The email popped up on my screen at 6:45 a.m. on December 24. I’d already been up for a couple of hours, working to deadline. It was from someone I know quite well: the minister of the North Shore Unitarian Church, which we attend.
“I need a favor from you,” the message said. “Email me as soon as you get my message.”
“Ahoy Ron,” I replied.
A friend was in the hospital battling cancer, he said, and he’d just learned she was scheduled for surgery tonight. Could I possibly pick up some iTunes gift cards? “She needs the cards to download her favorite music and videos to boost her confidence on her next phase of surgery.” He’d do it himself, but he was tied up, he explained. “I will surely reimburse you as soon as I can.”
No one else in the house was up, so there was no one to run this by. But then, I probably wouldn’t have asked for a second opinion anyway. For reasons I’ll explore, reasons that are the heart of this story, it didn’t really occur to me that this might be a scam.
“Ok,” I emailed back.
“Thank you so much, Bruce,” my correspondent replied. Then he got down to business. I was to buy $300 of cards. (That is quite a lot of music, I thought.) “I need you to scratch the silver lining laced at the back of each card to reveal the redemption code, then take a snapshot of the code and have the picture or the Ecodes sent directly to Sharon at the hospital on her email.” He gave the address.
“Let me know when you’ve sent it,” he said. “God bless.”
God bless? We’re Unitarians. Optimistic agnostics at best. The “G” word doesn’t come up much. Totally weird sign-off there. I assumed Ron’s mind was still on the dire circumstances of his friend Sharon, who was evidently a Christian.
“I can pick up the card around noon and engineer this by tonight,” I said.
He was super grateful, he replied six minutes later, but tonight’ll be too late for Sharon to use the cards. “Can you please send them to her by noon so she could be able to use them before her surgery?”
This was unhandy. But hey, what was my slight inconvenience against this woman’s cancer fight—on Christmas Eve, no less? I drove to the grocery store and purchased four gift cards. The clerk activated them at the till, turning them into currency. Back home, I took pictures of the codes. At 9:30, I emailed the pictures with the following message:
Dear Sharon,
The codes on the cards below will buy you music via iTunes.
Everybody is pulling for you.
A busy Christmas Eve day then unfolded. I forgot all about this until, around 4:30 p.m., while waiting for takeout fish and chips, I checked my email. A follow-up message had been sitting in my inbox.
“Sharon just emailed me now saying she got the cards. I want to really appreciate you for that. I’m sure it’s going to go a long way in her fight over cancer.”
But now there was a new development. Apparently word of the gift cards had made its way around the cancer ward. Now other patients were asking for the same thing.
“Could you please get me additional $500 worth of Itunes gift cards right away? I will be paying you back $800. I’m so sorry for the inconvenience.”
This was a bridge too far. The personal friend was one thing, but random strangers on the ward? Don’t these women have family? And anyway, I thought, it might be too late.
I called Ron.
“Hey Bruce. What’s up?”
“Are we too late to help those other patients?” I asked.
Silence. Then: “Um. I don’t know what you’re talking about.”
“Those other patients on the ward who now also want music,” I said.
“Uhhh . . . ”
“I’ve been copying you on these emails,” I said. “Haven’t you been getting them?”
“Bruce.” A long beat. “It’s a scam. Somebody has been impersonating me. I put out a warning out on Facebook.”
“I didn’t . . . see that.”
I heard Ron exhale. Neither of us knew quite what to say next.
Phishing, the “the easiest and the most productive attack vector used by criminals,” as one security consultant put it, is now so common it’s practically a demonstration sport at the fraudster Olympics. Indeed, the exact scam I’ve just described can be found on the internet in thirty seconds. But it never occurred to me to check. The question is, Why?
Near the end of the film The Sixth Sense, director M. Night Shyamalan springs his trap. And you go: Wait. Bruce Willis is . . . dead? I remember feeling stung. Disoriented. And yet, in retrospect, the evidence was there all along.
It was exactly the same experience when Ron—the real Ron—said over the phone: “It’s a scam.” There was the sudden reframe, the forehead-smiting denouement. The resolution seemed almost literary: both shocking and somehow inevitable.
That is the human brain on a well-crafted fiction, says Vera Tobin, a cognitive scientist at Case Western Reserve university in Ohio and the author of Elements of Surprise: Our Mental Limits and the Satisfactions of Plot. The sympathies and attention of the “victim” are expertly manipulated by narrative sleight of hand. O. Henry–ish storytellers are social engineers in the same way that scammers are. The architecture of “the con” is the same. Carefully, we are led down the garden path.
The stakes start small. In my case, the initial contact was modest and believable. There were the shoe-shuffling apologies, the thanks in advance. From there, the story unfolded. Next thing I knew, I was putting on my jacket. It was as if I had been “activated,” like a sleeper agent. Once I’d bought the gift cards, I was all-in.
Stanley Milgram, the experimental psychologist—and really, all experimental psychologists are con artists of a sort—ran his most famous ruse out of his Yale lab in 1961. In it, test subjects swallowed the fiction that, by flicking switches of a console, they were administering increasingly powerful electric shocks to a man in the next room as punishment for his getting test questions wrong. The experiment was designed, in the wake of the Nazi atrocities, to test people’s willingness to blindly follow orders to dire ends.
What kept those volunteers going was that they had been led into the madness gradually. They had no idea they’d crossed a border until they were on the other side. “It wasn’t a study of obedience,” said behavioural economist Tim Harford not long ago, “so much as a study of our unwillingness to stop and admit that we’ve been making a dreadful mistake.” We get in over our heads, so we just keep going. For me, beyond a certain point, bailing wasn’t even an option. Three hundred dollars seemed like an audacious ask for some music, but it was just within the realm of the credible.
Scammers exploit thinking errors in the same way those surprise-ending storytellers do. We are “cognitive misers,” says University of Toronto psychologist Keith Stanovich, taking mental shortcuts and jumping to conclusions wherever possible. That’s why Stanovich insists that gullibility isn’t a sign of low intelligence. It’s a sign of “low rationality,” which is different. The front brain never has a chance; the horse has already left the barn with that first snap judgment. And now, all that’s left is rationalization.
Scammers exploit other cognitive errors, like “optimism bias.” Most people think they’re a little bit charmed, a little luckier than average. We harbour a personal fable that things are likely to go well for us. The possibility that we’ve been hoodwinked just isn’t as “available” as a happy ending. So the Debbie Downer story gets suppressed.
And then there’s “consistency bias,” which says people tend to act in accordance with whom they believe themselves to be. As I sat waiting for my takeout at the fish shop and retrieved that second email asking for more money, annoyance flared. But it was soon swamped by another feeling: I’m a nice guy, and here’s an opportunity to prove it. “You were on a goodwill mission,” said the cop at the North Shore RCMP detachment who dutifully took down my report. “And that kind of put blinders on you.”
Behavioural economists coined a term, the “curse of knowledge,” which psychologists have adopted. “It’s hard for people to set aside the things they know,” says Tobin. “The more experience we have with something, the harder it is to step outside it.” The scammer had fixed in my mind the image of a cancer ward. Meet my friend Sharon. She is craving distraction because she’s terrified to die. I could see Sharon because I have been there. I was at my father’s bedside when he died of cancer. “Once you know something, or think you know something, it’s really hard to suppress that way of seeing things,” says Tobin. “And now you’re suddenly blind to what would be obvious if you didn’t have that baggage.”
That the cancer story was ripped right out of a made-for-TV movie was also no accident. “The more gripping the story, and the more emotionally engaged we are in it,” says Tobin, “the less we’re thinking critically and asking ourselves, ‘What are the discrepancies here? Should I trust this source?’” Under such highly charged conditions, “you can talk yourself into anything.”
My scam landed in my inbox in the early morning. The dreamy predawn is a great time to be creative; our “ego defenses” are down, as some psychologists claim. But it’s a lousy time to be logical. Then I learned about the tight deadline. Again, not by accident.
Studies show that people are more likely to respond to an internet solicitation when a quick response is required. The sense of urgency “short-circuits the resources available for attending to other cues that could potentially help detect the deception,” says Arun Vishwanath, a University of Buffalo psychologist and a visiting lecturer at Harvard. The ticking clock is a “visceral trigger,” an express ticket to a “hot state” where sound reasoning goes to die.
All these factors together may incline scam victims to overlook what should be glaring red flags. My minister didn’t use my name in the first email. Then again, Why would he? (Of course, one possible reason the scammer didn’t use my name is he didn’t have it. Until, with my response, I gave it to him.) And the grammatical errors from a person I knew to be fastidious with the language? I chalked it up to stress. Basically, I read those emails through a filter that cleaned up the language, imputed only good motives, and kept me from looking up from the puppet, even once, to see if there might be strings.
But wait: If successful scams exploit these universal cognitive biases, why don’t all of us fall for them? Around 20 percent of the population is especially vulnerable to scams, says Stephen Lea, a psychologist at the University of Exeter, in the UK, who studies the personality traits of likely fraud victims. Of the folks who receive phishing emails like mine, only around 3 percent actually bite, according to a recent study by telecom giant Verizon. So we few, we sorry few, we band of schlemiels: What’s different about us?
There’s a widespread perception that scam victims are predominantly older folk. But that isn’t quite right. Millennials are actually scammed more than any other group, according to Federal Trade Commission data. But they lose less money than seniors because they have less, notes Frank “Catch Me If You Can” Abagnale, the former con man who now consults to law enforcement, in an interview with Vox. (Curiously, seniors are more likely to get scammed face-to-face. One theory is that older people are less alive to visual cues of insincerity. Shelley Taylor, the UCLA psychologist driving this research, found the brains of older people showed less activity in the areas that process risk and subtle danger.)
The stereotype that the lonely are sitting ducks is true. Lonely people are more likely to let scammers get their foot in the door; they open unsolicited mail and stay on the line with those bogus Canada Revenue Agency officers. A scammer can figure out if you’re lonely from your social media trail. But, when a reporter for Mother Jones magazine travelled to Nigeria to interview a group of email scammers, the young men were pretty clear that they didn’t care about lonely. They only cared about wealthy. “We know how much you have in your account,” one said.
I’m not lonely, not a millennial, and the opposite of rich. But I was randomly phished in a pool that is statistically promising for scammers: a minister’s congregation. There’s evidence that con artists disproportionately target religious groups—although it’s less clear whether “people of faith” are actually more gullible to such scams. Most Unitarians, I’d venture, are of the “trust but verify” variety, too intellectual and circumspect to fall for these kinds of shenanigans. And sure enough, I learned that no one else in my congregation was fooled. This scammer was lucky to have found me. I have a history he could only have dreamt of.
I am the kid who sent away for the full-size “Frontier Cabin” from the back of a comic book—perhaps as a place for the Sea Monkeys I’d previously ordered to hang their little crowns. The kid grew who grew up to be the adult whom panhandlers naturally find in a crowd. I have accepted at face value every hard-luck story going and duly coughed up five bucks for a hamburger, ten bucks for a bus ticket, twenty for gas to get back home to Abbotsford. “Remember the time you almost bought a car with a lien on it?” my wife reminded. “Or the time you went, with great hope, to the Downtown Eastside to meet the guy who said he’d found your stolen camera?” She started enumerating the scams she could remember; it took two hands.
Gullibility is a handicap for a journalist. It seems to take me twice as long as everyone else to write a feature. I routinely have to rip the whole thing back down to the studs when I hit the fact-checking stage and discover people weren’t being entirely honest. Or at the very least, that the truth is way more subtle than how it had been presented. Shoulder-checking earlier would save me a lot of trouble, but shoulder-checking earlier would also break the spell—the spell of the perfect story taking shape.
Perhaps gullibility, as Stanford psychiatrist David Spiegel believes, is a “neural trait” in the way that hypnotizability is. (Brain scans of “very hypnotizable” people reveal distinct activity patterns, Spiegel found.) Whether that proves true, there are other character traits we scam victims demonstrably share.
We are decisive. Okay, impulsive. “Ready fire aim.” Deficient “depth of processing” is another way to put it, and mine was abysmal in this case. I read those Christmas Eve emails the way our dog eats her dinner: I wolfed them down without really reading them. I got the gist, then my imagination quickly filled in the rest. That’s how it works. “You see things that aren’t there,” says cognitive scientist Vera Tobin, “or you fail to see things that are there because your expectations are driving the bus.”
“Naive” or “trusting” come close, but social scientists prefer the descriptor “unsuspicious.” That’s another way of saying I just have a low-wattage BS detector. And we are “risk takers,” physically, financially, emotionally. Psychologist Stephen Lea found that self-reported risk takers were twice as likely to be victims of scams.
You’d think ignorance would be a precondition of getting bilked. But weirdly, the opposite may be true. Sometimes the problem isn’t knowing too little but too much. One of Bernie Madoff’s victims was a psychiatrist named Stephen Greenspan, who lost about a third of his retirement savings to Madoff’s Ponzi scheme. Just two days before he learned he’d been hoodwinked, Greenspan had published a big authoritative tome, the fruit of decades of research in his area of expertise. It’s called The Annals of Gullibility: Why We Get Duped and How to Avoid It. “Scam victims often have better than average background knowledge in the area of the scam content,” notes the psychologist Lea.
Some expertise, it turns out, can make people a bit cocky. This is the so-called Dunning-Kruger effect. It’s basically the premise of every Will Ferrell movie. Overconfidence can produce a kind of unwarranted swagger, an almost comically obtuse misreading of events. The more we know, the less likely we are to second-guess our initial take on something—which may have arrived via the gut rather than the brain. Overconfidence disarms the sensor of sober second thought.
And, while you can teach people to detect scams, until their scam-detectors become as sensitive as a sandpapered fingertip, it turns out the effect is short lived. Not long ago, a group of cadets at West Point, the prestigious military academy in New York state, were trained to accurately detect email phishing schemes. They got good at recognizing incoming emails with links that could activate malware and other security risks. But old habits and sloppy cognitive processing die hard. The cadets soon slipped back into their old email-reading habits. Ninety percent of them fell for a phishing scheme resembling the ones they’d just learned about, a mere four hours after receiving the training.
I actually know quite a lot about scams myself. I own a copy of the 420-page scam-detecting bible How to Cheat at Everything, by short-con guru Simon Lovell. I know quirky facts, such as that there are two key pieces of information you should never divulge together: your date of birth and city of birth. (With those a scammer has, according to Abagnale, 98 percent of what they need to steal your identity.) Plus, ironically enough, I’d been right in the middle of editing some articles on how to avoid scams. That kind of knowledge should have made me be able to smell a ruse at fifty paces. But here’s the thing: while I had a solid general knowledge, I’d somehow never encountered this particular scam. There was no Nigerian prince. No one claiming to be from the Canada Revenue Agency or Windows or Apple. No relative had been falsely arrested and needed bail money. It wasn’t a pyramid scheme. It didn’t even involve money directly. Why would a crook want music? (The answer is, of course, that they don’t. The reason scammers ask for iTunes gift cards is simple: the codes are hard to trace. And, once they have them, they can resell them for money on the aftermarket. Gift cards are the new wire transfers.)
“I’m afraid there’s nothing we can do,” said the agent from Visa’s fraud department after silently hearing out my whole story, back on shift after Christmas break.
“Why not?”
“Because it’s not fraud,” he said. “When we dispute a charge, our claim is against the merchant. But the merchant didn’t do anything wrong here. You willingly purchased those gift certificates.”
Wait, what? I didn’t willingly purchase them. Or did I?
What distinguishes fraud from all other crimes is that it demands cooperation from the victim, notes Lea. The underground card magician Wesley James puts a finer point on it: “The dupe is always to some extent complicit.” But what could possibly be the payoff in getting robbed?
Maybe the answer is not so different from why we go to magic shows, or The Sixth Sense–style movies with whip crack endings. It’s weirdly pleasurable to suspend our disbelief and then have the rug pulled out from under us. “That ‘aha’ moment,” says Tobin, “is something humans like a lot.” The tension and release, after being expertly led into jeopardy, is something I’ve probably been missing on the flat sea of midlife.
And of course, for a writer, drama is its own kind of payoff. What did I get out of the whole ordeal? I got a “moment”—a frisson of aliveness, a memory to distinguish this day from all others, forever. And, not least, a story.
Was all of that worth 300 bucks and public humiliation?