The ability to recognize people who want to take advantage of you is core to survival. Researchers studying the evolution of cognition suggest that we begin to develop generic "cheating detection algorithms" through exposure to the types of deception that occur day to day (Cosmides and Tooby, 1989; Cheng and Holyoak, 1985; Vasek, 1986) In a general way, we learn to suspect deception and become cautious when there is a notable inconsistency between what is happening and what we expected to happen.
Yet, consumers' ability to spot fraud in the Internet is still not very good. This is because our ability to hone our generic "cheater detectors" depends on specific or "mediating knowledge" of the deception environment. When you think about it, it's not hard to imagine why. Even savvy users find it hard to keep up with the newest scam. Can you define Phishing? How about Pharming?
Here are the Wikipedia definitions for these Internet deception methods:
And there's more:
And, with all the excitement about phishing and pharming, people forget about just plain fraud.
Its not surprising that people have a hard time identifying Internet deception. The specific cues you use to detect fraud in the rest of your life work don't really apply in cyberspace. In bricks-and-mortar transactions you can see who you are dealing with. In cyberspace, grifters are harder to spot... if they are even there at all.
The good news is that as consumers learn more about how the Internet works they will, by extension, learn more about how Internet deception works. It will become much harder to dupe them. Like magic, deception is usually not so tricky if you know where to look. The challenge then, is to help consumers learn where to look.
Organizations like Consumer WebWatch, the Internet arm of Consumer Union, have published reports intended to guide consumers to correctly identify the characteristics of a credible Internet site. One problem is that not enough consumers read their reports. And of those that do read them, not enough actually check the cues. Another problem is that those who practice Internet fraud do seem to read the reports.
Researchers like Grazioli are taking a different route. Grazioili's work (and his work with colleagues like Jarvenpaa) contrasts the differences between the behavior of successful and unsuccessful deception detectors.¬†Consumers good at detecting deception on the Internet evaluate on assurance cues¬†‚Äď concrete parameters of an organization or its business model that can be evaluated for truthfulness (e.g., the phone number) or legal validity (e.g., a warranty). In contrast,¬†consumers who fail to notice deception tend to assign credibility based on trust cues¬†‚Äď self-report marketing elements (e.g., customer testimonials or product sales reports) which are difficult to verify, at best.
Grazioli observed these differences in a controlled study of deception detection. In this study, 80 "business and IT savvy¬†participants were asked to visit a specific used laptop reseller site and help a friend to decide if purchasing a $625 laptop from that particular site was a good idea ‚Äď essentially to give a second opinion about the credibility of a site. If the participant felt comfortable with the site, he or she would then purchase the laptop using the friend's credit card number.
Half of the participants in Grazioli's study visited an active and functioning laptop reseller Web site. The other were "page-jacked" to a "deception" site. The deception site was identical to the base site, except that six known deception cues (Yamagishi and Yamagishi, 1994) had been added or altered. The altered cues included:
After viewing the site and purchasing the laptop (or not), participants completed a survey exploring whether they perceived the site to be deceptive or not... or were unsuccessful at detecting deception.
Participants were considered successful if they were suspicious of the altered site or recognized the real site as trustworthy. Unsuccessful deception detectors either failed to register suspicion of the altered site or perceived significant deception even on the trustworthy site.
Overall, even these business and IT savvy users were not able to discriminate between the trustworthy and the deceptive site. 55% of participants trusted the deceptive site (30% correctly suspected; 15% were not sure). Only 38% correctly trusted the good site (32% were suspicious; 30% were not sure).
In this study the deception cues were abundant but they were subtle. Participants could establish that the altered cues were deceptive by:
In his study, Grazioli also noticed that successful deception detectors focused on a different set of cues than those who failed.¬†Deception detectors focused on assurance cues¬†(trust seals, warranties, physical location).¬†In contrast, those who missed the deception focused on trust cues¬†(customer testimonials). To validate trust cues you must trust the company. To validate assurance cues, you must go to organizations outside the one you are seeking to do business with.
Chasing validation at this level seems like a lot of work. Perhaps that's because for most of us, strategies for identifying bad risks don't include looking outside the business itself. For a bricks and mortar establishment we go to the address. We talk to the employees. We see the customer service/returns desk. We hold the receipt and warranty in our hands. On the Internet, those ‚Äď largely implicit ‚Äď cues are missing. Our general strategies for detecting deception in the world may work, but our ability to detect deception on the Internet still needs fine tuning.
Cheng P.W. and Holyoak, K.J., (1985). Pragmatic Reasoning Schemas.¬†Cognitive Psychology¬†17, 391‚Äď416.
Grazioli, S., (2004). Where Did They Go Wrong? An Analysis of the Failure of Knowledgeable Internet Consumers to Detect Deception Over the Internet.¬†Group Decision and Negotiation¬†13, 149‚Äď172.
Grazioli, S. and S. Jarvenpaa. (in press). Deceived: Under Target on Line.¬†Communications of the ACM.
Tooby, J. and L. Cosmides. (1989). Evolutionary Psychology and the Generation of Culture, Part 1.Ethnology and Sociobiology¬†10, 29‚Äď49.
Vasek, M. E. (1986). Lying as a Skill: The Development of Deception in Children. In R.W. Mitchell (Ed.),Deception, Perspectives on Human and Non-Human Deceit. NY: State University of New York Publishing.
Yamagishi, T. and Yamagishi, M., (1994). Trust and Commitment in the United States and Japan.Motivation and Emotion¬†18 (2), 129‚Äď165.
1) Wikipedia's definition is slightly misleading: phishing is a special case of carding, which can include many aspects of credit card fraud, rather than a synonym, while spoofing has many other meanings in computer security.
2) The application of the concepts of assurance cues and trust cues is important in this context, but it applies in many Internet contexts. The really interesting question is why 419s and chainmail/hoaxes, which are usually crudely engineered compared to the "better" phishing and money mule recruitment scams and have been around a lot longer, continue to reel in so many victims. There are many reasons for this, but clearly long-term publicity and education hasn't stopped people being distracted by trust cues in these contexts.
3) Practical solutions are (or would be) highly desirable. But the examples of creative thinking (eBay and PayPal) are also examples of heavily phished organizations confusing the end user with the mixed signals that result when understanding of the problems is not uniform across all staff ‚Äď classically, there is often an enormous dissonance between security and marketing personnel. Many phished organizations compound the problem by using email distribution practices that blur the distinction between phish and legitimate marketing mail.
Your article provided some important and very helpful information ‚Äď thank you.
Sign up to get our Newsletter delivered straight to your inbox
HFI may use ‚Äúcookies‚ÄĚ or ‚Äúweb beacons‚ÄĚ to track how Users use the Website. A cookie is a piece of software that a web server can store on Users‚Äô PCs and use to identify Users should they visit the Website again. Users may adjust their web browser software if they do not wish to accept cookies. To withdraw your consent after accepting a cookie, delete the cookie from your computer.
HFI believes that every User should know how it utilizes the information collected from Users. The Website is not directed at children under 13 years of age, and HFI does not knowingly collect personally identifiable information from children under 13 years of age online. Please note that the Website may contain links to other websites. These linked sites may not be operated or controlled by HFI. HFI is not responsible for the privacy practices of these or any other websites, and you access these websites entirely at your own risk. HFI recommends that you review the privacy practices of any other websites that you choose to visit.
HFI is based, and this website is hosted, in the United States of America. If User is from the European Union or other regions of the world with laws governing data collection and use that may differ from U.S. law and User is registering an account on the Website, visiting the Website, purchasing products or services from HFI or the Website, or otherwise using the Website, please note that any personally identifiable information that User provides to HFI will be transferred to the United States. Any such personally identifiable information provided will be processed and stored in the United States by HFI or a service provider acting on its behalf. By providing your personally identifiable information, User hereby specifically and expressly consents to such transfer and processing and the uses and disclosures set forth herein.
In the course of its business, HFI may perform expert reviews, usability testing, and other consulting work where personal privacy is a concern. HFI believes in the importance of protecting personal information, and may use measures to provide this protection, including, but not limited to, using consent forms for participants or ‚Äúdummy‚ÄĚ test data.
HFI may use personally identifiable information collected through the Website for the specific purposes for which the information was collected, to process purchases and sales of products or services offered via the Website if any, to contact Users regarding products and services offered by HFI, its parent, subsidiary and other related companies in order to otherwise to enhance Users‚Äô experience with HFI. HFI may also use information collected through the Website for research regarding the effectiveness of the Website and the business planning, marketing, advertising and sales efforts of HFI. HFI does not sell any User information under any circumstances.
HFI may disclose personally identifiable information collected from Users to its parent, subsidiary and other related companies to use the information for the purposes outlined above, as necessary to provide the services offered by HFI and to provide the Website itself, and for the specific purposes for which the information was collected. HFI may disclose personally identifiable information at the request of law enforcement or governmental agencies or in response to subpoenas, court orders or other legal process, to establish, protect or exercise HFI‚Äôs legal or other rights or to defend against a legal claim or as otherwise required or allowed by law. HFI may disclose personally identifiable information in order to protect the rights, property or safety of a User or any other person. HFI may disclose personally identifiable information to investigate or prevent a violation by User of any contractual or other relationship with HFI or the perpetration of any illegal or harmful activity. HFI may also disclose aggregate, anonymous data based on information collected from Users to investors and potential partners. Finally, HFI may disclose or transfer personally identifiable information collected from Users in connection with or in contemplation of a sale of its assets or business or a merger, consolidation or other reorganization of its business.
If a User includes such User‚Äôs personally identifiable information as part of the User posting to the Website, such information may be made available to any parties using the Website. HFI does not edit or otherwise remove such information from User information before it is posted on the Website. If a User does not wish to have such User‚Äôs personally identifiable information made available in this manner, such User must remove any such information before posting. HFI is not liable for any damages caused or incurred due to personally identifiable information made available in the foregoing manners. For example, a User posts on an HFI-administered forum would be considered Personal Information as provided by User and subject to the terms of this section.
Information about Users that is maintained on HFI‚Äôs systems or those of its service providers is protected using industry standard security measures. However, no security measures are perfect or impenetrable, and HFI cannot guarantee that the information submitted to, maintained on or transmitted from its systems will be completely secure. HFI is not responsible for the circumvention of any privacy settings or security measures relating to the Website by any Users or third parties.
Human Factors International, Inc.
PO Box 2020
1680 highway 1, STE 3600
Fairfield IA 52556
HFI reserves the right to cancel any course up to 14 (fourteen) days prior to the first day of the course. Registrants will be promptly notified and will receive a full refund or be transferred to the equivalent class of their choice within a 12-month period. HFI is not responsible for travel expenses or any costs that may be incurred as a result of cancellations.
$100 processing fee if cancelling within two weeks of course start date.
4 Pack + Exam registration: Rs. 10,000 per participant processing fee (to be paid by the participant) if cancelling or transferring the course (4 Pack-CUA/CXA) registration before three weeks from the course start date. No refund or carry forward of the course fees if cancelling or transferring the course registration within three weeks before the course start date.
Individual Modules: Rs. 3,000 per participant ‚Äėper module‚Äô processing fee (to be paid by the participant) if cancelling or transferring the course (any Individual HFI course) registration before three weeks from the course start date. No refund or carry forward of the course fees if cancelling or transferring the course registration within three weeks before the course start date.
Exam: Rs. 3,000 per participant processing fee (to be paid by the participant) if cancelling or transferring the pre agreed CUA/CXA exam date before three weeks from the examination date. No refund or carry forward of the exam fees if requesting/cancelling or transferring the CUA/CXA exam within three weeks before the examination date.
There will be no audio or video recording allowed in class. Students who have any disability that might affect their performance in this class are encouraged to speak with the instructor at the beginning of the class.
The course and training materials and all other handouts provided by HFI during the course are published, copyrighted works proprietary and owned exclusively by HFI. The course participant does not acquire title nor ownership rights in any of these materials. Further the course participant agrees not to reproduce, modify, and/or convert to electronic format (i.e., softcopy) any of the materials received from or provided by HFI. The materials provided in the class are for the sole use of the class participant. HFI does not provide the materials in electronic format to the participants in public or onsite courses.