This content is taken from Newcastle University's online course, Cyber Security: Safety at Home, Online, in Life.
Poker (by Viri G)

Risk and reward

People are relatively bad at assessing risks vs rewards. In this article Martin discusses how our attitudes to risk and reward influence payments security.


Risk can be defined as ‘the probability of an event occurring multiplied by the consequence of that event’. How much risk would we normally tolerate?

  • Clearly a LOW probability event with LOW consequence is fine
  • and a HIGH probability event with LOW consequence is also manageable.
  • A LOW probability event with HIGH consequence would be manageable for most people, perhaps with insurance or a backup plan.
  • However, a HIGH probability event with HIGH consequence is not sustainable, as the risk is too high.


Does our view of risk change when the perceived rewards change?

We tend to focus on the reward or the motivation and do not make an accurate assessment of whether it is equal to the risk we are taking. Let’s look at some examples of real-world payment scams:

Example 1

You spot that must-have child’s toy online just before Christmas and it is half the price of anywhere else. You have never used the online retailer before, but their site looks legitimate. Unfortunately the online retailer is fake and has been set up to harvest credit card details. Let’s look at the risks and rewards in this case:

  1. Probability: there are very few fake online retailers but Christmas is a time to be extra careful as there is an inbuilt time pressure associated with getting gifts for the big day. So, the probability that this is a fraud is reasonably low.

  2. Consequence: your credit card details, entered into a fake online merchant, will be used to rapidly empty your bank account, so the consequences are high. The bank’s fraud detection algorithms are getting better at identifying the rapid transaction activity which follows your credit card details being compromised. However, this is harder to spot for people who frequently shop online.

  3. Reward/Motivation: the perceived reward is often high: something you cannot get anywhere else, or something at a very low price. This is to draw you into taking a risk on an online retailer you would not otherwise use.

Good rules to follow

  • If it looks too good to be true then it probably is. Be extra cautious.
  • Stick to online retailers you have used in the past or online retailers your friends/family are using and you know to be trustworthy.
  • Mitigate your risk using payment systems such as PayPal where you do not enter your credit card details directly into the online retail website. Using online payment wallets (e.g. Skrill, Google Wallet) means that your risk is limited to the value of the item. You will lose the value of the item ordered if the fake online merchant does not deliver the goods, but they cannot empty your bank account.

Example 2

How many of us have received an email from an ‘overseas nobleman’ who is fleeing his own country and would like to deposit a large sum of money in your bank account to get it safely out of the country? All we have to do is supply our online banking details and he will make the deposit into our bank account.

  1. Probability: this is a scam. We’ve all seen it. Your bank will tell you that you should never reveal your online and/or telephone banking access codes and passwords. This is because with these details your bank account can be emptied in seconds.

  2. Consequence: once they have your details they can empty your bank account in seconds.

  3. Reward/motivation: the perceived reward is always very high to match the risk. It’s only there to lure you in.

Good rules to follow

  • Once again, if it looks too good to be true, it probably is!
  • Never disclose access codes and passwords even if the request seems to come from someone you trust - like your bank.

Example 3

You get a phone call from your bank telling you that there has been an attempted fraud on your bank account, and a motorcycle courier will be calling at your house to pick up your card. They will also request your PIN as verification.

  1. Probability: most of us would know that a bank would not ask for a card and PIN, so it’s highly probable that this is a scam.

  2. Consequence: the stranger has access to all of the money in your bank account so the consequence is high.

  3. Reward/motivation: here there isn’t an explicit reward, but your motivation is to avoid fraud which is allegedly imminent. Fraudsters often put time pressure on their victims as we make poor decisions when we have less time to think them through.

This is an extreme example; however, many people do hand over their card to the fraudsters.

Good rule to follow

Do not be put under pressure to make an important financial decision now. This rule works for many scams where the fraudsters will apply ‘act now or the deal is gone’ pressure, such as boiler room fraud where the victim is sold fake shares.

What other good advice can you think of to help spot potential fraud?
