Speaking of Psychology - Online Risks (SOP61)

Episode Date: July 25, 2018

Every day, we are all called on to make online security decisions. Psychologist Emma Williams studies the contexts in which we make these decisions in an effort to develop safer practices.

Transcript
Starting point is 00:00:01 Hello and welcome to Speaking of Psychology, a podcast produced by the American Psychological Association. I'm your host, Kim Mills. Speaking of Psychology is a podcast for anyone with an interest in the science of psychology. We talk to psychological researchers, practitioners, and educators about any and every aspect of psychology and its application to the world around us. Dr. Emma Williams teaches psychology at the University of Bristol in the United Kingdom. Her research interests include understanding how people perceive, consider, and make decisions about risk in relation to emerging technologies and online activities. In particular, she studies how these judgments may be influenced by a range
Starting point is 00:01:00 of real-life factors. She also studies how best to help people understand their risks online so they can make informed choices, and she explores how and why people are susceptible to online scams like phishing and other situations that put their security and privacy at risk. Thanks for joining us today, Dr. Williams. No problem. Happy to. So let's start by talking about the reasons why people fall for these kinds of dirty tricks. Well, I think there's a little bit of a misconception sometimes that these things are obvious
Starting point is 00:01:34 to spot. So with phishing emails, people tend to think about what's known as the Nigerian prince kind of scams. Oh, it's really obvious. Someone's clearly offering me a million pounds to move some money into my account. And the reality is that that's not what scams actually are anymore necessarily. So that's an aspect. But the advent of technology has meant that they can actually create fake pages, fake emails that look very much like the real thing. So they can use particular logos. They can have email addresses that pretty much look identical to the genuine thing. So it's very hard for people to actually spot the difference.
Starting point is 00:02:11 And obviously we have limited kind of cognitive abilities to be able to actually do multiple things at once. So when you're checking your emails, someone's talking to you in the background, you've got to kind of be able to spot these tiny little errors, if you like, in that information, while simultaneously doing other things that are going on in your daily life. So from your research, what do you know about the characteristics of people who are likely to fall for these scams? And people tend to think that it's senior citizens who always succumb, but I bet that's not true. No, not really, yeah.
Starting point is 00:02:43 I think as well people are generally quite confident themselves that they won't fall for scams, but obviously then people do, and they were the ones who potentially were quite confident that they wouldn't be the type of person. So it just highlights that anybody can fall victim to scams. You also do tend to see scams that are tailored to potentially particular demographics.
Starting point is 00:03:02 So, for instance, people who are currently looking for love in online dating sites would be the target potentially of online romance scams. You can have older adults who potentially have got retirement income might be targeted by investment scams if they've got lump sums coming out of pensions and things like that. In the UK, we see a lot of younger adults being targeted by things related to rental properties and things like that. So in terms of susceptibility, it's probably less about the characteristic type of person who's vulnerable to these things. And more about the fact that the scammers know what certain
Starting point is 00:03:39 types of people might be interested in, so they might target particular demographics with kind of tailored scam kind of techniques, if you like. And also, the fact is that anyone can be vulnerable to these types of things. So if we're in a hurry, if we're distracted, they tend to know just how to turn on those buttons. So they use quite well-established social influence techniques of Cialdini, who's a, I think, well-known psychologist from the 50s and 60s. Yes, Robert Cialdini, sure. So things linked to authorities, they'll claim to be from known institutions, things people are familiar with, or that have a degree of, I suppose, a degree of authority about them. So banks, the police have been kind of mimicked in some email scams and things.
Starting point is 00:04:20 They'll also do a sense of urgency. There's always a deadline. There's usually something to make someone panic. So it's very much like, if you don't update your account within the next 24 hours, you're going to lose access to something. And obviously, people don't want to lose access to an account that they actually genuinely use and genuinely need, so it can make them panic, and then they rely on different types of information, kind of processing when they make their decisions.
Starting point is 00:04:43 They tend to rely on these kind of mental shortcuts and heuristics, rather than kind of taking a step back and thinking through, is it possible that this is not a genuine communication? They tend to rely on the fact that people might panic and instantaneously respond to something, or at least some kind of emotional reaction that will just maximise the chances that someone's going to click on that email before they've actually had a chance to go,
Starting point is 00:05:06 actually, you know, there was a little error there and that is a little bit suspicious. So what can consumers do to protect themselves? Definitely always take a bit of time before responding to things. They do very much focus on worrying people, on panicking them and wanting them to respond fast. So if you feel that you're feeling pressured to respond to something in any situation, whether that's online or even face-to-face or on the phone, then actually just take a step back and think, why would that be the case? I'm feeling pressured, so we almost need to kind of take a moment and actually think, is it possible that this isn't legitimately what it's claiming to be? We tend to assume that things are truthful, they're
Starting point is 00:05:45 trustworthy, so it's being a little bit more suspicious, which is a sad thing to say, but it is the reality. And also asking someone else who's away from the situation, whether that is a friend or a neighbour, or whether that's actually contacting the company who's claiming to contact you via another means, another route, because sometimes you can feel sucked into the situation. And once you're in it, you can kind of panic a little bit and not spot things. Whereas other people who are outside of that, they're not feeling that emotion, might immediately say, that doesn't sound right, actually. And it can give you a little bit more confidence that that's actually not correct
Starting point is 00:06:24 and you shouldn't respond to it. Have you done any research into these scams where people are able to actually hold you hostage and demand ransom. You won't get your photos back. We now own everything on your hard drive. Ransomware. Yes. I've not done any direct research on ransomware,
Starting point is 00:06:42 but obviously what you have to remember with ransomware is it's kind of the end state. So it's how have they got that onto your machine potentially. So if your machine has become infected, usually that's started with something like a phishing email. You've visited a website potentially that's had what's called, I think it's drive-by download of malware. So if you've visited certain suspicious websites. So it's all about how that's originally got there.
Starting point is 00:07:09 So you don't want that ransomware on your machine. If you are in a situation where you have ransomware on your machine, obviously that's where you really want to try and contact some kind of technical authority or law enforcement agency that might be able to help you. I'm not sure what they are in the US. In the UK, we have very particular things called Action Fraud, which is a police reporting for online fraud and things like that, and they can actually potentially help in what to do
Starting point is 00:07:38 if you're a victim of a ransomware attack in particular. But it's really about being careful and avoiding that happening by not clicking on things, not opening attachments to emails that you're not expecting that might actually contain the malware that can lead to attacks like that. What do you see as the next wave? I mean, as you're looking at these kinds of scams and the way people behave around them.
Starting point is 00:08:02 I mean, how do we stay one step ahead of the bad guys? That's always really hard because unfortunately the bad guys are quite good at anticipating how people are behaving. In terms of staying one step ahead, we're trying to educate people as much as possible and make people aware that online, the risks are just as great as they are offline.
Starting point is 00:08:23 Obviously, now people tend to lock their doors if they're worried about their security. And it's about trying to get that mindset of keeping your life secure, if you like, in terms of online activities. So this kind of stuff is always developing. Unfortunately, scammers do tend to evolve in line with kind of the victims that they're targeting. So if people become more suspicious of certain types of things or stop responding to
Starting point is 00:08:50 certain types of scams, and they're probably going to try something else. So it is going to be a constant battle of educating yourself about the scams that are out there. There are a lot of awareness, online awareness campaigns and things like that. There are a lot of groups and bodies that are trying to kind of help people. So keep yourself educated, make yourself aware. And we are very much trying to obviously not only identify how these scams work so we can better educate people about them.
Starting point is 00:09:18 But as research is trying to anticipate where they might go next with emerging technologies, obviously wearables, other types of devices coming out, then potentially the crimes that relate to those are going to develop in the future. So we're just trying to anticipate them a little bit and building better security features around those. So how do you secure your wearables? I mean, are there programs now where you can do that? The organisations that create these things are now being pressured to build in security by default. Because the idea is that traditionally they've relied on people protecting themselves.
Starting point is 00:09:52 So they'll push a product out there, and they will very much say the security really is up to you. Change your default password. Make sure you do any security updates, etc. And obviously putting quite a lot of onus on the consumer to make those decisions, whereas there's a bit of a movement now to try and pressure the manufacturers to make security better in their products before they're released, to build in what's known as security by default,
Starting point is 00:10:17 so that in theory, the consumer shouldn't have to worry about the fact that they need to do all these things, it should just do it automatically as a default. So hopefully if they do that, then. But who knows whether they will. Challenge. Have we lost the battle already, though? I mean, you know, every day we find out about Cambridge Analytica
Starting point is 00:10:39 and how many Facebook accounts have been compromised and another department store tells us that 500,000 credit cards have been stolen. I mean, what can we do? I don't think we've lost the battle already. What's almost happened is that all this technology rolled out, all these new forms of data, new forms of interacting rolled out, things like security weren't really considered, things like privacy weren't really considered. Obviously, it was a new way of people communicating with each other, so people just weren't aware of the risks around it that much.
Starting point is 00:11:13 And it's almost like that's now just starting to catch up. So you've had a period of time if something new has been rolled out, oh, yeah, let's have a go, let's see. And now we're suddenly starting to see all these stories because obviously the criminals are aware that they can exploit certain things or other people are aware they can exploit certain things. And I think we're almost now at a point where all of these risks are now circulating and people are aware of them. So Cambridge Analytica, that's quite a good example of something that's massively in the media led to all these stories in newspapers and stuff, oh, do you need your Facebook account?
Starting point is 00:11:43 Maybe we should stop doing Facebook. How can you secure it? So it made people very aware of the fact that actually that was data and that data that you're putting on social media is used by other people and can be used. It's been massively helpful to make people understand that actually the stuff they put online is sensitive information potentially and can be used by this. So I actually think we're almost at a point where maybe the battle was being lost a little bit, but it's almost starting to catch up again.
Starting point is 00:12:12 There's a new impetus. There's obviously a lot of regulation, focus on improving regulations and stuff like that. So, you know, how can we now have regulation that catches up with these new forms of data? So I think we're almost at a, I don't always say a tipping point, that's very strong, but a kind of turning point where it's like, okay, now the risks are very real, and people are seeing that, and we're starting to see a more societal response. So how that will play out, I don't know, but I think we're now a point where, yeah, maybe we're doing better in the battle.
Starting point is 00:12:44 I would hope. So what are you studying now? What are you looking at for the future? So we're doing a few different things. We're looking at how people perceive risks around emerging technologies, so things like autonomous vehicles, whether they actually perceive any security risks associated with that, how willing they would be to use those technologies if they became available.
Starting point is 00:13:06 So we're kind of trying to understand, well, what risks are people worried about? Can we actually, almost, before these technologies get rolled out mainstream, let's actually look at how they might be exploited or manipulated, how people perceive risks around them and almost kind of then build it, build it into the system so that we can prevent those risks almost becoming a reality. We're also doing some work around how we can better inform people around digital risks, online risks. So it's quite a technical thing to understand sometimes.
Starting point is 00:13:42 The online world is really complicated. It's a very complex, abstract beast, really, to try and get your head around. So we're trying to look at, well, how do people want to be informed about digital risks, online risks? How can we empower them to make decisions? What kind of information do they want to know? How can we best present it to actually encourage them to really make decisions that are going to be in their best interests, I suppose. So we're very early stages trying to look at, as opposed, slightly, a conversation about how people want to be talked about their data and how we're going to be, we can better design kind of awareness interventions and things to really encourage people to engage with those materials and actually change their behaviour slightly.
Starting point is 00:14:28 So they're not quite there yet? No, gosh, no, no. I think we're very early stage. So I've only just started doing this work at the University of Bristol. So I started there last November. So before then, I was at the University of Bath doing work around phishing emails and what makes people susceptible to them. So that was the stuff focused on influence techniques and whether people notice differences in cues and what factors might affect that in the work environment and stuff. Whereas now we're very
Starting point is 00:14:55 much moving into the, since I've started at the University of Bristol, moving into this, okay, how do people perceive risks? How do they consider them in relation to the online space? How do they understand them? And if they actually consider it to be quite risky, then what will actually change their behaviour? Because people are concerned about their privacy, but then they still share information. They still do things that kind of counter to what they say they care about. So it's really trying to understand how people are making those judgments. And that's something we still don't really have a grasp from, I don't think. So you said you mentioned Robert Cialdini earlier and he's done a lot around green behavior, people who are aware of the
Starting point is 00:15:36 environment and how to make people make decisions that would be earth friendly. Is that the kind of information you're looking at? How does that apply to online behavior? Yeah, yeah, I think so. Well, in some ways there's quite a lot of parallels. So obviously when we talk about things like environmental behaviours, again, it can be something that's quite far down the line as a potential if we take climate change as a potential risk. That's something that people might not necessarily see as happening to me right now in front of me. It's a potential risk in the future. It's something that's quite abstract. It's quite big. Who knows who it will apply to or how? So it can be quite hard when people are actually making a decision in the here and now to engage in a behaviour that
Starting point is 00:16:22 they want to engage in but might be counter to obviously environmental, pro-environmental behaviour, but they really want to do that. And because the other thing is quite far away and quite abstract, then maybe they won't actually make the decision that's in those best interests, hence why obviously Cialdini is interested in kind of almost nudging people into that. So there is work around how we can nudge people in a similar way in online behaviour, but it's still quite early stages. And I think we've got a slight issue in the fact that although there are a lot of similarities, so it's quite a big issue again, online risk potentially.
Starting point is 00:17:00 If you decide to click on a link in an email or visit a website that might be fraudulent, whether you're going to see an immediate impact on yourself, who knows, particularly in a work environment, it might be an impact that's where, down the line, you don't really understand how it's going to work. Again, it's quite abstract. Is it going to really impact me? Potentially not. I don't understand how it will. So there's all these similar types of parallels. So I would say that we are starting to try and apply exactly the same approaches, but whilst also understanding that technology keeps changing, and that's part of the problem, because it's advancing so fast. If you look at people's behavior in one space,
Starting point is 00:17:39 suddenly they're using a new technology, or they're using a new social media platform or even, for instance, Facebook's changed. So actually even the layout of one year might be very different to what they're doing next year. And that makes it very hard to keep up. So it's slightly different in that respect, I would say, if that makes sense. No, it does. It does. And you never know.
Starting point is 00:18:00 There's a new app next week that you suddenly are enamored of and who knows what it's doing. So basic advice, change your passwords often, keep them really complicated. Don't write them down where anybody can find them. Yeah, basic things like that. Although there is advice now in the UK that actually suggests you shouldn't change your password that often anymore because it's making it very difficult to the fact that you need complicated passwords is important. So if you're also requiring people to change them really often, there's a little bit of a school of thought that the two don't marry up. You can't keep changing your passwords and have complicated passwords and remember them. So if you encourage people
Starting point is 00:18:44 to change their passwords too often, then they'll maybe just make them simpler so that they can remember them easier. So they actually have more of a school of thought now that you don't need to change them that often. But what you do need to do is have very different passwords for different types of things. So make sure you have very different passwords for, for instance, your banking or something that is very, potentially has very sensitive information about yourself to an online account for something, I don't know, maybe social media or something where you don't have all that information linked to it. It's almost about understanding the risk. What if someone had that password? What is the worst they could do? Potentially, or if they have my Twitter
Starting point is 00:19:26 password, what's the worst they could do? And certainly don't use the same passwords across different types of accounts. That's the big one. Yeah. If they get into your Twitter, you know, and then they can also get into your banking, then it's really not good.
Starting point is 00:19:44 All right, well, that's a lot to worry about. Well, thank you. I hope I've not terrified, aren't they? It's not all bad. We're getting that. Good.
Starting point is 00:19:51 I appreciate that. And thank you so much for being with us today. No problem. No problem at all. Thank you for inviting. So thank you for joining us today on our podcast, Speaking of Psychology.
Starting point is 00:20:04 This is part of the APA podcast network, which includes other great podcasts, such as APA journals dialogue about the latest and most exciting psychological research, and progress notes, which discusses the practice of psychology. You can find all APA podcasts on iTunes,
Starting point is 00:20:21 Stitcher, and pretty much wherever you get your podcasts. You can also go to our website, www.speakingofpsychology.org to listen to more episodes and to see more resources on the topics we discuss. I'm Kim Mills with the American Psychological Association, and this is Speaking of Psychology.
