'Fear, Greed, Lust' Drive Mind Games Used To 'Scam' Internet Users

A new study details the psychological games and other tactics cyber criminals use in social engineering scams propagated through junk email. In the recently released study, titled "Mind Games," Dr. James Blascovich, Professor of Psychology at the University of California, Santa Barbara, analyzed multiple common scam emails and showed how cyber criminals use fear, greed and lust to methodically steal personal financial information.

"Scam spam works best by providing recipients with a sense of familiarity and legitimacy, either by creating the illusion that the email is from a friend or colleague, or providing plausible warnings from a respected institution," Dr. Blascovich noted. "Once the victim opens the email, criminals use two basic motivational processes, approach and avoidance, or a combination of the two, to persuade victims to click on dangerous links, provide personal information, or download risky files. By scamming $20 from just half of one percent of the U.S. population, cyber criminals can earn $15 million each day and nearly $5.5 billion in a year, a powerful attraction for skillful scam artists."

An important key to the crooks' success is familiarity. One example is phishing scams that fraudulently acquire sensitive information, such as usernames, passwords, and financial data, by masquerading as a familiar or nationally recognized bank, credit card company or even an online auction site. A recent report by McAfee Avert Labs showed the number of phishing Web sites increased by 784 percent in the first half of 2007. Popular sites are also being victimized. In December of 2006, cyber criminals targeted MySpace and used a worm to convert legitimate links into ones that lured consumers to a phishing site designed specifically to obtain personal information.

Along with the alarming increase in phishing emails, the researchers said they are also seeing more sophisticated messages that can fool all but the most highly trained surfer. While earlier phishing emails often included typos, awkward language and minor graphical mistakes, newer scams appear to be more legitimate, with slicker graphics and copy that closely mirrors the language used by respected institutions.

In addition to tactics that build on familiarity to create the illusion of legitimacy, phishing scams also target consumers with fear tactics, using subject lines such as "Urgent Security Notification" and "Your billing account records are out of date." Other lures, such as "Must Complete and Submit" or "You Are Missing Out," are less blatant but similarly trick users into thinking that without a specific action on their part, they're going to lose out.

Dr. Blascovich reported on a category of scam emails that target consumers who are promotion-focused (want to "get ahead") and/or capitalize on consumers' greed. These messages have such subject lines as "You Won" to entice consumers into thinking they may have won a lottery or sweepstakes, "90% discounts" to trick consumers into thinking they are getting great promotional pricing, or "You Are Approved" to target consumers who need a loan or have money problems.

Yet another popular lure involves messages that play on feelings of love and loss. A subject like "Why spend another week lonely?" works by preying on the sensitivities of those feeling vulnerable. And finally, there's the voice-of-authority approach: "Attention! Several Credit Card databases have been LOST" and others like it are designed to make consumers feel a sense of urgency and obligation. The "Mind Games" report is available online at http://www.mcafee.com/us/threat_center/white_paper.html. Listen to a podcast on phishing and crimeware: https://www.bankinfosecurity.com/podcasts.php?podcastID=18


About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.



