I'm always a little annoyed when people bring out the old “There's a sucker born every minute” quote. The world isn't universally divided between geniuses and fools, yet that seems to come up far too often when discussing scams online. I can go into the comments section on any news article about a phishing scam and find people blaming the victims and calling out that “common sense” would have protected them.
Most people suffer terribly from the “just world fallacy.” For anyone who managed to avoid Psychology 101, this is a tendency that is endemic throughout most of the world. Basically, when something bad happens to someone, others rationalize it away by assuming that they would have been able to avoid the situation entirely or handle it better. No one likes to admit that sometimes people are just in the wrong place at the wrong time, or that even really smart people can make innocent little mistakes with big consequences.
This isn't helping anyone, and it's a terrible idea to get into your head. Yes, there are some truly idiotic scams that just make you roll your eyes. A number of them are fairly understandable, though, if you actually put yourself in the victim's place. So, the next time you read about a big scam and wonder “What idiot would fall for this?”, remember that the answer is you, me and any of the other billions of people online.
Scams Target Emotions
One negative undercurrent in discussions of scams is the idea that someone was “outsmarted.” Scams aren't usually some grand con built on outmaneuvering the mark. Usually they just try to get you to make an emotional decision, and unless you're a robot, everyone is vulnerable to that.
Let's just cover the emotions that they target. Lust is a big one, as you would expect. Videos promising wardrobe malfunctions have drawn in tons of people. Apparently something involving Marika Fruscio has been tricking people for about a month now, according to Sophos' Blog. The setup is simple. They promise a video, then fake the page and get you to click on a share link or download a rogue application. While yes, it is incredibly foolish to just click on a video link like this, that's partially the point. They just want to catch someone who's not thinking clearly.
If you're smart enough not to blindly trust a “Hot women past this, we promise” link, then they'll just go for other emotions. Just this month, there have been scams involving supposed videos of Amy Winehouse's death, the Oslo bombing, Casey Anthony's confession, nasty spider bites and a dark humor bit about a father dropping his daughter so that he could catch a home run ball.
At a rough count, that's gossip, fear/genuine news, gross-out and humor/outrage, and that's just a brief selection from the past month. You can go through the Sophos Blog for Social Networking Scams and find a new one every few days that hits the same basic ideas.
And that's just video links. People send messages from hacked accounts all the time that play on similar emotions. The simple ones just promise a cool link; others go a step further. Some recent scams claim that a blog or wall post says something bad about you, hoping that your vanity will overcome your rationality.
The truly nasty ones will hijack an account and then send messages to family members saying that they're stranded in a foreign country, in another state or in jail, and that they need money now.
Regardless of how they do it, they'll find a way to target your emotions that works. Everyone has a weak spot. It's not that hard to slip past some corner of your rationality shield.
Scams Subvert Rationality
There's an old phrase about it being quite easy to be a Monday morning quarterback. The reason for that isn't just because you have the benefit of hindsight. It's because you don't have anything riding on the situation. You can sit down and calmly think of alternatives and other paths. That's a benefit that the victims of scams didn't have.
As covered above, if they can manage to hit the right emotion, they can elicit a snap decision. That's the best outcome for them. Once you're hooked emotionally, you're far less likely to heed warning signs. They're effectively using your own curiosity against you. They use an emotional hook to snag you, and then throw a small obstacle in your path. They ask you to click the “Jaa” button to confirm your interest (which is just a trick: “Jaa” means share in Finnish, so you're simply agreeing to spam your friends with it). Or they ask you to confirm your age, download an app or grant them slightly greater access. It's the same field of marketing tricks that even legitimate applications use. Just think of how all those annoying Facebook quizzes work. They try to hook you by mentioning that a friend took it, and then force you to take it to see their results.
And of course, the emotional hooks often come with the added benefit of your friend's word. If a friend is tricked into clicking the share button or the like button, or their account is compromised, then the scam will appear to be a personal message from them. Even the most rational person isn't going to be as suspicious of something if a friend seemingly vouches for it.
Scams Can Be Subtle
One of the biggest problems with phishing and scams is that people just assume they'll be easy to spot. Just because the classic scam email or message is a grammatical nightmare doesn't mean that all of them are.
Scammers can be incredibly smart when they want to be. I'd like to drive home one fairly simple but brilliant scam. Last month, Simon Pegg's Twitter account was hacked. Instead of taking the opportunity to hawk Viagra or diet pills, the hacker was actually smart. They merely posted a tweet saying that all of his fans would probably like a new screensaver from the movie Paul. A large number of followers followed the link and downloaded it. Those lucky enough to have active virus scanners found that the file was infected with some nasty malware. Pegg later deleted the tweet and warned his followers about what had happened, but a number of them were infected before the mistake was realized.
That's just one. There are rogue applications out there that aren't just blatant information grabs. One example is a clever app that promises to pull up a user's first wall post. Of course, once you give it access to your computer and account, it bleeds you dry. But this wasn't one of the usual suspects: there are applications that legitimately perform similar functions, and it certainly isn't odd for them to request greater access.
You cannot just group together all scams as high school cons. Some are obvious or preventable in hindsight, but quite convincing in the moment.
Scams Only Need One Mistake
The final note I'd make about all of this is that scams work on a kind of reverse confirmation bias. The 100 scams you ignore don't really matter. You're just part of the vast majority that was “smart” enough not to fall for them.
The people who fall for scams are the ones who had a gut emotional response just one time. The ones who were tired and didn't process their mental warnings. The ones who panicked when they read that their sister was trapped at the Canadian border waiting for them to send her $100 for customs fees. The ones who forgot to hover over the link before clicking on it, or check Google, or read Sophos' latest reports, or update their virus scanner, etc.
One little mistake can make you the victim of a fairly big phishing scam, or a more traditional trick. So, the next time you shrug and say that your common sense would have helped you avoid a scam, remember:
The “idiots” falling for these are usually no different than you or me.
Sources: Sophos Naked Security Blog; Simon Pegg's Twitter Hacked