Experts Ponder Effectiveness of Official Warnings of Cyber Scams

The Dubai Police, from the United Arab Emirates, and the Cyber Security Authority of Ghana have already issued two warnings this year, thanks to a series of unsolicited scam messages being sent to individuals.

In addition, malicious websites have recently been impersonating Dubai's Road and Transport Authority, and with some clever use of "black hat search engine optimization," these were ranking high on search results, and were convincing enough for unsuspecting browsers to hand over money to these scam websites.

Is it the fault of the public for continuing to fall for these fairly obvious scams, or do we need to do more to prevent these threats from flourishing? Security experts have a variety of takes on the answer to that question.

We're Too Trusting

Thea Mannix, director of research at Praxis Security Labs, says humans often operate in what she calls a "default mode," as information is passively consumed and there is a default response, which is to trust an authority figure.

When an authority figure asks you to do something, you are going to comply with whatever they tell you to do, she posited. So if an individual receives an email asking for money from what appears to be a legitimate entity, most recipients are less likely to question it.

Mannix explains that scammers or attackers are more likely to snare someone when the user isn't paying attention. And while a person may be more savvy when presented with a threat in real life, "in a digital space [the brain] is not really built for that," she adds, where we're more likely to miss the telltale signs of a scam site or message.

Kai Roer, CEO of Praxis Labs, agrees, saying "we are created to trust" and accept at face value, and that individuals will inherently trust the person communicating with you "because that is necessary for me and for you to survive as a species."

Joe Stewart, principal security researcher at eSentire, says it is all too easy to presume that no one would fall for a particular scam, but he points to the issue of "implicit trust" in search engine results.

"Attackers will use third-party blogs that they have hacked to increase their page ranking through SEO tricks and to get themselves placed higher," Stewart says. "A lot of the reasons that they are so successful is that they use highly targeted keywords."

What appears higher in search results is more likely to be clicked on, and Stewart says there is some responsibility on search engine operators to ensure malicious content — and sponsored adverts that lead to scam websites — get taken down.

It's less clear if warnings came from the police and the national cybersecurity agency make a real impact on the public. Stewart says there is always a belief that campaigns could be done better, but many agencies and law enforcement organizations are constrained by budgets and how much money they can devote to countering these threats.

Roer says there is a need for humans to have "constant reminders that we need to tell our brain to stop automatically making decisions," and be wary that not everything is as it seems.