We all have a good laugh when we hear of the Iowa lawyer who fell for the Nigerian Prince Scam. How can anyone be so stupid! Yet, smart people are scammed everyday.
The stereotype of the easy scam victim is an elderly person who just got their first computer or smartphone. “Look,Homer! Our Joey is on this internet machine, and, what’s this? He’s in Ukraine and someone stole all of his money.”
Sure, the elderly are scammed, but, believe it or not, they do not constitute the main victim demographic. That award goes to… Millennials. But how is this possible? This is the generation that grew up on the internet and came permanently attached to a smartphone. The answer to the dilemma, according to the Better Business Bureau (BBB), is something called, ‘optimism bias.’ In simple terms, optimism bias is the belief that everyone, except you, is stupid. Others may fall for scams, but you are more sophisticated than that.
Let’s make it clear that scams are different from hacks. Scams actively try to promise something to the victim for performing some action. They do not try to covertly gain control of your device. Scams have an emotional trigger which is most often greed, love/sex, or fear. Send me some money and you’ll get more money (greed i.e. Nigerian Prince Scam). I saw your profile online and… (love/sex i.e. romance scam). If you don’t pay, I will tell your boss/contacts what I know about you (fear i.e. extortion scam). Those possessing an optimism bias believe that they can see through such scams. But can they really?
People with optimism bias will brush aside any advice about safe online behavior. After all, they already know how to be safe. “I drive better after a few drinks.” Or, as one IRS scam victim wrote:
“If anyone should have known better, it was me. I’m a somewhat experienced adult, with more than one degree from an Ivy League university. In my career as a journalist, I’ve researched the ways our minds fall for tricks like this. I’ve even reported on scams that cheated people out of big down payments on houses and tricked others into buying previously wrecked cars. But the truth is that I fell for this scam — almost completely.”
The fact that this optimism-biased victim admitted he was scammed is unusual. Since optimism-biased individuals have the axiomatic belief that scam victims are stupid, admitting to being a victim themselves is tantamount to their admitting they aren’t as intelligent as they thought. This is why many scam victims never report the scam that tricked them. They are, in a sense, victims of their own narcissism.
The stereotype of a scam victim that arises from such a belief in one’s own perfection is of a person that must be the complete opposite of who they are. The BBB confirmed this by asking over 2000 people who they thought would be the perfect scam victim. Here are the results of that survey.
Thus, the standard scam victim is perceived to be an older, uneducated woman of low intelligence. The study also found that older, lonely, females elicited sympathy, while young, ignorant victims met with scorn.
However, true scam victims produced a completely different profile from the stereotype. When the BBB identified recent scam victims, they found that they were, in fact, between 25 and 45 years old, with 25 to 34-year-olds being scammed out of the most money.
Not only that, scam victims with a college degree were far more likely to be scammed, and scammed out of more money, than any other demographic.
How to Deal with Optimism Bias
I try to write on any new scam that is making the rounds. However, it appears, from this research, that the people who need to know most about a new scam are those who are most likely to ignore it. There is a wall of narcissistic resistance to such information that is difficult, if not impossible, to breach.
This optimism-bias attitude is frustrating both for those of us who try to warn people about scams and businesses that try to warn employees to be careful online. As one expert writes,
“It has taken me 12 years in information security to realize that as loud as our industry is shouting, we’re mainly only being heard by ourselves. For all the effort we are putting into education, information and awareness, we’re just playing to the beat of our own drum. It’s a depressing realization.”
Educating employees is often given as a solution to preventing a cyber attack. However, this only works in so far as the employees believe they need the education. It may be that cybersecurity is not an educational problem but a psychological problem. Bruce Schneier goes so far as saying, “I personally believe that training users in security is generally a waste of time, and that the money can be spent better elsewhere. Moreover, I believe that our industry’s focus on training serves to obscure greater failings in security design.”
This suggests another approach that does not depend on employee education. It suggests a need for technology that allows people to behave stupidly while protecting the company or organization. Such technology exists, but most companies still believe that cybersecurity training is the silver bullet. It’s not.
So, the next time you hear about a new scam, just don’t brush the information aside. You may, in fact, be very clever in seeing the angle in a new scam but, there is also a good chance that you really aren’t.