Phishing and Malware Attacks on Online Banking Customers in the Netherlands: A Qualitative Analysis of Factors Leading to Victimization
Jansen, Jurjen
This paper explores factors that may explain online banking fraud victimization. The routine activity approach and protection motivation theory are used as theoretical lenses for this study. Based on 30 semi-structured interviews with phishing and malware victims, we found that suitable target factors from the routine activity approach have a marginal influence on victimization. About a third of the respondents were aware of the scam that they fell victim to prior to the incident. Most respondents had taken measures to protect themselves against online banking fraud. However, phishing victims were negligent and gave security codes to fraudsters. Several respondents reported having insufficient knowledge and skills regarding the safety and security of online banking and finding it difficult to assess to what extent protective measures help them to safeguard against fraudulent attacks. The results suggest, in line with the literature, that everyone is susceptible to some degree to online banking fraud victimization. From a customer perspective, both awareness of fraudulent schemes and training in how to apply protective measures are critical in keeping online banking safe and secure. Future research is needed to assess how customers can be trained to effectively mitigate phishing scams and whether customers are the right unit of analysis to target with interventions for combating malware attacks.