“A common tactic is to ‘accidentally’ email all the pay data for an organisation and then send a follow-up saying, ‘Oh sorry, that was sent by accident. Please don't open it’. You can guarantee that leveraging people’s curiosity like this is one of the triggers that scam artists will use.”
Would you be able to resist? Professor Adam Joinson from our School of Management has been working in the field of cyber security – at the intersection of psychology and data science – for 15 years. Much of his research focuses on phishing, where fraudulent emails are sent out, purportedly from trusted senders, in a bid to lure you into sharing passwords and other personal information.
Phishing is the most common type of online scam, which means it’s a seriously large-scale problem: as of early 2023, 97.8% of the UK population had access to the internet. 39% of UK businesses reported suffering a cyber attack in 2022, and 83% of these were phishing. Google blocks around 100 million phishing emails in just a single day.
Interestingly, as Adam points out, attackers are simply using modern technology as a medium for centuries-old techniques. “There is quite often an appeal to authority,” he says. “It will be someone pretending to be high up in a bank saying there's been an issue. There’s also the use of urgency, where you have to act quickly because something terrible is going to happen or to take advantage of an opportunity. So you must click now to get your free tickets or to keep access to your bank account.”
Adam’s research started by looking at the results of phishing simulation exercises in national infrastructure organisations, where he found that the most successful attack emails led to around 15% of recipients clicking on the links within. Not everyone went on to input their passwords but, as he points out, this isn’t always necessary to enable an attack on a computer.
He then ran focus groups and identified a range of factors that affect how likely people are to fall for attacks. Those who work in roles such as procurement, for example, spend a lot of time dealing with emails from external senders, often with PDF documents such as invoices attached. For them, taking numerous steps to verify every incoming message simply isn’t practical.
Adam’s now developing a dashboard for UK infrastructure companies that demonstrates not only click rates and their breakdown by job function, but also insights into what types of messaging have proven most effective against which types of employees. The tool will also enable quicker testing of potential interventions, such as encouraging users to report suspicious emails to their IT department.
“What we really want is for people to feel that security is there to help them do their job, not to catch them out,” he explains.
“We encourage people to keep an eye out and to think, 'Am I being prodded in a certain direction?’. It seems to have been quite successful in terms of moving beyond the assumption that it's all on employees to be careful about every single email. Instead, we need to be aware of the ways that scammers will go for you, and how you can take extra precautions, like look at who's sent the message, or put a PDF through a virus scanner when necessary.”
You've been served
Another thing that might get you feeling cynical is social media marketing and those snappy adverts served into your feeds. How do they know, with often uncanny precision, what you might be interested in? “What advertisers do is classify you in relation to your online behaviour and how that compares with other people who have similar kinds of behaviours,” says Dr Sarah Glozer, Head of the Marketing, Business & Society Division in the School of Management.
“These practices are so difficult to understand,” she continues, “because everybody is served something different; it's not like the olden days where you would be sat in front of the TV and at 8 o'clock everybody would be seeing the same advert.”
While she acknowledges that these adverts can prove convenient for users, they can also pick up and capitalise on our insecurities – or even manipulate our feelings about what we ‘should’ be doing at a particular point in our lives.
“When you're dealing with a brand like shoes, it's quite innocuous,” says Sarah. “But some of the adverts we saw [during research conducted with Dr Jo Hinds, also in the School of Management] were for dating sites, the morning-after pill or contraception. What that does is create these quite problematic cultural scripts for people where they think, ‘Oh now I'm at the age where I need to be thinking about settling down’. Funnily enough, pretty much all those adverts were targeted at women.”
She also uses the example of gym advertising: while marketing content will strike gold with a handful of interested viewers and simply be scrolled past by many, there will also be those with anxieties about their bodies, for whom the advert holds more serious emotional connotations.
“We need to be more mindful of not just the accountability of companies in this space, but around our rates of digital literacy,” she says.
Social media platforms prioritise the commercial content that’s most likely to make them money. The issue is that that’s not always in users’ best interests. Is there more that they can be doing to protect us?
In Sarah’s opinion, there’s no limit to the amount that platforms could and should be doing – but the problem also lies in a lack of legislation:
“The Online Safety Bill has been debated in UK Parliament over the past few years, and it still hasn't been finalised. It is designed to give more power to penalise social media companies if they're not carrying out a duty of care towards users, particularly in contexts such as micro-targeted advertising.”
Having an influence
Behind-the-scenes persuasive mechanics aren’t just opaque when it comes to the adverts that we’re served, either. They’re also far from transparent when it comes to that most maligned of online careers: influencing. Sarah has also been investigating the ways in which influencers are recruited and remunerated in their efforts to shape our purchasing decisions.
“We spoke to brands and agencies who use influencers in their social media marketing, and they were open about how they choose who they work with. Sometimes it was quite rational – identifying influencers based on the number of followers and how their engagement rates scored – but other times suggestions were made on a more subjective basis. It's difficult because influencers don't necessarily get a window into that process.”
What’s more, while there’s a perception of influencers living a life of luxury, Sarah’s research has found this to be far from the case. In fact, influencing is a wildly precarious career, subject to the whims of fickle audiences and with no common compensation standards across the industry. By interviewing a range of influencers, she uncovered a gaping pay disparity, which also has both gendered and racial undertones – as well as feelings of ‘tokenism’ from influencers in minority groups.
“At one extreme, people work for free,” Sarah says. “At the other extreme, I met an influencer who was earning €250,000 a year, being flown all around the world and staying in five-star, luxury resorts.” As influencing is quickly becoming one of the most powerful forms of online marketing due to its perceived credibility and authenticity, influencers increasingly mediate our online relationships with brands – for better or worse.
In a jam
Digital issues can have a much wider impact than just on individuals, too: they can be disruptive to the infrastructure that keeps our society running. One area in which our Department of Electronic and Electrical Engineering has helped police is the fight against GPS jamming devices.
GPS tracking devices are fitted in many vehicles, particularly delivery vans and high-value cars. These enable owners to keep tabs on where they are at any given moment.
“People that realise they might be being tracked by, say, the National Crime Agency – under suspicion of drug running or organised crime – and are attempting to defeat this equipment,” explains Dr Robert Watson.
“Or just from a privacy point of view, some people decide ‘I don't want that’, and so go out and buy a jammer device. The problem is that they’re quite blunt instruments, so not only do they defeat GPS tracking in the immediate vehicle, but they actually create a bubble of jamming that follows them around. It's equivalent to them putting a big, shiny, orange light on a vehicle and driving around – lots of people get to see it.”
On the lookout
Robert and his team, working in conjunction with industry partner Chronos Technology, developed a tool to detect these jamming devices. GPS signals are incredibly weak by the time they reach the Earth’s surface, and so jammer technology overwhelms GPS receivers by blasting out a more powerful signal, making receivers simply give up the ghost.
As Robert explains: “GPS signals are the equivalent of a 60-watt bulb shining down. The jammer is somebody shining a torch in your face and asking if you can still see the light coming from space.”
They have developed a device that can pinpoint precisely which car in a line of 50 contains a jammer. The device detects signals above a certain intensity, stronger than you’d expect to occur naturally. Its receivers listen out from multiple angles, and then use the measurements to triangulate the source of the signal. Robert likens the technique to a TV’s surround sound bar, but in reverse.
The technology has been used by police forces in Hampshire to catch gangs stealing vehicles, breaking them down for parts and shipping them out of the country, but its applications don’t stop there. GPS is a core part of our infrastructure, from maritime navigation to military settings to even keeping energy networks running, so people driving around with GPS jammers could – deliberately or not – cause chaos.
As Robert concludes:
“Everyone assumes that GPS is there, and so when it goes away, potentially because it's threatened by the use of a jammer, lots of things that you wouldn't necessarily expect to suddenly start falling apart.”
Avoiding a deficit
Adam agrees that hardware is as important as human intervention when it comes to keeping us safe from cyber threats: “There is a shift away from thinking that because users are the ones who take action or click on links, we should blame them, through to how we should think more fundamentally about how we invest in and build security from the ground up.”
He is a key partner in Digital Security by Design, a £190m initiative involving numerous universities, tech companies and UK government agencies. The project is working to create a safer digital future for us all. It’s an endeavour that will take considerable time and investment – one large software company estimates it would take 2,000 years of coding hours to move its systems over to a more resilient code base – but Adam believes it’s crucial.
“If we don't invest in car maintenance, we may save money now – but two or three years down the line when everything's starting to break because we've not changed the oil, then we've accumulated a deficit based on that non-investment. It's the same with security. At some point you’ve got to pay it. The question is, when do you start to pay back that security debt?”