Title: Phishing and Malware Attacks on Online Banking Customers in the Netherlands: A Qualitative Analysis of Factors Leading to Victimization
Authors: J. Jansen, R. Leukfeldt
Journal: International Journal of Cyber Criminology (volume: 26 1; pages: 79)
Publication date: 2016-01-01
Publication type: Journal Article
DOI: 10.5281/ZENODO.58523 (https://doi.org/10.5281/ZENODO.58523)
Impact factor: 0.7; JCR: Q4 (Criminology & Penology)
Source platform: Semanticscholar
Citations: 52
Abstract
Introduction

This paper describes an in-depth analysis into the behaviour and characteristics of bank customers leading to victimization caused by phishing and malware attacks, the most common crimes involving online banking fraud in the Netherlands (NVB, 2013). Phishing is "a scalable act of deception whereby impersonation is used to obtain information from a target" (Lastdrager 2014, 8). Malware is the infection of a computer by malicious software, which includes viruses, worms, Trojan horses and spyware. In both cases, the aim of the fraudsters is to deceive the customer or the system used for online banking in order to obtain user credentials and/or to gain control over customers' devices. Fraudsters use user credentials to access a victim's online bank account and to validate money transfers on behalf of the victim. Phishing and malware scams, however, are significant across the world and go beyond the online banking context. The Anti-Phishing Working Group reported in their Phishing Activities Trends Report of Q4 2014 that nearly 200,000 unique phishing reports were submitted to them and that an average of 255,000 new malware threats (including variants) emerged each day (APWG, 2015).

A number of recent studies try to shed light on how and why people fall victim to these crimes and others do not (Bossler & Holt, 2009; Ngo & Paternoster, 2011; Vishwanath, Herath, Chen, Wang, & Rao, 2011). Jansen and Leukfeldt (2015), for example, carried out an exploratory study into how customers become victims of online banking fraud and demonstrate that customers have a specific role in their own victimization. Customers provide fraudsters with information, such as credentials, which fraudsters can use to steal money from their bank accounts. A study into phishing victimization shows that everybody is at risk when it comes to this type of crime (Leukfeldt, 2014). Additionally, Leukfeldt (2015) claims that this also largely holds for malware victimization; merely spending more time online, carrying out various kinds of activities, increased the risk of a malware infection.

Both of Leukfeldt's studies (2014, 2015) - which are based on an online survey - conclude that in-depth studies are necessary to increase knowledge about why customers are victimized. It is not sufficiently clear if certain individuals are more prone to being at risk for online banking fraud than others, and how it can be explained. Therefore, this study qualitatively explores, by means of interviews, what factors explain online banking fraud victimization. Crossler et al. (2013) mention that the interview is a valuable method to better understand the actual motivations and behaviour of individuals.

Theoretical background

For this study, two theoretical perspectives are in place. First, we take a routine activity approach (Cohen & Felson, 1979) to study victim characteristics and behaviours that influence victimization. This approach is also central to the studies of Leukfeldt (2014, 2015), making it possible to assess whether our qualitative study has added value to the quantitative studies in this context. The routine activity approach holds that victimization is influenced by a combination of a motivated offender, a suitable target and the absence of a capable guardian in a convergence of time and space. We study the two latter aspects of the routine activity approach, namely the suitability of targets and the capability of their guardians. Guardians can, for example, be technical security measures such as anti-virus software.

Over time, elements regarding suitability have been added to the routine activity approach. Two acronyms that often emerge are CRAVED, which stands for concealable, removable, available, valuable, enjoyable and disposable, and VIVA, which stands for value, inertia, visibility and accessibility. Sutton (2009) compared the two acronyms and concluded that they deal with identical attributes. Furthermore, he argues that VIVA elements relate to characteristics that attract attention, while the additional elements of CRAVED are related to characteristics that make an object attractive for criminals. …
About the journal:
International Journal of Cyber Criminology (IJCC) is a peer-reviewed online (open access) interdisciplinary journal published biannually and devoted to the study of cyber crime, cyber criminal behavior, cyber victims, cyber laws and cyber policy. IJCC is a unique Diamond open access, not-for-profit international journal, where the author(s) need not pay article processing charges / page charges and it is totally free for both the authors and the audience. IJCC will focus on all aspects of cyber/computer crime: Forms of Cyber Crime, Impact of cyber crimes in the real world, Policing Cyber space, International Perspectives of Cyber Crime, Developing cyber safety policy, Cyber Victims, Cyber Psychopathology, Geographical aspects of Cyber crime, Cyber offender behavior, cyber crime law, Cyber Pornography, Privacy & Anonymity on the Net, Internet Fraud and Identity Theft, Mobile Phone Safety, Human Factor of Cyber Crime and Cyber Security and Policy issues, Online Gambling, Copyright and Intellectual property Law. As the discipline of Cyber Criminology approaches the future, facing the dire need to document the literature in this rapidly changing area has become more important than ever before. The IJCC will be a nodal centre to develop and disseminate the knowledge of cyber crimes primarily from a social science perspective to the academic and lay world. The journal publishes theoretical, methodological, and applied papers, as well as book reviews. We do not publish highly technical cyber forensics / digital forensics papers and papers of descriptive / overview nature.