Skip to main content

Smart, careful people fall for online scams every day, and that is by design.

A scam rarely works by outsmarting your knowledge. It works by triggering an emotional response, like urgency, fear or the instinct to protect someone you love, that pushes you to act before the thinking part of your brain catches up. Researchers at the University of Central Florida study this from both sides: the psychology of why human trust can be turned against us, and the engineering of the systems that deliver the attack.

The Short Version

People fall for online scams because scams are built to bypass careful thinking, not to defeat it. Scammers use urgency, fear and trust to make you act before you verify, and AI tools now clone familiar voices and faces to make the trick feel personal. Slowing down and confirming the request through a channel you already trust is the most reliable defense.

What Makes an Online Scam Work?

An online scam works by exploiting trust rather than technology.

Most scams are a form of social engineering, a tactic that manipulates a person into handing over money, access or information voluntarily. Instead of breaking through a firewall, the attacker convinces you to open the door yourself. That is why a scam can succeed against someone who would never click a suspicious link in calmer circumstances.

Social Engineering

Manipulating a person into giving up money, access or information by exploiting trust, emotion or authority instead of hacking a system.

Phishing

A message that imitates a trusted sender to trick you into clicking a link, sharing a password or sending money.

Voice Cloning and Deepfakes

AI-generated audio or video that mimics a real person to make a scam feel personal and urgent.

Is Falling for a Scam a Tech Problem or a Human One?

It is both, and treating it as only a technical problem is exactly why scams keep working.

UCF’s Cyber Security and Privacy Cluster frames security as a socio-technical system: security is a technical construct, privacy is a social construct and the human user sits inside the attack surface rather than above it. In plain terms, the person reading the email is part of the system being attacked. The cluster, directed by Professor Yan Solihin, brings together faculty from across computer science, psychology, philosophy, law and other fields, precisely because the human side and the technical side cannot be solved separately.

Why Does Your Brain Fall for It?

Scams hijack the fast, emotional part of decision-making before slower, careful reasoning can step in.

Associate Professor Nichole Lighthall, who directs UCF’s Adult Development and Decision Lab, studies how people learn to trust and distrust, and why urgency and strong emotion can switch off the caution that would normally protect them. Her lab uses behavioral experiments and brain imaging to map the moments when trust is granted or withheld. The pattern is consistent: the feeling of pressure is the attack. This is also why falling for a scam is not a sign of carelessness or low intelligence. Scams are engineered to defeat the mental shortcuts that everyone relies on.

“Slow down. Most scams have urgency to them. They make you believe you or someone you know will be in big trouble unless you act now. Think with a clear head. Write down what is said and talk with a friend or family member about it.”

– Nichole Lighthall, Associate Professor of Psychology and Director of the Adult Development and Decision Lab, University of Central Florida
Nichole Lighthall, Associate Professor of Psychology at the University of Central Florida

How Is a Phishing Attack Built?

A phishing message is built to look routine and feel urgent at the same time.

Cybersecurity teams break a typical phishing email into a few recurring parts. Each piece is doing a specific job in the manipulation.

An Alarming Subject Line

A threat or warning that raises your heart rate, like a locked account or a missed payment, so you react emotionally.

A Sender That Looks Almost Right

An address that mimics a real company but does not quite match, which lowers your guard before you check the details.

A Demand to Act Now

An artificial deadline that removes the pause where you would normally notice something is wrong.

How Is AI Making Scams Harder to Catch?

AI has made scams cheaper to run and far more convincing.

The clearest example is voice cloning. With a short audio sample, a scammer can generate a loved one’s voice for a panicked phone call that often opens with a line like “Hi Grandma, guess who this is?” The same tools produce deepfake video and personalized phishing text that no longer carries the obvious spelling mistakes people once looked for. The scale is already large. The FBI’s Internet Crime Complaint Center reports billions of dollars in losses each year, and the true total is almost certainly higher because many victims never report what happened.

How Do You Protect Yourself From Online Scams?

The single most effective defense is to slow down, because urgency is the scammer’s main tool.

Researchers point to a few concrete habits that work against almost every scam:

  • Pause before you act. Any message that demands immediate action is a warning sign, no matter who it appears to come from.
  • Verify through a channel you already trust. Hang up and call the person or company back using a number you look up yourself, never the one provided in the message.
  • Set a family code word. Agree on a private word now so a cloned voice cannot fake a real emergency later.
  • Protect your overall health. Lighthall’s research connects sleep, stress and cognitive health to how well people resist manipulation, so rest and wellbeing are part of staying safe.

What Is Being Done to Stop Scams Before They Happen?

Researchers are working to spot scam vulnerability before a victim is ever targeted.

With a $742,833 grant from the Florida Department of Health, UCF leads the Florida Consortium to Reduce Misinformation and Exploitation in Alzheimer’s Disease, which is building a screening tool to flag who is most at risk of exploitation.

A separate National Institutes of Health grant funds Lighthall’s work to characterize and even retrain the brain processes behind learning to trust and distrust, including real-time fMRI neurofeedback. That research also connects scam vulnerability to early, pre-clinical signs of Alzheimer’s disease, which could help families and clinicians step in sooner.

What Is Still Unsolved?

The hardest part of the scam problem is that the most successful attacks are the ones nobody sees.

UCF’s research notes that the most skilled scammers are rarely caught, and the most vulnerable victims often never realize they were exploited. That underreporting hides the true scale of the problem and makes the people at highest risk the hardest to reach. AI is also moving faster than public awareness, so the same defenses have to keep adapting as voice clones and deepfakes improve.

Summary: Why People Fall for Online Scams

  • People fall for scams because scams attack emotion and trust, not intelligence, pushing victims to act before careful reasoning can intervene.
  • Most scams are social engineering: the attacker convinces you to hand over money, access or information rather than breaking in technically.
  • UCF’s Cyber Security and Privacy Cluster, directed by Professor Yan Solihin, treats the human user as part of the attack surface, which is why scams cannot be solved with technology alone.
  • Nichole Lighthall’s Adult Development and Decision Lab shows that urgency and strong emotion can switch off the caution that normally protects people.
  • AI voice cloning and deepfakes have made scams cheaper and more convincing, and reported losses already run into the billions of dollars.
  • The most reliable defenses are to slow down, verify through a trusted channel and set a family code word, alongside protecting overall health.

Frequently Asked Questions About Online Scams

Age alone does not determine risk, but UCF research links scam vulnerability to factors like stress, cognitive health and early, pre-clinical signs of Alzheimer’s disease. That work is being used to build screening tools that flag risk before exploitation occurs.

A scammer uses a short audio sample to generate a realistic copy of someone’s voice, then makes an urgent phone call pretending to be that person. The familiar voice and a manufactured emergency are meant to stop the victim from verifying the story.

The FBI’s Internet Crime Complaint Center reports billions in losses each year. Researchers believe the real figure is higher because many victims never report.

Slow down and verify any urgent request through a channel you already trust, such as calling back on a number you look up yourself. Setting a private family code word also defends against cloned-voice emergency calls.

Social engineering is the manipulation of a person into giving up money, access or information by exploiting trust, emotion or authority. It targets the human user instead of breaking through technical security.

It is a grandparent scam in which a caller, often using a cloned or disguised voice, pretends to be a grandchild in trouble and asks for money urgently. It works by combining a loved one’s voice with panic and time pressure.

Scams are designed to trigger urgency, fear or trust so that people act before they think. The emotional reaction bypasses the careful reasoning that would normally catch the trick, which is why intelligent, cautious people are still vulnerable.


Degrees for Jobs in Cybersecurity & Digital Trust

Master’s Degree in Digital Forensics

Gain the knowledge and skills required to work as an examiner in the field or continue on to a doctoral degree or law school.

Master’s Degree in Cyber Security and Privacy

The skills you develop in the program will help you meet the needs of the cybersecurity workforce in the state and throughout the country.

Online Behavioral Cybersecurity and Privacy Graduate Certificate

Become empowered to develop proactive security plans and implement reactive strategies to minimize damage.

Sources and Further Reading