Schneier on Security
A blog covering security and security technology.
November 30, 2009
The Psychology of Being Scammed
This is a very interesting paper: "Understanding scam victims: seven principles for systems security," by Frank Stajano and Paul Wilson. Paul Wilson produces and stars in the British television show The Real Hustle, which does hidden camera demonstrations of con games. (There's no DVD of the show available, but there are bits of it on YouTube.) Frank Stajano is at the Computer Laboratory of the University of Cambridge.
The paper describes a dozen different con scenarios -- entertaining in itself -- and then lists and explains six general psychological principles that con artists use:
1. The distraction principle. While you are distracted by what retains your interest, hustlers can do anything to you and you won't notice.
2. The social compliance principle. Society trains people not to question authority. Hustlers exploit this "suspension of suspiciousness" to make you do what they want.
3. The herd principle. Even suspicious marks will let their guard down when everyone next to them appears to share the same risks. Safety in numbers? Not if they're all conspiring against you.
4. The dishonesty principle. Anything illegal you do will be used against you by the fraudster, making it harder for you to seek help once you realize you've been had.
5. The deception principle. Things and people are not what they seem. Hustlers know how to manipulate you to make you believe that they are.
6. The need and greed principle. Your needs and desires make you vulnerable. Once hustlers know what you really want, they can easily manipulate you.
It all makes for very good reading.
Two previous posts on the psychology of conning and being conned.
EDITED TO ADD (12/12): Some of the episodes of The Real Hustle are available on the BBC site, but only to people with UK IP addresses -- or people with a VPN tunnel to the UK.
Posted on November 30, 2009 at 6:17 AM
• 30 Comments
There appears to be no link to the paper - are we able to read it online?
Thanks for the link. Reading it now.
Frank also lists a seventh - the time principle:
"When you are under time pressure to make an important choice, you use a different decision strategy. Hustlers steer you towards a strategy involving less reasoning"
@Thom: "Hustlers steer you towards a strategy involving less reasoning"
This is so common- and in circumstances other than straight hustles- that I've found you can make a solid rule out of it. If somebody tries to force you to make a decision by an arbitrary deadline, you're better off passing.
The "Time Principle" is also employed by sales-people, and is in my view an important factor on sites such as ebay. Who else remembers the gift-cards offered on ebay that ended up getting sold for _more_ than their value?
I think some gift cards on eBay are 'worth' slightly more than face value because they're not available in some locations. iTunes gift cards in particular carry a slight premium and are bought by people in countries where they can't otherwise get them.
I've had the 'Time Principle' used on me twice recently. Amazing how that sales pitch just goes on and on even though it's dinner time and your toddler is getting cranky. Unfortunately, I fell for it one of the times.
Some of the TV episodes are available on the BBC I-Player web site. You're not meant to access these from outside the UK, but I don't know if they actually block non-UK IP addresses.
Interesting. But has anyone done any studies of the people who do NOT fall for such scams?
While "The real hustle" is a nice show, I think it itself is the real scam. It is very obvious that most of the scenes shown are not real but staged.
Russel: Yes, they do block non-UK IPs. A reason why I have a VPN tunnel to the UK.
Rule #1 for all hustlers:
"you can't cheat an honest person"
Followed closely by: "never give a sucker an even break" and "never smarten up a chump".
The time principle always applies when the salesperson makes you believe that you are getting a better deal by completing the transaction *now* instead of waiting. Especially topical with Black Friday just behind us. Talk about the "special 4 am only doorbuster deals". Just call something a special limited offer, and some people will buy what they don't need.
False Impressions, a book on art forgery, says that "need, greed, and speed" are how people are likely to get conned.
The only issue that I have with the study is the inclusion of pickpocketing. While I do realize it falls under the distraction element, I would think a key element to a scam is someone voluntarily parting with the valued item. Pickpocket is just mugging without the violence.
I like Scam School http://revision3.com/scamschool better. It's paid for itself in free drinks.
@dbcooper "Rule #1 for all hustlers:
"you can't cheat an honest person""
This is just self-justifying tosh. Marks aren't victims they are willing participants. It's how they sleep at night if they have a moral sense.
"The need and greed principle. Your needs and desires make you vulnerable. Once hustlers know what you really want, they can easily manipulate you."
And db Cooper wrote: "you can't cheat an honest person"
While many fascinating scams involve exploiting the mark's greed, I think the currently widespread claim that it is an essential feature is, itself, a scam to lower contempt for conmen.
I find that most of the really common (and hence little studied) scams do NOT involve exploiting greed, and in fact do involve cheating an honest person. For example, the number one most common scam in my neighbourhood recently works like this:
1. Man dressed in overalls and tool-belt cold-calls a house, usually that of a frail pensioner;
2. Tells pensioner he was doing a job on a house across the road, and whilst working on the roof he noticed a serious problem with the victim's roof. It needs to be fixed at once as it is a serious safety hazard, but as it is a quick job and he is already in the area, he can do it straight away.
3. "Tradesman" climbs up on roof and bangs around for a bit, doing no actual work, then comes down and demands money from the mark.
4. Repeat a few houses down the street, citing victim no. 1 as the job he was doing when he noticed the next problem.
This scam does not rely on: victim's greed or dishonesty; distraction; herding; nor social compliance (unless we broaden the term "authority" to mean any kind of trust whatsoever, such as expecting tradesmen to be competent).
It does involve deception, but of a very simple and crude sort: a frail pensioner is unlikely to climb a ladder to their own roof, so they are obligated to accept other people's reports of problems with it.
The only one of Stajano's principles employed here is the one which, as Thom noted, was not mentioned above: time. The critical feature of the scam is the time pressure created because the bogus tradesman is able to do the job right now before he goes home. Roger Moore notes that this time pressure should often in itself be a warning sign of a hustle; but in this case it arises perfectly naturally, because in many areas it can take a long time to get a real tradesman out to look at a problem.
This combines with the real driver of the scam, which is fear -- fear of the unknown, because many people know little or nothing about the basic architectural features of their own private space.
Yet despite having so few features in common with the elaborate "stings" covered by Stajano, this sort of scam is far more common. Don't get me wrong: I think Stajano's work is very useful, and in an area that needs a lot of this sort of work. But we do victims a disservice if we pretend that their moral failings are an essential feature of scams. In reality, the essential feature of scams is pure, simple, and often surprisingly crude deception. Everything else is window dressing to impair the victim's judgement. That impairment can be as elaborate as a "long con" or as simple as too much booze.
How do I know that you have not been using any of these psychological principles on us? I am so confused.
As others have pointed out, you CAN cheat honest folks. That aside, you'll never go wrong for passing up partnership in an illegal scheme, whether it's "legitimate" or not. Perhaps the most common way of cheating honest folks is with fake charities, like those that people are peddling right now, during the holidays.
Someone asked about counter-measures. The problem with counter-measures is that successful ones become widespread, and widespread counter-measures get circumvented (because you can't run a good con if nobody is buying). But one of my own personal counter-measures is to double-check myself and others even when I'm 100% sure that I'm right. More than once, I've tested things and had them proven wrong.
This can be as simple as confirming information you already believe to be true, even when you have no reason to believe it's wrong, or more complex, where you sit down and research something you thought you knew pretty well.
Another counter-measure is to estimate things. It could be as simple as figuring out exactly how much longer it will take to get to work, or something more complex, like trying to infer a product's likely profit margin from its price history. I actually used this against a car salesman several times, especially when I kept multiplying the monthly payment by the length of the loan to calculate the actual cost (they want you to focus on a payment amount, to hide actual costs--it helps if you do it in your head, because you can round up and then they feel obligated to calculate it on their PC to prove that it's not *that* much). Another fun time was when I pointed out that the laser etching couldn't possibly cost $200, because I know of a factory where they wholesale cut glass for about $1/sqft, and the average unit is ~10 sqft, so they'd go horribly broke if it cost that much per unit when they can produce up to 10,000 units/day. When they tried to argue, I told them that I could save them a ton of money by introducing them to the makers of the laser logo machines that were, seemingly, several orders of magnitude cheaper to operate than their setup.
If they can sell 300 cars/month, and I can change $100/car (half their quote) to pennies, and the machine costs maybe $1-2k, it will pay for itself in the first month and make them more than the cost of my car in a year's time. So they should give me the car for free for that information! :-)
"You can't cheat an honest person" is something that scammers tell potential victims to soften them up.
Thanks for posting this, Bruce.
All these comments are extremely interesting and I'm interested in everyone's thoughts on the subject.
That said, I must point out that people shown on The Real Hustle ARE scammed for real and are never aware that they are being filmed for the show. While there are scams within the scams to make everything come together at the right time and place, the actual con games are absolutely not staged on the UK show.
This is essential for myself, Alex and Jess as people only behave correctly when they are unaware that they are being conned. The simple truth is, people can't act.
Once someone has been scammed, a few elements, that were missed during the "live scam", are often re-shot but this is only natural - remember, it's difficult to get someone to hit their marks when they don't know they're being filmed. Other than a few pick-ups, the rest is completely real.
It's also important to remember that we clearly state that people are cheated for real at the top of the show and BBC compliance rules are extremely strict. Our producers must always prove that the scam was genuine.
It's not worth staging either for the sake of the material or the future of the show. Take my word for it (as a con man), to the marks on the show, it's a real hustle.
@ Brandioch Conner,
"Interesting. But has anyone done any studies of the people who do NOT fall for such scams?"
I'm almost certain they have. Only it's not in their interests to publish.
Such is the working life of a con-man they know when their con does not work. However nobody else is sure it's a con in the first place, and if the con man publishes what does and does not work when and why it will probably all stop for him ;)
I think it would be really tough to measure when someone does not fall for a scam.
It is the scams that work that get reported, and why they work is studied and documented.
When someone doesn't fall for a scam, it is very unlikely it is reported. They may not even have realized someone was trying to scam them, or if they suspected it they may not be able to prove it.
If anyone finds any studies, though, I'd like the link. Sounds very interesting.
You wouldn't need to check con men for whether a scam worked or not.
Just use the same techniques shown in the various shows where people do fall for the scams.
Then interview the people who don't fall for it and find out why not.
What is with the recent comments that duplicate a previous poster's message body? Is that perhaps a bug with the blog software?
The most powerful weapon against con, fraud, etc. is access to information. The time element is often used to prevent that access. I have found that accessing the web from my phone whenever I have to make a decision gives me information and, if I am talking to a con man, freaks them out. Cons go for easy marks, someone tapping everything you say into google is dangerous for a con artist and often makes them move onto another target. Saved me from my greedy self on more than one occasion.
The real hustle is great, real piece of public information well. Scam school is not bad but not in the same ball park.
BBC iplayer does use GEOip but I think you might have more luck with Youtube's GeoIP system.
So that's why I get scammed so rarely. I'm immune to 2-4 and resistant to 5, and hustlers never know what I really want so they have trouble using 6. That just leaves 1.