We think it’s other people that fall for online scams


The rise in cybersecurity attacks during the coronavirus pandemic has been well documented. It’s been a perfect storm of vast swathes of people working from home on devices that are perhaps not as secure as they’re used to at work, a huge amount of uncertainty regarding physical and financial wellbeing, and a recession providing that little bit more incentive for people to turn to criminal acts to put food on the table.

Despite this rise in cybercrime, new research from New York University (NYU) suggests that most of us think it’s a problem that largely affects other people. In a stunning example of the Dunning-Kruger effect in action, the researchers found that we’re generally pretty confident in our ability to withstand the lure of phishing scams, with this undue confidence in our abilities only undermining our actual ability to do so.

Gut instinct

The researchers believe this false sense of confidence is largely because we tend to overlook any data that could help us to better identify and assess the riskiness of our own behavior online, yet we consistently apply that data when we assess the riskiness of other people’s behavior.

This is especially important as so many of us have been working from home during the coronavirus pandemic, and there is every likelihood that this in itself is making us more vulnerable to cyberattacks. Of course, it requires us to be aware of, and absorb, that fact for the risk to be taken seriously.

"This study shows people 'self-enhance' when assessing risk, believing they are less likely than others to engage in actions that pose a threat to their cybersecurity - a perception that, in fact, may make us more susceptible to online attacks because it creates a false sense of security," the researchers write.

Working from home

In the United States alone, it’s estimated that around two million federal employees were told to work from home. They were joined by millions more from state and local government and even more from across the private sector. This represents a tremendous change in working conditions for large swathes of the population, not least in terms of the increased risk this represents for cybercrime. It was a risk that the Department of Homeland Security appreciated, with its Cybersecurity and Infrastructure Security Agency issuing a joint alert with the UK’s National Cyber Security Centre that highlighted the dangers posed by working from home.

“As the COVID-19 outbreak continues to evolve, bad actors are using these difficult times to exploit and take advantage of the public and business. Our partnerships with the NCSC and industry have played a critical role in our ability to track these threats and respond,” Bryan Ware, CISA Assistant Director for Cybersecurity, said. “We urge everyone to remain vigilant to these threats, be on the lookout for suspicious emails and look to trusted sources for information and updates regarding COVID-19. We are all in this together and collectively we can help defend against these threats.”

Despite warnings such as these, the NYU research highlights how poor many of us are at assessing the risk we ourselves face. The research consisted of a number of experiments whereby volunteers were shown various emails that were similar to those used in phishing scams. Each volunteer was told that the emails, which requested the volunteer click links, update passwords, or download files, were above board and legitimate. What’s more, each volunteer was told that if they complied with each request, then various good outcomes would result, including restoring access to their account, or even that they’d be entered into a draw to potentially win an iPad.

The volunteers were split into two groups, with one group asked what actions they themselves would take, and the second group asked what actions they would recommend someone else to take. The volunteers were guided by information that showed the percentage of people who typically complete the activity being requested of the volunteer. For instance, the message might read that “37% of students clicked the link to download an illegal movie because they thought it was required for their class”.

Ignoring the data

To determine whether this data was used, the researchers used eye-tracking software to monitor the eye movements of each volunteer, and it emerged that people were much less likely to use it when they were determining their own likelihood of pursuing a particular action. These people also thought they were less likely to fall for such phishing scams than others.

The researchers believe that we do this because we don’t believe that the data we’re seeing is relevant for our own circumstances, or applies to our own personality, hence we discard it as useless.

"The patterns of social judgment we observed may be the result of individuals' biased and motivated beliefs that they are uniquely able to regulate their risk and hold it at low or nonexistent levels," the researchers conclude. "As a result, they may in fact be less likely to take steps to ensure their online safety."