Beyond gullibility, lack of intelligence or rationality, there are other psychological factors that trip up e-mail users.
Manipulating the motivational processes of "approach and avoidance" is the most basic trick spammers employ, according to the report. Scam-spam often attempts to motivate click-throughs via pleasure/positive goals/positive outcomes, via avoidance of negative or unpleasant goals or outcomes, or with a combination of both.
The researchers cite no-effort weight loss guarantees or can't-miss stock tips as examples of "approach" motivation, whereas the danger of a compromised checking account is an example of "avoidance" motivation. Promotion of sexual enhancement products is an example of a play that employs both types of motivation, the researchers say, with the "approach" motivation being a sexual boost and the "avoidance" motivation being getting away with not having to ask a doctor for a prescription.
Psychologists who study motivation have found that some people are predisposed to either of those two major forms of motivation. Those people predisposed to having their approach motivation piqued, for example, are known as "promotion-focused individuals" who focus on getting ahead, while those prone to avoidance are known as "prevention-focused" and tend to try to avoid falling behind, the report says.
Beyond motivation, however, scammers must work to overcome skepticism, according to the report. They do so by trying to convince recipients of their legitimacy, which can be garnered via many means, including intimacy/familiarity ("Is it you?" or "Hi from Lenny Cabrera") or authority ("Must Complete and Submit").
Other psychological tricks scam-spam employs include the use of curiosity ("The report says"), freebies ("Unlimited Adobe Downloads"), current affairs ("Mothers Day," "Valentines Day"), emotion/love/loss ("another week lonely"), auction fraud ("Brighton handbags"), employment scams ("Instant Payouts"), competition winner ("YOU WON"), and embarrassment ("attack obesity," "VIAGRA").
With nobody being immune to this array of mind tricks, how does an enterprise or individual protect itself? By behavioral modification, Blascovich said.
"People just have to realize there are certain things they should just never, ever, ever do, even when they know a correspondent is absolutely legitimate, because there are people trying to install [keystroke] capture software [or other malware] on people's computers," he said.
Specifically, McAfee recommends users do the following to starve the e-mail scam industry and to protect individuals and organizations:
- Don't unsubscribe from mail if you don't recognize the sender or company sending the mail.
- Don't publish your e-mail address on any Web site or discussion forum. If necessary, obfuscate the e-mail address: for example, write an e-mail address as "myname at mycompany dot com."
- Use a separate e-mail address to sign up for newsletters, online posting and trade shows. If the mailbox gets unwieldy, you can delete it or filter it more aggressively.
- Use anti-spam software.
- Don't unsubscribe immediately. After a few weeks, compare the messages you want to unsubscribe from and look for common traits, such as common strings of text that you can use to block further mail.
- Don't reply to spam.
- Don't buy anything from spammers.
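The "compare the messages and look for common strings" advice above can be done mechanically. The following Python sketch is an added example, not part of the report or McAfee's guidance: it finds three-word phrases shared by every unwanted message and absent from mail you want to keep. The sample messages, the sender name and all function names are constructed for illustration.

```python
import re
from collections import Counter

def shingles(text, n=3):
    """Return the set of lowercase word n-grams in one message body."""
    words = re.findall(r"[a-z0-9']+", text.lower())
    return {" ".join(words[i:i + n]) for i in range(len(words) - n + 1)}

def common_strings(unwanted, wanted, n=3, min_share=1.0):
    """Phrases seen in at least min_share of the unwanted messages and in
    none of the wanted ones, so a rule built on them spares wanted mail."""
    counts = Counter()
    for body in unwanted:
        counts.update(shingles(body, n))  # a set, so one count per message
    safe = set()
    for body in wanted:
        safe |= shingles(body, n)
    need = min_share * len(unwanted)
    hits = [(p, c) for p, c in counts.items() if c >= need and p not in safe]
    return [p for p, _ in sorted(hits, key=lambda pc: (-pc[1], pc[0]))]

def blocks(body, phrases, n=3):
    """True if the message contains any of the candidate filter phrases."""
    return not shingles(body, n).isdisjoint(phrases)

# Constructed sample mail: three messages collected over a few weeks from
# one sender, plus one wanted message with a similar-looking footer.
UNWANTED = [
    "Weekly deals inside! To stop receiving these offers visit our "
    "preference center. Sent by Example Promotions Ltd.",
    "Your coupon is waiting. Sent by Example Promotions Ltd. To stop "
    "receiving these offers visit our preference center.",
    "Last chance to save big today. To stop receiving these offers visit "
    "our preference center. Sent by Example Promotions Ltd.",
]
WANTED = [
    "Your monthly statement is ready. To stop receiving these statements "
    "visit our preference center.",
]

if __name__ == "__main__":
    for phrase in common_strings(UNWANTED, WANTED):
        print(phrase)
```

Generic footer text such as "visit our preference center" is dropped because the wanted message also contains it, which is the reason to compare against mail you want to keep before writing a block rule.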