Extortion and sextortion - how they evolved to haunt us

Extortion and especially sextortion emails are on the rise, so what are they? Extortion emails use some kind of threat and are sent to potential victims in order to extort money. Extortion correspondence may focus on different elements, such as exposing the victim’s activities in real life (e.g. cheating on a partner) or online (e.g. visiting porn sites or masturbating) to colleagues, friends and family. Some even threaten to harm or kill the victim, with blackmailers frequently asking for payment in cryptocurrency.

Extortion in cyberspace is not a new concept. As more and more data is stored electronically, the potential for cyber extortion increases. In the past, cyber extortion typically affected businesses targeted by criminals using malware, which may disrupt or compromise operating systems, but this is now extending to private individuals. Sextortion is also not a new concept. In the past, victims were usually women and tended to be younger, blackmailed either by an ex-partner, whom they met and dated in real life and who was in possession of private or sexual images of them, or by a perpetrator they met online, who obtained the images either from the victim or by some other means. Research also shows that this type of crime is not all about the money: sometimes victims are blackmailed into supplying pornographic video of themselves, and the threats can be real. However, in recent times it seems that (s)extortion attacks have evolved, targeting private individuals who have never had any prior contact with their perpetrator and asking for payment in bitcoin. The reason for this may be that bitcoin, as virtual money, has little or no legal regulation across different countries, making it a perfect choice for criminal activities.


Fear and shame

The new variants of extortion and sextortion emails frequently mention the victim’s visits to porn sites, which were supposedly recorded (hacked) by the scammer, but sometimes they are kept purposely vague, referring only to a ‘dirty secret’. This could be a deliberate tactic: keeping the content vague allows the scammer to catch more victims, because vague content will be applicable to a greater number of people.
Potential victims are threatened, and the threats in such emails can be elaborate. They include direct threats, such as telling the victim that the data collected on them will be distributed to friends, family and/or work colleagues, and implied threats, which talk about the shame a victim might feel if their secret were to be made public.

“I don’t think that playing with yourself is really awful but when all colleagues relatives and friends receive video record of it is definitely terrible news.”

Or, in emails that refer to extortion not connected to sexual acts, such as those that inform the victim that someone has paid to have them harmed and offer to reverse this for a fee, the threats are implied by explaining what the blackmailer does for a living:

“I have got a personal website that includes all kinds of services which actually I give in dark net. Just about anything from totally wrecking a persons business to physical injury.”

Victims are also reminded about the potential breakdown of an existing relationship, should the ‘secret’ come out.

These threats serve a purpose: to evoke fear. Fear is a visceral influence, or a primal drive, under which careful thinking is compromised.
Fear has two components: physiological (e.g. adrenaline levels rise to prepare us for fight or flight) and emotional. The emotional reaction to fear is usually unique to each person, with some people being more averse to fear while others even enjoy feeling some fear (e.g. watching a scary movie or doing extreme sports). Therefore, reactions to this type of fraud will be highly individual and people may not be affected in the same way. For example, fear-averse individuals may be more likely to comply with the requests in order to avoid the negative emotional response evoked by such correspondence. Additionally, these types of emails contain elements of shaming, which will further intensify the fear and which may have different cultural or societal meanings to different people. For example, while some people consider visiting porn sites to be shameful and would prefer this to be hidden from their friends and family, others may not think there is anything wrong with it and will therefore feel less fear when threatened with exposure of such behaviour on their part. Scammers also include references to social norms in such correspondence (e.g. ‘your taste is so weird’ or ‘you’re a big pervert’) in order to shame potential victims.

 
The majority of people will feel intense fear and shame when they receive such correspondence, which may stop them seeking help and advice.

 


Persuasion elements

In addition to evoking a strong emotional response, sextortion emails use several persuasive components in order to encourage immediate compliance. Typically they contain an explanation of how the computer was hacked and the victim’s data collected. To most people, who have limited cybersecurity or computer knowledge, these will appear credible. Look at this example:

“The hacking was carried out using a hardware vulnerability through which you went online (Cisco router, vulnerability CVE-2018-0296). I went around the security system in the router, installed an exploit there. When you went online, my exploit downloaded my malicious code (rootkit) to your device. This is driver software, I constantly updated it, so your antivirus is silent all time. Since then I have been following you (I can connect to your device via the VNC protocol). That is, I can see absolutely everything that you do, view and download your files and any data to yourself. I also have access to the camera on your device, and I periodically take photos and videos with you.”

I don’t know about you, but I don’t know enough about computers to know if this is possible and I know a lot about fraud. But I do have talented friends who work in cybersecurity, whom I often ask for advice. To most people who don’t have this luxury, this may appear highly credible.

Then there are time limits imposed (“you have 24 hours”), which add urgency. Urgency is a known persuasion technique. The key is to not allow the victim to properly think about it or share the news with someone who may advise them not to comply. Some perpetrators even draw attention to and apologise for the spelling mistakes, offering an explanation for their poor grammar.

“I am apologise for my grammar, I’m from China”

Since many people have come to associate bad spelling in unsolicited emails with scams, this may be a specific new technique to get around this association and make the correspondence appear more credible.

Frequently, such correspondence also includes references that equate scam victimisation to a normal transaction (e.g. ‘it’s confidentiality fee’) and scammers even plead with a victim not to hate them, as they are only doing their job.

“Don’t be mad at me, everyone has their own work.”

Some of the emails also point out that the amount asked for is reasonable and not likely to affect the victim a great deal financially. The amounts asked for vary greatly, from $200 to many thousands. This may make some victims, especially when amounts are kept low, more likely to pay the ransom and less likely to report it, as frauds that result in smaller losses are reported less frequently. Therefore, some scammers purposely keep the amounts low to avoid detection.

Bizarrely, some scammers also adopt the role of a friend or an advisor and offer the victim advice on security.

“I also ask you to regularly update your antivirus in the future. This way you will no longer fall into a similar situation.”

Sometimes they berate the victim like a friend or a parent would.

“It’s a pity that people did not learn to use the Internet safely. There are too many different specifications about safe Internet using - Proxy servers, the newest antivirus base, close that camera... In your opinion it is not necessary”

This is a known scam technique but feels ill placed for this type of fraud, especially as the communication is based on threats rather than on exploiting social norms (e.g. where a scammer places a victim in the role of a friend and asks for help, or where a scammer acts as a friend to the victim in order to exploit them). However, I have found out that scammers sell ‘scamming manuals’ on the dark web for thousands of dollars, so using this may just be a ‘let’s throw everything in there’ approach.


Inducing helplessness

Perhaps the most worrying component of such emails is that they are designed to induce helplessness, or loss of control over the situation. The scammer reminds the potential victim that, although they can report the blackmail to the police, their efforts would be futile because the scammer is located in another country or is undetectable. Some also concentrate on the fact that an investigation is likely to last a long time, so the victim will run out of time and be exposed. The victim is therefore left with little control over their situation apart from paying the ransom.

“At this point you may be thinking ‘I’ll just go to the cops’, which is why I have used a fake name fake return address and taken steps to ensure this letter cannot be traced back to me.”

“I am an immigrant, so there is no way out to find out my location precisely.”

“You are able to complain to police but I don’t think that they can solve your problem. The Inquisition will last for one year.”

Why is this important? If a potential victim feels helpless, they are more likely to remain passive, accept the situation and agree to the terms of the blackmail. Therefore, inducing helplessness may be a deliberate tactic in such correspondence, designed to render the victim silent, discourage reporting and ensure compliance.


Making (s)extortion fraud prevention count

Often fraud prevention advice fails because it doesn’t adequately address the emotional reactions some frauds evoke. (S)extortion emails, when they reach a vulnerable target, evoke visceral influence (panic, fear). Telling someone not to panic in this situation is the same as telling a starving person not to think about food. Rationally it makes sense, but not when you are in a highly emotional or visceral state. When one is in a visceral state, they focus on addressing the goals associated with the current state. The persuasive elements such correspondence is likely to use will further impair judgement and influence decision making. Finally, such emails induce helplessness. In this state, a potential victim is likely to surrender the fight, and this is even more true of people averse to fear. Therefore, simple warnings may not be sufficient. So what should be done?

Fraud prevention practitioners should concentrate on explaining the persuasive elements in such correspondence instead of issuing authoritarian warnings (e.g. ‘never respond to such emails’ or ‘don’t panic’), as explanations are more likely to be effective when someone receives such correspondence. For example, research found that when people get explanations about why security advice is important, as opposed to vague warnings, they are more likely to listen to it. Explaining the reasons for the emotional responses evoked by such emails, and how they impair judgement, may reduce the impulsive reactions people typically have in such situations. Pointing out that these ‘visceral’ reactions are temporary, and that scammers use them in conjunction with time limits in order to take advantage of the visceral (i.e. irrational) response, may teach people to be more aware of how their emotions affect them and teach them to wait it out. Finally, explaining how scammers purposely induce helplessness in such correspondence will empower victims to fight rather than flee the situation, and to report or share their experience with others, who may offer knowledge vital for making optimal decisions.



This article is based on thematic analysis of 60 different extortion emails. I will be presenting the results at the 9th Annual Counter Fraud and Forensic Accounting Conference at University of Portsmouth, UK on 6th June. Hope to see you there.


Successful layering

Scams can be extremely sophisticated, yet for many people a typical scam is a Nigerian prince asking for help to launder money, or a desperate, and dare I say naive, scammer who was talked into holding up an ‘I can’t believe it’s not butter’ sign, hoping this would get them some funds. But the reality is much darker. Good scammers are very good at psychology and often design frauds by layering different fraud techniques, all designed to complement each other for greater success. For example, scams that evoke visceral influence (fear, panic or greed) will usually have time limits attached to them as well (e.g. the offer expires, you have 24 hours, etc.). This is to ensure that the potential victim has no time to regain composure. Under visceral influence, careful deliberation is compromised and we tend to focus on superficial things, like the size of the reward, the attractiveness of the offer or even the scammer, many of whom are polished, charming and will appear trustworthy. Any inconsistencies will be disregarded in favour of these superficial cues, because when one is under visceral influence, they are likely to focus on goals associated with that influence. This is why you are always told not to go grocery shopping hungry, and it’s equally true of acting on anything when intense fear or excitement has been evoked.

Scams that appeal to social norms often use altercasting too. Altercasting is another persuasive technique, where a perpetrator puts a victim in a specific role that is congruent with the perpetrator’s goals. For example, I have seen advance fee scams that use narratives where an orphan girl, a widow or even a pastor appeals for help (social norms) and the victim is placed in the role of a friend or a confidante, with the perpetrator trusting the victim with confidential or deeply personal information before asking for funds down the line. By that time the victim has been acting as a friend or an advisor, and this role is likely to help facilitate the fraud, because they will be more likely to help.

Scammers often layer persuasion techniques for greater impact. In conjunction with other individual factors, these techniques can be very effective.

Other factors also come into play. Different circumstances, for example, have been known to influence compliance in certain scam situations, as have certain individual characteristics, such as lack of vigilance or impulsivity. For example, if you are down on your luck, looking for work and running out of money, you will be more likely to take risks and consider financial opportunities that don’t look very sound. You may be more likely to concentrate on potential rewards instead of any negatives associated with high-return investments. If you are also more compliant in general, it is even more likely that, when persuaded to do so, you will decide to go along with something you have some reservations about. Or if you are more impulsive, you may act quickly, without allowing the time to think about your decision. All of these factors combine (or layer) to produce a unique vulnerability score.

Many frauds are still relatively simple, for example a badly constructed phishing email that will bring a smile to your face, but many are far from simple. It all comes down to how good the scammer is, how motivated they are in developing highly credible-looking, psychologically designed frauds that create highly persuasive situations, and how they go about executing them. The more effort they invest, the more lucrative the venture will be, so it’s good to be vigilant and not underestimate what fraudsters are able to do by concentrating only on badly designed scams that are easy to spot.

A friend in need is a friend indeed: How scammers exploit social norms

We all have had our email hacked at least once. When my email was compromised, my scammer/hacker did little more than spam my friends with adverts for electronic goods with a personalised message from (supposedly) me, saying that I had just bought this amazing stereo system and my friends should use the link to do the same, at a reduced price. Knowing me too well (I would never brag about a stereo system like I would about a Mulberry handbag or a nice scarf), my friends alerted me quickly. I changed the password for that email and that was the end of my advertising. However, some hacking is not so innocent. Scammers can be sophisticated, often combining several persuasion techniques to get you to send them money, and not small amounts either. What can start with simple password hacking can quickly turn into a sophisticated persuasion technique, and I will explain how.


We are all brought up to be nice to others and to help our friends and family. Society as a whole is built on those fundamental unspoken rules, and this is ingrained in us. We help our friends and family and they help us when in need. Scammers know this. They also know that, where one would usually be suspicious of an email from a stranger asking for money, they would be less cautious if that email came from a friend.


Humans are social beings. Our lives are built on helping those we care about.

The scam usually consists of an email from your friend (whose email has been compromised), or a person that you know well, telling you they have been stranded on holiday, their possessions stolen, and they need some money to get new passports and to get home. Naturally, you are horrified and consider helping. They tell you to wire money to them via Western Union in a particular country to help them get their affairs in order. If you do, the money is lost forever and there is little anyone can do for you. Research found that phishing emails are much more successful when they come from a friend than from a stranger, which means that if a scammer invests a bit of time to research things about you before launching a phishing attack, they will be far more successful in obtaining funds. Since this is costly to the perpetrator, the amounts asked for are usually considerable. This type of scam can be perpetrated via phone, email or social media.

If you ever get an email from a close friend asking for help, give them a call instead, if you can, to check the facts first, even when the email tells you they cannot be reached. If you cannot get hold of them, you could respond to the email expressing your concern but also asking a random question such as “how is your son coping?”, when you know that this particular friend doesn’t have a son. Chances are that the scammer will not know this and will respond saying that the son is distressed, or something similar. If it is a genuine request by a friend, they won’t mind, and you will get a warning sign if it is not a genuine friend of yours. It is also good to let your friend know by some other means that their account has been compromised and urge them to change the passwords connected to that email. This also means passwords connected to any social media that they use with the email in question, just to be sure.

Phishing emails are usually obvious, but every now and again they can surprise you. Using the social component of our lives against us makes them that much more convincing. We trust our friends where we would never trust a stranger, and this can be turned against us. Trust is good. It’s an integral part of social relationships, allowing us to make bonds with people we care about. But in this day and age, it can also be our downfall. Trust but verify.

Are security warnings making us fatigued?

Internet security, software and anti-virus updates - we are all aware of these, and many of us frequently ignore them, and now there is some research on why that is. People may be experiencing ‘security fatigue’ due to the amount of security warnings out there, and this may be dangerous as it leads to less caution. Having so much security or fraud advice from different sources can confuse and intimidate users to the point that they ignore all advice. For example, in real life we have limited time for making decisions. When there is too much information to consider, it’s easier to ignore all of it than to try to figure out which security advice should be followed.


Badly designed security warnings are largely ignored

In a research study by Egelman, Cranor & Hong, participants who willingly gave their details to a fraudulent website created for the experiment explained they did so because they did not understand the risks, and said they frequently ignore security advice. Therefore, warnings barked at people without properly explaining why there is a need to be cautious may not be the best way forward. Simple advice, concentrating on fraud elements that are mostly stable (e.g. scam techniques or personal vulnerabilities) as well as on individual factors (e.g. personality or circumstances that influence fraud compliance), may be a better way forward in the fight against fraud. This is supported by research that looked at how individual differences impact privacy attitudes (Egelman & Peer, 2015).


Designing good security advice is an art. Just as criminals use specific persuasion techniques to influence compliance, security advice has to be compelling, or it will be largely ignored.
For example, research by Modic & Anderson found that security warnings that used concrete threats (an explanation of what malware does to a computer) rather than vague ones (a message saying access is blocked due to security concerns) were more effective. They also found that adding cues to authority (e.g. the security team has identified this site as dangerous) to a security message was more effective than social cues (e.g. your friends have already been scammed). This means that people seem to appreciate concrete advice coming from those they perceive to be experts in the field, rather than being inundated by the vague or conflicting security advice that can be found in abundance online.


There is another aspect to consider, and that is the potential for alienating customers. Many companies invest money in fraud prevention measures that reduce revenue lost to fraud but forget about fraud prevention advice for their customers. This is often just an afterthought, and I have seen many legitimate emails contain really outdated scam advice within their content. This includes telling customers that they can trust emails that have their name in the content, or to pay attention to spelling. Fraud is organised crime, and scammers have realised that a little more effort invested in designing phishing content tends to pay big dividends. Often this means that they get some data on the potential victim and can offer personal information as a way of enhancing the credibility of the correspondence.

If your customer receives a phishing email bearing your logos, and they remember your outdated phishing advice, which is no longer valid, they may get scammed.

Once this happens they will forever have a negative view of your brand. They will no longer trust you.

Many fraud victims I interviewed told me about lack of trust following victimization. And sometimes this mistrust gets attached to companies whose credentials were misused by scammers. The best you can do for your customers is keep any fraud prevention advice current and relevant.

When a person is defrauded, they suffer great psychological distress. It is not just about the lost funds, it is about deception, about morals. On a rational level, a victim of a phishing attack bearing your company logo will know that you did not cause this but on an emotional level, they will forever associate your brand with not being able to trust you. This is why it’s important to have the best possible fraud prevention advice for your customers, to make it engaging, relevant and personal and to update it frequently.

Miracle cures and clairvoyant scams

In the 1800s, the magician and showman Phineas Taylor Barnum wrote a book called “Humbugs of the World”. By ‘humbugs’ he was referring to old-fashioned swindles and scams. Many are still being used today, such as fake lotteries, miracle cures and clairvoyant scams, which just goes to show that scams have always been lucrative. In fact, Barnum was such a great trickster that one of the cognitive biases (the original Forer effect) was renamed after him.

Picture credit: https://www.pinterest.co.uk/pin/35043703324205786/

P.T. Barnum was a magician and a showman in the 1800s. He wrote a book about old fashioned scams, many of which are still used today.

The Barnum effect

The Barnum effect refers to the acceptance of vague personality feedback that could apply to anyone as a highly accurate description of one’s personality. Giving vague feedback is often a component of clairvoyant scams, where a victim is given a universally valid description of their personality as proof that the clairvoyant is genuinely able to see things. The description will be accurate because it is vague and true of almost everyone. In the original experiment, a psychologist named Bertram Forer took sentences he had collected from daily horoscopes and gave them to participants as bona fide personality feedback following psychometric tests. All participants received the same feedback. He then asked the participants to rate how accurate the feedback was and was surprised to find that they rated it as highly accurate. This is how clairvoyants or psychics can make you feel that they know something about you, when in fact they are providing feedback so vague that it can apply to anyone, and not just you.

Miracle cures

I also wanted to explain a bit about scams people don’t often hear about unless they have a health problem or an issue they feel too embarrassed to talk to their doctor about: scams offering ‘miracle cures’. Miracle cure scams tend to target people who are either desperate because they have tried everything without success (and this often, sadly, includes terminally ill people) or those who have chronic or embarrassing conditions. Research found that these types of scams often purport to have cures for diabetes, cancer, baldness, obesity, impotence and loss of libido.

Miracle cures often target embarrassing conditions and use fake testimonials.

Fake testimonials provide social proof we, as humans, often seek when making decisions.


Some miracle cure scams may have a professional or legitimate-looking appearance, such as being endorsed by health clinics or doctors, but they are largely ineffective and could also be dangerous. Scams selling cures often use social proof cues, such as fake testimonials. Social proof is a known scam technique and is highly effective.
People define their reality by looking to others, how they behave, what they do and what they believe in, and act accordingly. Therefore fake reviews and testimonials can be highly effective, especially when we are desperate to believe in something, such as a miracle cure for an embarrassing problem.

These types of scams affect women more than men and are rarely reported, which is why they are not talked about as much as some other types of scams (e.g. financial or romance). Often, people may not know they have been defrauded when it comes to clairvoyant or miracle cure scams, because a product was received (e.g. vitamins or supposed cures), but purchasing a product that claims to cure a disease when it actually does nothing is also fraud and should always be reported to the authorities.

Wrong fraud advice can make one more vulnerable to fraud

There are fraud warnings advertised on various websites. Almost every organisation and every business affected by fraud issues some sort of advice to its customers. There are also those who purport to be experts on scams, calling themselves ‘experienced scam baiters’. There are warnings that describe recent scams, websites that log the email addresses scammers are using, and experiences shared by victims. This is all good; it is important to be aware of the different scams out there. It is important to share your experience so that a quick Google search may help someone else, but the real trick is to be smarter than a scammer. And this is where things get hard.

What makes quality fraud advice? First of all, any advice is better than none, but outdated fraud advice can be very dangerous. For example, I recently saw an email from quite a prominent organisation that deals with safe money transactions, and it contained fraud advice which is terribly outdated. Telling customers that ‘phishing’ emails will never address them by name is no longer applicable. Technology has moved on and so have criminals. Frequently, an individual’s stolen data is used to make phishing emails look genuine, or a fraudster may compromise a legitimate company and send you emails that ask you to follow links to malicious sites. Making phishing emails look legitimate is highly profitable, therefore many fraudsters invest time and effort in spoofing or faking genuine details so that a phone call or an email will look highly legitimate. Giving outdated fraud advice can therefore make one more vulnerable to fraud. And a customer who follows advice given by your organisation and is then defrauded will forever have a negative view of your brand.


Rather than being a life line, outdated fraud advice can make you more vulnerable

So what is my advice? Rely on yourself. Your intuition, your gut feelings, your intellect. And verify as much as you can. Why? Because fraudsters invest time and effort into their craft, coming up with new scams all the time. And because, despite all the warnings, forums and help agencies out there, we will always be one step behind fraudsters.

A successful scam relies on the element of surprise, something you can’t Google, something that is not flashing up anywhere. Just have a look at some of the forums; the plethora of scams on offer is both ingenious and deadly. Knowing an email address a known scammer used can only help you until they generate another one and start from the beginning. So what would be better advice, a better warning, then? Be vigilant, check everything and try to understand how scammers design and execute different frauds and what effect that is likely to have on you, so you can modify your reactions and your behaviour. It takes a smart person to be a successful scammer, so don’t underestimate them. Learn to think critically and pay attention to all the details you are given. Ask questions, delay decisions, Google things, ask others for advice… Look at your own weaknesses and address them. Do you act on impulse? If so, make a rule to sleep on it before you buy or reply to things. Do you struggle to say no? Then say ‘not right now’ instead. Are you unmotivated to read terms and conditions? This can lead to you agreeing to things you didn’t want to do. Scrutinise information. Cross-reference. Take a moment to understand what you are feeling: scammers often evoke strong emotions to encourage impulsive decisions.

Another valid piece of advice is, no matter what the email is, never click links in emails. Verify by logging in to your accounts independently. Sadly, social media has made us click links automatically, because this is how we share information with our friends. But automatic link clicking has also made us more vulnerable to fraud offers, especially if the email is spoofed and appears to be coming from a friend.

Nigerian scams are still very much alive

Nigerian, or advance fee (419), scams have been around for decades. They usually contain a story of a bank official who has spotted an account with unclaimed funds and needs someone to help him get the money out of the account without it being in his name. This is illegal, so he needs the help of someone who can receive the money in their own account and be paid for it. Sometimes it is a royal person, a distant prince, a rich widow unable to leave her money to anyone, someone dying of cancer with wealth to give away, and so on. Once the victim replies, the scammers keep up the conversation, befriending the victim, and eventually ask for fees to process legal papers. The victim never sees the money they were promised. Worse still, sometimes the victim will receive a fake cheque, cash it and wire the money on to the person asking them to launder it, only to find out a few days later that the cheque was fake and that the funds they sent are lost.

Sometimes victims are not even after the money but simply believe they are helping the person, as the stories are often elaborate. In the past, Nigerian scams were executed by post, which cost the scammer postage for every letter. Fax and telephone made them more prevalent, and the Internet finally made them an almost everyday occurrence for most people while costing next to nothing to send. Research also suggests that they are now so well known that they are purposely used to identify the most vulnerable victims, whose details are then sold on to other scammers.

Recently I have been contacted by someone asking me to warn about a scam purporting to be from a girl in a refugee camp, but upon reading the email, I realised it was a spin-off, a Nigerian-type scam with a new twist to fit the current times. Briefly, the story is about a girl who is in a Syrian refugee camp and needs someone to help her get the money that her late and wealthy father deposited in the bank. This is a complex story and I decided to explain why it is complex and how it is written with a view to persuading, for future reference. The initial email asks only that the victim listens to the story, but even acknowledging the email might be dangerous if you are uncomfortable saying no. Here is why:


The story starts with an account of how the girl lost her mother and father to a violent murder and her subsequent life in a refugee camp. She prays to get out of her situation. Without yet explaining what she wants from the victim, she asks for trust, asks not to be betrayed, and asks to know more about the potential victim. This part is likely to elicit empathy: who would not feel empathy when someone tells you about their parents' murder? Asking to know about you is likely to induce feelings of familiarity and closeness once you share that information, as if you were friends, and people help their friends. You may not think much of the words 'trust' and 'betrayal' at this point, but when the request comes you may feel uncomfortable saying no, because it will feel as if you are betraying her, despite the doubts you might have.

persuasive elements in Nigerian type scams

The second part tells more about her situation in the camp and about the pastor who is helping her to email a random person across the globe. It also gives the pastor's telephone number. The victim will probably not use it, but if they do, it will add credibility to the story. The endearments are there to evoke feelings of closeness, and so is the mention of a secret: we tell secrets to those we are close to, so the potential victim might feel privileged to have been entrusted with one. She then explains about her father's fund, containing millions, which she cannot access, and makes her request.

Scammers often put victims in a position of trust by making themselves appear vulnerable. This gives the victim a feeling of power, but in reality the scammer holds all the strings. The girl in this story follows up by reminding you that she asked you to be trustworthy. Scammers are good at altercasting.
Altercasting, a persuasion technique, is where a person casts the target in a specific role, often appealing to their ego (calling for 'a man of vision', for example) or to social norms ('understanding and honest people'), so that refusing feels like stepping out of that role. These scams often ask for nothing more than a few personal details and a reply to the correspondence, which is itself a known technique: once you have invested something, however small, it is harder to back out.

Microsoft research argues that Nigerian-type scams are still around, and still say they are from Nigeria, precisely because everyone knows about them: the implausible story acts as a filter. Replying to a respondent costs the scammer time, so anyone who responds despite all the warning signs is likely to be extremely vulnerable, which means they will, sadly, be a sure thing for the scammer. Their details are harvested and sold to other scammers, who will exploit them further. If you have elderly or isolated neighbours, especially ones who are not so internet-savvy, talk to them about scams. Often knowing something about scams is enough to protect someone from becoming a victim.

Psychology of phishing

Everyone gets phishing emails. For scammers, it is probably the most cost-effective way of scamming people. Sometimes phishing emails are relatively harmless, but often they can be extremely harmful and trick you into parting with your passwords, login details and bank information. I wanted to collect a few to show you the types of phishing emails and the psychology behind them: the language they use, how the message will make you feel and how it will make you want to react.


First of all, the biggest and most important message, and one I think every fraud agency should use, is that phishing emails all have one fundamental thing in common: something to click, be that a link or an attachment. Clicking anything in an email is bad, even if it came from a friend, because email accounts do get compromised and a compromised account sends from your friend's real address. What you should look for in that case is whether the email is out of character for your friend. If so, don't click.


Let's examine the most frequent phishing emails and how they persuade. Most phishing emails are designed to evoke visceral states: sexual arousal, hunger, greed, fear and so on. When we are under visceral influence we are likely to bypass careful information processing and act without proper thinking, because we are acting on that influence. When you are starving, you are likely to eat things you would otherwise reject; when you are scared, you will do anything to save yourself from danger; when you are attracted to someone, you will do anything to get them. So let's see the language used by phishing emails.


Emails offering refunds work by evoking excitement at a prospect of getting money we didn’t expect.

The offer of free money puts one in a visceral state of excitement and/or greed, and this is precisely what the scammer wants. They want you excited enough at the prospect of free money to act straight away. Who doesn't like a tax refund?

Notice that this one also has an expiration date, which further pushes you to act in the moment, for fear of missing the deadline.


Emails offering free prizes are similar to refunds. They evoke excitement.

Free prizes are difficult to resist. They work by compromising careful thinking because emotions take over, but it pays to look for the warning signs. Keeping the details vague lets the email apply to a greater number of people: see how no postcode is specified in this one?

Also, this email does not have the typical 'link' button. Instead, clicking the yes and no buttons does nothing, so, confused that you cannot activate the buttons, you click the link under them. Scams offering free prizes often combine this with other techniques, such as limiting the time to respond, which also compromises information processing.

Emails offering free prizes


Malware emails tend to work by keeping it relevant

Luckily, most anti-virus filters flag malware attachments these days, but note how they targeted me at my university email and made it very relevant: academics are likely to go to conferences. The more relevant the email appears, the more likely it is that the scammer will be successful, so don't be surprised to see phishing emails that appear highly believable.


Emails that evoke fear

Emails suggesting your account has been suspended, compromised or hacked will induce panic and fear and make you want to sort out the problem as soon as possible. When we are in a state of fear, careful thinking is compromised and therefore vital clues are missed. If you did not initiate this download, you will frantically click the link that says cancel, or the one that says support, because in a state of panic this is all you can think about.

Phishing emails that prey on your fears

This email mentions initiating a download a few times, so you get the message that all you have to do is confirm you did not do it yourself and all will be fine. There is another link lower down, and that one will probably lead to a legitimate site: scammers are very good at making everything else look exactly as it should.

I still see advice such as 'hover over a link' to see if it is legitimate, but on its own this is no longer enough. Hovering does show you the real destination rather than the link text, which can say anything, but a good scammer makes the real destination look legitimate too: the trusted name appears as a subdomain or path on a domain the scammer controls, a lookalike spelling or internationalised characters replace a letter or two, or the link bounces through a redirect on a legitimate site. The rest of the email will look fine as well.
The only reason you would need to click a link in an email is if you have just subscribed to something and need to verify your email address, or you have just requested a password change and need to follow the link. In both cases you initiated the action yourself moments earlier, and that is the check: an unsolicited link never passes it.
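Here is a small checker, added as an example (it is not code from the original post), that performs the extra steps hovering alone skips: it takes the visible link text and the real href as you would read them from the email source and flags the tricks described above. The trusted domains and the sample links are placeholders constructed for this example, and the two-label shortcut for the registered domain is an assumption; a real tool would consult the Public Suffix List instead.

```python
import re
from urllib.parse import urlparse

# Domains the recipient really holds accounts with. Assumption for this example:
# the reader maintains such a list; these names are placeholders, not real sites.
TRUSTED_DOMAINS = {"example-bank.com", "example-mail.com"}

# Constructed sample (visible text, href) pairs as they might be pulled out of
# the HTML of the emails described above. None of these hosts are real.
SAMPLE_LINKS = [
    ("https://example-bank.com/login", "https://example-bank.com/login"),
    ("Cancel this download", "http://example-bank.com.account-verify.test/cancel"),
    ("https://example-bank.com/refund", "https://examp1e-bank.com/refund"),
    ("Claim your prize", "https://xn--exmple-bank-tbb.com/win"),
    ("Support", "http://203.0.113.7/support"),
]

_HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")
# Digit-for-letter swaps commonly used in lookalike domains.
_LOOKALIKE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def registered_domain(host: str) -> str:
    """'login.example-bank.com' -> 'example-bank.com'.

    Simplification (assumption): keeps the last two labels, which is wrong for
    public suffixes such as 'co.uk'; a real tool would use the Public Suffix List.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def looks_like(candidate: str, trusted: str) -> bool:
    """True when candidate equals trusted after undoing common character swaps
    (paypa1 -> paypal, rn -> m, vv -> w)."""
    normalised = candidate.translate(_LOOKALIKE).replace("rn", "m").replace("vv", "w")
    return normalised != candidate and normalised == trusted


def check_link(text: str, href: str) -> list[str]:
    """Return the red flags found for one link; an empty list means none found."""
    warnings: list[str] = []
    url = urlparse(href)
    host = (url.hostname or "").lower()

    if url.scheme not in ("http", "https"):
        warnings.append(f"unexpected scheme {url.scheme!r}")
    if not host:
        warnings.append("href has no hostname")
        return warnings
    if host.startswith("xn--") or ".xn--" in host or not host.isascii():
        warnings.append(f"internationalised hostname {host!r}: possible homoglyph domain")
    if host.replace(".", "").isdigit():
        warnings.append(f"href points at a raw IP address {host!r}")

    reg = registered_domain(host)
    for trusted in sorted(TRUSTED_DOMAINS):
        # Trusted name present, but only as a subdomain or path component of
        # another registered domain: the link goes to whoever owns that domain.
        if trusted in href.lower() and reg != trusted:
            warnings.append(f"{trusted!r} appears in the URL but the registered domain is {reg!r}")
        if looks_like(reg, trusted):
            warnings.append(f"registered domain {reg!r} is a lookalike of {trusted!r}")

    # If the visible text is itself a URL, it must agree with the real destination.
    shown = _HOST_RE.search(text.lower())
    if shown and registered_domain(shown.group(0)) != reg:
        warnings.append(f"link text shows {shown.group(0)!r} but href goes to {host!r}")
    return warnings


def suspicious_links(links: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Map each href that raised at least one warning to its list of warnings."""
    return {href: w for text, href in links if (w := check_link(text, href))}


if __name__ == "__main__":
    for href, flags in suspicious_links(SAMPLE_LINKS).items():
        print(href)
        for flag in flags:
            print("   -", flag)
```

Run on the constructed samples, only the genuine first link comes back clean; the other four each trip at least one rule. A link that passes every rule is still not proven safe, which is why the advice above remains to type the address yourself rather than to trust the href.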

Scammers cannot get to your details if you don't click their links or open their attachments, but it helps to understand the psychological states the emails are designed to put you in, so that you do not act against your own best interests.

If you are worried about your accounts being compromised, call the organisation on a number you already have, or log in by typing the address yourself; never use the link in the email.

Any unsolicited email with links in it is probably not good news.