Online fraud is today’s most common crime. Victims are often told they are foolish for falling for it, but fraudsters use psychological mechanisms to infiltrate the defenses of their targets, regardless of how intelligent they are.
So it’s important to keep up with the latest scams and understand how they work. Recently, consumer protection magazine Which? identified some of the most convincing scams of 2023. These scams all have one thing in common – they insidiously take advantage of people’s cognitive biases and psychological blind spots.
They included “pig butchering”, a way of fattening up victims with affection; the missing person scam, which involves posting fake content on social media pages; the traditional PayPal scam; and a new scam called the “fake app alert”, in which malware is hidden in apps that look legitimate.
In our work as fraud psychology researchers we have noticed a trend towards hybrid scams, which combine different types of fraud. Hybrid scams often involve crypto investments and sometimes use trafficked labour. In the US alone, the FBI recently reported that people lost US $3.3 billion (£2.6 billion) in 2023 to investment fraud.
Confidence tricks exploit characteristics such as greed, dishonesty, vanity, opportunism, lust, compassion, credulity, irresponsibility, desperation, and naïvety. As such, there is no consistent profile of a confidence trick victim; the common factor is simply that the victim relies on the good faith of the con artist.
Victims of investment scams tend to show an incautious level of greed and gullibility, and many con artists target the elderly and other people thought to be vulnerable, using various forms of confidence tricks. Accomplices, also known as shills, help manipulate the mark into accepting the perpetrator’s plan.
In a traditional confidence trick, the mark is led to believe that he will be able to win money or receive some benefits by doing some task. The accomplices may pretend to be strangers who have benefited from performing similar tasks in the past.
Fraud has rapidly adapted to the Internet. The Internet Crime Complaint Center (IC3) of the FBI received 847,376 reports in 2021, with reported losses of $6.9 billion in the US alone. The Global Anti Scam Alliance's annual Global State of Scam Report stated that globally $47.8 billion was lost and the number of reported scams increased from 139 million in 2019 to 266 million in 2020.
Government organizations have set up online fraud reporting websites to build awareness of online scams and make it easier for victims to report online fraud. Examples are in the United States (FBI IC3, Federal Trade Commission), Australia (ScamWatch ACCC), Singapore (ScamAlert), the United Kingdom (ActionFraud) and the Netherlands (FraudeHelpdesk). In addition, several private, non-profit initiatives have been set up to combat online fraud, such as AA419 (2004), APWG (2004) and ScamAdviser (2012).
Phishing attacks often involve creating fake links that appear to be from a legitimate organization. These links may use misspelled URLs or subdomains to deceive the user. It can appear to the untrained eye as though the URL will take the user to the example section of the yourbank website; actually this URL points to the “yourbank” (i.e. phishing subdomain) section of the example website (fraudster’s domain name).
Another tactic is to make the displayed text for a link appear trustworthy, while the actual link goes to the phisher’s site. To check the destination of a link, many email clients and web browsers will show the URL in the status bar when the mouse is hovering over it. However, some phishers may be able to bypass this security measure.
Internationalized domain names (IDNs) can be exploited via IDN spoofing or homograph attacks to allow attackers to create fake websites with visually identical addresses to legitimate ones. These attacks have been used by phishers to disguise malicious URLs using open URL redirectors on trusted websites. Even digital certificates, such as SSL, may not protect against these attacks as phishers can purchase valid certificates and alter content to mimic genuine websites or host phishing sites without SSL….
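The three link tricks described above (a trusted name used as a subdomain, link text that differs from the real destination, and look-alike IDN characters) can be checked mechanically. The following is an added example, not part of the original article: a small Python link checker that assumes the (href, visible text) pairs have already been extracted from a message. The TRUSTED set, the sample links and the finding names are constructed for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

TRUSTED = {"yourbank.com"}  # assumption: the organisation's genuine domain(s)

# Constructed (href, visible link text) pairs, as extracted from an e-mail body.
SAMPLE = [
    ("https://www.yourbank.com/login", "Sign in"),
    ("http://www.yourbank.example.com/", "Your account"),
    ("http://login.example.net/x", "www.yourbank.com"),
    ("http://yourb\u0430nk.com/", "Verify"),  # U+0430 is Cyrillic "a"
]


def host_of(url):
    """Lower-cased hostname of a URL or bare domain, '' if none can be parsed."""
    try:
        return (urlsplit(url if "://" in url else "//" + url).hostname or "").lower()
    except ValueError:
        return ""


def registrable(host):
    # Simplification: last two labels. Real code should use the Public Suffix List.
    return ".".join(host.split(".")[-2:])


def check_link(href, text=""):
    host, findings = host_of(href), []
    try:  # decode xn-- (punycode) labels to the Unicode form a user is shown
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # hostname is already Unicode, or is not valid IDNA
    scripts = {unicodedata.name(c, "?").split()[0] for c in host if c.isalpha()}
    if len(scripts) > 1:  # e.g. Latin mixed with a Cyrillic look-alike
        findings.append("mixed-script")
    brands = {d.split(".")[0] for d in TRUSTED}
    if registrable(host) not in TRUSTED and brands & set(host.split(".")):
        findings.append("brand-in-subdomain")  # trusted name used as a mere label
    shown = host_of(text.strip()) if " " not in text.strip() else ""
    if "." in shown and registrable(shown) != registrable(host):
        findings.append("text-href-mismatch")  # text names one site, href another
    return findings


def audit(links):
    return {href: check_link(href, text) for href, text in links}
```

The mixed-script test does not catch a hostname written entirely in one non-Latin script, and a clean result says nothing about an open redirector on a trusted site or about the certificate, so these checks complement rather than replace reputation and content filtering.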