Cybercrime and data protection might be technical disciplines, but people and psychology are key to a deeper understanding. From the gangs responsible for cybercrime, to their victims, and to everyone whose right to privacy and dignity is at risk from encroaching AI and overbearing apps, the human factor was the thread that linked three entertaining and enlightening talks at this year’s BH Consulting customer briefing.
The investigative journalist and author Geoff White kicked off proceedings with a fast-paced look behind cybercrime gangs. He’s fascinated by the individuals and organised groups involved in criminality, and a good way to understand them is through the lens of money. In 2021, the FBI estimated that the Conti ransomware gang made $158 million. Even if this is “a vast underestimate,” as White suggested, it explains criminals’ motivation. “In one month, you and everyone you know is set for life. That’s why they do it,” he said.
The Key to Cybercrime is Money Laundering
The problem is, sums that vast invariably draw attention from the authorities. Directly transferring money from victims’ accounts to their own would leave a trail, which is why criminals design complex networks to avoid detection. “Money laundering is the ‘glue’ that holds this together,” White explained.
For example, members of the Zeus banking malware gang used money mules in the US to bounce stolen funds between bank accounts. They even set up a fake movie studio in Moscow to wash millions of dollars. They engaged the services of a screenwriter to write a script for a legitimate movie about – wait for it – cybercrime. (They’re not always so discreet: one gang member drove a flashy Lamborghini around Moscow bearing a custom registration plate with the word ‘vor’: Russian for ‘criminal’.)
Around 2015, gangs started experimenting with ransomware, sensing the opportunity to move from individual victims to companies, where the rewards were much higher. White described how groups like the one behind the Conti ransomware carefully crafted their extortion techniques against victims like the high-end jewellery business Graff. Conti was also responsible for the 2021 infection of the Health Service Executive, which crippled computer systems across Ireland’s health service for weeks and caused widespread cancellations of essential surgeries and health checks.

Organised Crime: Like a Corporation
White studied thousands of messages that were part of the massive leak of internal chat logs from the Conti gang. He uncovered how cybercrime gangs operate like highly structured corporate businesses. The gang’s leadership was mainly obsessed with administrative tasks like recruitment, staff retention, remote working disputes, and business strategy – all the mundane things a typical business would deal with daily. These groups often struggle to keep their teams together because they’re competing for talent with legitimate tech giants like Microsoft and Google.
To execute targeted attacks, they employ a ‘department of analytics and blackmail’ that creates extensive corporate due diligence dossiers on their victims, mapping out revenues, insurance policies, and even the personal lives of top executives. “If you’re going to charge somebody millions for a ransom, you’ve got to appear professional,” White said.
Trust us; we’re Criminals
Because these gangs view their work as a legitimate service, maintaining a solid reputation is essential so they’ve even got a PR strategy. Victims need to believe they’ll get their stolen data back if they pay up, so there’s a perverse logic behind why some cybercrime gangs interact with reporters. “They believe that if they speak to journalists, it gives them legitimacy,” White said. “On some level, they need to be trusted for the extortion to work.”
Wrapping up, White encouraged the audience to reframe how they think about cybercrime gangs. To justify extorting people every day, these groups see themselves as competitive businesses and recast their actions as standard business practice. In this mindset, cybersecurity is a market where the strongest software wins: victims are simply competitors who were outsmarted, and cybersecurity professionals are market rivals rather than heroes.
White said cybersecurity professionals should think about their defensive efforts as competing in a marketplace against rival software and organisations. “If you’re thinking of the hacker in the hoodie and I’m defending against an attacker, try this different paradigm: think about competitors.”
Understanding Scam Victims’ Emotional State
Concluding on the criminal mindset proved to be a neat segue into the next talk. Dr Nicola Fox Hamilton is an expert in cyberpsychology and online behaviour who spoke about how people fall for scams, and the impact this can have on them. “We think of the organisation as the victim but it’s also the individual,” she said.
Explaining the emotional state that people go through when they’ve clicked on something they’re not supposed to, she reminded the audience that this doesn’t happen because people are stupid or don’t care. Instead, they’re more likely to take action when their guard is down, when they’re overwhelmed, stressed, or not paying attention.
“Social engineering uses psychology against us to make us do something we’re not supposed to do,” she said. Ever entrepreneurial, criminals concoct scams to suit every kind of life situation. If someone has loads of money, they’re more likely to fall for an investment scam. If a person has no money, then a get-rich-quick scheme will push their buttons.

Heightened Stress, Reduced Vigilance
Dr Fox Hamilton explained how scammers prey on heightened emotional states to trick people into taking action against their own best interests. Someone checking their email while on holiday, or returning from an extended absence, might miss the cues that an email is suspicious. That is when a classic trick, such as a password reset email made to look like it comes from the organisation’s IT department, is more likely to fool an unsuspecting or stressed individual.
There’s a similar principle at work when scammers send messages purporting to be from the Revenue Commissioners or banks. “These are institutions we automatically trust,” said Dr Fox Hamilton. Fake messages are deliberately worded to heighten the recipient’s stress levels by creating a sense of urgency. If the victim thinks they need to act quickly, they’re less likely to think rationally. “Fear, anxiety and stress increase vulnerability… Increased emotion equals decreased attention to detail,” she said.
Empathy Essential: how Security Professionals Help
The theme throughout her talk was that IT support teams and security professionals need to show compassion and empathy when dealing with people who have fallen for phishing emails or online scams. They can help by creating a psychologically safe environment where people feel able to speak up if they’ve accidentally visited a scam website or inadvertently clicked on a fraudulent link.
Dr Fox Hamilton urged people working in the field to cultivate a workplace that encourages risk reporting without blame or shame. The additional benefit is that this actually leads to higher performing teams, she argued.
And although awareness education is important in security, awareness-raising alone doesn’t necessarily change behaviour, she added. If that was the case, nobody would drink or smoke. An effective way to improve security is to invite participation from people within the organisation. Seeking ideas and feedback for what could be safer will lead to better defences, Dr Fox Hamilton said.
Do the Right Thing
For example, if the organisation uses tools like two-factor authentication for added security, this can feel like a nuisance for many people. However, they’re more likely to use it if the organisation acknowledges the inconvenience but clearly explains why it’s necessary to improve security. Organisations can also help their people to take the right action – such as pausing before responding to a suspicious email – by creating clear pathways to do so.
Dr Fox Hamilton concluded by encouraging security professionals to foster environments that reward the right behaviour and strengthen defences by helping people to be “part of the human firewall”. They also need to show understanding at the appropriate time: a message that also holds true for people who fall for scams. “You are the victim of a crime that is designed psychologically to get you to do this…. It’s not a reflection of our intelligence if we fall for a scam,” she said.
Food for Thought: AI, Algorithms, and Agency
Fraudsters and criminals aren’t the only ones robbing people of their ability to take action in their own best interests. In the morning’s final talk, BH Consulting COO Dr Valerie Lyons explored how technology like AI risks encroaching on people’s agency. She talked about the concept of ‘dignity by design’ as an ethical framework that goes beyond standard data protection laws, defining dignity as a fundamental, inviolable right that underpins all other human rights.
The idea springs from the work of Professor Mireille Hildebrandt, who developed the concept of ‘legal protection by design’, which is intended to articulate those fundamental rights in technology.
Dr Lyons said dignity by design is a vital guide for data privacy in the age of AI and algorithms that increasingly predict our behaviour, influence our decisions, or rank our credibility. Faced with this, standard data privacy compliance is no longer enough to protect individuals from harm, Dr Lyons argued.
Two examples highlighted this issue in practice. Dr Lyons talked about a wellness app she had advised on years prior that was subsequently prescribed, inappropriately, to an elderly man seeking grief counselling. She said this highlighted that although developers can build legally compliant systems, the specific context of their deployment can still fail the consumer.

Dignity Denied by Profiling
In another case, the UK government used an AI system to predict welfare fraud, but the system disproportionately flagged individuals simply on the basis of their age, disability or nationality. In doing so, it stripped citizens of their dignity, she said.
Applying a ‘dignity by design’ framework to data privacy forces organisations to ask crucial ethical questions: Where does optimisation turn into manipulation? When does prediction become prejudgment? Where does automation become an erasure of human agency?
Dr Lyons broke the issue into four distinct areas. Compliance is about following the letter of the law, asking “have we met the rules?” In organisations, this is often the baseline and not the goal. The second area is ethics, or the spirit of the law. Organisations need to question whether their action erodes human standing. Simply put: “just because you can doesn’t mean you should”. The third aspect is responsibility: accountability that determines “whose neck is on the block” when systems deny dignity. The fourth area focuses on social agency and the impact a system has on a person’s ability to make decisions freely.
To apply the ‘dignity by design’ framework in practice, Dr Lyons outlined several core principles that elevate basic data privacy into true user protection. These include respecting human agency, where systems must empower users to make their own choices without coercion, manipulation, or deception.
Striking the Right Balance: Productivity vs Privacy
Dr Lyons illustrated this by talking about the emerging use of ambient AI scribes that record and transcribe doctor-patient consultations. Tools like this might save time for the doctor in writing their case notes, but the patient doesn’t necessarily gain a similar benefit. Even if the data is secure, if a patient knows an AI is recording the conversation, it can change how they behave, or make them afraid to share sensitive information about themselves, therefore directly affecting their agency.
She also said organisations should move beyond vague ‘transparency’ notices in which companies simply state that they share data with third parties. Applying the dignity principle requires true explainability, which gives users the right to understand exactly how an algorithm makes decisions about them.
Applying fairness and non-discrimination involves actively mitigating systemic biases, and preventing scenarios where AI tools favour certain races or genders over others, or make assumptions about a person’s means or social standing based simply on their postcode. Organisations should also check whether mass data collection is genuinely necessary, or whether they are over-engineering a solution at the expense of privacy. Dr Lyons called this “bringing a tank to a gunfight”.
Although data privacy impact assessments (DPIAs) exist to evaluate data privacy during the development stage, Dr Lyons said organisations need to implement Fundamental Rights Impact Assessments (FRIAs) at the point of delivery.
Ultimately, she cautioned that without the right guidance during the development phase and into deployment, systems run the risk of dehumanising users: the very opposite of what dignity should be. It was an appropriate note to end the session: a reminder of the importance of the individual human being, not a ‘user’ or data point, in privacy and cybersecurity.