Don’t Click on That Link!
Scams are getting smarter, but two UW–Madison professors have tips for protecting yourself online.
We’ve all heard stories like these:
An email is going around that looks like it comes from your bank but is actually a scammer looking for access to your account to steal your information and your money. You make a purchase from an unfamiliar website that steals your credit card information.
Call it spamming, scamming, phishing, or fraud, these anecdotes — taken from a cybersecurity study authored by UW–Madison Information School (iSchool) professors Rick Wash and Emilee Rader ’95 — all boil down to the same thing: cybercrime.

Rader and Wash have found that the human instinct for telling stories may be one of the best defenses against cyberscams.
The basic techniques of modern cybercrime have changed little since the dawn of the internet: fool people into giving up access to their personal information and their money. But the complexity of these scams has spiked in recent years due to advances in technology.
The latest data from 2024 show that U.S. consumers reported 2.6 million cases of fraud to the Federal Trade Commission (FTC) — about the same as 2023. But consumers lost $12.4 billion to these scams — an increase of 25 percent from the previous year.
It might be tempting to simply break with technology altogether. But if throwing out your computer and moving to an off-the-grid farm is not an option, there are ways to practice safe tech that, luckily, don’t require an expert’s understanding of cybersecurity.
According to Wash and Rader, the human instinct for telling stories may provide one of the strongest defenses against cyberscams.
The More Things Change …
Wash began his academic career some 20 years ago researching cryptography, or the making and breaking of secret codes. He discovered early on, he says, that “no matter how good the technology is, if people make bad decisions, then the technology can’t help.”
Today, Wash studies the human factors of cybersecurity because, he explains, “I think those are much more critical than a lot of the tech.”
Technology has come a long way since Wash began researching cybercrime. But perhaps the biggest change, he says, is how much each individual is now asked to do to stay safe online.
No longer is a single password scribbled on a Post-It note sufficient to maintain your cybersafety. Recent studies have found that the average person has more than 150 passwords. Wash also cites developments like the need to set up two-factor authentication and install required software updates. Though these systems are designed to protect users — and Wash acknowledges that each new task isn’t too taxing on its own — they also create many more instances where information may be leaked, lost, or stolen.
At the same time, emerging technologies are making cyberscams more complex, harder to spot, and easier for less tech-savvy scammers to pull off.
The typos and grammatical errors that were once the classic tell of the scam text or email? “AI has basically fixed all those,” Wash says.
Many scams traditionally began with single messages designed to get targets to act fast, to click a link, or to provide information right away. Today, victims are just as likely to get caught up in personalized “conversations” with AI chatbots.
The interaction may start with a short, innocuous message, “something that just piques your interest,” Wash says. “And after two or three responses, then they’ll try to get you to do something that’s potentially dangerous.”
Today, scams can be easily scaled to target more people. There’s currently a veritable industry that exists around cybercrime. And just about anyone can become a cybercriminal, not only the tech-savvy teenage boy in his parents’ basement who was once cybercrime’s usual suspect.
“There’s a whole ecosystem of criminal actors who work together,” Wash says. “They’re contracting out different pieces of the scam to different parties. So they’ll get their software from one place, a separate service that they can use to send lots of fraudulent text messages. There’s another service they can use, once they have a bunch of credit card numbers, to turn those into money.”
Yet as much as technology has evolved, scammers’ basic techniques are more or less the same as ever.
The More They Stay the Same
You’re likely familiar with the most common kinds of fraud reported to the Federal Trade Commission. In 2024, these were impostor scams — where fraudsters pretend to be someone you know or an official from a recognized institution like a bank or government agency — followed by online shopping and business and job opportunities. (“Join our professional team! Make up to $500 a day!”) The channels these scammers use haven’t changed much, either. Per the FTC, the three most common ways scammers contacted their targets in 2024 were emails, phone calls, and text messages.
It may come as no surprise, then, that Wash says across his decades of research, “the human stories we’re hearing don’t change much.”
In 2012, when Wash and Rader were on the faculty at Michigan State, they coauthored a study on how “nonexpert” technology users made decisions about cybersecurity. They concluded that one of the most effective ways their subjects learned about cybersafety was through real-life cautionary tales shared by friends and family members or in the media.
The stories that Wash and Rader’s subjects reported were memorable for being connected to a specific incident, as compared to, say, hypothetical scenarios in mandated cybersecurity training or jargon-filled expert advice. Many of the stories mirror today’s most common scam attempts, “from emails impersonating banks,” the study reads, “to more elaborate attempts by individuals chatting up unsuspecting users on Facebook or in online games.”
The lessons gleaned from these stories correspond to traditional expert advice: don’t talk to strangers online; choose a strong password and change passwords often; don’t share personal information. In 2022, Rader and a new group of coauthors replicated the storytelling study. They found echoes of several of the same 10-year-old lessons.
Whether it’s coaxing someone into divulging their bank account information or trying to get them to click a link in a text message claiming to be from a relative, some of the strongest obstacles to cybercrime are the same as they’ve ever been. While a scammer may have an easy time finding out your name, or where you work or even where you bank, it’s harder for them to know if you’re expecting a call or email from an old friend or a package in the mail. Ultimately, scammers don’t know that much about you. Or do they?
Do You Know Where Your Data Are?
When Rader was a postdoctoral fellow at Northwestern University, a visiting friend was perplexed by the flashing blue lights that she saw all over town. They belonged to surveillance cameras installed by the Chicago Police Department to record potential crime in high-risk areas.
“Did someone have to give you notice about that?” Rader’s friend asked. “Did you have to consent to being recorded?”
The interaction was a turning point for Rader. Since then, she has researched the human aspects of data privacy. The subject has become increasingly thorny as technology and systems for collecting personal data have entered every aspect of our daily lives. In the UW class she teaches, Digital Footprints: Privacy and Technology, Rader explains that most of your interactions with technology, from telling Facebook your birthday to using Face ID on your iPhone, can contribute to a profile of you created from data.
Companies called data brokers combine that data, Rader says, “and feed it into models that can infer stuff about people that they didn’t intend to disclose.”
These brokers can then sell data to a wide range of customers, like advertisers, who use it to show you ads based on your activity. If you’ve ever been confronted with an ad on your social media feed for cat food just hours after visiting a pet adoption website, you can thank data brokers.
But the information can also serve more far-reaching purposes. Bounty hunters or private investigators, for example, can use brokered data to track down persons of interest. In worst-case scenarios, criminals may illegally purchase users’ data to forge health records or reveal private addresses or other identifying information (a type of harassment known as doxing). But even data obtained legitimately can be cause for concern.
So what’s a privacy-minded person to do?
Modern data-collecting infrastructure, Rader says, is so ubiquitous that it would be near impossible to turn invisible online. “How would we live without our cell phones?” she asks. In an age of datafication, a good start may just be thinking more critically about privacy — its value and its cost.
In Rader’s class, she illustrates this principle using the example of the MagicBand, an electronic bracelet that guests at Disney parks can use as a hotel room key, admission ticket, payment method, and more. Rader explains that the product works in much the same way as a prisoner’s ankle monitor, although the MagicBand uses a built-in RFID sensor, while ankle monitors typically use GPS.
Even though users can remove the MagicBand whenever they choose, they are still sacrificing some of their privacy in exchange for convenience. It’s a reminder to be diligent about technology use, because information can be compromised even in a situation that seems harmless.
Thankfully, there are steps you can take to protect yourself (see below). But if you do fall victim to a scam, Wash says it’s important to share the news with others. “That’s how we teach each other how to be safe online.”
Jess Miller MA’25 is a Madison-based writer and communications manager.
Published in the Summer 2026 issue