Spam Victim Behavior Research

We all know what spam is. Taking a closer look:

“Spam” is unsolicited email sent in massive quantities simultaneously to numerous users, generally trying to advertise or publicize certain products or services. This junk mail is also often used as a bridgehead for other types of cyber-crime, such as phishing or email scams.

http://www.pandasecurity.com/homeusers/security-info/cybercrime/spam/

Cybercriminals use seemingly endless tricks and methods to deceive a seemingly endless number of victims. This, of course, commands the attention of the many agencies that attempt to protect and safeguard victims and to track down and prosecute cybercriminals. For a brief overview, see “12 spam research projects that might make a difference.” Of note is one section that pertains to scam e-mails:

The practice of scamming e-mail recipients by convincing them to input personal or financial information into a Web site that then steals the information is nothing new, but continues to be of particular interest as phishers relentlessly modify their tactics to net more victims.

Carnegie Mellon University (CMU) has been researching why phishing attacks work and learned that a little bit of education regarding online fraud goes a long way. Early findings of the research, presented in October at the Anti-Phishing Working Group’s eCrime Researchers Summit in Pittsburgh, showed that phishers are often successful because e-mail users ignore information that could help them recognize fraud.

http://www.networkworld.com/article/2289064/lan-wan/12-spam-research-projects-that-might-make-a-difference.html

And a study that delves into educating e-mail users to recognize fraud:

Antiphishing education requires real-world techniques

…phishers are often successful because e-mail users ignore information that could help them recognize fraud.

In one study, three groups of 14 participants each received e-mail messages that included spam and phishing attacks as well as legitimate mail. Two of the groups were presented with educational material about how to prevent being phished; but only one group received the material after having fallen for the phishing e-mails and entered personal information into a fraudulent Web site. According to researchers, that group spent twice as much time studying the material as those participants who hadn’t been phished.

The group that was given educational materials but hadn’t been phished were no better at spotting phishing attacks than the third group, which received no educational materials at all, researchers say.

When researchers ran through the exercise one week later, 64% of the phishing attacks sent to participants who had been phished were correctly identified as such, whereas only 7% of the phishing e-mails were correctly identified by the other two groups.

http://www.networkworld.com/article/2286495/lan-wan/antiphishing-education-requires-real-world-techniques.html

What I am interested in knowing is if there is research into how successful scammers are in their messages as a function of how many victims (percentage) fall for the scam. This goes to the behavior of victim pools. I – as I’m sure most do – receive spam/scam e-mails daily. We’re familiar with the relative of some rich person in some African country who needs our help to gain access to a huge inheritance, and for our help we get hundreds of thousands or millions of dollars. And there are many other “scenarios.” See the message I received today:

My Dear Friend

Please i want you to read this letter very carefully and i must apologize for barging this message into your mail box without any formal introduction due to the urgency and confidential of this issue and i know that this message will come to you as a surprise i finally registered your master card ATM sum of 2.5m usd to DHL courier service company with your code no (Code: (06634) / $2.5 Millon United State Dollars ) contact them immediately with the info below send this detail to director Mr. Larry Ellison  for fast delivery of your atm visa card.

Bellow is his contact.

Name: Mr. Larry Ellison

Why would people fall for this grammatically incorrect, run-on sentence with no punctuation, misspelled “usd” for “used”, “Bellow” for “below”, “Millon” for “Million”, and small “i” instead of “I”?

There’s more in the message including the following request for personal information:

Full Name…………………………………………………………….
Home Address or office……………………………..
Country………………………………………………….
P.O. Box Address……………………………..
Postal Address:……………………. …….
Telephone Number…………………. ..
Age and Sex………………………….

Aside from the fact that the message makes no sense (they are looking to gain access via a reply e-mail and as much information as the victim foolishly divulges), would “Larry Ellison” be more successful, with more victims responding, if the above errors were corrected? What about the amount? Would a victim be more or less inclined to get hooked with a large amount such as $2.5 million, or would a smaller sum, even a much smaller amount such as $5,000.00, make it easier to hoodwink someone?

Anything about demographics and victim populations?

Anything about the timing: e.g. closer to holidays; during holidays; different seasons; etc.?

Ultimately, what role can we as psychologists play in victim behavior research and in educating the public based on the results of such research?

Comments/thoughts are welcome.

Roy
