Department of Computer Science and Technology

Technical reports

Understanding scam victims: seven principles for systems security

Frank Stajano, Paul Wilson

August 2009, 22 pages

An updated, abridged and peer-reviewed version of this report appeared in Communications of the ACM 54(3):70-75, March 2011 [doi:10.1145/1897852.1897872]. Please cite the refereed CACM version in any related work.


The success of many attacks on computer systems can be traced back to the security engineers not understanding the psychology of the system users they meant to protect. We examine a variety of scams and “short cons” that were investigated, documented and recreated for the BBC TV programme The Real Hustle and we extract from them some general principles about the recurring behavioural patterns of victims that hustlers have learnt to exploit.

We argue that an understanding of these inherent “human factors” vulnerabilities, and the necessity to take them into account during design rather than naïvely shifting the blame onto the “gullible users”, is a fundamental paradigm shift for the security engineer which, if adopted, will lead to stronger and more resilient systems security.

Full text

PDF (0.3 MB)

BibTeX record

  author =	 {Stajano, Frank and Wilson, Paul},
  title = 	 {{Understanding scam victims: seven principles for systems
  year = 	 2009,
  month = 	 aug,
  url = 	 {},
  institution =  {University of Cambridge, Computer Laboratory},
  number = 	 {UCAM-CL-TR-754}