Why are scams so prevalent? How has technology aided their growth? In analyzing the psychology behind scams, can we inoculate ourselves to better prevent their success?

Are your inoculations up-to-date? I'm not talking about your tetanus shot, I'm talking about an inoculation of skepticism! This week alone I received a phony invoice for a conference I attended in 2017, two phone calls from my "credit card company" asking about two transactions made at 4 a.m. that day (eBay and Western Union), and a text from my "bank" telling me that my credit card was disabled… Couple that with the fact that we've just concluded tax season – it's time to talk about scams!

I'd recently finished reading the book "The Confidence Game: The Psychology of the Con and Why We Fall for It Every Time" by Maria Konnikova. It, along with a long-time favorite resource of mine, "Influence: The Psychology of Persuasion" by Dr. Robert Cialdini, are resources I highly recommend to those trying to dissect the means of manipulation in daily life.

Cialdini's Theory of Influence is based on six principles: reciprocity (the tendency to return a favor), commitment/consistency (a promise made is generally kept, even if the original motivation or incentive is removed), social proof (the tendency to join a following if you see others doing it first), authority (the tendency to obey authority figures), liking (the tendency to join a following if people you like are doing it first), and scarcity (the economic principle that perceived scarcity generates demand).

Konnikova couples Cialdini's principles with stressors that make people more susceptible to scams, including FOMO (Fear Of Missing Out), other concerns (health, financial, and family), and urgency. In particular, she focuses on our innate inclination to trust people. She goes into great detail, describing how confidence games existed long before Ponzi, how technology has broadened the playing field, and how even sophisticated people can be duped.

Scams, when successful, usually play on a subset of these principles. Some of the most prevalent scam vectors include:

Phone/impersonation scams

Fraudsters typically call the target and misrepresent themselves. In my most recent case, they claimed to be from VISA. In the background, I could hear a busy call center, and my caller had a thick accent. They asked for my VISA number (and even told me the first few digits of my credit card).
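
The first digits the caller recited identify the issuer, not the cardholder. The following Python is an added illustration, not code from the original post: it separates the public IIN prefix from the rest of a card number using well-known brand ranges and the Luhn checksum, run over the standard published test numbers (constructed input, not real cards).

```python
"""Added example (not from the original post): how much a recited card prefix proves.
The first six digits are the Issuer Identification Number (IIN, formerly BIN):
they identify the brand and issuing bank, are shared by every card that bank
issues, and are published in public tables. Brand prefixes and the Luhn checksum
are well-known public rules; sample numbers are standard published test numbers.
"""

def card_brand(number: str) -> str:
    """Infer the brand from the leading digits using public prefix ranges."""
    digits = number.replace(" ", "")
    if not digits.isdigit() or len(digits) < 4:
        return "unknown"
    if digits.startswith("4"):
        return "Visa"
    if digits[:2] in ("34", "37"):
        return "American Express"
    if 51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720:
        return "Mastercard"
    return "unknown"

def luhn_valid(number: str) -> bool:
    """Luhn checksum; every valid card number passes it, so it says nothing about the holder."""
    digits = number.replace(" ", "")
    if not digits.isdigit():
        return False
    total = 0
    for i, d in enumerate(int(c) for c in reversed(digits)):
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def what_a_caller_proves(number: str) -> dict:
    """Split a card number into the public IIN and the holder-specific remainder."""
    digits = number.replace(" ", "")
    return {
        "iin": digits[:6],  # public: same on every card this issuer produces
        "brand": card_brand(digits),
        "luhn_valid": luhn_valid(digits),
        "holder_specific_digits": max(len(digits) - 6, 0),
    }

# Constructed sample input: standard published test numbers, not real cards.
SAMPLE_CARDS = ["4111 1111 1111 1111", "5555 5555 5555 4444", "3782 822463 10005"]

if __name__ == "__main__":
    for card in SAMPLE_CARDS:
        print(what_a_caller_proves(card))
```

Only the digits after the IIN are specific to one cardholder, which is why reciting the prefix is no evidence that the caller holds your account.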

Note: you can go online and find the first several digits of your credit card, depending on the bank you use (this is the Issuer Identification Number (IIN), previously called the Bank Identification Number (BIN)). I told them I had several VISA cards and wanted to know which bank it was. They misidentified my real bank and then promptly hung up.

This fraud vector plays on the principles of authority, financial stress, and urgency.

It's important that you don't offer these fraudsters ANY information whatsoever. Don't confirm or deny any information, including which bank is really yours (or checking/savings/investment account numbers, etc.), because it can be used to build a profile that is shared with other groups and used against you later.

Sometimes the fraudsters pretend to be from a tax authority (IRS, CRA), threatening arrest, deportation, or revocation of your license. Tax authorities do not typically use the phone to demand a payment (and certainly not through wire transfers, gift cards, or prepaid debit cards). In a similar vein, tax season provides ample opportunity for identity theft. One of the best ways to defend against this is to file your tax return as soon as you can (electronic filing, with direct deposit for any refund, is generally considered the best method).

By default, don't blindly trust any inbound phone call, even if the Caller ID seems legitimate. If they ask you for personal information, ask for their phone number so you can call them back. Before calling back, check with Google to see if the number is legitimate (or just call the number on the back of your bank card). If someone claiming to be from the IRS calls you, call them back directly (personal: 800-829-1040, business: 800-829-4933). Similarly, the CRA may be reached at 800-959-8281.

Many of these scams operate overseas, which adds layers of complexity and difficulty for investigators.
It has been demonstrated that they're well-organized businesses. Don't bait them. They have your phone number, and you have little recourse if they decide to escalate.

Email scams

Phishing. Good old reliable phishing. It's still the most popular attack vector for scamming people. From fake login pages for retail (e.g. Amazon, eBay, Apple Store), financial pages (e.g. banking, investment accounts, insurance claims), and As-A-Service offerings (e.g. Gmail, DocuSign) to Business Email Compromise (aka "Spoofing the Boss"), it's an amazingly cost-effective and popular avenue for ripping people off. It may (but need not) use malicious content to achieve its goal, which is why it can be difficult to prevent through purely technical means. This fraud vector also plays on the principles of authority, financial stress, and urgency.

Increasingly, tax professionals and finance and human resources personnel are being selectively targeted for user information. Within your business, ensure that those who have access to sensitive employee data are on especially high alert for inbound scams. It's also important to let family members know about this, especially those who might be particularly susceptible to fear tactics.

Some quick tips:

- Use two-factor authentication wherever you can, and where you can't, use a unique, complicated password for each remaining account.
- Never give out sensitive information over the telephone unless you've taken steps to verify the other party first.
- Recognize the signs of a well-crafted email scam and exercise skepticism.

Twenty minutes after the first fake "VISA" call, another person called me and read off the identical script (4 a.m. charges to eBay and Western Union) amid the same noisy call-center background. I figured that they hadn't had a chance to update my contact information in their database after the earlier call. I told them that the charges were legit, and they quickly hung up.

In this case, an inoculation of skepticism worked! However, there is no sure-fire way to guarantee a perfect result every time. I distrust every single inbound phone call until I have evidence to modify this belief. Not everyone has the ability to be so judgmental.

For example, when performing corporate social engineering tests, one area ripe for exploitation is the IT help desk. Because their job is to deal with dozens (if not hundreds) of inbound requests for assistance, usually involving mundane issues such as password resets and access requests, it isn't unusual for them to be exploited. It is critical that the process be detailed (and followed consistently) to minimize the attack surface.

The third book I'd like to reference is "The Art of Deception: Controlling the Human Element of Security" by Kevin Mitnick. It details several stories and strategies that I find valuable. When assembling a strategy to defend against scams (and social engineering), I recommend that you (or the course planner) read these three volumes for ideas.

It isn't sufficient to simply hold a "once-a-year" security training session. Tools such as weekly advisories (e.g. examples of scam attempts that were caught internally) can help raise awareness. The judicious use of phishing tests can also help to raise the baseline of skepticism. It is important to note that, stylistically, email phishing has become considerably more polished and professional-looking. Although Nigerian princes still try to give away their fortunes, in general the days of misspellings and low-resolution graphics are far behind us.

One last item of note from Konnikova's book: we don't generally recognize our own blind spots (of course – that's why they're called blind spots), but we're usually well attuned to those of others. If you find yourself presented with an "opportunity" or an unusual email, ask someone near you if it makes sense. Watch for undue urgency ("I need this wire transfer sent immediately!" or "Your email will be shut down if you don't update your credentials!").

There is no absolute way to completely eradicate end users' susceptibility to scams, but with constant care and diligence (coupled with technical measures), it's possible to provide guidance that ensures heightened awareness and skepticism.