Are security warnings making us fatigued?

Internet security, software and anti-virus updates: we are all aware of these, many of us frequently ignore them, and now there is some research on why that is. People may be experiencing ‘security fatigue’ due to the sheer number of security warnings out there, and this may be dangerous because it leads to less caution. Having so much security or fraud advice from different sources can confuse and intimidate users to the point that they ignore all of it. In real life we have limited time for making decisions, and when there is too much information to consider it is easier to ignore all of it than to work out which security advice should be followed.

Badly designed security warnings are largely ignored

In a research study by Egelman, Cranor & Hong, participants who willingly gave their details to a fraudulent website created for the experiment explained that they did so because they did not understand the risks, and said they frequently ignore security advice. Warnings barked at people without properly explaining why there is a need to be cautious may therefore not be the best way forward. Simple advice that concentrates on the fraud elements that are mostly stable (e.g. scam techniques or personal vulnerabilities), as well as on individual factors (e.g. personality or circumstances that influence fraud compliance), may be a better way to fight fraud. This is supported by research that looked at how individual differences affect privacy attitudes (Egelman & Peer, 2015).


Designing good security advice is an art. Just as criminals use specific persuasion techniques to influence compliance, security advice that is not compelling will be largely ignored.
For example, research by Modic & Anderson found that security warnings that used concrete threats (an explanation of what malware does to a computer) were more effective than vague ones (a message saying access is blocked due to security concerns). They also found that adding cues to authority (e.g. the security team has identified this site as dangerous) to a security message was more effective than social cues (e.g. your friends have already been scammed). This means that people seem to appreciate concrete advice coming from those they perceive as experts in the field, rather than being inundated by the vague or conflicting security advice that can be found in abundance online.

There is another aspect to consider, and that is the potential for alienating customers. Many companies invest money in fraud prevention measures that reduce revenue lost to fraud but forget about fraud prevention advice for their customers. This is often just an afterthought, and I have seen many legitimate emails containing really outdated scam advice. This includes telling customers that they can trust emails that have their name in the content, or to pay attention to spelling. Fraud is organised crime, and scammers have realised that a little more effort invested in designing phishing content tends to pay big dividends. Often this means that they get some data on the potential victim and can offer personal information as a way of enhancing the credibility of the correspondence.

If your customer receives a phishing email bearing your logos and remembers your outdated phishing advice, which is no longer valid, they may get scammed.

Once this happens they will forever have a negative view of your brand. They will no longer trust you.

Many fraud victims I interviewed told me about a lack of trust following victimisation. Sometimes this mistrust gets attached to companies whose credentials were misused by scammers. The best you can do for your customers is to keep any fraud prevention advice current and relevant.

When a person is defrauded, they suffer great psychological distress. It is not just about the lost funds, it is about deception, about morals. On a rational level, a victim of a phishing attack bearing your company logo will know that you did not cause this but on an emotional level, they will forever associate your brand with not being able to trust you. This is why it’s important to have the best possible fraud prevention advice for your customers, to make it engaging, relevant and personal and to update it frequently.

Wrong fraud advice can make one more vulnerable to fraud

Fraud warnings are advertised on various websites. Almost every organisation and every business affected by fraud issues some sort of advice to its customers. There are also those who purport to be experts on scams, calling themselves ‘experienced scam baiters’. There are warnings that describe recent scams, websites that log the email addresses scammers are using, and experiences shared by victims. This is all good; it is important to be aware of the different scams out there, and it is important to share your experience so that a quick Google search may help someone else. But the real trick is to be smarter than a scammer, and this is where things get hard.

What makes quality fraud advice? First of all, any advice is better than none, but outdated fraud advice can be very dangerous. For example, I recently saw an email from quite a prominent organisation that deals with safe money transactions, and it contained fraud advice which is terribly outdated. Telling customers that ‘phishing’ emails will never address them by name is no longer applicable. Technology has moved on, and so have criminals. Frequently an individual’s stolen data is used to make phishing emails look genuine, or a fraudster may compromise a legitimate company and send you emails that ask you to follow links to malicious sites. Making phishing emails look legitimate is highly profitable, so many fraudsters invest time and effort in spoofing or faking genuine details so that a phone call or an email looks highly legitimate. Giving outdated fraud advice can therefore make one more vulnerable to fraud, and a customer who follows advice given by your organisation and is then defrauded will forever have a negative view of your brand.

Rather than being a lifeline, outdated fraud advice can make you more vulnerable

So what is my advice? Rely on yourself: your intuition, your gut feelings, your intellect. And verify as much as you can. Why? Because fraudsters invest time and effort into their craft, coming up with new scams all the time, and because, despite all the warnings, forums and help agencies out there, we will always be one step behind fraudsters.

A successful scam relies on the element of surprise, something you can’t Google, something that is not flashing up anywhere. Just have a look at some of the forums: the plethora of scams on offer is both ingenious and deadly. Knowing an email address a known scammer used can only help you until they generate another one and start from the beginning. So what would be better advice, a better warning? Be vigilant, check everything, and try to understand how scammers design and execute different frauds and what effect that is likely to have on you, so that you can modify your reactions and your behaviour. It takes a smart person to be a successful scammer, so don’t underestimate them. Learn to think critically and pay attention to all the details you are given. Ask questions, delay decisions, Google things, ask others for advice. Look at your own weaknesses and address them. Do you act on impulse? If so, make a rule to sleep on it before you buy or reply to things. Do you struggle to say no? Then say ‘not right now’ instead. Are you unmotivated to read terms and conditions? This can lead to you agreeing to things you didn’t want to. Scrutinise information. Cross-reference. Take a moment to understand what you are feeling: scammers often evoke strong emotions to encourage impulsive decisions.

Another valid piece of advice is, no matter what the email says, never to click links in emails. Verify by logging in to your accounts independently. Sadly, social media has trained us to click links automatically, because this is how we share information with our friends. But automatic link clicking has also made us more vulnerable to fraudulent offers, especially if the email is spoofed and appears to be coming from a friend.

Psychology of phishing

Everyone gets phishing emails. For scammers, it is probably the most cost-effective way of scamming people. Sometimes phishing emails are relatively harmless, but often they can be extremely harmful and trick you into parting with your personal passwords, login details and bank information. I wanted to collect a few to show you the types of phishing emails and the psychology behind them: the language they use, and how the message will make you feel and want to react.


First of all, the biggest and most important message, and one I think every fraud agency should use, is that phishing emails have one fundamental thing in common: something to click, be that a link or an attachment. Clicking anything in an email is bad, even if it came from your friends, as people's email accounts can easily be hacked. What you should look for in that case is whether this is out of character for your friend. If so, don't click it.


Let's examine the most frequent phishing emails and how they persuade. Most phishing emails are designed to evoke visceral states: sexual arousal, hunger, greed, fear and so on. When we are under visceral influence we are likely to bypass careful information processing and act without proper thinking, because we are acting on that visceral influence. When you are starving, you are likely to eat things you would otherwise reject; when you are scared of something, you will do anything to save yourself from danger; when you are attracted to someone, you will do anything to get them. So let's see the language used by phishing emails.

Emails offering refunds work by evoking excitement at a prospect of getting money we didn’t expect.

The offer of free money often puts one in a visceral state of excitement and/or greed, and this is precisely what the scammer wants. They want you to get excited enough at the prospect of free money to act straight away. Who doesn't like a tax refund?

Notice that this one also has an expiration date, which will further push you to act in the moment, fearful that you will miss the deadline.


Emails offering free prizes are similar to refunds. They evoke excitement.

Free prizes are difficult to resist. They work by compromising careful thinking because emotions take over, but it pays to look carefully for warning signs. Keeping the details vague lets the message reach a greater number of people. See how the postcode is not specified in this one?

Also, this email does not have a typical ‘link’ button. Instead, clicking on the yes and no buttons does nothing, so you have to click a link under them, confused that you cannot activate the buttons. Scams offering free prizes often use other scam techniques, such as limiting the time to respond, which will also compromise information processing.

Emails offering free prizes

Malware emails tend to work by keeping it relevant

Luckily, most anti-virus filters flag malware attachments these days, but note how they targeted me at my university email and made it very relevant: academics are likely to go to conferences. The more relevant the email appears, the more likely it is that the scammer will be successful, so don’t be surprised to see phishing emails that appear highly believable.

Emails that evoke fear

Emails suggesting your account has been suspended, compromised or hacked will induce panic and fear and make you want to sort out the problem as soon as possible. When we are in a state of fear, careful thinking is compromised and therefore vital clues are missed. If you did not initiate this download, you will frantically click the link saying ‘cancel’ or ‘support’ in a state of panic, as this is all you can think about.

Phishing emails that prey on your fears

This email mentions initiating a download a few times, so you get the message that all you have to do is confirm you did not do it yourself and all will be fine. There is another link lower down, and that one will probably lead to a legitimate site: scammers are very good at making everything else look exactly right.

I still see advice such as ‘hover over a link’ to see if it is legitimate, but this is now outdated. Good scammers can fake everything; the link will give the appearance of going to a legitimate place, and the email will seem fine.
The only reason you would need to click a link in an email is if you subscribed to something that minute and need to verify your email address, or you requested a password change and need to follow a link.
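As an added example (not code from the original post), here is a small Python triage check that looks for the cues described above in an HTML email body: a visceral lure (refund, prize, fear), a deadline, and a link whose visible text names a different host than its real href. The keyword lists and the sample message are constructed for illustration; as the post says, this catches the crude cases and a well-crafted message will pass it, which is why "do not click" remains the advice.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Cues this post describes: a visceral lure, a deadline, and a link that hides its destination.
LURES = {"refund": ("refund", "rebate"), "prize": ("prize", "winner", "you have won"),
         "fear": ("suspended", "compromised", "hacked", "unusual activity")}
URGENCY = ("expires", "within 24 hours", "immediately", "deadline", "act now")

class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs and the plain text of an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self.text, self._href, self._buf = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None

def host_of(value):
    """Hostname of a URL, or of bare text that looks like one; '' otherwise."""
    if not value or " " in value or "." not in value:
        return ""
    return (urlparse(value if "://" in value else "http://" + value).hostname or "").lower()

def assess_email(html):
    """Return the cues found so a mail-gateway rule or a reader can act on them."""
    parser = LinkExtractor()
    parser.feed(html)
    body = " ".join(parser.text).lower()
    mismatched = [(href, shown) for href, shown in parser.links
                  if host_of(shown) and host_of(shown) != host_of(href)]
    return {"links": len(parser.links), "mismatched_links": mismatched,
            "lures": sorted(k for k, ws in LURES.items() if any(w in body for w in ws)),
            "urgency": any(w in body for w in URGENCY)}

# Constructed sample (not a real message): refund lure, deadline, disguised link.
SAMPLE = """<p>Dear customer, your tax refund of 312.40 is ready.</p>
<p>This offer expires within 24 hours. Claim it at
<a href="http://example-revenue.com.claim-portal.test/refund">
https://www.example-revenue.com/refund</a></p>"""
```

The host comparison is exact, so a visible `example.com` against an href of `www.example.com` is also reported; compare registrable domains if that is too noisy for your mail flow.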

Scammers cannot get to your details if you don't click links, but it helps to understand the psychological states the emails are designed to put you in so that you act against your best interests.

If you are worried about your accounts being compromised, call or log in from another source; never use the link.

Any unsolicited emails with links are probably not good news.