. We all make judgements on a daily basis and often these judgements need to be quick, so they are based on our previous experience. For example, if you dealt with a person of a certain religion, race and so on and you had a good experience, it is likely that you will assign that good experience to a whole religion or race until you get a different experience. The same goes for people who seem similar to us in some way. Scammers often present themselves as similar to their victims for this reason; they may say they grew up locally, know someone from the country you are from and so on. They may ask you questions about your lifestyle and tell you they feel the same about certain things you tell them. All of this will make you like them more, and the more you like them, the less able you will be to say no when they make a request for a payment. So what can you do in such situations?


1. Understand that saying no to someone who is trying to sell you something is not the same as saying no to someone who helped you many times before and is an established friend.  You don't owe them anything, even if you feel that you do, this is just psychology.  


2. Be extra careful if someone you are dealing with (where large sums of money are involved or where someone asks you for money) seems to be 'your kind of person' or seems to click with you, especially in a short time frame. This is especially true of romance scammers - they will often be great listeners and the more you tell them about what you need/want, the more they will appear to be just what you are looking for. You can lie and say you have no money just now. Or talk it over with friends and family to get an unbiased opinion, but also listen to their opinion. Many people disregard their friends' or family's opinion. As they say... two heads are better than one. It really is true.


3.  A truly nice salesman will always be as friendly the next day or next week.  Make a rule to never do anything in the moment.  Come back tomorrow or arrange another meeting if you really want the product.  Use the time to think about the product/investment away from the person selling it.  When you separate the two, you may realise that you liked the product because you actually liked the person selling it.  


And always use the time away to check the facts in every possible way before you commit to parting with your money.

There should be no shame in the 'fraud' game

Many fraud victims, when defrauded, feel intense shame and embarrassment and this often stands in the way of them reporting the fraud to the authorities. In my own research I heard victims tell me they ‘felt like a fool’, that it was their fault, that they didn’t want to go to the police because what would the police tell them - that they were stupid or greedy?  Even when the fraud is extremely sophisticated victims tend to blame themselves.

And they are not alone.  Fraud is an organized crime, which annually claims billions of victims, but people still erroneously believe that scams only happen to gullible people, people who deserve to be taught a lesson, and that it could never happen to them.  

Fraud can make people feel isolated

We tend to think that we can control our environment or the events that happen to us. 

By blaming crime victims, we retain an illusion of control over our own lives. If we think bad things only happen to those who somehow deserve it, then we could prevent bad things happening to us.

This belief, that people somehow get what they deserve, is known as ‘belief in a just world’. But bad things frequently happen to good people and fraud is no exception. Fraud can also happen to those that are careful and cautious. Many types of fraud (e.g. whale phishing) are so sophisticated that it’s difficult to tell them apart from a genuine situation. Therefore we should strive to make fraud something we openly talk about.

 


Fraud is often not reported, especially if a victim is a repeat victim or the amount lost is relatively low.

Research has found that fraud victimization can be incredibly harmful to the victim, even leading to suicide, yet it is vastly under-reported and this is often down to feelings of shame and humiliation. This is especially true of repeat victims. Those with good social ties as well as victims that have lost larger sums of money tend to report more frequently than other victims. But reporting fraud when the amount lost is relatively insignificant is also very important.

Scammers frequently keep the amounts low to avoid detection and prosecution.  By targeting a large number of victims with small amounts scammers make it more likely that people will take the risk and see if the offer is genuine and will be less likely to report it to the authorities when they realise they have been defrauded.  This ensures the scam can be successful over a longer period of time.  

 

Reporting fraud every time it happens, even if it doesn’t lead to a police investigation, is important because the data gathered will allow the government to see the bigger picture and record levels of fraud more accurately, which leads to more funds being allocated for fraud prevention. It also makes it more likely that a prolific scammer will be caught and prosecuted and ensures that, once they are prosecuted, there is more evidence against them, leading to tougher sanctions. Being open and honest about fraud victimization also makes it more likely that others will avoid the same type of scam in the future.


There is no shame in being defrauded. 
It’s a crime. 

Let’s shame perpetrators instead.

Psychology of phishing

Everyone gets phishing emails. For scammers, it is probably the most cost-effective way of scamming people. Sometimes phishing emails are relatively harmless, but often they can be extremely harmful and trick you into parting with your personal passwords, log in details and bank information. I wanted to collect a few to show you the types of phishing emails and the psychology behind them, the language they use and how the message will make you feel and want to react.


First of all, the biggest and most important message and one I think every fraud agency should use is that phishing emails will have one fundamental thing in common; something to click, be that a link or an attachment. Clicking anything in an email is bad, even if it came from your friends, as people's email accounts can be easily hacked. What you should look for in that case is whether this is out of character for your friend. If so, don't click it. 


Let's examine the most frequent phishing emails and how they persuade. Most phishing emails are designed to evoke visceral states. Visceral states are sexual arousal, hunger, greed, fear and so on. When we are under visceral influence, we are likely to bypass careful information processing and act without proper thinking - because we are acting on that visceral influence. When you are starving, you are likely to eat stuff you would reject otherwise, when you are scared of something, you will do anything to save yourself from danger, when you are attracted to someone, you will do anything to get them... so let's see the language used by phishing emails. 

Emails offering refunds work by evoking excitement at the prospect of getting money we didn’t expect.

The offer of free money often puts one in a visceral state of excitement and/or greed and this is precisely what the scammer wants. They want you to get excited enough at the prospect of free money to act straight away. Who doesn't like a tax refund?

Notice this one also has an expiration date, which will further influence you to act in the moment, fearful that you will miss a deadline.


Emails offering free prizes are similar to refunds. They evoke excitement.

Free prizes are difficult to resist. They work by compromising careful thinking because emotions take over. But it pays to pay careful attention to warning signs. Keeping the message vague lets it reach a greater number of people. See how the postcode is not specified in this one?

Also, this email does not have a typical ‘link’ button. Instead, clicking on yes and no buttons does nothing - so you have to click a link under them, confused that you cannot activate the buttons. Scams offering free prizes often use other scam techniques, such as limiting time to respond, which will also compromise information processing.

Emails offering free prizes


Malware emails tend to work by keeping it relevant

Luckily, most antivirus software filters flag malware attachments these days, but note how they targeted me at my university email and they made it very relevant - academics are likely to go to conferences. The more relevant the email appears, the more likely it is that the scammer will be successful, so don’t be surprised to see phishing emails that appear highly believable.

 

Emails that evoke fear

Emails suggesting your account has been suspended, compromised or hacked will induce panic and fear and make you want to sort out the problem as soon as possible. When we are in a state of fear, careful thinking is compromised and therefore vital clues are missed. If you did not initiate this download, you will frantically click the link saying cancel and support in a state of panic, as this is all you can think about.

Phishing emails that prey on your fears

This email mentions initiating a download a few times, so you get the message that all you have to do is confirm you did not do it yourself and all will be fine. There is another link lower down and that one will probably lead to a legitimate site - scammers are very good at making everything else look exactly so.

I still see advice such as 'hover over a link' to see if it is legitimate but this is now outdated. Good scammers can fake everything; the link will give you the appearance of going to a legitimate place. The email will seem fine.
The only reason why you would need to click a link in an email is if you subscribed to something that minute and you need to verify your email, or you requested a password change and you need to follow a link.

Scammers cannot get to your details if you don't click links, but it helps to understand the psychological states the emails are designed to put you in, so that you act against your best interests.

If you are worried about your accounts being compromised, call/log in from another source, never use a link.  

Any unsolicited emails with links are probably not good news.