New research into phone scams has identified the scripts and emotions that drive most calls.
Researchers from Macquarie University's Cyber Security Hub have analysed the content of more than 100 hours of scam phone calls to identify clear call "stages" and pinpoint the social engineering techniques scammers use on their victims.
The team, headed by Dali Kaafar, used machine-learning techniques and natural language processing to uncover scam "scripts" that use various topics and emotions.
These findings will help develop better ways to detect and prevent scams which account for the human element which is critical to scammers' success.
"Most people have either been targeted themselves, or know someone who has fallen victim to scammers, because it's so common, so relentless and in many ways, so clever," Professor Kaafar says.
"Ours is one of the only studies to unpack the content of scam calls and the psychological tricks used by attackers in depth.
"I have even known a postdoctoral researcher, with years of experience in cybersecurity, who was tricked out of $8000 in a phone scam."
During 2021 alone, phone scammers stole more than $100 million from Australians via more than 144,000 incidents reported to the ACCC's Scamwatch service - and that's just the tip of a fast-growing iceberg, says Professor Kaafar.
"Advances in technology allow attackers to hide their identities and use things like recorded robocalls and VOIP platforms like Skype to reduce call costs, and lower their own risk."
Technology only part of the solution
Despite new rules introduced by the federal government allowing telcos to block more than 200 million scam calls during 2021, millions more scam calls still get through each week, Professor Kaafar says.
He says that while a range of technology fixes have been developed such as blocking known bad numbers and using pattern recognition on outgoing calls, these capture only a small portion of the influx of scam calls.
Harder to address are the social engineering techniques that scammers use to manipulate their victims into revealing personal and account details, buying online vouchers or transferring funds to bank accounts controlled by the scammer.
"Ours is one of the only studies to unpack the content of scam calls and the psychological tricks used by attackers in depth," he says.
Professor Kaafar's team transcribed more than 300 scam calls published on YouTube, most recorded by people who pretend to fall for a scam, then eventually reveal their ploy and chastise the scammer.
Selected samples were subject to sentiment analysis, and machine-learning models were used to find patterns in the calls.
Team member Ian Wood is an expert in natural language processing - which he admits is "somewhat a dark art".
"Our artificial intelligence model looks for particular phrases and keywords, and common transitions between topics that might reflect steps in a scam script," Dr Wood says, adding that the 100 hours of transcript is a rich data source, as just one hour of audio can include 5000 to 9000 words.
The team found scripts used by scammers contain multiple paths, which can be simplified into four different stages:
The scammer establishes themselves as credible and in a position of authority, then talks about a serious threat to the recipient in a matter-of-fact way - with the threat supposedly from a higher authority (for instance, the legal system or tax office).
The scammer poses as a helpful instructor, using rapport-building conversations, ostensibly helping the recipient to resolve the supposed problem, giving step-by-step guidance to navigate to a website, install software or fill out online forms.
Emotions can ramp up at this stage, as the scammer reinforces threats for non-compliance, citing police, court orders, arrest warrants, jail and other negative consequences, using legal-sounding terms, talking over the victim to defer questions and introducing time pressure to prevent the victim thinking it through.
Once the scammer gets what they want - like a credit card payment or enticing the victim to download malicious software - the conversation becomes less organised, and scammers finish the call, sometimes promising to call back with confirmation.
"Finding clear evidence of the social engineering strategies used by scammers will help us build more effective scam detection and prevention mechanisms," Professor Kaafar says .
Professor Dali Kaafar is executive director of the Cyber Security Hub in the School of Computing.
Sign up for our newsletter to stay up to date.