Another contributing factor might be a person’s level of anxiety about the DVLA, or government, or email, or “the system”. When people are anxious about what “the system” might do to them, and prepared for it to make novel demands upon them, that primes them to be scammable.
A different example: If you want to phish an office-worker, one way to do it is to pretend to be their boss and make sudden urgent demands of them. If the office-worker fears that they will be fired if they don’t comply with novel demands from their boss, then they are primed to be scammable. Workers who feel unsafe questioning “their boss’s” orders will be more scammable than workers who feel safe calling bullshit on their actual boss once in a while.
Sure, but the boss can go wrong by creating an incentive structure in which questioning a message “from the boss” is unsafe.
Successful anti-phishing campaigns instill not only doubt (“Is this actually from the boss?”) but also permission to act on that doubt (“I’ve got the boss’s cell phone number already; when I’m not sure if the message is from the boss, I’m supposed to call the boss and check, with no chance of bad consequences for pestering her.”)
Another contributing factor might be a person’s level of anxiety about the DVLA, or government, or email, or “the system”. When people are anxious about what “the system” might do to them, and prepared for it to make novel demands upon them, that primes them to be scammable.
A different example: If you want to phish an office-worker, one way to do it is to pretend to be their boss and make sudden urgent demands of them. If the office-worker fears that they will be fired if they don’t comply with novel demands from their boss, then they are primed to be scammable. Workers who feel unsafe questioning “their boss’s” orders will be more scammable than workers who feel safe calling bullshit on their actual boss once in a while.
The office worker has gone wrong already by panicking and failing to ask, “Is this actually from the boss?”
Always be asking “What am I looking at?”
Sure, but the boss can go wrong by creating an incentive structure in which questioning a message “from the boss” is unsafe.
Successful anti-phishing campaigns instill not only doubt (“Is this actually from the boss?”) but also permission to act on that doubt (“I’ve got the boss’s cell phone number already; when I’m not sure if the message is from the boss, I’m supposed to call the boss and check, with no chance of bad consequences for pestering her.”)