Understanding the psychology of scam victims

Frank Stajano and Paul Wilson (wearing suits... up to something?)

The paper

I have a particular interest in the human aspects of systems security. With Paul Wilson, co-author and co-presenter of the BBC TV show The Real Hustle, in this study we help you understand the psychology of scam victims in order to improve systems security.

Frank Stajano and Paul Wilson. "Understanding scam victims: seven principles for systems security". University of Cambridge technical report UCAM-CL-TR-754, August 2009.
(click paper title to download full text)

Abstract
The success of many attacks on computer systems can be traced back to the security engineers not understanding the psychology of the system users they meant to protect. We examine a variety of scams and “short cons” that were investigated, documented and recreated for the BBC TV programme The Real Hustle and we extract from them some general principles about the recurring behavioural patterns of victims that hustlers have learnt to exploit.
We argue that an understanding of these inherent “human factors” vulnerabilities, and the necessity to take them into account during design rather than naïvely shifting the blame onto the “gullible users”, is a fundamental paradigm shift for the security engineer which, if adopted, will lead to stronger and more resilient systems security.

This work is featured as an invited talk at Usenix Security 2010 and an abridged version of the report has been accepted for publication in Communications of the ACM.

The principles

• Distraction principle. While you are distracted by what retains your interest, hustlers can do anything to you and you won't notice.
• Social Compliance principle. Society trains people not to question authority. Hustlers exploit this “suspension of suspiciousness” to make you do what they want.
• Herd principle. Even suspicious marks will let their guard down when everyone next to them appears to share the same risks. Safety in numbers? Not if they're all conspiring against you.
• Dishonesty principle. Your larceny is what hooks you initially. Thereafter, anything illegal you do will be used against you by the fraudster.
• Deception principle. Things and people are not what they seem. Hustlers know how to manipulate you to make you believe that they are.
• Need and Greed principle. Your needs and desires make you vulnerable. Once hustlers know what you really want, they can easily manipulate you.
• Time principle. When you are under time pressure to make an important choice, you use a different decision strategy. Hustlers steer you towards one involving less reasoning.

Here is a summary of how the principles (columns) are used in the scams (rows) described in the full paper. A full dot means the principle is of major importance for that scam, while a hollow dot means it's used but less important.

In a follow-up work, of which we presented a preliminary version at Security and Human Behaviour 2010, we revise this taxonomy based on a comparison with the related ones compiled by Cialdini in Influence: science and practice and by Lea et al in their OFT report on the psychology of scams.

The comments

This paper has been bouncing around the blogosphere a little:

• Schneier on security
• Memex 1.1
• Boingboing
• Psyblog
• Tech Republic
• Simoleon Sense
• Statistical Modeling, Causal Inference, and Social Science
• Marginal Revolution
• How Publishing Really Works
• Help net security
• Haziq

I am probably missing quite a few references but you may find plenty more by asking Google.

The Real Hustle (TV show)

People often ask me where they can watch the episodes of the show. Easy if you are in the UK: watch them on BBC3, either on digital tv or through iplayer. Episodes from older seasons are frequently aired again, next to new ones. I wish they produced DVDs of the various seasons but so far they have not. Unofficially, you can find many clips on youtube.

Episode titles

Wikipedia has a useful list of episodes, with brief synopses. Here is my own independently-compiled index of episode titles (only Series 1 for the moment). The timestamp, which I find useful to locate individual clips, indicates when the title is displayed on the screen, relative to the start of the show, so the actual story usually starts a little earlier. The title is in (round brackets) if it is only said rather than displayed, and in [square brackets] if I had to make one up because no title was displayed or announced.

Series 1

S1-E1
02:02 the monte
08:22 the jewellery shop scam
12:45 a proposition bet
17:05 the keylogger scam
21:51 the art of the pickpocket:
22:51 ...the mustard dip
23:47 (the flat rental scam)

S1-E2
01:22 (the postal scam)
06:08 a proposition bet
08:42 the lottery scam
15:43 [airport security laptop switch]
19:00 the art of the pickpocket:
19:32 ...the window tap
20:21 (the bogus agency scam)

S1-E3 
01:55 the customs sieze [sic] scam
08:18 a proposition bet
11:34 the jam auction
19:12 [fairground scam - burst the balloons]
21:07 the art of the pickpocket:
21:56 ..."mind my bag"
23:39 the wifi scam

S1-E4 
01:21 the ring reward rip-off
08:49 the black money blag
13:23 a proposition bet
16:20 the art of the pickpocket:
16:58 ...the postman scam
19:48 the poker scam

S1-E5
01:48 the hire-car scam
09:11 (the counterfeit cash con)
11:18 the bluetooth scam
13:45 a proposition bet
19:18 the art of the pickpocket:
20:20 ...the pinch-push pocket-pick
22:37 [the skimmer]

S1-E6
01:19 the melon drop
08:09 [fruit machines]
11:00 the courier con
18:13 a proposition bet
20:45 the art of the pickpocket:
21:31 ...the booster bag scam
23:34 the car park con

S1-E7 
01:52 the i.d. theft hustle
07:07 the art of the pickpocket:
08:00 ...the map scam
09:39 the sob story scam
16:04 a proposition bet
18:59 the change raising con
23:53 [fairground scam - tin can alley]

S1-E8
01:25 the rigged dice rip-off
06:06 a proposition bet
09:35 the psychic scam
17:17 a pool hustle
20:11 [summary: uniforms / technology / fake agencies / props / bar bets]

The presentations

The results of this research, based on real-world scams and frauds as documented and reconstructed for hidden cameras in Paul's TV show, are instructive and entertaining. I have been giving an evolving version of this popular presentation in three continents. Great fun!

Countries where I was invited to give this talk

• 2009-06-11: Boston, MA, USA. SHB 2009 (10-min version).
• 2009-06-25: London, UK. WEIS 2009 rump session (5-min version).
• 2009-09-30: London, UK. Google tech talk.
• 2009-10-08: Athens, Greece. Athens University of Economics and Business seminar
• 2009-10-30: Cambridge, UK. Stack Overflow DevDays invited talk.
• 2009-11-09: Munich, Germany. Google tech talk.
• 2009-11-17: Cambridge, UK. University of Cambridge security seminar.
• 2010-02-10: Zurich, Switzerland. ETH security seminar.
• 2010-03-17: Pittsburgh, PA, USA. CMU Cylab CUPS seminar.
• 2010-03-25: New York City, NY, USA. Columbia University seminar.
• 2010-05-17: Gold Coast, QLD, Australia. AusCERT 2010 invited talk.
• 2010-06-21: Rome, Italy. Università La Sapienza seminar.
• 2010-08-12: Washington, DC, USA. Usenix Security invited talk.

Back to Frank Stajano's home page or Paul Wilson's blog

(recheck) (recheck)