Security firm McAfee has said that cybercriminals are using increasingly sophisticated social-engineering techniques, and that IT managers need to make users aware of the psychological tricks that make the techniques work.
The vendor worked with University of Leicester forensic psychologist Professor Clive Hollin to analyse why users fall for online scams.
According to Hollin, the first part of the process is persuading the user that an email comes from a respectable source. People tend to respond to authority — for example, a lawyer — but will also respond to endorsements from trusted sources, as well as familiarity and banter.
Once trust has been gained, fraudsters attempt to get users to click on a link which takes them to malicious websites by either threatening an unwanted event, such as legal action, or by offering a reward, such as a commodity for a bargain price, said Hollin.
Users who fall for scams are not necessarily technophobes or the innocent, said the psychologist. Risk-takers might be fooled by the prospect of high gain, while the tech-savvy might be vulnerable due to over-confidence.
"Given the right conditions in terms of the persuasiveness of the communication and the critical combination of situational and personal factors, most people may be vulnerable to misleading information. This point is true both for experienced and inexperienced computer users; while naivety may be a partial explanation, even sophisticated users can be deceived and become suggestible to misleading messages," said Hollin.
McAfee's Sal Viveros said IT managers should let end users know the kind of social-engineering tactics that cybercrooks use. "Enforcing policy and education helps to minimise threats," he said.
While the psychological tricks used by cyberfraudsters may play on human nature, Viveros said that the techniques being used are increasingly sophisticated.