| 'Cyber felons rely on mind games to scam users' |
| BS Report / Mumbai July 4, 2007 |
| The next time you have an urge to open an email that reads "Urgent Security Notification" or "Your billing account records are out of date", be on your guard. Cyber criminals are increasingly using psychological games and other tactics in social engineering scams that are spread through junk email, reveals a study by security solutions provider McAfee. In the study, titled "Mind Games", the primary author James Blascovich, Professor of Psychology at the University of California, Santa Barbara, says: "Scam spam works best by providing recipients with a sense of familiarity and legitimacy. Once the victim opens the email, criminals use two basic motivational processes, approach and avoidance, or a combination of the two, to persuade victims to click on dangerous links, provide personal information, or download risky files." Blascovich reports on a category of scam emails that targets consumers who are promotion-focused (want to "get ahead") and/or capitalise on consumers' greed. These messages have such subject lines as "You Won" to entice consumers into thinking they may have won a lottery or sweepstakes, "90% discounts" to trick consumers into thinking they are getting great promotional pricing, or "You Are Approved" to target consumers who need a loan or have money woes. Yet another popular lure involves messages that play on feelings of love and loss. A subject like "Why spend another week lonely?" works by preying on the sensitivities of those feeling vulnerable. And finally, there's the voice- of-authority approach: "Attention! Several Credit Card databases have been LOST" and others like it are designed to make consumers feel a sense of urgency and obligation. Once the victim opens the email, criminals use two basic motivational processes: approach and avoidance -- or a combination of the two -- to persuade victims to click on dangerous links, provide personal information or download risky files. An important key to the crooks' success is familiarity. One example is phishing scams which fraudulently acquire sensitive information, such as usernames, passwords, and financial data, by masquerading as a familiar or nationally recognised bank, credit card company or even an online auction site. McAfee Avert Labs recently discovered that the number of phishing Web sites increased by 784 percent in the first half of 2007. Popular sites are also increasingly victimised. In December of 2006, cyber criminals targeted MySpace and used a worm to convert legitimate links to those that lured consumers to a phishing site designed specifically to obtain personal information. "Along with the alarming increase in phishing emails, we are also seeing more sophisticated messages that can fool all but the most highly trained surfer," said David Marcus, security research and communications manager, McAfee Avert Labs. "While earlier phishing emails often included typos, awkward language and minor graphical mistakes, newer scams appear to be more legitimate, with slicker graphics and copy that closely mirrors the language used by respected institutions." In addition to tactics that build on familiarity to create the illusion of legitimacy, phishing scams also target consumers with fear tactics, such as through subject lines like "Urgent Security Notification" and "Your billing account records are out of date." Other lures, such as "Must Complete and Submit" or "You Are Missing Out," are less blatant but similarly trick users into thinking that without a specific action on their part, they're going to lose out. Blascovich points out that by scamming $20 from just half of one percent of the US population, cyber criminals can earn $15 million each day and nearly $5.5 billion in a year, a powerful attraction for skillful scam artists. Indeed, no one likes to think of himself or herself as a |
