First Thing, Daily Maverick's flagship newsletter

Join the 230 000 South Africans who read First Thing newsletter.

We write for you

It’s a public service and we refuse to erect a paywall and force you to pay for truth. Instead, we ask (nicely and often) that those of you who can afford to, become a Maverick Insider and help with whatever you can. In order for truth not to become a thing of the past, we need to keep going.

Currently, 18,000 (or less than 0.3%) of our brave and generous readers are members; which says a lot about their characters and commitment to our country. These people are paying for a free service in order to keep it free for everyone.

They are the true South AfriCANs.(Sorry, we couldn’t help ourselves.)

Support Daily Maverick→
Payment options

Email scams are getting more personal

Maverick Life

THE CONVERSATION

Email scams are getting more personal – they even fool cybersecurity experts

Image: Solen Feyissa / Unsplash

Email fraud is getting more personal and con artists have developed new, chilling tactics. In fact, scammers are getting so good at it that even cybersecurity experts are taken in.

We all like to think we’re immune to scams. We scoff at emails from an unknown sender offering us £2 million, in exchange for our bank details. But the game has changed and con artists have developed new, chilling tactics. They are taking the personal approach and scouring the internet for all the details they can find about us.

Scammers are getting so good at it that even cybersecurity experts are taken in.

One of us (Oliver Buckley) recalls that in 2018 he received an email from the pro-vice chancellor of his university.

“This is it, I thought. I’m finally getting recognition from the people at the top. Something wasn’t right, though. Why was the pro-vice chancellor using his Gmail address? I asked how I could meet. He needed me to buy £800 worth of iTunes gift cards for him, and all I needed to do was scratch off the back and send him the code. Not wanting to let him down, I offered to pop down to his PA’s office and lend him the £5 note I had in my wallet. But I never heard back from him.”

The infamous “prince of Nigeria” emails are falling out of fashion. Instead, scammers are scouring social media, especially business-related ones like LinkedIn, to target people with tailored messages. The strength of a relationship between two people can be measured by inspecting their posts and comments to each other. In the first quarter of 2022, LinkedIn accounted for 52% of all phishing scams globally.

Human tendencies

Psychologists who research obedience to authority know we are more likely to respond to requests from people higher up in our social and professional hierarchies. And fraudsters know it too.

Scammers don’t need to spend much time researching corporate structures. “I’m at the conference and my phone ran out of credit. Can you ask XXX to send me report XXX?” runs a typical scam message.

Data from Google Safe Browsing shows there are now nearly 75 times as many phishing sites as there are malware sites on the internet. Almost 20% of all employees are likely to click on phishing email links, and, of those, a staggering 68% go on to enter their credentials on a phishing website.

Globally, email spam cons cost businesses nearly US$20 billion (£17 billion) every year. Business consultant and tax auditor BDO’s research found that six out of ten mid-sized businesses in the UK were victims of fraud in 2020, suffering average losses of £245,000.

Targets are normally chosen based on their rank, age or social status. Sometimes, spamming is part of a coordinated cyber attack against a specific organisation so targets are selected if they work or have connections to this organisation.

Fraudsters are using spam bots to engage with victims who respond to the initial hook email. The bot uses recent information from LinkedIn and other social media platforms to gain the victim’s trust and lure them into giving valuable information or transferring money. This started over the last two to three years with the addition of chatbots to websites to increase interactions with customers. Recent examples include the Royal Mail chatbot scamDHL Express, and Facebook Messenger. Unfortunately for the public, many companies offer free and paid services to build a chatbot.

And more technical solutions are available for scammers these days to conceal their identities such as using anonymous communication channels or fake IP addresses.

Social media is making it easier for scammers to craft believable emails called spear phishing. The data we share every day gives fraudsters clues about our lives they can use against us. It could be something as simple as somewhere you recently visited or a website you use. Unlike general phishing (large numbers of spam emails) this nuanced approach exploits our tendency to attach significance to information that has some connection to us. When we check our full inbox, we often pick out something that strikes a chord. This is referred to in psychology as the illusory correlation: seeing things as related when they aren’t.

How to protect yourself

Even if you’re tempted to bait email scammers, don’t. Even confirming your email address is in use can make you a target for future scams. There is also a more human element to these scams compared with the blanket bombing approach scammers have favoured for the last two decades. It’s eerily intimate.

One simple way to avoid being tricked is to double-check the sender’s details and email headers. Think about the information that might be out there about you, not just about what you receive and who from. If you have another means of contacting that person, do so.

We should all be careful with our data. The rule of thumb is if you don’t want someone to know it, then don’t put it online.

The more advanced technology gets, the easier it is to take a human approach. Video call technology and messaging apps bring you closer to your friends and family. But it’s giving people who would do you harm a window into your life. So we have to use our human defences: gut instinct. If something doesn’t feel right, pay attention. DM/ML 

This story was first published in The Conversation.

Gareth Norris is a Senior Lecturer in the Department of Psychology at Aberystwyth University. Max Eiza is a Senior Lecturer in Computer Security at Liverpool John Moores University. Oliver Buckley is an Associate professor in cyber security at the University of East Anglia.

Gallery

Comments - share your knowledge and experience

Please note you must be a Maverick Insider to comment. Sign up here or sign in if you are already an Insider.

Everybody has an opinion but not everyone has the knowledge and the experience to contribute meaningfully to a discussion. That’s what we want from our members. Help us learn with your expertise and insights on articles that we publish. We encourage different, respectful viewpoints to further our understanding of the world. View our comments policy here.

All Comments 1

  • Ever since I joined the government database -CSD to be a vendor, I get no less then 2 scams to all email addresses made available to them. Exactly like the email says, they target sending me Request For Quotes for my product range. Fortunately, they are using non-governmental email addresses.
    Then one fool sends a fake email to all 30 of us so you can see all the recipients in the cc field. I just delete his email address and write to the other 29 and tell them it is fake. Please be careful and take not of this article – “A fool knows what he knows. A genius knows what he does not know”.

Please peer review 3 community comments before your comment can be posted