Training Users to Recognize Persuasion Techniques in Vishing Calls
Author: Sumair Ijaz Hashmi (currently a junior and Research Assistant at SIA LUMS, and summer intern at CISPA)
Voice-based phishing attacks (vishing, commonly known as scam calls) involve scammers who try to convince victims over a phone call to perform actions of the attackers’ choosing, such as transferring money to their bank account or giving away sensitive personal information. Such attacks are rampant worldwide and cause losses of several million dollars per year: for example, the Federal Trade Commission (FTC) reported that in the US in 2022 alone, an aggregate of $798 million was lost to these scam calls, with a median per-victim loss of $1400 [1].
Such drastic losses have pushed a diverse set of entities, such as policymakers, researchers, banks, and telecommunication providers, across the globe to carry out mass campaigns to educate users on detecting and avoiding these scams. However, no solution has been proposed by any entity so far that has effectively solved and mitigated the problem of scam calls, which are constantly on the rise.
The reasons for the failure of such efforts are many. Firstly, scammers use convincing narratives and psychological principles to trick victims into complying with their demands; however, most of the current awareness efforts do not focus their training on detecting the use of these psychological principles. Secondly, most current efforts raise awareness on specific types of scams, such as how to avoid the infamous IRS scam call; however, scammers quickly adapt their narratives to emerging contexts, as evidenced by the recent COVID-19 pandemic-related scams. Furthermore, scammers regularly target users in low-income and low-literacy populations, such as those in Pakistan and India, resulting in severe losses for people who are already financially constrained; however, it is challenging to raise awareness among these people due to poor technological literacy.
What we did
In our work, we designed and tested a novel educational intervention on scam calls that trains users to detect the underlying psychological principles used by scammers. By educating them on these psychological principles, we aimed to provide users with a deeper understanding of how and why these scams work, thereby equipping them to detect these calls better, and also make them robust across changing scam contexts and narratives employed by scammers.
We used analogical learning from the field of psychology, a method for learning the abstract principle shared by two different examples. By leveraging this method, we trained users about the psychological persuasion principles that scammers employ to convince people to comply with their demands. In particular, we trained users to detect the principle of ‘authority’ – which involves people obeying authority figures such as experts or officials. This training was conducted via a WhatsApp chatbot, providing an interactive learning experience. Hence, the chatbot used analogical learning to help users detect the various features of authority by making them infer the underlying similarities and differences between example audio recordings taken from scam call snippets. Figure 1 shows example screenshots from our chatbot.
To test the effectiveness of our training, we conducted a between-subjects study between participants who received our training (persuasion group) vs. a control group that received a slides-based lecture. 100 participants from an undergraduate university in Lahore, Pakistan participated in the study; thereby making our work the first attempt in the research community to educate non-WEIRD populations on vishing. All participants were subjected to a vishing call after a delay of eight days, which had the scam context of a university-related issue. After the call, post-hoc interviews were conducted with 18 participants to assess the perceived usefulness of the chatbot.
Main findings
Out of the 100 participants, 50 picked up the simulated vishing call. This call had a high success rate, as 26 out of the 50 participants complied with the scammers’ demands for at least one step. The persuasion group fared slightly better: 47.6% of the persuasion-group participants who picked up the call fell for the scam, compared with 55.2% of the control-group participants who picked up the call. However, these results were not statistically significant due to the high dropout rate of participants; hence, our analysis failed to detect the effectiveness of the training due to insufficient power.
Participants | Total | Control group | Persuasion group |
Trained | 100 | 54 | 46 |
Picked up a scam call | 50 | 29 | 21 |
Fell for scam | 26 | 16 | 10 |
Participated in Interview | 18 | 9 | 9 |
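The significance and power statement above can be checked from the counts in the table. The following is an added example, not the authors' analysis: the choice of Fisher's exact test and of the normal-approximation sample-size formula are assumptions made here, as is treating the observed rates as the true effect.

```python
from math import comb, sqrt, ceil
from statistics import NormalDist

# Counts from the table: participants who picked up the call.
PERSUASION = {"fell": 10, "resisted": 21 - 10}
CONTROL = {"fell": 16, "resisted": 29 - 16}

def fisher_two_sided(a, b, c, d):
    """Two-sided Fisher exact p-value for the 2x2 table [[a, b], [c, d]]."""
    row1, col1, n = a + b, a + c, a + b + c + d
    lo, hi = max(0, row1 - (n - col1)), min(row1, col1)
    # Unnormalised hypergeometric weights, kept as exact integers.
    w = {k: comb(col1, k) * comb(n - col1, row1 - k) for k in range(lo, hi + 1)}
    # Sum every table at least as unlikely as the observed one.
    extreme = sum(v for v in w.values() if v <= w[a])
    return extreme / comb(n, row1)

def n_per_group(p1, p2, alpha=0.05, power=0.80):
    """Participants needed per group to detect p1 vs p2 (two-sided test)."""
    z_a = NormalDist().inv_cdf(1 - alpha / 2)
    z_b = NormalDist().inv_cdf(power)
    p_bar = (p1 + p2) / 2
    num = (z_a * sqrt(2 * p_bar * (1 - p_bar))
           + z_b * sqrt(p1 * (1 - p1) + p2 * (1 - p2))) ** 2
    return ceil(num / (p1 - p2) ** 2)

def summarize():
    p_value = fisher_two_sided(PERSUASION["fell"], PERSUASION["resisted"],
                               CONTROL["fell"], CONTROL["resisted"])
    rate_p = PERSUASION["fell"] / 21   # 47.6% in the text
    rate_c = CONTROL["fell"] / 29      # 55.2% in the text
    return p_value, n_per_group(rate_c, rate_p)

if __name__ == "__main__":
    p_value, needed = summarize()
    print(f"Fisher exact two-sided p = {p_value:.3f}")
    print(f"Per-group n for 80% power at the observed rates: {needed}")
    print("Actual per-group n who picked up: 21 (persuasion), 29 (control)")
```

With 21 and 29 participants per group, a difference of this size is far below what a study of this scale can resolve, which is what the insufficient-power statement expresses.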
From the interviews, we aimed to gain insights into the scam call and understand the perceived usefulness of the training. Most of the participants mentioned the landline number used for the call, the convincing narrative of the actors, and the unlikelihood of a university-related scam as factors contributing to the believability of the call. Amongst those who successfully detected the scam call, participants mentioned the call’s similarity to the training, the detection of the trained principle of authority, and the unusual nature of the call as being helpful indicators. Overall, participants gave positive feedback on the chatbot, especially on the use of voice notes as a means to understand and infer how vishing attacks are carried out.
This blog post discusses our recent research paper “Training Users to Recognize Persuasion Techniques in Vishing Calls”, which was presented earlier at CHI 2023 in the Late-Breaking Work track.