The art of the scam: what makes the CEO fraud scam work?
Dr Peter Brooks, Head of Behavioural Finance at Barclays Wealth and Investments, examines the psychology behind the CEO fraud scam and explains why social engineering can be so effective…
Social engineering scams are effective because they recognise that the weakest point in a security procedure is often human psychology. The study of behavioural economics has many demonstrations of how our decisions can be manipulated.
In the CEO fraud scam, someone claiming to be the CEO unexpectedly approaches a colleague in the finance department to make a prioritised payment.
This pulls three psychological levers that can lower our defences against the scammers: authority, urgency and consequence. When combined, they create an effective way to defraud an individual.
In the 1960s, psychologist Stanley Milgram conducted experiments into how individuals respond to orders from someone in a position of authority. The rather uncomfortable (and somewhat controversial) experiment involved a participant trying to teach pairs of words to a fellow participant.
If the ‘learner’ got the pair wrong then the ‘teacher’ would have to administer larger and larger electric shocks. In fact, the learner was an actor and there were no electric shocks involved. However, the experiments found that many individuals would continue to apply the electric shocks even after the actor had stopped describing the pain of each shock and had fallen quiet. When questioned, the experimenter just informed the teacher to continue the experiment.
We all naturally tend to avoid the possibility of bad outcomes, or in other words, we are loss-averse…
In the CEO fraud scam the scammer establishes their position of authority (albeit falsely) and makes an instruction. If the Milgram experiments are to be believed, we tend to be obedient rather than defiant in a situation like this. The success of this element of the scam depends upon how successfully the scammer can trick you into thinking they are the CEO. Once that is done, the scam has a good chance of succeeding.