Guest spot: Barclays Bank: Psychology - the art of the scam
25 April 2018
Social engineering scams have come more into focus through the Take Five campaigns run by Financial Fraud Action UK, and through the efforts of industry participants and regulators. These campaigns typically focus on the warning signs to look out for, rather than explaining why the scams continue to work.
As a behavioural economist, Dr. Peter Brooks, Head of Behavioural Finance at Barclays Wealth and Investments, has an interest in the tactics scammers use to defraud an organisation. Social engineering scams are effective because they recognise that the weakest point in a security procedure is often human psychology. The study of behavioural economics offers many demonstrations of how our decisions can be manipulated. In this article, he looks at why social engineering can be so effective by examining the CEO fraud scam.
In this scam someone claiming to be the CEO unexpectedly approaches a colleague in the finance department to make a prioritised payment. This pulls three psychological levers which can lower our defences against the scammers: authority, urgency and consequence. When combined, they create an effective way to defraud an individual.
In the 1960s psychologist Stanley Milgram conducted experiments into how individuals respond to orders from someone in a position of authority. The rather uncomfortable (and somewhat controversial) experiment involved a participant trying to teach pairs of words to a fellow participant.
If the ‘learner’ got a pair wrong, the ‘teacher’ had to administer larger and larger electric shocks. In fact, the learner was an actor and no electric shocks were involved. However, the experiments found that many individuals would continue to apply the shocks even after the actor had stopped describing the pain of each shock and had fallen silent. When the teacher questioned whether to go on, the experimenter simply instructed them to continue the experiment.
In the CEO fraud scam the scammer establishes their position of authority (albeit falsely) and makes an instruction. If the Milgram experiments are to be believed, we tend to be obedient rather than defiant in a situation like this. The success of this element of the scam depends upon how successfully the scammer can trick you into thinking they are the CEO. Once that is done, the scam has a good chance of succeeding.
Another element that is likely to increase obedience is creating a sense of consequence for the person being targeted. This is often done through the threat of a complaint or some other disciplinary measure – an important tool in the scammer’s armoury. We all naturally tend to avoid the possibility of bad outcomes; in other words, we are loss-averse. Here the scammer will try to make you focus on the personal downsides of not complying with their instruction. That triggers an emotional reaction, and our psychology takes over to look for ways of limiting the downside. Of course, one way to limit that downside is to carry out the instruction – exactly the result the scammer is trying to guide you towards.
Thinking fast and slow
We will all recognise that we normally make better decisions when we take some time to think things through. In the CEO fraud scam the scammer will often introduce an element of urgency to apply more stress on their target. Nobel Prize winning psychologist Daniel Kahneman described how we make decisions in his book Thinking Fast and Slow.
Kahneman described how the majority of our decisions are taken by our instinctive, fast-thinking processes. For instance, when you happen to touch something hot, you don’t actively think – you just move your hand quickly away from the heat. Our more thoughtful, slow-thinking processes sit in the background, validating instinctive actions and doing what we all recognise as thinking when a little more contemplation is needed. The scammer knows that their chances are diminished if you get time to think, so they will apply pressure, urgency and stress to push you into a quick decision.
Authority, personal consequence and urgency are important parts of the scammer’s toolkit because together they pull many of our psychological levers. The effects of psychological manipulation are difficult to defend against, but awareness and training provide a starting point. Can you better establish that the request really is coming from a person of authority, rather than accepting it at face value? Is the threat of a personal consequence reasonable, or is it just someone trying to trick you into doing something? How can you build more time and prompts into business processes so that the slower parts of our thinking are given a better chance of catching the warning signs? A little understanding of how scammers influence people gives us a better opportunity to change our way of thinking and make scams less effective.
The scammer’s toolkit
Create a sense of authority: We tend to comply with authority rather than follow our conscience
Create a sense of consequence: We tend to be loss-averse and will seek to avoid a negative consequence
Create a sense of urgency: We make worse decisions under stress and time pressure
Appeal to our vanity or greed: We struggle to resist opening that email attachment which promises to tell us how much our colleagues get paid
To find out how Barclays can help your business, please contact Relationship Director, Rob Mills on 07775 543570 or email firstname.lastname@example.org
The views expressed in this article are the views of the author alone and do not necessarily reflect the views of the Barclays Bank PLC Group, nor should they be taken as statements of policy or intent of the Barclays Bank PLC Group. The Barclays Bank PLC Group takes no responsibility for the veracity of information contained in third party guides or articles and gives no warranties or undertakings of any kind, whether express or implied, regarding the accuracy or completeness of the information given. The Barclays Bank PLC Group takes no liability for the impact of any decisions made based on the information contained and views expressed.
Barclays Bank UK PLC. Authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority (Financial Services Register No. 759676). Registered in England. Registered no. 9740322. Registered Office: 1 Churchill Place, London E14 5HP. May 2018
+ Please note: this is a mobile phone number and calls will be charged in accordance with your mobile tariff.