How the Scarcity Principle is Used in Online Scams and Attacks

The scarcity principle, popularized in Robert Cialdini’s book Influence: Science and Practice, dictates that people assign more value to opportunities that are less available. Scammers take advantage of this psychological tendency when social engineering victims on-line.

Time Limitation

A classic illustration of the scarcity principle used for persuasion is the situation where the offer has an expiration date. You’ve probably seen this in action at a local store, where signs exclaimed “Hurry! Sales ends Saturday!”

How do scammers replicate this scenario on line? In an earlier post I described a “Home Income Kit” scam, which attempted to persuade victims to pay for a kit that would allow them to make thousands of dollars per month without much effort. The scam used numerous social-engineering techniques. One of them was the scarcity principle in this form:

The scarcity principle suggested that people were more likely to purchase the kit before the (bogus) promotion offer was about to expire.

Another illustration of the time limitation igniting the sense of urgency among victims is the scam that directed people to a fraudulent website under the guise that Facebook will be disabling unconfirmed accounts today. (This scam was reported by Graham Cluley.)

Obstacle Restriction

Building upon the scarcity principle, Cialdini described research showing that “the act of limiting access to a message causes individuals to want to receive it more.” In other words, the forbidden fruit tastes sweeter.

I noticed this principle being used as part of an on-line scam that Jerome Segura described, discussing a link to a malicious executable that was sent via email. When the victims clicked the link, they were made to wait a minute:

After that, they had to solve a CAPTCHA challenge before finally being allowed to obtain the file. The more obstacles the victim had to bypass, the more he or she wanted the file:

Similar use of the scarcity principle occurs when victims are told that they need to install a missing plug-in or update Flash Player to see the desired content. Not being able to get the content immediately makes people want it even more. Unfortunately, they end up installing a trojan horse in the process.

We can consider the scarcity principle playing a role in the success of phishing scams, which present the victim with a logon screen before the person can access the needed data. The human brain will see the logon screen as an obstacle that’s restricting access to the desired item, and will motivate the person to provide the username and password to bypass the restriction.

Why the Scarcity Principle Works

According to Cialdini, one of the reasons the scarcity principle works is because “things that are difficult to attain are typically more valuable.” As the result, humans use the availability of an item as a heuristic for assessing its quality. Second, “as things become less accessible, we lose freedoms. According to psychological reactance theory, we respond to the loss of freedoms by wanting to have them.”

Now that you know about the scarcity principle, be weary of the situations where someone is trying to use it to persuade you to take an action. Also, consider discussing this tendency and the examples of relevant scams as part of your security awareness training.

If you found this post interesting, take a look at my other writing on social engineering, including Faux-Targeted Attacks and the Magic of Cold Reading.

Lenny Zeltser

Updated

About the Author

Lenny Zeltser is a seasoned business and technology leader with extensive information security experience. He builds creative anti-malware solutions as VP of Products at Minerva. He also trains incident response and digital forensics professionals at SANS Institute. Lenny frequently speaks at industry events, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.

Learn more