Cyber-scammers are everywhere, often targeting our most vulnerable populations.
Most of us are familiar with the shadier side of technology. When we get phone calls, we’re unlikely to answer unfamiliar numbers. We roll our eyes and delete the emails from the former prince of some faraway land, who is offering untold wealth in exchange for a bank account number.
But for many refugees to the United States, that cyber-skepticism hasn’t yet had a chance to develop, and far too often they fall prey to phishing and vishing (voice phishing via phone calls) scammers.
Dr. Mythili Menon
“One of the issues we’re facing with the refugee population is that many of them lack digital literacy skills,” said Dr. Mythili Menon, assistant professor of English and linguistics and director of linguistics at 鶹ƽ State University. “Something as basic as checking email on a phone — It’s easy to do for you and me, but very difficult for someone who comes from a different country that doesn’t have the same kind of access to technology and digital access.”
Menon was recently awarded $296,470 as part of the National Science Foundation’s EArly-concept Grants for Exploratory Research (EAGER) program to study how refugees respond to phishing and vishing attempts. EAGER offers exploratory funding for high-risk, high-reward research that investigates the nation’s pressing problems.
The project — ; or, as Menon has dubbed it, Cybersecurity for All — is a collaboration with Dr. Murtuza Jadliwala, associate professor of computer science at the University of Texas at San Antonio (UTSA). There are also two students involved in the research: Mohd Sabra, Shocker graduate and current Ph.D. student at UTSA; and Kaitlyn Hemberger, a 鶹ƽ State graduate student in English with an emphasis on linguistics.
Cybersecurity is one of the top priorities for the federal government, but people coming from countries or areas devastated by conflict have more urgent priorities, Menon said.
“These people who are coming from war and conflict regions have absolutely no idea about the social engineering attacks or the cybersecurity issues facing America,” Menon said. “They are almost completely in the dark when they come here. They might think that someone who is a social engineer trying to impersonate as a humanitarian organization, like the United Nations or the International Rescue Committee, might actually be a real person.”
Community outreach
Sabra, who came from Syria to the United States in 2009, said, “When I came to the United States, I had a cultural and linguistic shock,” and he understands why immigrants are frequently targeted by scammers.
“I understood English, but there were many phrases that have informal meanings which I was not aware of, such as ‘What's up?’ Everything was different. As such, I used to not question much what people say or ask of me,” Sabra said. “After all, it is me who does not know.”
During his early days in the United States, Sabra said, he didn’t even think twice about offering his social security number without understanding the risks. He later met with other Syrians in the United States, and they had made the same mistakes.
“There is a pattern that keeps repeating itself, and over time, I have been seeing more and more scammers take it as an opportunity,” Sabra said. “I think my experience gave me an insight that would help understand some of the perspective of the refugee population and be able to take into consideration what change is needed to protect them from scammers.”
Sabra, who is studying computer engineering, sees Cybersecurity for All as an opportunity to help others.
“Working on a project that could help protect innocent people from scams is a dream come true,” he said. “I personally saw multiple people from my community who either were scammed or on the verge of being scammed, so this hits a soft spot for me.”
Hemberger, who was among the first class of graduates from 鶹ƽ State’s applied linguistics in May 2022, began working with immigrant communities when she was an undergraduate.
“I did my honors thesis on Swahili in the spring,” she said, “so we’re hoping that my connections with the Congolese community will be helpful. I’m also proficient in French, which is a language spoken by many people from the DRC. Further, I’m planning to do some digital literacy work with the International Rescue Committee this summer as an intern, so we’re hoping to tie it together with the project and create common materials that will be useful to refugees.”
Operation: Cybersecurity for All
While cybersecurity is heavily saturated with research, Menon and Jadliwala identified a specific gap.
“When you study cybersecurity, one of the issues was that cybersecurity policies right now cater to only one section of the community. There are no studies that have looked at [about] cybersecurity among refugee populations,” Menon said.
The project will include two segments of 鶹ƽ’s refugee population: 94 Congolese refugees and 94 Afghani refugees. The research team will also be working with the 鶹ƽ branch of the .
There will be three phases in Menon’s research: digital literacy education for the study participants, phishing simulations, and more education based on the gaps revealed in the phishing simulations.
The digital education portion of the study will teach small groups of refugees the basics of technology.
“We’re going to teach them how to use a phone, how to access email, how to set up email, and basically teach them about cybersecurity and tell them, ‘People want to steal your stuff. Don’t give them any private information,’” Menon said.
Phase two will be conducted during spring and summer of 2023, and the researchers will stage phishing and vishing attacks on their students.
“We want to know what they do when they encounter a social engineering attack,” Menon said. “What we’re interested in studying is — what linguistics traits do they fall for? Do they fall for certain linguistic patterns or keywords?”
Menon wants to know if there are certain triggers that make the refugee population more vulnerable.
“For instance,” she said, “if I say I’m going to offer you a sum of money, do they tend to believe me? Are you more likely to click on a link?”
While the participants will be told that if they enter certain information, they’ll receive money or other rewards, the link will stop short of collecting any personal information.
“We’re not going to collect any private information. We just ask them for it, but they’re not going to enter anything,” Menon said. “My collaborator is an expert on privacy and security, so his expertise is going to ensure that no confidential information is collected or be misused.”
Finally, at the end of the study in summer 2024, the study participants will be brought back for an educational workshop.
“We’re going to say, ‘You were phished, and this is what we found out. This is not good.’ If things are good, we’re going to tell them, ‘Good. You already have the cybersecurity knowledge,’” Menon said.
After the final workshop, participants will be armed with a checklist and instructions on how to avoid being taken in by phishing or vishing scams.
“The hope is that they’ll have this information with them that they can keep and circulate among their friends and families,” Menon said.
The research will also be shared among other refugee support groups, such as the United Nations, the International Rescue Committee, and resettlement agencies.
“We want to tell them, ‘This is what you need to do from your end to ensure that your refugee clients not being phished,” Menon said.
Ongoing research
In 2020, Menon founded the Center for Educational Technologies to Assist Refugee Learners (CETARL) as part of 鶹ƽ State’s efforts to promote and encourage interdisciplinary research as a means to solve some of society’s most daunting problems.
Through its work, CETARL began working on Education for All, a project that aimed to make education accessible for elementary and middle school-aged children who are among the more than 70 million displaced refugees worldwide.
“We are targeting a different age group. We really want to understand what the parents are doing before we can understand what the children are doing,” she said. “We need Inclusive cybersecurity policies, so cybersecurity is not for any particular community, but for all communities. That’s where this project is coming from.”
Phishing or vishing can have serious implications for anyone, but for refugees who might not understand the U.S. legal and justice systems, it can have devastating consequences.
“If your identity has been stolen or your bank account compromised, you’re not able to adequately support your children,” Menon said.
With the two initiatives — Education for All and Cybersecurity for All — CETARL takes a family-focused approach to technology.
“We believe in a holistic approach in the center,” Menon said. “If we want to ensure the success of the children, we want to make sure that the parents have adequate tools to ensure the children’s successes.”