Understanding the psychology of scam victims

Frank Stajano and Paul Wilson (wearing suits... up to something?)

The paper

I have a particular interest in the human aspects of systems security. In this study, written with Paul Wilson (co-author and co-presenter of the BBC TV show The Real Hustle), we help you understand the psychology of scam victims in order to improve systems security.

Frank Stajano and Paul Wilson. "Understanding scam victims: seven principles for systems security". University of Cambridge technical report UCAM-CL-TR-754, August 2009.

The success of many attacks on computer systems can be traced back to the security engineers not understanding the psychology of the system users they meant to protect. We examine a variety of scams and “short cons” that were investigated, documented and recreated for the BBC TV programme The Real Hustle and we extract from them some general principles about the recurring behavioural patterns of victims that hustlers have learnt to exploit.
We argue that an understanding of these inherent “human factors” vulnerabilities, and the necessity to take them into account during design rather than naïvely shifting the blame onto the “gullible users”, is a fundamental paradigm shift for the security engineer which, if adopted, will lead to stronger and more resilient systems security.

This work is featured as an invited talk at Usenix Security 2010 and an abridged version of the report has been accepted for publication in Communications of the ACM.

The principles

Here is a summary of how the principles (columns) are used in the scams (rows) described in the full paper. A full dot means the principle is of major importance for that scam, while a hollow dot means it's used but less important.

Matrix of scams and principles

In a follow-up work, of which we presented a preliminary version at Security and Human Behaviour 2010, we revise this taxonomy based on a comparison with the related ones compiled by Cialdini in Influence: science and practice and by Lea et al. in their OFT report on the psychology of scams.

The comments

This paper has been bouncing around the blogosphere a little:

I am probably missing quite a few references but you may find plenty more by asking Google.

The Real Hustle (TV show)

People often ask me where they can watch the episodes of the show. Easy if you are in the UK: watch them on BBC3, either on digital TV or through iPlayer. Episodes from older seasons are frequently aired again, next to new ones. I wish they produced DVDs of the various seasons but so far they have not. Unofficially, you can find many clips on YouTube.

Episode titles

Wikipedia has a useful list of episodes, with brief synopses. Here is my own independently-compiled index of episode titles (only Series 1 for the moment). The timestamp, which I find useful to locate individual clips, indicates when the title is displayed on the screen, relative to the start of the show, so the actual story usually starts a little earlier. The title is in (round brackets) if it is only said rather than displayed, and in [square brackets] if I had to make one up because no title was displayed or announced.

Series 1

02:02 the monte
08:22 the jewellery shop scam
12:45 a proposition bet
17:05 the keylogger scam
21:51 the art of the pickpocket:
22:51 ...the mustard dip
23:47 (the flat rental scam)

01:22 (the postal scam)
06:08 a proposition bet
08:42 the lottery scam
15:43 [airport security laptop switch]
19:00 the art of the pickpocket:
19:32 ...the window tap
20:21 (the bogus agency scam)

01:55 the customs sieze [sic] scam
08:18 a proposition bet
11:34 the jam auction
19:12 [fairground scam - burst the balloons]
21:07 the art of the pickpocket:
21:56 ..."mind my bag"
23:39 the wifi scam

01:21 the ring reward rip-off
08:49 the black money blag
13:23 a proposition bet
16:20 the art of the pickpocket:
16:58 ...the postman scam
19:48 the poker scam

01:48 the hire-car scam
09:11 (the counterfeit cash con)
11:18 the bluetooth scam
13:45 a proposition bet
19:18 the art of the pickpocket:
20:20 ...the pinch-push pocket-pick
22:37 [the skimmer]

01:19 the melon drop
08:09 [fruit machines]
11:00 the courier con
18:13 a proposition bet
20:45 the art of the pickpocket:
21:31 ...the booster bag scam
23:34 the car park con

01:52 the i.d. theft hustle
07:07 the art of the pickpocket:
08:00 ...the map scam
09:39 the sob story scam
16:04 a proposition bet
18:59 the change raising con
23:53 [fairground scam - tin can alley]

01:25 the rigged dice rip-off
06:06 a proposition bet
09:35 the psychic scam
17:17 a pool hustle
20:11 [summary: uniforms / technology / fake agencies / props / bar bets]
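As an added example (not part of the original page), here is a small Python parser for the index format described above: the MM:SS timestamp is when the title appears on screen, round brackets mark a title that was only spoken, square brackets mark one I had to invent, "..." marks a sub-segment of the preceding heading (the pickpocket techniques), and a blank line separates episodes. The sample index embedded in the code is a constructed subset of the Series 1 lines; the `Segment` class and the function names are my own choices for this illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the page's own index format (a subset of the Series 1
# lines above, two episodes separated by a blank line).
SAMPLE_INDEX = """\
02:02 the monte
08:22 the jewellery shop scam
21:51 the art of the pickpocket:
22:51 ...the mustard dip
23:47 (the flat rental scam)

01:22 (the postal scam)
15:43 [airport security laptop switch]
19:00 the art of the pickpocket:
19:32 ...the window tap
"""


@dataclass
class Segment:
    episode: int                  # 1-based index of the blank-line-separated block
    seconds: int                  # offset of the on-screen title, in seconds from the start
    title: str                    # title with brackets, trailing colon and leading dots removed
    source: str                   # "displayed", "said" (round brackets) or "made-up" (square brackets)
    parent: Optional[str] = None  # heading this "..." sub-segment belongs to, if any


LINE_RE = re.compile(r"^(\d{2}):(\d{2})\s+(\S.*)$")


def classify(raw: str):
    """Map the page's bracket convention to a provenance label."""
    if raw.startswith("(") and raw.endswith(")"):
        return raw[1:-1].strip(), "said"
    if raw.startswith("[") and raw.endswith("]"):
        return raw[1:-1].strip(), "made-up"
    return raw, "displayed"


def parse_index(text: str) -> List[Segment]:
    """Parse index lines into Segments; a blank line starts a new episode."""
    segments: List[Segment] = []
    episode = 1
    in_block = False
    last_heading: Optional[str] = None
    last_seconds = -1
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            if in_block:            # end of an episode block
                episode += 1
                in_block = False
                last_heading = None
                last_seconds = -1
            continue
        m = LINE_RE.match(line.strip())
        if m is None:
            raise ValueError(f"line {lineno}: not 'MM:SS title': {line!r}")
        in_block = True
        mm, ss, raw = m.groups()
        seconds = int(mm) * 60 + int(ss)
        # Timestamps are relative to the start of the show, so within one
        # episode they must not go backwards; treat that as a data error.
        if seconds < last_seconds:
            raise ValueError(f"line {lineno}: timestamp {mm}:{ss} earlier than previous entry")
        last_seconds = seconds
        raw = raw.strip()
        parent = None
        if raw.startswith("..."):   # continuation of the preceding heading
            raw = raw[3:].strip()
            parent = last_heading
        title, source = classify(raw)
        if title.endswith(":"):     # a heading that introduces sub-segments
            title = title[:-1].strip()
            last_heading = title
        segments.append(Segment(episode, seconds, title, source, parent))
    return segments


def titles_by_source(segments: List[Segment], source: str) -> List[str]:
    """Titles with a given provenance, e.g. every title that had to be made up."""
    return [s.title for s in segments if s.source == source]


if __name__ == "__main__":
    for seg in parse_index(SAMPLE_INDEX):
        where = f" (under '{seg.parent}')" if seg.parent else ""
        print(f"ep{seg.episode} {seg.seconds:4d}s {seg.source:9s} {seg.title}{where}")
```

Running the script prints one line per segment with its episode number, offset in seconds, provenance and parent heading, which makes it easy to pull out, say, only the titles that were never displayed or announced, or to check that the timestamps within an episode are in order.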

The presentations

The results of this research, based on real-world scams and frauds as documented and reconstructed for hidden cameras in Paul's TV show, are instructive and entertaining. I have been giving an evolving version of this popular presentation in three continents. Great fun!

Countries where I was invited to give this talk

