The statistics are staggering. Nearly everyone in the UK has come across an online scam. And according to surveys something like 10 per cent of adults admit falling for one: an investment opportunity, a phishing email, an HMRC tax-rebate, a romance scam.
I suspect the numbers are higher. Over the years I have spoken to dozens if not hundreds of victims of online crime, and the overriding emotions are embarrassment and shame - which can be worse even than any financial or emotional loss. Just yesterday I spoke to someone whose highly-educated partner had fallen for a low-grade internet investment scam, and didn’t tell her for months.
There is no shame attached to being burgled or mugged – we all blame the perpetrator. Maybe because online scams typically involve some action from the victim – clicking that link, replying to that email, even falling in love – it seems different. But it shouldn’t.
There are three reasons you shouldn’t feel bad about falling for an online scam. In fact, you should shout about it from the rooftops.
The first is that it can happen to anyone. Some of the smartest, most internet-savvy people I know have fallen for them. In fact, anyone who thinks ‘it would never happen to me’ is probably the most likely to fall victim, since their guard is down. I have been at security conferences where top IT security professionals admit having clicked a dodgy link. I know someone with a degree in finance who invested money into OneCoin, which is one of the most transparent Ponzi schemes of the last 20 years. As I wrote about here, I too have lost money on cryptocurrency. And I too have always been hesitant to admit it.
The second reason you should not feel bad is because you are up against some of the smartest people in the world, whose sole purpose in life is to fool you. Scammers read books about psychology. Some have PhDs in international law. Others are highly respected company CEOs. They are clever people, who carefully apply well-tested techniques of social engineering to exploit our common cognitive weaknesses: anchoring bias, fear of missing out, a sense of urgency. They will attempt invoice fraud at 4.30pm on Friday afternoon just as everyone is leaving the office and the boss is on a flight. They will send phishing links which claim to be from the security team the day after the company has run an IT workshop. They will push you an SMS notification for a Coronavirus booster jab the day after a novel strain is reported in the news. In short, they will do everything to force the irrational side of your brain to override the rational. And we are all capable of falling for that if the conditions are right.
But the third reason is the most important of all. Being honest helps everyone else learn. In the case of OneCoin, many investors felt stupid that they had invested so much money (and often recruited others) in a Ponzi. That created a culture of silence, which meant new victims made the same mistake. That is also happening with cyber-crime more generally. A victim’s silence makes us all less safe.
This is not helped by a culture of secrecy and punishment within certain companies. Too often people who process a fraudulent invoice or click the malware link will worry they’ll be in trouble. And companies generally prefer to stay quiet about any security breach. (The British Library, to its credit, recently admitted they’d been hit by a ransomware attack.)
To get on top of cyber-crime, which gets more sophisticated by the hour, will require a new approach to mistakes. Each error should be framed as a chance for the organisation (or person) to learn a valuable lesson: what happened, what went wrong, what did we miss? Learning through mistakes is doubly important because they are often quite emotionally charged stories. And that’s what sticks with people. Dry PowerPoint slides or training materials are no match for the manipulative talents of scammers. But hearing the testimony of your close colleague – the horror and the guilt of falling for a scam – just might. It is also a useful reminder that everyone and anyone can fall for this. No – you really aren’t too smart.
I fell for a payment terminal scam once. On returning home from holiday, I spotted a mysterious £2,500 credit card payment. I called the bank, who told me I’d entered my PIN number – so no refund. Here’s what I think happened: the local merchant had told me I was paying in Rupees. I didn’t bother to check – and I had in fact paid in Sterling. Two-and-a-half grand is a lot of money for breakfast, but I learnt an important lesson. I knew all about payment terminal scams – I’d read up on them. But I still fell for it, because like most people I can be lazy. But I will never fall for that again.