Information is power and, when it comes to the criminal underground, it might as well be gold. Scammers who pick up chuncks of information about you can quickly pick your pocket.
An effective phishing scam almost always involves trickery and deception. A message in your email inbox is not what it first appears.
For example, the Federal Deposit Insurance Corporation (FDIC) says scammers have been posing as officials of that agency for the last 10 years, contacting consumers at random and asking for highly sensitive personal information.
Two professors at the University of Alabama in Huntsville (UAH) have studied a wide range of phishing scams, measuring which ones are most effective and why. Their findings might help you avoid falling into one of these traps.
Finding an effective warning
“We’re trying to have people be more careful with the personal information they divulge online,” said Dr. Sandra Carpenter, a psychology professor at UAH. “The problem is what is it you can say to them that will be an effective warning?”
Carpenter, and her colleague Dr. Feng Zhu, found that scammers running a phishing operation will routinely use one or more social influencing strategies commonly used in marketing, like promising a reward. Consumer advocates often warn “if something is too good to be true, it usually is.” But that warning often gets lost when a consumer focuses on the promised reward.
Scammers also employ fear as a motivating factor. Posing as a feared authority, like the Internal Revenue Service, the scammer may use intimidation as a means to pry loose information. A frightened consumer might not think it through, realizing no government agency would demand sensitive information in an unsecure email.
The challenge, then, is to find a way to identify these bogus pitches/threats and warn consumers before they make a costly error in judgment.
The researchers are using eye trackers to pinpoint where a user’s eyes are on a screen and how long they stay at any point. They're studied the research on which warnings work in industry for toxic chemicals and other dangers.
They're using the Communication Human Information Processing (CHIP) model to discover what kind of warnings will get consumers' attention and alerting them to the danger.
“CHIP indicates the stream of processes a person goes through in order to accept a warning,” Carpenter said.
It can be a complicated process. The researchers say your response to a warning is based on the strength of the authority issuing it. In addition, you have to understand it, remember it, change your attitude and be motivated enough to change your behavior.
Early experiments highlighted the problem. The 2 researchers subjected groups of consumers to inquiries for information. Some were legitimate, some were phishing attacks. Some were warned about phishing attacks, some were not.
“When they are under attack with an effective warning, we find that people disclose at about the rate of those not being attacked,” Carpenter said. “We are currently trying to see which warning words work best and we are testing now to see which source is more credible and effective for the warning.”
In other words, very often a warning doesn't work. For that reason a 2009 industry study found phishing attacks to be highly effective. For example, 45% of bank customers who were redirected to a phishing site gave up their log-in information.
Carpenter and Zhu are still trying to find an effective warning, but what they have figured out is that phishing is not just a problem of technology, though fixes are normally offered only in those terms. Rather, a lot of it involves psychology.
Scammers, it seems, have always known that.