The Psychology of Cybercrime

07/05/2022
G DATA Blog

A good criminal needs to know what makes people tick. There is a great deal of psychology involved in criminal activities - especially when it comes to establishing contact with potential victims.

Many cyberattacks are successful because cyber criminals misuse human interaction online. For example, cybercriminals send fake invoices to retrieve passwords or fake text messages from a parcel service to cheat victims out of money. Humans are therefore usually the weak link. Cybercriminals know this like no other and use psychological tactics to trick victims; we also call this social engineering.

But why do people click on dangerous links en masse, when we know the risks? And why are we so quick to give our confidential information to cybercriminals? According to behavioural researcher Robert Cialdini, there are six universal principles of influence that determine human behaviour. Social engineers use these principles of influence to manipulate their potential victims and induce certain behaviour. The six principles of influence are: reciprocity, consensus, consistency, sympathy, authority and scarcity.

Willems’ Second Law

In my book ‘Cyberdanger’ (2019, Springer, English updated version from the original Flemish edition ‘Cybergevaar’ published in 2013 and also available in German ‘Cybergefahr’) I always described that any cybersecurity issue or problem is a direct result of a combination of technological and human factors. Most malware and cyberattacks would not stand a chance without naivety, curiosity or other human weaknesses such as the six principles laid out in this article.

In my book it’s described as Willems’ (Second) Law : CSP = TF x MF

Where CSP stands for a cybersecurity problem, TF for the technological factor (malware, vulnerability, exploit, etc ) and MF for the human factor (human behaviour).

The six principles of influence

  1. The principle of reciprocity means that people feel indebted in some way towards someone who has either done something for them or has offered or given them something without explicitly expecting a return. One possible example is the Good Samarithan approach. Picture a scenario where you receive a message at work stating that does to something you did, a really major issue was caused. But the sender claims to “want to keep this quiet” in hopes to “resolve the situation without involving the upper management”. This is where you come in. You might then be asked to do something, like logging on to a supposed internal website with your login data. So instead of letting the supposed issue blow up in your face, this "Good Samaritan" (who in reality is a criminal) has taken time out of their day to warn you and to offer you a way out of something you might perceive to be an embarrassment or even a career-ending threat. If this does not create moral debt to that person, I do not know what does.
  2. Another principle is consensus. When people are uncertain, they try find others to help them formulate an opinion. Even if they are sure of their convictions, consensus opinions can be very persuasive. For example, when there is a disaster, cybercriminals often pose as charities to collect donations. We have seen this most recently in the wake of the war in Ukraine.
  3. The principle of consistency is based on the fact that we like to act consistently with our previously held views. Through commitment, we feel a certain pressure to behave in a certain way. Do we not? If not, we feel uncomfortable. Most people value integrity because of this. We admire honesty and reliability in others, and we try to put this into practice in our own lives. Cybercriminals take advantage of this by posing as IT managers and saying they need you to perform certain actions (such as entering your access credentials on a fake internal website, or download and run a file), supposedly for cyber security, which then gives them easy access to the network.
  4. Sympathy: Cybercriminals often use their charms. By appearing sympathetic on the phone, they try to get victims to comply with a request to provide sensitive information. Herein lies the issue: The criminals seem very likeable characters that you want to chat with.
  5. Sometimes they also play on the principle of authority by sending a fake e-mail from a CEO, for example, asking him to 'just' transfer an invoice for €15,000. People tend to comply, as the request supposedly comes from a high-ranking person. Another classic example: Criminals claiming to write to you on behalf of your bank, stating that in order to comply with new security regulations you need to “verify” your information unless you want to risk your account being suspended / terminated.
  6. The last principle is scarcity. When people have the idea that either a certain article in a web shop is scarce or that the time to respond to a certain request is very scarce, they are more willing to comply. An example are phishing mails supposedly from the tax authorities, requesting people to respond quickly by clicking on a link, otherwise they risk being fined.

Psychological impact on victims

Besides these psychological tactics, cybercrime also has a psychological impact on victims. Most people think that the impact of an online crime is smaller, but recent research by the NSCR shows this not to be the case. Digital crimes appear to have a similar impact on victims as traditional forms of crime. Generally, people find it difficult to understand that someone can become a victim of cybercrime. This while online crimes take place on a large scale and anyone can become a victim. Due to the lack of understanding, victims of online crime are more likely to experience victim blaming. Victims receive reproachful comments from friends, family or colleagues as well as random strangers on the internet who are known for getting on a high horse, while in reality cybercrime can happen to anyone. It is therefore important to raise the level of knowledge about online crime so that victims can count on support and recognition. An e-learning training course, such as the G DATA Security Awareness Training, is ideal for this.

Don’t blame the victim

In addition we shouldn’t always blame the victims too hard. A user is indeed a weak potential link in your network environment. But instead of pointing fingers and bemoaning the situation, one might as well turn this perceived liability into an asset and offer training and education to the users. Governments in the EU have created some anti-phishing commercials and this can and should be applauded.

 

As a lot of cyberattacks are successful due to human error, it is important to pay more attention to the psychological aspects. For example, little is known about the impact of cybercrime on victims. In addition, more scientific research needs to be done on how to prevent people from clicking on links and taking the correct decisions which ultimately may reduce the number of victims of online crime. Maybe the ultimate solution could be to use Artificial Intelligence (AI) to make the right decisions for us and to make software much more secure by design from the beginning. This is already happening but it still will take a lot of time to arrive in a safer world.

 

Image credit: Pixabay

Eddy Willems
Security Evangelist