Internet security, software and anti-virus updates - we are all aware of these and many of us frequently ignore them and now there is some research on why that is. People may be experiencing ‘security fatigue’ due to the amount of security warnings out there, and this may be dangerous as it leads to less caution. Having so much security or fraud advice from different sources, can confuse and intimidate users to the point that they ignore all advice. For example, in real life, we have limited time for making decisions. When there is too much information to consider, it’s easier to ignore all information than trying to figure out which security advice should be followed.

In a research study by Egelman, Cranor & Hong, participants that willingly gave their details to a fraudulent website created for the experiment, explained they did so because they did not understand the risks and said they frequently ignore security advice. Therefore, warnings barked at people without properly explaining why there is a need to be cautious may not be the best way forward. Having simple advice, concentrating on fraud elements that are mostly stable (e.g. scam techniques or personal vulnerabilities), as well as individual factors (e.g. personality or circumstances that influence fraud compliance) may be a better way in fight against fraud. This is supported by research that looked at how individual differences impact privacy attitudes (Egelman & Peer, 2015).

Designing good security advice is an art. Just as criminals use specific persuasion techniques to influence compliance, security advice that is not compelling will be largely ignored.
For example, research by Modic & Andersen found that security warnings that used concrete (explanation of what malware does to a computer), rather than vague (message saying access is blocked due to security concerns) threats were more effective.  They also found that adding cues to authority (e.g. security team has identified this site is dangerous) to a security message was more effective than social cues (e.g. your friends have already been scammed). This means that people seem to appreciate concrete advice coming from those that they perceive are experts in the field, rather than being inundated by vague or conflicting security advice that can be found in abundance online.

Many fraud victims I interviewed told me about lack of trust following victimization. And sometimes this mistrust gets attached to companies whose credentials were misused by scammers. The best you can do for your customers is keep any fraud prevention advice current and relevant.

When a person is defrauded, they suffer great psychological distress. It is not just about the lost funds, it is about deception, about morals. On a rational level, a victim of a phishing attack bearing your company logo will know that you did not cause this but on an emotional level, they will forever associate your brand with not being able to trust you. This is why it’s important to have the best possible fraud prevention advice for your customers, to make it engaging, relevant and personal and to update it frequently.