By Stacey Wood, Professor of Psychology, Scripps College, and Yaniv Hanoch, Professor in Decision Science, University of Southampton. Cross-posted from Alternet.
Online fraud is today’s most common crime. Victims are often told they are foolish for falling for it, but fraudsters use psychological mechanisms to infiltrate the defences of their targets, regardless of how intelligent they are.
So it’s important to keep up with the latest scams and understand how they work.
Recently, consumer protection magazine Which? identified some of the most convincing scams of 2023. These scams all have one thing in common – they insidiously take advantage of people’s cognitive biases and psychological blind spots.
They included “pig butchering”, a way of fattening up victims with affection; the missing person scam, which involves posting fake content on social media pages; the traditional PayPal scam; and a new scam called the “fake app alert”, in which malware is hidden in apps that look legitimate.
Pig Butchering
In our work as fraud psychology researchers we have noticed a trend towards hybrid scams, which combine different types of fraud. Hybrid scams often involve crypto investments and sometimes use trafficked labour. In the US alone, the FBI recently reported that people lost US $3.3 billion (£2.6 billion) in 2023 to investment fraud.
Pig butchering is a long-term deception. This type of scam combines elements of romance scams with an investment con. The name comes from the strategy of “fattening up” a victim with affection before slaughter.
It will usually begin with a standard scam approach such as a text, a social media message, or an introduction on a job board site.
Victims may have their guard up at first. However, these scams can unfold over months, with the scammer slowly gaining the victims’ trust and initiating a romantic relationship all the while learning about their vulnerabilities.
For example, they learn about the victim’s financial situation, job stresses, and dreams about the life they want. Romance scammers often saturate their targets with affection and almost constant contact. Pig butchering sometimes involves several trafficked people working as a team to create a single persona.
Once the victim depends on the scammer for their emotional connection, the scammer introduces the idea of making an investment and uses fake crypto platforms to demonstrate returns. The scammers may use legitimate-sounding cryptocoins and platforms. Victims can invest and “see” strong returns online. In reality, their money is going directly to the scammer.
Once a victim transfers a substantial amount of money to the con artist, they are less likely to pull out. This phenomenon is known as the “sunk cost fallacy”. Research has shown people are likely to carry on investing money, time and effort in activities they have already invested in and ignore signs the endeavour isn’t in their best interests.
When the victim runs out of money or tries to withdraw funds, they are blocked.
The victim is left with not only financial devastation, but also the loss of what they may imagine to be their most intimate partnership. They are often too embarrassed to discuss the experience with friends and family or to report to the police.
PayPal Scams
Fake payment requests are a common attack that works by volume rather than playing the long game. Payment requests appear to come from a genuine PayPal address. Fraudulent messages typically begin with a generic greeting, an urgent request and a fake link.
For example: “Dear User: You’ve received a payment, or you have paid too much. Please click link below for details.” Users are directed to a spoofed website with a legitimate-sounding name such as www.paypal.com/SpecialOffers and asked to enter their account information and password.
Both of us have received these scam requests – and even we found them difficult to discern from legitimate PayPal request emails. These scams work through mimicry and play on the human tendency to trust authority. Legitimate PayPal correspondence is usually automatic bot language, so it is not difficult to imitate.
But remember, genuine messages from PayPal will use your first and last name.
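The three indicators the section lists (generic greeting, urgent call to action, link to a domain that only resembles the brand’s) can be checked mechanically. The following is an added example, not code from the article or from PayPal; it assumes a single-part plain-text message and a constructed sample modelled on the wording quoted above.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Wording patterns taken from the article's description of fake payment requests.
GENERIC_GREETINGS = ("dear user", "dear customer", "dear member", "dear paypal user")
URGENCY_WORDS = ("click link below", "click the link", "immediately", "within 24 hours")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def registrable_domain(host: str) -> str:
    """Reduce 'www.paypal.com' or 'paypal.com.evil.example' to its last two labels.
    Simplified: does not handle public suffixes such as co.uk."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def phishing_indicators(raw_email: str, brand_domain: str = "paypal.com") -> list[str]:
    """Return the indicators found in one RFC 822 message string (plain-text body assumed)."""
    msg = message_from_string(raw_email)
    payload = msg.get_payload()
    body = payload if isinstance(payload, str) else ""
    lowered = body.lower()
    found = []
    # 1. From: header claims the brand but the address sits on another domain.
    #    (Header text alone is spoofable; mail servers verify it with SPF/DKIM.)
    sender = msg.get("From", "")
    addr = re.search(r"<([^>]+)>", sender)
    addr_domain = addr.group(1).split("@")[-1] if addr else sender.split("@")[-1]
    if registrable_domain(addr_domain) != brand_domain:
        found.append(f"sender domain {addr_domain} is not {brand_domain}")
    # 2. Generic greeting instead of the account holder's name.
    if any(lowered.lstrip().startswith(g) for g in GENERIC_GREETINGS):
        found.append("generic greeting")
    # 3. Urgent call to action.
    if any(w in lowered for w in URGENCY_WORDS):
        found.append("urgent request")
    # 4. Links whose host merely starts with the brand name (paypal.com.<other>.example).
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if registrable_domain(host) != brand_domain:
            found.append(f"link host {host} is not {brand_domain}")
    return found

# Constructed sample for illustration; not a real message.
SAMPLE_PHISH = """From: PayPal Service <service@paypal-billing.example>
Subject: You've received a payment

Dear User: You've received a payment, or you have paid too much.
Please click link below for details.
https://www.paypal.com.specialoffers.example/login
"""
```

Running `phishing_indicators(SAMPLE_PHISH)` on the constructed sample flags all four indicators; a genuine notice addressed by name and linking only to the brand’s own domain returns an empty list.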
The Missing Person Scam
This seems to be a new scam that exploits a person’s kindness. In the past, charity scams involved posing as a charitable organisation responding to a recent, real calamity.
The new missing person scam is more sophisticated. The initial plea is a fake missing person post that generates likes and shares, increasing its credibility and exposure. Then the fraudster edits the content to create an investment scheme which now has the veneer of legitimacy.
This scam may work because the initial consumers are unaware that the content is fraudulent, and there is no obvious request. In psychology, this type of persuasion is known as “social proof” – the tendency of individuals to follow and copy behaviour of others.
Fake App Alerts
Fraudsters post mobile apps designed to steal users’ personal information on the Google Play or Apple app stores.
The app often has a legitimate function, which gives it a cover. Consumers unknowingly jeopardise their private information by downloading these apps which use malware to access additional information.
Although there has been media coverage of Android security issues, many users assume malware cannot bypass app store screening. Again, this scam plays on people’s trust in authority figures to keep them safe.
Discuss any investment opportunities with friends, family members or professionals. It’s much easier said than done, but exercising caution is one of the best strategies to reduce the chance of becoming a fraud victim.
Scammers count on people paying little to no attention to their emails or messages before clicking on them or providing valuable information. When it comes to scams, the devil is in the missing details.
I get the occasional e-mail phishing attack purporting to be either PayPal, Amazon, or recently, Etsy. I have learned to double check the originating “internet address” almost automatically. Those long strings of digits and letters are a dead giveaway.
I have joked before that we “consumers” need a Stuxnet of our own to feed back to the scammers. The progression of such a program would be very edifying. Imagine the shady intersections of the criminal underworld and “official” government surveillance systems that would show up. If the CIA can self-fund its “Black Ops” through the drugs trade, why not also through the ‘Nigerian Prince Network?’
What a world we live in.
Star Dot Star is your friend. Stay safe.
I think the major component is that the net has driven the cost of sending to virtually zero.
Before the net such scams were limited by geography and the cost of postage.
Call me snippy, but I just don’t like this piece. Starts with a bald claim “Online fraud is today’s most common crime” from a 2017 Experian-UK piece which actually just claims explicitly that “fraud is now the most common crime in the UK” and attempts to conflate fraud with cybercrime. There are other frauds, such as the Covid business funding frauds from 2 years ago, with very high $s.
Also, the statement “But remember, genuine messages from PayPal will use your first and last name” is just dumb, because it suggests that a message using your name can be trusted. People’s correct names correlated to email addresses are obtained all the time by breaches.
It didn’t have a common paypal scam – I’ve had 8 or so messages in the last year – it’s an invoice for stuff like purchase of McAfee or other security software or buying crypto – to the tune of $300 to $400 – and that they will be charging you AND taking money from your paypal account that day, and they give a number to call if you want to query the transaction.
Naturally you get all steamed up since you never bought this stuff – you look in paypal and indeed they’ve sent an “invoice” to your paypal account that paypal has dutifully recorded AND forwarded the invoice to you – so it’s an email from paypal with an additional message from the scammer.
BUT, paypal won’t pay it off just like that. This isn’t like automatic debit transactions like monthly utility bills etc.
Since I know that I just ignore the whole thing and don’t call the number the scammer has given. If somebody’s called the number I’d love to know ‘the rest of the story’.
Here’s an example:
FWIW I’ve gotten similar emails about credit cards, something like “Thank you for your purchase. Your credit card will be charged $500.” with a link. I assume if you click the link (I haven’t) you’ll be taken to some site that will try to get your credit info. At least with this scam you can verify independently if your card was charged (so far no).
Maybe it’s just me, but there’s a wrinkle on this approach where I’ve received pretty much the same message, only with an attached excel (.xlsx) file containing my invoice.
Someone may want to correct me, but such a file is the equivalent of a bomb (Trojan horse), that might then do anything to or with your computer.
I have received some very clever scamming messages — one was an absolutely perfect page from a bank, the only giveaway being a single letter in a URL. However, some I haven’t yet figured out. A few years ago, someone used Paypal to send me a substantial amount of money (for me, anyway). I had not requested it and knew nothing about the donor. I do not solicit donations. I let it sit there (in my account) for a few months, and then the mysterious “transaction” was mysteriously “canceled”. I wrote to Paypal about it but they had no useful information. I can only speculate as to how the game was supposed to work.
My brother runs computer/network security for a fortune 500 company. It’s a constant battle. Even when they don’t go after the AP staff directly, the vendors can get hacked and try to redirect payment. His CEO is pretty supportive; last year they did a full-on exercise in the front office for a ransomware attack scenario.
I like the ones that tell me they’re freezing bank accounts that I don’t have due to “suspicious activity.” But if I just log in – using this convenient link – I can make it all right.
Seeing an uptick in the ones that LifelongLib describes, too – “Your card will be charged for … “