McAfee, Inc. released the results of a groundbreaking study that details the psychological games and other tactics cyber criminals use in social engineering scams propagated through junk email. In the study titled "Mind Games," the primary author, Dr. James Blascovich, Professor of Psychology at the University of California, Santa Barbara, offers analyses of multiple common scam emails and provides surprising insights into how cyber criminals use fear, greed and lust to methodically steal personal and proprietary financial information.
The same psychological practices used by cyber criminals were also investigated in a European report, commissioned by McAfee(R) in association with leading forensic psychologist, Professor Clive Hollin, based at University of Leicester in the United Kingdom.
"Scam spam works best by providing recipients with a sense of familiarity and legitimacy, either by creating the illusion that the email is from a friend or colleague, or providing plausible warnings from a respected institution," Dr. Blascovich noted. "Once the victim opens the email, criminals use two basic motivational processes, approach and avoidance, or a combination of the two, to persuade victims to click on dangerous links, provide personal information, or download risky files. By scamming $20 from just half of one percent of the U.S. population, cyber criminals can earn $15 million each day and nearly $5.5 billion in a year, a powerful attraction for skillful scam artists."
An important key to the crooks' success is familiarity. One example is phishing scams which fraudulently acquire sensitive information, such as usernames, passwords, and financial data, by masquerading as a familiar or nationally recognized bank, credit card company or even an online auction site. Recently, McAfee Avert(R) Labs found that the number of phishing Web sites increased by 784 percent in the first half of 2007.
Popular sites are also increasingly victimized. In December of 2006, cyber criminals targeted MySpace and used a worm to convert legitimate links to those that lured consumers to a phishing site designed specifically to obtain personal information.
"Along with the alarming increase in phishing emails, we are also seeing more sophisticated messages that can fool all but the most highly trained surfer," said David Marcus, security research and communications manager, McAfee Avert Labs. "While earlier phishing emails often included typos, awkward language and minor graphical mistakes, newer scams appear to be more legitimate, with slicker graphics and copy that closely mirrors the language used by respected institutions."
In addition to tactics that build on familiarity to create the illusion of legitimacy, phishing scams also target consumers with fear tactics, such as through subject lines like "Urgent Security Notification" and "Your billing account records are out of date." Other lures, such as "Must Complete and Submit" or "You Are Missing Out," are less blatant but similarly trick users into thinking that without a specific action on their part, they're going to lose out.
Dr. Blascovich also reports on a category of scam emails that target consumers who are promotion focused (want to "get ahead") and/or capitalize on consumers' greed. These messages have such subject lines as "You Won" to entice consumers into thinking they may have won a lottery or sweepstakes, "90% discounts" to trick consumers into thinking they are getting great promotional pricing, or "You Are Approved" to target consumers who need a loan or have money woes.
Yet another popular lure involves messages that play on feelings of love and loss. A subject like "Why spend another week lonely?" works by preying on the sensitivities of those feeling vulnerable. And finally, there's the voice- of-authority approach: "Attention! Several Credit Card databases have been LOST" and others like it are designed to make consumers feel a sense of urgency and obligation.
Additional in-depth information on top phishing scams and security threats is available at the McAfee Threat Center at http://www.mcafee.com/us/threat_center/default.asp.
The "Mind Games," report is available online at http://www.mcafee.com/us/threat_center/white_paper.html.