Science·Analysis

Why we keep falling for online phishing scams and downloading viruses

Why do so many of us fall prey to phishing attacks and online scams? We hear warnings about the dangers of opening untrusted files and cautionary tales of the repercussions of falling for nefarious internet hoaxes. And yet, the problem persists.

Social networks favour the fast, encouraging users to repost and retweet content before it passes them by

A 2017 report by Verizon found one in 14 users were tricked into following a link or opening an attachment, without giving a second thought to what they're clicking on. (Damien Meyer/AFP/Getty Images)

Why do so many of us fall prey to phishing attacks and online scams? We hear warnings about the dangers of opening untrusted files and cautionary tales of the repercussions of falling for nefarious internet hoaxes. And yet, the problem persists.

Take, for example, the opening of this viral message that spread like wildfire across Facebook last weekend:

"Please tell all the contacts in your messenger list not to accept Jayden K. Smith friendship request. He is a hacker and has the system connected to your Facebook account."

While it turned out to be a harmless hoax, what's notable is how many people fell for it and passed it on.

'What's really amazing here is the speed with which rumours spread,' says Daniel Berkal of the Palmerston Group in Toronto. (LinkedIn)

"There have always been large scale untruths. The internet hasn't changed that," says Daniel Berkal, an ethnographer with the Palmerston Group, a boutique market research firm in Toronto.

"What's really amazing here is the speed with which rumours spread."

From rumours to fake news to hoaxes like Jayden K. Smith, our social networks favour the fast, encouraging users to repost and retweet content before it passes them by in an ever-updating timeline.

The heightened pace at which untruths spread has to do with the ubiquity of the internet and the way content can be shared from one person to the next with a simple swipe or click — often without the sender even being fully aware of what he or she is sending.

What's especially concerning is how often people are falling for these kinds of scams — and in some cases, with far more alarming outcomes.

Attachments are made to look legitimate by masking them as official communication from trusted sources, including banks and social networks. Once opened, they can compromise an entire computer system, in some cases encrypting files. (Damien Meyer/AFP/Getty Images)

According to a 2017 data breach investigation report by Verizon, 80 per cent of hacking-related breaches leveraged either stolen or weak passwords. One in 14 users were tricked into following a link or opening an attachment, without giving a second thought to what they're clicking on.

The irony in the Jayden K. Smith hoax is that while the Facebook users who were fooled into passing on the message were concerned with the possibility of a dangerous hacker on the loose, they also leapt to share the message without stopping to question its validity. While no harm was done this time, often these kinds of hoaxes can be far more nefarious.

"If one does not critically think about each opportunity to click a link online, one could absolutely open oneself up to malware or other viruses," warned Jaigris Hodson, an assistant professor and head of the Interdisciplinary Studies program at Royal Roads University in Victoria.

Why so gullible?

We hear about them all the time: the phishing scam where someone pretending to be from your company's IT department emails to notify you about a system upgrade, saying all they need to finalize the process is your password. It's the easiest way to breach a system, because the victim is fooled into literally handing over the password.

Then there's malware, which could be disguised as an invoice, a receipt for a purchase from Apple, or even a LinkedIn request.

These attachments are made to look legitimate by masking as official communication from trusted sources, including banks and social networks. But once opened, they can compromise an entire computer system, in some cases by encrypting files so that the owner no longer has access to them.

"The systems that hackers use to infect your computer often rely primarily on psychological tricks — that is, tricking people into clicking on a particularly compelling link," says Hodson.

A business professor at Harvard University told Business Insider that our decision to trust someone comes down to just two criteria: warmth and competence. (Robyn Beck/AFP/Getty Images)

Perhaps that's partly why people fell for this particular hoax: we're so inundated by phishing attempts and malware attacks that these kinds of scams are front of mind. When a friend passes on an alert, it's understandable that someone's first instinct would be to consider the message credible and assume that their friend is passing on good information.

"What we call 'gullible' is actually a combination of several interesting human traits," says Berkal.

"On the simplest level, it's a way of showing that we are a part of community and that we have a genuine interest in protecting others. It communicates a helplessness to others that is disarming and unthreatening. It showcases our honest fear for 'the unknown' and the unfamiliar."

Desire to please

It turns out that context is also key to why we fall for scams. In fact, research shows that it's not technological illiteracy that causes people to fall prey to these kinds of hoaxes.

Rather, the more regularly people use Facebook, the more likely they are to fall for a phishing scam and give away their personal information, thanks to a mixture of complacency and a desire to please.

Amy Cuddy, a business professor at Harvard University, told Business Insider in an interview last year that our decision to trust someone comes down to just two criteria: their warmth and their competence. And while her research pertains to the way we size people up when we meet them face to face, it's telling as to why we fall for hoaxes online, too.

Nigerian prince

The fact that the Jayden K. Smith hoax was passed from friend to friend through Facebook messenger was part of what lent it credibility.

After all, we're inclined to trust the people we know. We may be wary of a billion dollar email offer from a Nigerian prince, but because of a feeling of warmth toward our relatives, friends and colleagues, there is a natural inclination to assume the information they pass on is credible.

And as for competence, the more legitimate something looks, or sounds, the more likely we are to be fooled. If something looks official, with for instance, the branding of a trusted company like LinkedIn or iTunes, we're less inclined to question its validity.

Proof to that point: "Invitation to Connect on LinkedIn" is one of the most widely used subject lines in phishing scams.

All to say, it's up to users to be vigilant and be on the lookout for tell-tale signs that something may not be what it seems.

"It's important when you see anything online that you feel emotionally compelled to share, that you first exercise caution and critical thinking," Hodson said.

ABOUT THE AUTHOR

Ramona Pringle

Technology Columnist

Ramona Pringle is an associate professor in Faculty of Communication and Design and director of the Creative Innovation Studio at Ryerson University. She is a CBC contributor who writes and reports on the relationship between people and technology.