The Gullibility Scale and susceptibility to phishing

Back in 2015, American journalist and New York Times columnist Frank Bruni wrote a passionate piece on the world of anti-vaxxers, the role the internet may be playing in our collective intelligence and humanity’s propensity to believe everything within indexing reach of a search engine:

Although the Internet could be making all of us smarter, it makes many of us stupider, because it’s not just a magnet for the curious. It’s a sinkhole for the gullible. It renders everyone an instant expert. You have a degree? Well, I did a Google search!

I’m fairly sure there has always been a proportion of our species more trusting of others, the good-hearted, happy to put faith in bold assertions, those now dubbed gullible and open to exploitation. Whether or not the internet can be shown to be making many of us ‘stupider’, it has certainly changed the playing field for the criminally minded.

The late 1970s era ‘crime triangle’ offers an easy way to visualise and understand crime problems – three things must exist in order to have a crime: an offender, a victim, and a location. Traditional crime prevention efforts looked to remove one or more aspects of the triangle to decrease the potential for harm – don’t walk through that rough neighbourhood at night and your likelihood of meeting an offender and becoming a victim is reduced. What the internet has done is turn the high-risk rough neighbourhood from a known geographic location with visual warning signs into a far larger area with fewer potential clues to detect danger and take early evasive action.

If location is harder to address, why not look to identify and assist potential victims? That has been the intent behind the Security Quotient research and it’s great to see a similar strategic effort underway at Macquarie University in Sydney to identify susceptibility to scams.

‘Gotcha! Behavioural validation of the Gullibility Scale’ looks to develop a similar psychometric scale to test and identify those who may fall victim to online harms.

The scoring construct – using HEXACO personality factors, Need for Cognition, Need for Closure, Sense of Self, and the Gullibility Scale – has some potential symmetry with other international efforts, including that of researchers at the Universities of Cambridge and Helsinki, who have developed the ‘Susceptibility to Persuasion II (StP-II)’ test that can be used to predict who may be more likely to become a victim of cybercrime.

In short, research on 219 undergraduate students found:

  • Participants scored as gullible were more likely to engage with scam emails by clicking on links.
  • Gullibility was also associated with emotionality and a poor sense of self.

Examining emotionality more closely, “people who are naturally inclined to be more emotionally reactive are consequently more likely to be persuaded by scam material.”

This emotional reactivity can be linked to feelings of stress, anger or pain and may lead to impulsive behaviour with potential poor outcomes – the archetypal decision made in the heat of the moment. Chris Hadnagy, my favourite social engineer, has talked at length about phishers using ‘amygdala hijacking’ to trigger physiological and psychological responses before the brain has time to kick in.

Could reading your emails in a heightened ‘fight-or-flight’ state lead to poor outcomes? There are certainly links to the UK’s Take Five fraud prevention campaign, which highlights the need to stop, think and challenge your initial emotional response to email and phone-based deception offences.

It will be interesting to follow the work of the team in Australia and see how their Gullibility Scale develops.