How online scammers learnt to prey on our emotions

Tom Ough, The Independent

Sophie* had just moved house, so it made sense to her mother to receive a message from her daughter asking for money for an urgent bill. “Hi Mum it’s me,” said the message, explaining that she had broken her phone and was using a different one. “She dropped everything to sort it out,” says Sophie of her mother, who had begun the process of transferring £3,000. But the message was not to be trusted. The transfer was destined for a scammer. At that moment, Sophie — the real Sophie — happened to text her mother with an update on her new kitten, which they had picked up together a few days earlier.

Sophie’s mother rang her “in blind panic, convinced she had just been talking to me.” Fortunately, Sophie’s mother alerted her bank and Action Fraud; although she hadn’t yet sent any money, the scammer now had her account details. In the end, no financial loss was incurred, but some embarrassment was. “It made me angry that afterwards she felt embarrassed by it,” says Sophie, “when the whole point of the scam is to exploit a parent’s instinct.” Not so long ago, online fraud seemed most often to take the form of an email from a Nigerian prince. He’d ask in broken English for a loan that would enable him to unlock his fortune, with your help entitling you to a large share of the princely proceeds. It was a simpler time, the era of the temporarily embarrassed Nigerian royal, and it was, at least in terms of online fraud, a safer one. You skimmed the email, dismissed it, and carried on with your business. You didn’t quite shake the hand of the scammer as you parted ways, but nor (by and large) did you get conned.

Today, though, online fraud is resurgent. The princes have been deposed. Modern scams include the parcel you need to pay a delivery fee for; the job offer sent via WhatsApp; the “Hi Mum” sent from an unfamiliar number. All in all, human-initiated fraud attacks rose 92 per cent last year, an analysis found. Email-based fraud has largely had its day, explains security awareness advocate Javvad Malik, because it has been hampered by spam filters and improved public awareness of email scams. Meanwhile, we have come to use instant messaging near-constantly, making our SMS and WhatsApp inboxes the more happening destination for modern scammers. Hence the inundation. “Even if you’re using it for work purposes,” says Malik, who represents the security awareness company KnowB4, “your phone still feels like a personal thing. So people are more likely to respond [to fraudulent messages], especially in the context of multitasking.”

This means that scammers catch people when they’ve just woken up, when they’re in a rush, when their mind’s on other things — times, in short, when we’re not as vigilant as we ought to be. Those suspicious messages you receive — those in which scammers pretend that they’re holding a parcel for you, or that they’re offering you a job, or that they’re the taxman, or a potential romantic partner, or your child, stranded in Morocco and short of a few grand — are all attempts to catch you off-guard. Naturally, it’s always urgent; the requests flood you with panic, giving you little chance to think things over carefully.

And as far as the scammers are concerned, the wider the net they cast, the better their chances of success. Fraud is the most commonly experienced crime in the UK; we are spammed by scams. “On my phone, I use the ‘Report’ feature a lot” — says Malik, referring to the reporting option on WhatsApp — “so that blocks it. But I will get these bursts where sometimes I might even get two or three a day, for a few weeks at a time.”

The messages are likely to come from call centres run by criminals in the developing world. These centres seem to be increasingly active, but it’s not just the frequency of these scam attempts that has changed; it’s their emotional sophistication. “That’s a result of the technologies becoming more mature,” says Malik. “To directly bypass security controls is really difficult. So criminals have spent a lot more time focusing on how they bypass the human.”

In the old days, says Richard de Vere, that was as simple as sending an email saying, “Hi, I work in the tech department. Can I have your password please?” That is a method that has often worked for de Vere, who plays the role of scammer in his work at the business IT company Ultima, which tests companies’ security with methods used by fraudsters. These days, employees don’t fall for the “Can I have your password?” trick. But they still fall for more subtle cons. “A classic one, that almost never fails, is: ‘Hey, I’m just wondering about what company device you have. We’re doing some upgrades and we have some iPhone 15s available.”

Because iPhones are widely desired, “it’s a great way of getting under the skin of people”. And it’s illustrative of de Vere’s theory of effective scamming. He shows me a slide of Maslow’s hierarchy of needs, a pyramid with our most basic needs — food, shelter — at the bottom, and our most profound — morality, creativity, confidence, respect for others — at the top. Scammers might not be aware of Maslow’s work, says de Vere, but their most effective work enacts it. People on lower incomes might be more likely to be targeted with claims that, for example, a direct debit isn’t going to be met. Those whose most basic material needs are met might be more likely to fall for scams that fit into the “Love and Belonging” tier of the Maslow pyramid. These are scams of the “Hi Mum” variety, the kind that swindled an elderly woman out of almost £3,500 when she fell for a four-day impersonation of her daughter conducted via WhatsApp.

As for society’s very wealthiest, look to the top of the pyramid. “If you think Jeff Bezos is getting an email about his kid’s last £100 quid,” says de Vere, “forget it. Jeff Bezos is going to be targeted with something like, ‘Be an ambassador for our charity.’”

The broad-brush psychological savviness of digital fraud is being supplemented by technological progress. Imagine the horror you’d feel if you received a call in which your daughter, screaming, told you she was being kidnapped. This is the reality of a particularly pernicious new scam, which uses artificial intelligence to mimic real voices. Hearing a loved one in distress, says Sabrina Gross, triggers an immediate reaction. “You won’t think. You will spring into action and try to save them.”