The psychology of cyber fraud: Beware the bait

30 September 2022

Cyber fraud typically boils down to one thing – a criminal trying to con you by impersonating someone you trust. It is thought that as much as 90% of all cyber-attacks start with some form of human manipulation [1].

Of course, there are always whiz-kid hackers looking to find back doors into your data networks. But in reality, most cyber criminals want to walk straight in through the front door – simply by exploiting human behaviours – to steal your confidential information or hard-earned cash.

“And this is where the problem lies,” says Paul Maskall, Fraud and Cybercrime Prevention Manager at UK Finance. “Most hackers set out to leverage your weaknesses. But because you think you’ll never fall for it, you don’t spend any time protecting against it. So, it’s never an issue until it is.”

These social engineering attacks play on your vulnerabilities and anxieties. They use a range of tricks and tactics, most often creating a false sense of urgency to lower your natural defences. And even the most sophisticated technical controls are hard-pressed to stop a person who has been persuaded to act.

Gone phishing

Phishing is the most common type of social engineering attack. It involves tricking individuals into unwittingly handing over personal details, login credentials or other information that can then be used for fraud. Cyber criminals do this by creating a bogus website, a fake email or an SMS message that appears to come from a genuine source, such as a bank, a delivery company or a colleague (we wrote about this last year in a separate article, Tips to protect against phishing).

There are also other variations along similar themes – from investment scams to diversion theft, to baiting, honey traps and more. All use the art of deception to trick their victims.

“Everybody is vulnerable to these scams at some point,” says Maskall. “You may be having a tough time at work or at home. This can then colour the world around you – making you more susceptible to not necessarily thinking objectively and clearly.

“Have you ever taken a text message the wrong way from a partner, or an email the wrong way from a colleague? Of course, you read things the way you want to read it based on your emotions at the time.

“It could also be the people who work for you or are around you who are caught off guard. They could have anxiety issues, mounting pressures at home or are struggling to cope with the cost-of-living crisis. If they are fixated on these issues, their intuition may be handicapped in a work environment, and they are much more likely to click on a dodgy link.

“It’s why fraud and cyber is so much more of a human issue than we give it credit for because of our susceptibility to manipulation.”

Less speed, more haste

In the 2011 book ‘Thinking, Fast and Slow’, the Nobel Prize-winning psychologist Daniel Kahneman gives a ground-breaking tour of the mind, explaining that our brain essentially runs two modes of thinking. System One is fast, automatic and intuitive, whereas System Two is slower, deliberate and more rational. He stresses the importance of knowing when to engage each mode, especially as the near-instantaneous System One is the more prone to systematic errors.

Thinking slowly, the book’s System Two, requires more mental effort, but it is one of the best protections against social engineering attacks: the pause is precisely what the attacker’s manufactured urgency is designed to deny you.

“Individuals are more susceptible to falling for scams when emotion trumps logic,” says Archie Nelson, Operational Requirements Lead at XCyber, a cyber-security firm that protects people, data, brands and reputation in the digital domain.

“That’s why attackers will use scarcity, authority and social proof as emotional bait. If you take the bait, you are less likely to think and more likely to do – whether that’s clicking on the link, downloading something, opening an attachment, or transferring money.

“The key is to slow down and ensure logic trumps emotion. Was the email unexpected? Does it make you feel something? Does it ask you to do something? If so, exercise extreme caution.”
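The spoofed message described under ‘Gone phishing’ and the three questions above (Was it unexpected? Does it make you feel something? Does it ask you to do something?) can both be turned into checks that a mail gateway or an analyst runs before a person ever sees the bait. The following Python script is an added example, written for this page and not code from the article, UK Finance or XCyber. The trusted domain list, the urgency phrase list and both sample messages are constructed here for illustration; the sample phish is not a real campaign.

```python
"""Header and content triage for a raw RFC 5322 message (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed: domains this recipient legitimately receives mail from.
TRUSTED_DOMAINS = {"example-bank.com"}

# Pressure language that substitutes emotion for logic (constructed list).
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours",
                   "will be suspended", "verify your account", "final notice")

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"^(?:https?://)?([^/:?#\s]+)", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_trusted(domain: str) -> bool:
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def is_lookalike(domain: str) -> bool:
    """Untrusted domain imitating a trusted one: a near-typo of it, or the
    trusted name used as a leading label of some other registrable domain.
    The distance threshold assumes brand domains long enough not to collide."""
    if not domain or is_trusted(domain):
        return False
    return any(domain.startswith(t + ".") or edit_distance(domain, t) <= 2
               for t in TRUSTED_DOMAINS)


def host_of(url_like: str) -> str:
    """Host part of a URL-ish string; '' for ordinary words such as 'Verify now'."""
    m = HOST_RE.match(url_like.strip())
    return m.group(1).lower() if m and "." in m.group(1) else ""


def triage(raw: str) -> dict:
    """Return the social-engineering indicators found in one raw message."""
    msg = message_from_string(raw)
    findings = []

    display, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    if is_lookalike(from_dom):
        findings.append(f"sender domain {from_dom} imitates a trusted domain")
    if not is_trusted(from_dom) and any(
            t.split(".")[0] in display.lower().replace(" ", "-") for t in TRUSTED_DOMAINS):
        findings.append(f"display name '{display}' claims a trusted brand but address is {addr}")

    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        findings.append(f"Reply-To {reply} diverts replies away from the sender domain")

    auth = msg.get("Authentication-Results", "").lower()
    if any(f"{k}=fail" in auth for k in ("spf", "dkim", "dmarc")):
        findings.append("sender authentication failed (SPF/DKIM/DMARC)")

    # Collect text parts; works for single-part and multipart messages.
    body = ""
    for part in (msg.walk() if msg.is_multipart() else [msg]):
        if part.get_content_type() in ("text/plain", "text/html"):
            body += part.get_payload(decode=True).decode(
                part.get_content_charset() or "utf-8", "replace")

    # Links whose visible text names one host while the href goes elsewhere.
    for href, text in LINK_RE.findall(body):
        shown, real = host_of(re.sub(r"<[^>]+>", "", text)), host_of(href)
        if shown and shown != real:
            findings.append(f"link text shows {shown} but points to {real}")
        if is_lookalike(real):
            findings.append(f"link destination {real} imitates a trusted domain")

    # 'Does it make you feel something? Does it ask you to do something?'
    haystack = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    hits = [p for p in URGENCY_PHRASES if p in haystack]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))

    verdict = ("hold for review" if len(findings) >= 2
               else "caution" if findings else "no indicators")
    return {"findings": findings, "verdict": verdict}


# Constructed sample phish: typo-squatted sender, diverted Reply-To, failed SPF,
# a deceptive link and manufactured urgency. Not a real message.
SAMPLE_PHISH = """\
From: "Example Bank Security" <alerts@examp1e-bank.com>
Reply-To: recover@mail-secure-login.net
To: customer@example.org
Subject: URGENT: your account will be suspended within 24 hours
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=examp1e-bank.com; dkim=none
Content-Type: text/html; charset="utf-8"

<p>We detected unusual activity. Verify your account immediately:</p>
<p><a href="https://example-bank.com.mail-secure-login.net/verify">https://example-bank.com/login</a></p>
"""

# Constructed benign message from the genuinely trusted domain.
SAMPLE_CLEAN = """\
From: "Example Bank" <statements@example-bank.com>
To: customer@example.org
Subject: Your monthly statement is ready
Authentication-Results: mx.example.org; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain; charset="utf-8"

Your statement is available in the app.
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        result = triage(raw)
        print(label, result["verdict"])
        for f in result["findings"]:
            print("  -", f)
```

Each finding maps back to a human-level question: the lookalike and Reply-To checks answer “is this really who it claims to be”, the link check answers “where will clicking actually take me”, and the phrase list flags the emotional bait. None of these is proof on its own; the value is that two or more together justify holding the message, which is the slow, System Two pause the quote above asks people to take for themselves.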

The importance of managing emotions

Most cyber-criminals are cynically efficient, starting with what they perceive to be the low-hanging fruit that is easiest to exploit. And, of course, there are always proactive steps you can take to reduce the risk of an attack: keeping anti-virus software current, patching devices promptly, using strong and unique passwords, and limiting the personal information you expose online, to name a few. But cyber security 101 can only go so far, because none of it stops a person who has been talked into handing over the keys.

“This may be controversial, but while technology is advancing all the time, it isn’t really the enemy when it comes to cyber-crime,” says Maskall at UK Finance. “Rather, it’s the relationship we have with technology that could do with some work. We can talk about all the latest cyber trends, but the style in which hackers try to manipulate you hasn’t changed for thousands of years.

“So, I can always give you a list of things that can make you safer online, but I can’t make you any less emotional in that moment. That’s the real issue, especially as there’s always a flavour of fraud for everyone.”

This communication is general in nature and provided for information/educational purposes only. It does not take into account any specific investment objectives, the financial situation or particular needs of any particular person. It is not intended for distribution, publication, or use in any jurisdiction where such distribution, publication, or use would be unlawful, nor is it aimed at any person or entity to whom it would be unlawful for them to access.

This communication has been prepared by Barclays Private Bank (Barclays) and references to Barclays includes any entity within the Barclays group of companies.

This communication:

(i) is not research nor a product of the Barclays Research department. Any views expressed in these materials may differ from those of the Barclays Research department. All opinions and estimates are given as of the date of the materials and are subject to change. Barclays is not obliged to inform recipients of these materials of any change to such opinions or estimates;

(ii) is not an offer, an invitation or a recommendation to enter into any product or service and does not constitute a solicitation to buy or sell securities, investment advice or a personal recommendation;

(iii) is confidential and no part may be reproduced, distributed or transmitted without the prior written permission of Barclays; and

(iv) has not been reviewed or approved by any regulatory authority.

Any past or simulated past performance including back-testing, modelling or scenario analysis, or future projections contained in this communication is no indication as to future performance. No representation is made as to the accuracy of the assumptions made in this communication, or completeness of, any modelling, scenario analysis or back-testing. The value of any investment may also fluctuate as a result of market changes.

Where information in this communication has been obtained from third party sources, we believe those sources to be reliable but we do not guarantee the information’s accuracy and you should note that it may be incomplete or condensed.

Neither Barclays nor any of its directors, officers, employees, representatives or agents, accepts any liability whatsoever for any direct, indirect or consequential losses (in contract, tort or otherwise) arising from the use of this communication or its contents or reliance on the information contained herein, except to the extent this would be prohibited by law or regulation.