Scamming knowledgeable users

Has the digital become too much?

General

5 cognitive-affective tips for future personal privacy and cyber security practices

Thoughts on cybersecurity in the age of information overload and maintaining a well-balanced life

Highlights:

  • For individuals – Know your strengths, they may be your weaknesses
  • For designers (and businesses) – Know the lives (and I mean ‘multiple lives’) of your users, make interaction foolproof wherever possible

Stop cyber scamming

As a privacy researcher, I shouldn’t be saying this. But, on Saturday I was scammed. I really don’t know how it happened. Or, let’s put it this way, I know how it happened, but I have no idea how I fell for it. In theory, I know that you treat all emails with caution. You do not open attachments, you do not click on links. And, of course, you do not give your credit card and banking details – ever. So easy to remember. So easy to usually do.

We read about these victims (in our minds, the elderly, children, people with varied abilities, the uneducated, and many more terms…) and think, “How did they do it?” In his LinkedIn blog, cyber security advocate Andrew Hartley (2021) states that anyone can be a victim. There are, however, stronger tendencies in various population groups. These include: 1) Age-related factors – people over 65 make up a significant share of cybercrime victims, with a growing number of victims under 25 years old (Millennials and GenZers – supposed digitally connected natives); 2) Poor overall security management – mainly weak and heavily reused (single) passwords (see also Woods and Siponen, 2018); and 3) The uber-connected – those who rely heavily on their connected products (i.e., smart phones and other devices) and also those who readily share extensive information in, e.g., social media.

The types of high tech involved in cybercrime include (Europol, 2022), but are not limited to:

  • botnets (robot networks) – many computers communicating with each other over the internet
  • rootkits – collections of programmes enabling administrator-level access to computers and networks
  • worms – replicating themselves throughout a computer network, performing malicious actions with no human guidance
  • trojans – posing as legitimate programmes, yet designed for malicious purposes (spying, data theft, file deletion, expanding botnet, and performing DDoS (distributed denial of service) attacks)
  • file infectors – infect executable files (e.g., .exe) by overwriting them or embedding infected code, disabling them
  • backdoor/remote-access trojan (RAT) – access computer systems and devices remotely. These can be used to install other malware, giving total control to attackers performing: monitoring, executing commands, file sending, keystroke logging, taking screenshots
  • ransomware – stops users from accessing their devices
  • scareware – fake antivirus software
  • spyware – to monitor activity
  • adware – displaying advertising and pop-ups

Then, of course there are the common types of cybercrime including phishing (social engineering to manipulate receivers into giving sensitive information such as credit card information and banking credentials), hacking (breaking into accounts, shutting down and misusing websites and networks), identity theft, spreading hate (inciting terrorism), grooming (building up relationships to manipulate and exploit individuals), and spreading child pornography (Government of the Netherlands, n.d.).

Doing gardening on a summer's day

As human beings, our quickest mode of cognition (thinking) and behaving (acting) occurs through our affective emotional processing. Daniel Kahneman (2011) famously called this mode of thinking System 1, as compared to System 2, which sees people delve into deeper, information-rich and associative modes of thought. System 2 is slower and is characterized as being responsible for higher order cognition, in other words, the types of thought processes enabling expertise. There is a myriad of theoretical cognitive-affective explanations of the differences between primal, or lower order, and higher order modes of thinking in the field of cognitive science. This intricate relationship between cognition and emotional states has often been talked about in relation to, for example, Appraisal Theory (e.g., Ellsworth, 2013; Frijda, 1993) and Core Affect Theory (e.g., Russell, 2003). Appraisal, for instance, is very much about how humans appraise or evaluate perceived information against ‘concerns’ (criteria or interests, concern for survival and wellbeing), which also involves ‘fast’ (primal) and ‘slow’ (higher order) processing, very much tied into theories of basic and higher level (associative) emotions (see also, Ekman, 1992; Ortony, 2022).

Depending on what our priorities are, the ways in which we emotionally process information differ, particularly in instances of cybercrime. For some, a phone call from an anonymous number, with an urgent voice at the other end stating that the caller is from Microsoft, that your account has been hacked and that you need to give your credentials in order for ‘us’ to rectify the situation, may trigger an immediate panic state, resulting in the disclosure of user names and passwords. For others, like me on Saturday, that trigger was, “I have already paid, you can go into Tori.fi through this link to retrieve the 60 euros.”

My mode of processing was, “This man has already paid me money. I (owe him) need to go in, retrieve it and send the products as soon as possible.” I did not want to ‘muck the customer around,’ so fell for the trap hard and fast. I kept looking at the URL that stated ‘Tori.fi’ with the ‘lock sign’ to reassure myself that I was giving my details to the right source. If I had stopped to think I would never have arrived at this situation. And actually, at first my reaction was, “I have chosen not to send the products, I will just respond ‘No’,” but then I thought, “Why not? If it’s easy, it’s easy, and he’s already paid, stating ‘I paid’.” I have a sense of ‘duty’ that does not always make sense. This sense of duty was my downfall.

Thus, my 5 cognitive-affective tips for future personal privacy and cyber security practices are:

  • Know your strengths and weaknesses, not just in terms of behavior, but also values – what makes you strong as a person, giving you high integrity, may be your downfall when faced by dishonest people;
  • Don’t do ANY financial business via email – with strangers you may even consider CASH ONLY ALWAYS;
  • Put yourself in machine mode – have a silent rule, or even physical/digital constraint that does not allow you to answer or act upon emails within 24 hours, and perform a ‘two-point verification process’. This means that if money (buying/selling) is in question, no matter how simple the issue seems, your machine (you) don’t work without verification from another, responsibly thinking adult;
  • If you’re out of your comfort zone, don’t go there – go with your first instinct, the one you had when you carefully considered your mode of action, the safe mode that you can map out well in your mind. DON’T MAKE ANY SUDDEN MOVES;
  • For designers, developers and businesses – know people well and focus on user/customer vulnerabilities to identify and remove ANYTHING that invites anticipated slip-ups.

For instance, when I contacted Tori.fi about the incident (after being told by the credit card and account closure helpline that Tori.fi is FILLED with scammers and these types of incidents are occurring ALL THE TIME), their reply was:

One thing that can affect the fact that you receive more scam messages than usual is that if your email address matches the nickname/screen name/username visible in Tori (e.g. first name/last name combination).

Based on that, fraudsters come up with a mass e-mail in all combinations using first name, last name, username, nickname, screen name or other predictable title as the front of the e-mail and then put one of the well-known e-mail endings (e.g. (at)gmail.com, (at)hotmail.com) at the end.

In other words, this is how fraudsters generate a large number of contacts with the help of automation and hope that at least one of them will go through.

In light of the recent phishing attempts and scams of payment card information that look very genuine coming to the phone, together with the authorities (banks and the police), we have ended up hiding and limiting the display of the phone numbers of private operators in Tori announcements.

For this reason, I wonder why the service cannot prevent the user from using the same screen name as their email address? Simple, but maybe effective?
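The check suggested above can be done at registration time. The following is an added example, not Tori.fi’s code: it normalises the screen name and the real name shown on a profile (case, accents, separators, trailing digits) and flags a sign-up whose e-mail local part could be reconstructed from what the profile makes public. All names and addresses are constructed.

```python
import re
import unicodedata
from itertools import permutations


def normalize(text: str) -> str:
    """Lower-case, fold accents (ä -> a) and drop anything that is not a letter or digit,
    so 'Matti_Meikäläinen' and 'matti.meikalainen' compare equal."""
    folded = unicodedata.normalize("NFKD", text)
    ascii_only = "".join(ch for ch in folded if not unicodedata.combining(ch))
    return re.sub(r"[^a-z0-9]", "", ascii_only.lower())


def guessable_local_parts(screen_name: str, real_name: str = "") -> set[str]:
    """E-mail local parts derivable from a public profile: the screen name itself,
    orderings of the real name parts, and the first-initial + surname pattern.
    Mirrors the 'all combinations' the marketplace describes scammers trying."""
    candidates = {normalize(screen_name)}
    parts = [normalize(p) for p in real_name.split() if normalize(p)]
    for length in range(2, len(parts) + 1):
        for order in permutations(parts, length):
            candidates.add("".join(order))
    if len(parts) >= 2:
        candidates.add(parts[0][0] + parts[-1])   # 'mmeikalainen'
    candidates.discard("")
    return candidates


def profile_leaks_email(email: str, screen_name: str, real_name: str = "") -> bool:
    """True when the local part of `email`, ignoring a trailing digit suffix, matches
    something an outsider could derive from the visible profile."""
    local = normalize(email.rsplit("@", 1)[0])
    stem = re.sub(r"\d+$", "", local)   # 'meikalainenmatti84' -> 'meikalainenmatti'
    candidates = guessable_local_parts(screen_name, real_name)
    return local in candidates or stem in candidates


if __name__ == "__main__":
    # Constructed sign-up: screen name is just the e-mail address with an underscore.
    print(profile_leaks_email("matti.meikalainen@gmail.com", "matti_meikalainen"))
    # Constructed sign-up: unrelated screen name, so the e-mail is not exposed.
    print(profile_leaks_email("puutarhuri2019@gmail.com", "kesämökki", "Matti Meikäläinen"))
```

A service could reject or warn on `True` during registration, or run the check once over existing accounts to decide whom to nudge towards a different screen name.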

Now, when calling my bank to make an appointment to go into the physical branch to show my identification documents and set up new user credentials etc., I needed to choose the ‘Service for Seniors’ option. Why? Because ALL of the other options were automated and required my user credentials, which had been cancelled upon my realizing I had been scammed. I needed to phone my bank several times before discovering the option (the senior customer option) via which I could receive service without my credentials. Moreover, the next live appointment available at my nearest almost abandoned physical bank branch is in three days’ time (I’m now writing on a Monday). AND, to make a formal report of offence (rikosilmoitus) to the police, I need to fill in an online form that happens to require my…. yes…. guess what…. online banking credentials.

Not easy to survive, is it? Something has got to give. My colleagues (Jaana Leikas, Hannu Vilpponen and Pertti Saariluoma) and I happen to have a paper that will be published in November precisely about this dilemma with respect to older adults. In terms of designing the ideal future, we as researchers, designers, developers and decision-makers need to consider the basic pillars and rights of human integrity and what it means to maintain a well-balanced, sustainable life. The fact of the matter is that no level of generalization will be apt enough to pre-empt specifically who will be prone to what type of scam. The circumstances surrounding particular scam instances (i.e., context and events in people’s lives) are not considered adequately either. So, here’s a run through of my circumstances:

  • Motivation – I wanted to get items that have been in storage for years out of my house, starting the new work year with a clean slate;
  • Pre-scam Emotional State – feeling like a super woman (pride), finally getting on top of the backlog (satisfaction);
  • During-scam Emotions – feeling like I owe the customer (undertaking the transaction of money he said he’s already paid and supplying the goods);
  • Immediate Post-scam Emotions – amazing disappointment and despair (I had been giving away goods that others usually sell, and selling goods at a ‘steal’ as a part of what I self-reasoned ‘my contribution to society,’ and that was completely taken advantage of).


I had separated the diligent self-awareness of cybercrime and fraud that I would have with me on other occasions from my ‘getting stuff done around the house’ mode of thinking, the mode when everything’s going well – the idea of maleficence did not even cross my mind. That’s another world.

The effects of cybercrime are severe and the domain shouldn’t go unnoticed, particularly from the victims’ and potential victims’ (everyone’s) perspective. In addition to sales and purchase frauds being among the most prominent scams, cybercrime victims (younger and more senior adults) suffer (Statistics Netherlands, 2023): diminished trust (in general); diminished sense of safety; sleep problems; depressive symptoms; anxiety symptoms; and reliving the incident.

How to build a world or economy of trust in a world where you absolutely can’t trust is an extremely challenging idea, particularly when many of these attacks are encountered by people in the comfort and peace of their own home. The circumstances of people’s actions leading up to victimization are poorly accounted for by scientific literature and cybersecurity initiatives in general. Furthermore, one person does not account for ‘one user’. Rather, one person equals many users depending on the day, time and conditions of the user and interactions with technology. We understand that cybercrime is a hugely wicked problem that is spiraling out of control at a momentous rate, meaning that there is no way that on a technical level anyone can stay on top of deviant developments. BUT, what we can control are the obvious pitfalls that can be anticipated and have already proven to be flawed.

Through communication and design for ALL OCCASIONS we can make a difference.

If you have a story like mine that you would like to share, please contact me at: Rebekah.rousi@uwasa.fi, or via LinkedIn (https://www.linkedin.com/in/rebekahrousi/). I would love to hear from you, all knowledge is good knowledge when it comes to literally saving lives.

This blog is linked to our “Emotional Experience of Privacy and Ethics in Everyday Pervasive Systems” project, funded by the Research Council of Finland.

And, for more on this case see a recent Helsingin Sanomat article (6.8.2024): https://www.hs.fi/suomi/art-2000010613533.html


References

Europol. (2022). Cybercrime. https://www.europol.europa.eu/crime-areas/cybercrime

Frijda, N. H. (1993). Appraisal and beyond. Cognition & Emotion, 7(3-4), 225–231.

Government of the Netherlands. (n.d.). Forms of cybercrime. https://www.government.nl/topics/cybercrime/forms-of-cybercrime

Kahneman, D. (2011). Thinking, Fast and Slow. Macmillan. ISBN 978-1-4299-6935-2.

Russell, J. A. (2003). Core affect and the psychological construction of emotion. Psychological Review, 110(1), 145.

Statistics Netherlands. (2023). 2.2 million cybercrime victims in 2022. https://www.cbs.nl/en-gb/news/2023/19/2-2-million-cybercrime-victims-in-2022

Woods, N., & Siponen, M. (2018). Too many passwords? How understanding our memory can increase password memora
