Definition of a Scam: A scam is a dishonest scheme designed to trick people into giving up their money, personal information, or time. Scams can take many forms, from phishing emails to investment fraud or lottery scams.
Why People Fall for Scams: Human psychology is often exploited in scams. Cognitive biases, emotional manipulation, and social influences are used to influence behavior and decision-making. Understanding these psychological principles is crucial to recognizing and avoiding scams.
Scams are not just about trickery; they are rooted in psychological manipulation. People’s trust and emotions are often targeted to make them more susceptible.
🔐 Scammers are getting sneaky — especially targeting older adults. 🧓👵
🧠 Researcher Nichole Lighthall shares how we can fight back and protect our finances! 💪💵
How do cognitive biases, such as the anchoring effect, confirmation bias, and the scarcity principle, make individuals vulnerable to scams?
1. Anchoring Effect:
○ People tend to rely too heavily on the first piece of information they encounter (the "anchor") when making decisions. Scammers use this by presenting an initial attractive offer that shapes the victim’s perception of the value or legitimacy of the scam.
○ Example: A scammer offers an initial "discount" on a product, making the victim perceive the final price as a better deal than it actually is.
2. Confirmation Bias:
○ Individuals are more likely to believe information that aligns with their preexisting beliefs or desires. Scammers take advantage of this bias by tailoring their scams to match victims' hopes or fears.
○ Example: A scammer sends a fraudulent email claiming the recipient has won a lottery they entered, capitalizing on their desire for financial gain.
🚨 SCAM ALERT 🚨
Think you won the WhatsApp Million Dollar Lottery? 💸 Think again.
🛡️ Learn how to spot phishing scams with real email examples 📧
3. Scarcity Principle:
○ People are more likely to value something that is perceived as scarce or in limited supply. Scammers use this principle to create a sense of urgency, prompting victims to act quickly.
○ Example: “Only 10 spots left! Act now before it's too late!” This triggers anxiety and compels individuals to make hasty decisions without fully thinking through the consequences.
Cognitive biases play a critical role in decision-making and can make people vulnerable to scams. Scammers manipulate biases such as urgency, desire for gain, and preexisting beliefs.
🧠 Why do we make the choices we do?
Learn how heuristics, biases, and more shape our decisions every day.
How do scammers use emotional manipulation, such as fear, greed, and empathy, to exploit victims?
Fear-based Manipulation:
○ Scammers often use fear as a tactic to coerce victims into action. The fear of financial loss, legal consequences, or missing out can cloud judgment and cause people to make impulsive decisions.
○ Example: An email or phone call from a scammer claiming the victim owes money to the IRS, threatening arrest unless immediate payment is made.
Greed and Desperation:
○ Scammers prey on people’s desires for wealth or relief from financial struggle. They promise large returns on investment or offer fake opportunities for quick money.
○ Example: A scammer presents an investment that promises large returns with little risk, appealing to people who want to solve financial difficulties quickly.
Empathy and Helping:
○ Scammers can exploit victims' desire to help others, particularly when emotional appeals are involved. This is often seen in charitable donation scams.
○ Example: A scammer creates a fake charity for disaster relief, asking for donations during a crisis. Victims, motivated by empathy, unknowingly contribute to fraudulent organizations.
Scammers exploit basic human emotions like fear, greed, and empathy. Emotional manipulation is often more powerful than logical reasoning in decision-making.
💔 Romance Scam Reality Check
“Sue” lost nearly $2.5 million and her home to a scammer she met online.
Using tech and psychological manipulation, they made her believe it was real.
😡💔 Scammers prey on your emotions
In a heightened emotional state, critical thinking drops — and that’s when they strike.
Scammers use emotional manipulation by strategically managing their behavior and exploiting the victim’s expectations, trust, and emotional reactions during interactions—making their deception appear credible and increasing the chances of success while reducing detection.
Social Proof:
○ People often look to others for cues on how to behave, especially in uncertain situations. Scammers use fake testimonials or social media accounts to create the illusion of credibility.
○ Example: A scammer sets up a fake website with positive reviews and testimonials to convince potential victims that their product or service is legitimate.
Authority:
○ People are more likely to trust and comply with someone they perceive as an authority figure. Scammers use this by impersonating professionals or government officials.
○ Example: A scammer calls a victim, posing as a bank representative, and convinces them to transfer money for "security purposes."
Reciprocity:
○ The principle of reciprocity means that people feel compelled to return favors. Scammers often give small "gifts" or offers to create a sense of indebtedness, making it more likely the victim will comply with larger, fraudulent requests.
○ Example: A scammer offers a free trial of a service, and later pressures the victim into signing up for a paid subscription.
It also highlights that a scam’s credibility and emotional appeal (e.g., urgency, likability) increase its success.
This image shows the Fraud Susceptibility Model (Dove, 2018), explaining how people become vulnerable to scams in three stages:
Precursors (Stage 1): Situations like time pressure, social influence, or certain life circumstances make someone more likely to consider a fraud offer.
Commitment (Stage 2): Personal traits—like low vigilance, impulsivity, and trust in justice—affect how someone responds to the scam.
Aftermath (Stage 3): If vulnerability isn’t addressed through avoidance strategies, the person becomes more likely to fall for scams.
Social influence tactics such as authority and social proof can make scams more convincing. People are more susceptible to scams when they perceive the source as credible or when they feel indebted.
1. Shame and Guilt:
○ Victims of scams often experience shame and guilt for falling for a fraudulent scheme. These feelings can delay their ability to report the scam and seek help.
○ Example: After losing money in an investment scam, the victim might feel embarrassed and reluctant to tell others or report the incident.
2. Loss of Trust:
○ Being scammed can erode trust in others and make individuals more skeptical of future interactions, even with trusted parties.
○ Example: A victim who was scammed by a fake online store may become distrustful of all e-commerce sites, even legitimate ones.
3. Psychological Trauma:
○ In severe cases, being scammed can lead to lasting psychological effects, including anxiety, depression, and feelings of helplessness.
○ Example: Elderly individuals who fall victim to scams may suffer from long-term emotional trauma, impacting their sense of security.
The emotional aftermath of being scammed can be profound, leading to shame, loss of trust, and mental health challenges. Victims may avoid reporting scams due to feelings of embarrassment or fear of judgment.
Recognizing Red Flags:
○ Look for warning signs such as unsolicited communication, high-pressure tactics, or offers that seem "too good to be true."
○ Example: Be cautious if you're asked to provide personal information or money in an unsolicited email or phone call.
Critical Thinking and Skepticism:
○ Always question the legitimacy of offers and requests for personal or financial information, especially when there is an element of urgency.
○ Example: If you receive an email claiming you've won a prize, verify the source before clicking any links or sharing personal details.
Report Scams:
○ Report any suspicious activity to the appropriate authorities, such as consumer protection agencies or law enforcement, to help prevent others from becoming victims.
○ Example: Report a phishing scam to the Anti-Phishing Working Group (APWG) or your local consumer protection agency.
Educate Others:
○ Share knowledge about common scams and warning signs with friends and family to create a more aware and resilient community.
○ Example: Encourage older family members to be cautious about unsolicited offers and to verify any suspicious communication.
Awareness and skepticism are key in avoiding scams. Reporting and educating others can help reduce the impact of scams on vulnerable populations.
It's amazing how technology, especially phones and email, keeps us connected to family and friends. However, with all these conveniences come some risks. One such risk is phishing, where cybercriminals pretend to be trustworthy companies—like your bank or favorite store—to steal your personal information. Phishing attempts can pop up in emails, text messages, or even social media, often trying to rush you into making quick decisions. In today’s session, you’ll learn how to spot these tricks and protect your information online.
Think of phishing like fishing in a lake. While there are good fish, there are also dangerous ones lurking beneath the surface. Just like a fish hook hides a sharp trap, phishing emails may look legitimate but contain hidden threats designed to steal your personal details.
Here are some common types of phishing:
Promotional Emails: Bulk ads for products or services.
Financial Scams: Emails related to financial services, but from sources you didn’t opt into.
Fraudulent Offers: Scams promising large sums of money for small upfront payments.
Malware: Emails with malicious attachments or links.
Fake Prizes: Claims that you’ve won a lottery or prize but need to pay fees to claim it.
Tech Support Scams: Claims that your computer is infected and offers paid support.
How can you tell if an email is real or a phishing attempt? Watch out for these signs:
Sender Address: Official emails usually come from company domains (e.g., @company.com), while phishing emails may use misspelled or public email addresses (e.g., @gmail.com).
Personalization: Legitimate emails address you by name; phishing emails often use generic greetings like "Dear Customer."
Urgency: Phishing emails often create a false sense of urgency (e.g., “Your account will be locked!”) to prompt quick action.
Links and Attachments: Be cautious of links or attachments asking for personal information.
Grammar and Spelling: Official emails are usually well-written; phishing emails may contain errors.
Requests for Sensitive Info: Legitimate companies rarely ask for sensitive data via email.
Check the Sender: Look for subtle misspellings in the sender’s email.
Look for Personalization: Legit emails will include your name or account details.
Hover Over Links: Before clicking, hover over links to check the URL.
Beware of Urgency: Don’t act hastily—phishers want to rush you.
Use Official Channels: Instead of clicking links, go directly to the company’s website.
Enable Two-Factor Authentication: Add an extra layer of security to your accounts.
Update Software Regularly: Keep all devices and apps updated with the latest security patches.
Phishing scams are becoming more sophisticated, but there are always signs that give them away. Here’s how to spot a suspicious email:
Check the Sender (FROM): Look for misspellings in the email address.
Who Else Was Copied? (TO): Phishing emails may send messages to multiple unknown recipients.
Time Sent (DATE): Emails sent at odd hours, like 3:00 AM, may not be legitimate.
Inspect Links: Hover over links to see if the URL matches the expected destination.
Evaluate the Subject Line (SUBJECT): Be wary of unexpected invoices or receipts.
Examine the Content: Phishing emails often create urgency or use alarming language.
Be Cautious with Attachments: Never open attachments unless you're sure they're safe.
● Verify the sender before clicking links or downloading attachments.
● Use Multi-Factor Authentication (MFA) to enhance security.
● Report phishing attempts to your email provider or IT team.
● Contact the sender directly through official channels if you're unsure.
● Keep antivirus software and email security settings up to date.
By staying vigilant and knowing how to spot phishing attempts, you can protect yourself from online scams and keep your personal information safe.
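The sender, recipient, greeting, urgency and link checks listed above can also be automated. The following is an added example, not part of the original page: both sample messages are constructed, every domain is a `.example` placeholder, and the word lists and recipient threshold are assumptions.

```javascript
// Added example: heuristic red-flag checks for a single e-mail.
// Both sample messages are constructed; every domain is a .example placeholder.
const PUBLIC_MAIL = new Set(['gmail.com', 'outlook.com', 'yahoo.com', 'hotmail.com']);
const GENERIC_GREETING = /^\s*dear (customer|user|member|account holder)\b/im;
const URGENCY = /\b(immediately|urgent|act now|will be (locked|suspended))\b/i;
const MAX_RECIPIENTS = 3; // assumed threshold for "multiple unknown recipients"

// Split headers from body at the first blank line (folded headers not handled).
function parseEmail(raw) {
  const [head, ...rest] = raw.split(/\r?\n\r?\n/);
  const headers = {};
  for (const line of head.split(/\r?\n/)) {
    const m = line.match(/^([\w-]+):\s*(.*)$/);
    if (m) headers[m[1].toLowerCase()] = m[2];
  }
  return { headers, body: rest.join('\n\n') };
}

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return null; }
}

// True for "bank.example" and "www.bank.example", false for "bank-alerts.example".
function underDomain(host, domain) {
  return host === domain || (host || '').endsWith('.' + domain);
}

function redFlags(raw, expectedDomain) {
  const { headers, body } = parseEmail(raw);
  const flags = new Set();
  // FROM: the address domain, not the display name, is what counts.
  const from = (headers.from || '').match(/([^\s<>@]+)@([^\s<>]+)>?\s*$/);
  const fromDomain = from ? from[2].toLowerCase() : '';
  if (PUBLIC_MAIL.has(fromDomain)) flags.add('sender-public-mailbox');
  else if (!underDomain(fromDomain, expectedDomain)) flags.add('sender-domain-mismatch');
  // TO: the same message sent to a list of strangers.
  if ((headers.to || '').split(',').length > MAX_RECIPIENTS) flags.add('many-recipients');
  if (GENERIC_GREETING.test(body)) flags.add('generic-greeting');
  if (URGENCY.test(`${headers.subject || ''} ${body}`)) flags.add('urgency');
  // LINKS: compare where the href really goes with what the link text displays.
  for (const m of body.matchAll(/<a\s[^>]*href="([^"]+)"[^>]*>(.*?)<\/a>/gis)) {
    const target = hostOf(m[1]);
    if (!underDomain(target, expectedDomain)) flags.add('link-off-domain');
    const text = m[2].trim().replace(/^https?:\/\//i, '');
    const looksLikeUrl = /^[\w-]+(\.[\w-]+)+(\/\S*)?$/.test(text);
    const shown = looksLikeUrl ? text.split('/')[0].toLowerCase() : null;
    if (shown && shown !== target) flags.add('link-text-mismatch');
  }
  return [...flags].sort();
}

const SAMPLE_PHISH = `From: Bank Support <support@bank-alerts.example>
To: a@mail.example, b@mail.example, c@mail.example, d@mail.example
Subject: Your account will be locked!

Dear Customer,
Verify your details immediately:
<a href="http://login.bank-alerts.example/verify">www.bank.example/verify</a>`;

const SAMPLE_LEGIT = `From: Example Bank <notices@bank.example>
To: maria@mail.example
Subject: Your March statement is ready

Hello Maria,
<a href="https://www.bank.example/statements">View your statement</a>`;

console.log(redFlags(SAMPLE_PHISH, 'bank.example'), redFlags(SAMPLE_LEGIT, 'bank.example'));
```

A clean result only means none of these particular signs were found; it does not prove the message is safe.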
Here are a few examples of common phishing attempts:
● PayPal Account Suspension: Emails claiming your PayPal account has been suspended and urging you to "verify" your information.
● Apple ID Locked: Messages stating your Apple ID has been locked and asking you to "confirm" your details.
● Bank Account Compromise: Alerts about unusual activity on your bank account asking you to verify transactions.
● Microsoft 365 Scams: Fake emails claiming to be from Microsoft 365 or SDCCD asking you to verify your account. Remember, Microsoft will NEVER ask for sensitive information via email.
Text messages can also be phishing attempts:
● Package Delivery: Texts claiming you have a package waiting and asking you to click a link to schedule delivery.
● Bank Alert: Texts warning of account suspension unless you "verify" your info.
● Contest Winner: Messages saying you've won a prize, but need to click a link to claim it.
A helpful method to avoid phishing is to use the STOP approach:
● S: Stop and think before clicking.
● T: Take your time to verify.
● O: Observe details like email addresses.
● P: Protect yourself by verifying the source.
Protect your online identity
(℅ Professor Mary Burns)
How to freeze your credit:
Equifax
Create a myEquifax account online at equifax.com
Log in and select "Place a Freeze" under the Freeze section
Follow the instructions to place the freeze
Alternatively, you can call Equifax at (888) 298-0045 or send a written request by mail.
Experian
Visit experian.com/freeze
Click "Add a security freeze"
Follow the prompts to create an account and place the freeze
You can also call Experian at 1-888-EXPERIAN (1-888-397-3742) or mail your request.
TransUnion
Go to transunion.com/credit-freeze
Click "Add a freeze"
Create an account and follow the steps to place the freeze
TransUnion also offers phone (888-909-8872) and mail options.
■ Freezing your credit is free at all three bureaus.
■ You'll need to provide personal information to verify your identity. Use your home computer and do not use a public network.
■ Each bureau requires a separate freeze request.
■ Remember to temporarily lift or remove the freeze when applying for new credit.
■ Consider freezing your credit reports with secondary bureaus like Innovis and NCTUE for additional protection.
(℅ Professor Mary Burns; Apple, 2023)
A passkey is a new authentication technology that uses public key cryptography to enable users to log into websites and apps without having to enter a password. Instead, users authenticate the same way they unlock their phones and tablets. This can include their fingerprint, face or other biometrics, by using a swipe pattern, or by entering a PIN. For purposes of convenience, most people will opt for biometric authentication.
Instead of creating a password to log into an account, users generate a passkey, which is actually a key pair (one private key and one public key) created by an “authenticator.” This “authenticator” can be a device, like a smartphone or a tablet, a web browser, or a password manager that supports passkey technology.
Before generating a passkey, the authenticator will require that the user identify themselves using a PIN, swipe pattern or biometrics. The authenticator then sends the public key (which is roughly equivalent to a username) to the account web server for storage, and the authenticator securely stores the private key locally. If the authenticator is a smartphone or other device, the private key will be stored in the device keychain. If the authenticator is a password manager, the private key will be stored in the password manager’s encrypted vault.
Passkeys are more secure than passwords, for numerous reasons:
■ For passwords to work, account servers must store them – or at least their hashes – so they can compare the stored data with the password the user enters. As mentioned in the previous section, passkey technology doesn’t require account servers to store users’ private keys, only their public keys. If the account server is breached, threat actors will access only public keys, which are useless without the accompanying private keys.
■ Most people have poor password hygiene. They use passwords that are too short, or contain dictionary words, or biographical information that’s easy to guess. They reuse passwords across multiple sites. And instead of using a password manager, they store their passwords on sticky notes or in unencrypted text files. Passkeys, on the other hand, are generated by the user’s authenticator, so they’re always highly complex and unique to every user and every account, every time.
■ Many people also don’t secure their accounts with two-factor authentication (2FA). Passkeys depend on 2FA by design; to use a passkey, an end user must have their authenticator close by, satisfying the criteria of something you are (the biometric) and something you have (the authenticator).
■ Unlike passwords, passkeys can’t be compromised in phishing schemes, because it’s impossible to trick a user into entering a passkey on a phony lookalike site.
Despite the advantages of passkeys, they are still not readily available across all platforms and companies. There are also drawbacks when accessing accounts from different systems and devices, since the passkey is tied to a device. Nevertheless, it is an exciting direction, especially when considering the alternative (remembering every password).
Stay Informed About Common Scams: Familiarize yourself with prevalent scam tactics, such as phishing, impersonation, and fraudulent investments. The Federal Trade Commission (FTC) provides comprehensive information on various scams and how to recognize them.
consumer.ftc.gov
Verify the Legitimacy of Communications: Be cautious of unsolicited emails, calls, or messages, especially those requesting personal information or money. Legitimate organizations typically do not ask for sensitive data through these channels. If in doubt, contact the organization directly using official contact information.
consumer.ftc.gov
Use Security Software and Keep It Updated: Protect your devices with reputable security software that includes antivirus and anti-malware features. Ensure the software updates automatically to defend against new threats.
consumer.ftc.gov
Be Cautious with Financial Transactions: Before making financial decisions or sharing payment information, research the recipient's legitimacy. The Better Business Bureau (BBB) offers a Scam Prevention Guide to help consumers identify warning signs of fraud.
bbb.org
Report Suspected Scams: If you encounter a scam, report it to appropriate authorities to help prevent others from falling victim. The FTC provides guidance on recognizing and avoiding phishing scams, as well as steps to take if you've been targeted. https://reportfraud.ftc.gov/
Better Business Bureau Scam Prevention Guide
The BBB Scam Prevention Guide helps consumers make smart buying decisions and identify the warning signs of online scams and fraud. If you are interested in learning more about ways to help protect yourself from online scams, choose from the menu below to start your journey.
https://www.bbb.org/all/scam-prevention?utm
Federal Trade Commission Consumer Advice
How to Recognize and Avoid Phishing Scams
Scammers use email or text messages to trick you into giving them your personal and financial information. But there are several ways to protect yourself.
https://consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams?utm
Federal Trade Commission Consumer Advice
Scams: Avoiding and Reporting Scams
The FTC will never threaten you, say you must transfer your money to “protect it,” or tell you to withdraw cash or buy gold and give it to someone. That’s a scam.
https://consumer.ftc.gov/scams?utm
Federal Trade Commission Report Fraud
Lo, M. L., & Hasan, A. M. Z. (2015). Scam and deception in online transactions. Journal of Business Ethics, 127(1), 89-102. https://link.springer.com/article/10.1007/s10551-015-2777-0
Fong, T. A. O., & Fong, J. V. S. (2020). Fraud and scams in the digital economy. Cybersecurity Review, 5(3), 45-58. https://www.journals.elsevier.com/cybersecurity
Fiske, T. P., & McGee, H. M. (2016). Cognitive biases and decision making: Insights into fraud victimization. Journal of Behavioral Economics, 58(2), 123-135. https://www.journals.elsevier.com/journal-of-behavioral-economics
Lister, M. W., & Roberts, K. R. (2018). The psychology of scams: Why people fall for fraudulent schemes. Journal of Consumer Research, 45(1), 85-98. https://academic.oup.com/jcr/article/45/1/85/5326822
Habermas, M. J. E., & Bradshaw, R. S. (2017). Emotional manipulation in consumer fraud: The role of trust and emotion. Journal of Social Psychology, 157(5), 583-599. https://www.tandfonline.com/doi/full/10.1080/00224545.2017.1339302
Greenfield, A. L., & Thompson, J. C. (2019). The psychology of fraud: Understanding the mechanisms behind scams. Psychology & Marketing, 36(3), 253-267. https://onlinelibrary.wiley.com/doi/full/10.1002/mar.21195
Kirkpatrick, D. S., & Kelly, E. B. (2021). Deception and fraud in the digital age: Psychological insights. Journal of Cyberpsychology, 17(2), 123-138. https://www.tandfonline.com/toc/ucy120/current
Hogg, P. J., & Cook, K. S. (2015). The role of social influence in fraudulent schemes. Social Influence, 10(4), 287-299. https://www.tandfonline.com/doi/full/10.1080/15534510.2015.1060424
Davis, R. S., & Garcia, T. M. (2020). Victimization and psychological trauma: The impact of scams on mental health. Journal of Applied Psychology, 106(7), 1150-1165. https://journals.sagepub.com/home/apl
Cavusoglu, H., & Raghunathan, S. (2020). The impact of phishing on online users: A cognitive model of phishing attacks. Journal of Cybersecurity, 8(3), 201-215. https://doi.org/10.1093/cybsec/tyaa017
Myles, S., & Bennett, A. (2019). Phishing: A growing threat in digital communications. International Journal of Information Security, 21(1), 45-56. https://doi.org/10.1007/s10207-019-04682-1
Dhamija, R., Tygar, J. D., & Hearst, M. A. (2006). Why phishing works. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (pp. 581-590). https://doi.org/10.1145/1124772.1124853
Jansen, W. (2018). Phishing: Detection and prevention methods. Information Systems Security, 27(4), 143-155. https://doi.org/10.1080/1065898X.2018.1472524
Dodge, A. (2017). The hidden dangers of phishing: How to identify and avoid scams. Journal of Internet Security, 22(3), 12-21. Retrieved from https://www.jstor.org/stable/24676372
Apple. (2023, September 18). Passkeys: The future of passwordless sign-in. Apple Support. Retrieved from https://support.apple.com/en-us/HT213080