Money is the motivation for scam-spam. The motivation for clicking on it is far less straightforward, and none of us is immune.
“Its not like certain people are going to be nailed by spam all the time. Or that there are certain motivations that will just [always] trigger people [who respond] to spam scams. Its really the interplay between personality and motivation, emotion—all sorts of things,” said Dr. James Blascovich, professor of psychology at UC Santa Barbara and co-director of the universitys Research Center for Virtual Environments and Behavior.
“Its a little more complex, but not much different from the complex interplay of psychological factors that get people to succumb to any sort of scam.”
The idea that none of us are immune is the main takeaway from a report titled “Mind Games: A psychological analysis of common e-mail scams,” that Blascovich and McAfee published on June 25.
While the motivations to click on spam arent much different than those that motivate people to play Three-card Monte, the pool of potential marks—targets of a scam—is far larger on the Internet.
McAfee, of Santa Clara, Calif., throws around figures like these: If half of the population in the United States (about 150 million people) use e-mail on a daily basis, and if only half of them (75 million) are gullible, and only 1 percent (750,000) buy into scam-spam on a given day, and if those victims were to cough up a mere $20 per scam, the potential market amounts to $15 million a day, or $105 million per week, or nearly $5.5 billion per year in just the United States.
According to the report, many—or even most—e-mail users think that in addition to installing spam-filtering software tools and tagging suspect e-mail, they can mentally filter spam via subject line. McAfee notes two problems with this assumption: First, users are less likely to tag spam so as to take advantage of filtering tools. “In the short run, it is simply easier to delete a message than to take the time to remember what to do to tag and add it to a spam filter list, even though in the long run, it would save deleting never-ending repetitions of messages from the same source,” the report notes.
The second problem is that subject lines have simply become more sophisticated, making successful mental filtering tricky even for sophisticated users, according to the report.
These problems with mental filtering make it more important than ever to recognize the mental games spammers play, said McAfee and Blascovich.
One of the most obvious psychological characteristics necessary for scam-spam to succeed is naiveté. Among computer-savvy, young e-mail users, naiveté tends to surround legitimate business practices—i.e., the methods with which legitimate companies and organizations conduct business. Business-savvy older people, on the other hand, tend to be less computer savvy and more trustful of apparent, virtual e-businesses than younger people, according to the report.
Beyond gullibility, lack of intelligence or rationality, there are other psychological factors that trip up e-mail users.
Manipulating motivational processes of “approach and avoidance” are the most basic tricks spammers employ, according to the report. Scam-spam often attempts to motivate click-throughs via pleasure/positive goals/positive outcomes, via avoidance of negative or unpleasant goals or outcomes, or with a combination of both.
The researchers give the example of no-effort weight loss guarantees or cant-miss stock tips as examples of “approach” motivation, whereas the danger of a compromised checking account is an example of “avoidance” motivation. Promotion of sexual enhancement products are an example of a play that employs both types of motivation, the researchers say, with the “approach” motivation being a sexual boost and the “avoidance” motivation being getting away with not having to ask a doctor for a prescription.
Psychologists who study motivation have found that some people are predisposed to either of those two major forms of motivation. Those people predisposed to having their approach motivation piqued, for example, are known as “promotion-focused individuals” who focus on getting ahead, while those prone to avoidance are known as “prevention-focused” and tend to try to avoid falling behind, the report says.
Beyond motivation, however, scammers must work to overcome skepticism, according to the report. They do so by trying to convince recipients of their legitimacy, which can be garnered via many means, including intimacy/familiarity (“Is it you?” or “Hi from Lenny Cabrera”) or authority (“Must Complete and Submit”).
Other psychological tricks scam-spam employs include the use of curiosity (“The report says”), freebies (“Unlimited Adobe Downloads”), current affairs (“Mothers Day,” “Valentines Day”), emotion/love/loss (“another week lonely”), auction fraud (“Brighton handbags”), employment scams (“Instant Payouts”), competition winner (“YOU WON”), and embarrassment (“attack obesity,” “VIAGRA”).
With nobody being immune to this array of mind tricks, how does an enterprise or individual protect itself? By behavioral modification, Blascovich said.
“People just have to realize there are certain things they should just never, ever, ever do, even when they know a correspondent is absolutely legitimate, because there are people trying to install [keystroke] capture software [or other malware] on peoples computers,” he said.
Specifically, McAfee recommends users do the following to starve the e-mail scam industry and to protect individuals and organizations:
- Dont unsubscribe from mail if you dont recognize the sender or company sending the mail.
- Dont publish your e-mail address on any Web site or discussion forum. If necessary, obfuscate e-mail address: for example, write an e-mail address as “myname at mycompany dot com.”
- Use a separate e-mail address to sign up for newsletters, online posting and trade shows. If the mailbox gets unwieldy, you can delete it or filter it more aggressively.
- Use anti-spam software.
- Dont unsubscribe immediately. After a few weeks, compare the messages you want to unsubscribe from and look for common traits, such as common strings of text that you can use to block further mail.
- Dont reply to spam.
- Dont buy anything from spammers.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.