How to Identify a Scammer Online: Spotting Digital Deception
Everyone is vulnerable to scams and fraud online, especially if you’re distracted or in a hurry. That includes scam and security experts, too. We’re all at risk. That’s why it’s so important to learn how to identify a scammer online. Building these skills with critical thinking, self-awareness, and habits of healthy skepticism can help protect you.
See Digital Deception: What Lies Ahead with Perry Carpenter for a complete transcript of the Easy Prey podcast episode.
Perry Carpenter is a technology professional who specializes in cybersecurity. He has worked at the intersection of tech and the human condition for the past twenty years – which means he focuses on why people do what they do, why they think what they think, and how tech helps or hinders that. He is currently the Chief Human Risk Management Strategist at KnowBe4. His latest book, FAIK, explores AI and online deception.
When Perry first started his security career, working in security meant also working in groups and taking deep dives into things like permissions and directory structures. After a few years, he realized that no matter how much you do with security issues, it’s still hard to control or account for the human factor. So he started exploring why people do what they do and think what they think, and how they can get pulled into doing or believing something they never would have thought they’d do or believe.
Regardless of how much people say, spend, or do on security-related issues, there’s always this factor that’s hard to control and hard to account for, and that’s the people side of things.
Perry Carpenter
Even Experts Get Fooled
Perry has always been interested in professional deception, like magicians and mentalists. If you’ve ever had your attention pulled by a good magician, you know how misdirection works. By using body language and other cues, they’ll convince you they put the coin somewhere they never did. The pattern is the same – it’s taking advantage of the way the human mind works to misdirect. Perry sees it all the time in cybersecurity.
It’s the same pattern. It’s taking advantage of human nature and the way that our minds work at their core.
Perry Carpenter
KnowBe4 is a cybersecurity training company. They specialize in simulated phishing emails. Perry had worked there for about a week when he fell for the first one. If you would expect anyone to know how to identify a scammer or a suspicious email, it would be Perry. That’s literally his job. But it just happened to hit him the right way. He was waiting for a legitimate DocuSign document from HR for part of his benefits. The phishing email looked like a DocuSign email. He has good habits on his computer, like looking at senders and hovering over links, but in this case he was on his phone. Everything seemed to add up, and boom, he was caught.
That wasn’t the only time it happened, either. Another time, he was in a line at a conference. He was already distracted and had already talked to several people on the phone while standing in this line. His company’s VoIP system sent emails when you get a voicemail. So when he saw the phishing email about a missed call, he clicked. Again, it was a plausible situation, and he was distracted and using a device where he hadn’t yet built good security habits. Everyone is vulnerable in the right situations.
Secure Habits for Mobile Phones
It has now been over seven years since Perry last fell for a phishing email. At his company, they send out multiple per week, so that’s a good track record! It also means he’s probably due for another situation where he’s distracted and the phishing message finds another place where he hasn’t built the right security habits yet.
He’s kept up this seven-year streak by building better habits. His habits to identify scammers and phishers online and in emails on his computer were already pretty good. So he added better phone habits. Now, if he gets a notification or email that he can’t verify on his phone without clicking the link, he doesn’t click. It will have to wait until he’s in front of a computer and can check more thoroughly. And if the notification is related to a service that has an app or website, he doesn’t click the notification – instead, he opens the app or logs into the website separately to check.
I take out the convenience factor of clicking on the link … to save myself a little bit of hardship if that thing is not legit.
Perry Carpenter
Some things are obvious red flags. If you use Gmail and get a notification about your Office 365 account, you know that’s suspicious. But when the phishing message includes a real service you do use, there’s implicit trust. We’ve been conditioned to take the easy way out by clicking the link. Platforms and apps want to make our experiences easy. But cybercriminals and scammers also want to make falling into their traps easy. Human minds easily fall into habits – we have to break them.
Friction is Important for Cybersecurity
For many years, businesses have wanted to reduce friction. They don’t want to make it hard for customers – if it’s too hard, customers will go somewhere easier. But with all the scammers and fraudsters online getting harder and harder to identify, we’re almost at a stage where we need more friction.
When Perry was an analyst at Gartner, he focused on the field of identity management, authentication, and authorization – basically, how to prove that you are who you say you are and should be doing the thing you’re trying to do. In some spaces, especially where there’s low risk, you want as little friction as possible. But when there’s more risk, and the user understands and appreciates that risk, that’s almost permission to introduce friction. In fact, if there’s no friction, people often don’t feel safe.
Putting on a seatbelt is a little bit of “friction” in the driving experience. You have to pause and take the time to do it. But if you got in a car and there were no seatbelts, you wouldn’t be comfortable. Sure, there’s less friction, but it feels less safe. With some environments, like online banking, people just don’t feel safe if there’s not the right amount of friction. We still want to be able to do things like wire money to someone, but we appreciate it when the bank has our backs and wants us to verify things first.
How to Identify a Scammer Online in a World of AI
Social engineering is really just a form of misdirection targeted around how the human mind works and combined with technology trends. We’re in a space where tech-based deception is more available to anyone than at any time in history. Perry is specifically thinking of generative AI, including text, images, and deepfake videos and voices. AI uses the same deceptive principles, but at unprecedented scale and with unprecedented ease of creation.
Social engineering really is misdirection, but it’s just built around the way the human mind works.
Perry Carpenter
It’s human nature for us to want an easy way to detect something. In the past, the advice to identify a scammer online was to get them on video – if you could get them on video chat, they were probably legit. Now tech has made it easy to alter voices and appearances in real time, so that’s no longer good advice. Perry sees people over and over again giving advice like looking at fingers, hair, text in the background, or any number of things to spot deepfakes. Right now, that only helps you detect bad deepfakes. Those signs are going away rapidly. And what do you do if someone takes the time to get a good deepfake that doesn’t have those tells?
Security people are constantly pushed into advice mode. But Perry doesn’t give people the easy way out on how to identify a scammer online, because that doesn’t exist. In fact, that’s not even the right question. Whether the person you’re talking to is “real” or not is actually secondary.
The Actual Questions You Should Be Asking (Hint: It’s Not “How do I Identify Scammers Online?”)
Here are the questions you should be asking: Why does this exist? Why is it in front of me? What story is it telling? What emotions is it trying to evoke? How is it pushing me to act or believe?
It’s a challenge to answer those questions when you’ve already been pushed past the point where you can cognitively make these assessments. In some ways, it comes back to your basic security training. But really, the biggest thing you can do to get the upper hand is just stop and take a breath. If you want to identify scammers and scam techniques online in a world of AI, you’re going to have to cultivate that skill.
Studies show that people can tell if something is fake or not less than a quarter of the time. News stories report all these “tells” of deepfakes that give us a false sense of confidence. But when it’s one of a hundred things in your inbox or social media feed, it’s not obvious. When we’re looking at those things, our default assumption is that everything is real. We have to cultivate a healthy skepticism where we evaluate everything before we act.
We have to cultivate this pleasant skepticism … before I do anything, before I react emotionally to this thing, I need to introspect just a little bit.
Perry Carpenter
Introspection for Scammer Detection
Before you act, do a little bit of introspection. What story is it telling, what are you feeling, what does it want you to feel, and what is it hoping you do? If you feel yourself getting emotional, why? Slow down. We know people are capable of doing this because people throughout history have been trained to recognize and manage their emotions before they act.
Security professionals have to be honest with themselves and the people around them. Just because they’re experts in how to identify scammers online and spot deception and misinformation doesn’t mean they can’t get caught. The right pretext, scam, or story at the right time can get anybody.
We see Nigerian Prince emails and think it’s pretty obvious that no random stranger wants to give us $100 million. We create a false sense of security in our heads that all scams are that easy to identify. But in the moment, it’s not always that far outside of what you expect. Think about the phishing emails that caught Perry – they were both plausible. If it fits within the narrative that we would understand, expect, or hope for, the scammer is already halfway there.
Scammers are getting good at this, too. A little bit of hope, like a fake lottery win when you don’t know how you’re going to pay rent, can be enough to plant the seeds of credibility. And a lot of pig butchering scams are starting to send a little money back to victims – not much, but because the narrative is that you’ll never get any money back from a scammer, it’s enough to convince them it’s legit. People have a hard time embracing uncertainty and nuance. But unfortunately, identifying scams online often isn’t black and white.
What We Can Do
Perry is against easy answers. The complex answer is that we have to have a healthy skepticism of our information environment. We are always being sold stories, whether they’re legitimate or disinformation or deepfake. You need to know how you can know it is true, or at least how to evaluate when it asks you to believe something or make a critical decision.
If I now live in an information environment where fiction passes for true over 75% of the time, what questions do I need to ask myself anytime this thing might lead me to make a critical decision?
Perry Carpenter
The human mind works on stories and is driven by emotion. When you understand that every scammer, hacker, and influence artist is after your money or data, you can start to ask what the story is, what it’s making you feel, if the source is credible, if the information is verifiable, and what it wants you to do or believe. No matter where it comes from, ask these questions. React in an informed way, not just on reflex or because of emotions. There are very few situations where slowing down to think will cause problems.
There are very few things in life where we pay a price for slowing down and asking some critical questions.
Perry Carpenter
Perry loves Super Bowl commercials as an exercise for this. You already know what they want you to do – buy their product, or at least be aware of their product. Watching these commercials can show you great examples, and also examples with huge budgets and very little planning. Watch some commercials, identify the product, the story, and how it’s trying to make you feel. As you do this, you’ll start to notice what types of stories and emotions really influence you.
Know What Influences You
The narratives, tells, and offerings that work on you aren’t universal. They’re not the same things that other people would have fallen for or that would raise a red flag for them. The sooner we realize this, the better off we are. If you’re giving someone advice on how to identify a scammer online, the last thing you want to do is say that something is how it will always be. It’s not a monolith. People are complex, and scammers are people too.
People are complex, and scammers are also people. They’re very complex as well.
Perry Carpenter
If we say to look at the ears to spot deepfakes, scammers are going to tune their software so the ears look better. If we say watch out for someone offering $10 million, what happens if a scammer offers $1,000? It’s not about the message you’re getting, it’s about what’s happening internally. If you’re feeling an inordinate amount of hope, if it’s appealing, if you really appreciate it, if it makes you really scared or angry, beware. Once you realize you’re feeling those emotions, consider how someone could weaponize that feeling against you.
It always comes back to that internal reaction. It doesn’t matter if you can identify a scammer or a fake person online or not. The important part is internal – how you’re reacting to that message and what they want you to believe or do. It’s all introspection. The mindfulness movement can be very “woo” at times, but if you take all the spiritual stuff out, being aware of yourself as a person with emotions that can be hijacked and being aware of your emotions in a moment without reacting to them are great skills to have. You can apply that directly to cybersecurity. That awareness is what’s going to keep you safe.
You can connect with Perry Carpenter on LinkedIn; he is also on Twitter/X @perrycarpenter, but less active there. Get more information about his book at thisbookisfaik.com.