Could you fall for this VoIP scam? How an Inclusive approach to cyber security can protect neurodivergent individuals
)
“What do you want to know? How gullible I was?”
A facepalm emoji summed up H’s feelings as we reflected on the day they were manipulated into transferring all of their savings to a Revolut account for “safekeeping”, only to lose the money forever.
H took the call while still half-asleep, and the number on their screen matched the bank’s. The person on the other end was well-spoken, professional, and reassuring, confirming H’s name and personal details. The scammer’s urgency was palpable: they claimed the bank had identified suspicious activity, and H needed to move their funds temporarily to a secure Revolut account to avoid losing access to them. How considerate – what a thoughtful attacker!
The call dropped, and H redialled the number from their recent calls list. The scammer answered. Not the bank. A setup like this could have fooled even the more tech-savvy of us not fully familiar with the intricacies of VoIP spoofing. There is also something oddly satisfying and equally infuriating about scammers who actually know what they’re doing.
We debriefed later on that day. In the seven years I’ve known them, H has never been keen on exploring tech under the hood, and they would endlessly beat themselves up about it. I reassured them that there’s nothing wrong with that – technology today is designed to be used without intervention, and users aren’t expected to dig deeper unless they want to. If it had been me on the call, my alarm bells wouldn’t have gone off until the Revolut transfer was mentioned. This wasn’t your regular, sloppy call centre scam.
But I wasn’t prepared for what H was blaming themselves for.
“Do you think I fell for this because I’m autistic?”
To this day, I don’t have a definitive answer, and I am still looking. We agreed that some of H’s autistic traits may have contributed, such as their strong inclination to trust others and difficulty in recognising social cues (as they interpret communication literally), which might otherwise alert a non-autistic person that something is off. Over the years, H’s sensitivity to sensory and mental overload has sometimes led them to act impulsively or comply under pressure, simply to alleviate the distress.
While these traits don’t apply to all neurodivergent people, we need to acknowledge that social differences can open new paths for exploitation. For individuals sensitive to sensory input, an overload of information can be distressing. Attackers use this by creating high-stress situations, pushing the person to comply quickly to “relieve” the pressure or end a distressing scenario – assuming the person may take the message at face value, without questioning underlying intentions.
As for the tendency to be overly trusting? G, who has ADHD, shared his experience: “Growing up, I heard so often that I was doing things wrong and others knew better, so I just went along without questioning. It taught me to trust people more than I should have done.”
Intrigued, I researched neurodivergent people’s experiences with social engineering and was unsurprised to find a glaring research gap. One study from Heriot-Watt University found that young autistic people are less likely to block unwanted contact or content, with autistic females reporting more instances of online sexual harassment. Another study suggested autistic people might not be inherently more vulnerable to social engineering, crediting the participants’ analytical strengths in spotting fake websites. Autistic children, however, were reported to face more online safety risks than non-autistic children, with parents of autistic children also expressing lower confidence in managing online safety and associated risks.
Many processes and systems were designed by and for neurotypical people – a term that, I’ll admit, is debatable and one I personally dislike. This includes digital literacy initiatives, which often lack sufficient neurodivergent representation and guidance. Neurodivergent people may benefit from programs emphasising skills like safely navigating online environments, spotting social engineering red flags, and understanding cybersecurity threats in a neurodivergent-friendly format. Professionally, I’ve supported people with learning disabilities and stopped a few impersonation and prize scams for those active on social media. Only this year I was glad to find an easy-read guide on cybercrime and online safety, which will be a real help. However, resources specifically addressing the needs of other neurodivergent groups remain scarce.
Banks will advise customers to trust a contact number from their website, but considering the widespread availability of spoofing, financial institutions have a new responsibility to warn customers that caller ID is no longer a reliable verification method. Although H never recovered their lost savings, they’re slowly regaining their confidence. And they know they can always count on my free consultancy whenever a suspicious “missed parcel delivery” email starts asking for more than it should.
Claudia Busuioc is a fresh MSc Cybersecurity graduate with a Distinction from the University of the West of England (UWE). With a foundation in health and social care and an undergraduate degree in Genetics, she brings a unique perspective on the intersection of technology and well-being.
Claudia transitioned to cybersecurity after realising that her true passion lies in addressing contemporary challenges in the digital landscape. As the Postgraduate Vice President of CyberWomen@UWE, Claudia is actively involved in organising events that empower early career professionals.
She also contributes to the CTF Creation Team, developing challenges that enhance technical skills. Passionate about sparking conversations around contentious issues, Claudia aims to drive a culture shift within the community and encourage underrepresented groups to pursue careers in STEM. Claudia is also an avid gamer and a fan of all things PlayStation, particularly the Horizon franchise.