FEATURE
Being a cybercrime victim
Wendy Goucher, Idrach
Cybercrime is an interesting term. It grabs headlines and attracts many column inches in its various forms. The spectre of the faceless criminal stealing money and identities, or enticing the unsuspecting victim to innocently engage in criminality themselves – for example, through the use of ‘bots’ – or even to risk their lives in face-to-face interaction, is a well-used tool of crime and horror writers. How can users defend themselves against an attack they may not recognise, from an attacker they do not know?

Recently the Scottish Universities Insight Institute hosted a conference on cybercrime. Participants ranged across the information security industry and academia, and it was a very interactive event, with a lot of lively discussion from many on the ‘front line’ of protecting business from criminals.
Early on, Dave Reid of Evidential Systems made the pivotal comment that: “There is no such thing as cybercrime, there is just crime – with different tools”. This is a point that is not made often enough. Fascination with the technical side of cybercrime can blind users to the classic weaknesses that are being exploited. Identity theft existed before computers: to find examples you need only look at popular fiction, such as Frederick Forsyth’s ‘The Day of the Jackal’, where the protagonist creates false credentials based on the stolen identity of a dead child. Indeed, the main motivation for most common online crimes is either money or sex, both of which certainly pre-date the Internet.

Figure 1: Emotional reactions to cybercrime. Source: Symantec.

Computer Fraud & Security
Not a victimless crime

There is a further factor that does not change either – there is a victim. However, the difference with much of the crime on the Internet is that the victims are, or perceive themselves to be, unsupported. They have nowhere to go, no emergency number to dial and no-one to talk to. The general attitude of society to those falling victim to certain types of crime, especially ‘advance fee fraud’ (which is, after all, theft), can be very negative. This echoes the attitude, in certain corners of the press in the 1980s, to girls who were raped when they went out for the evening wearing short skirts. At times this was also reflected in comments from the judiciary that, in some way, the girls were to blame for being attacked. Surely society has moved on from such a black and white view of crime – no matter what type?

Symantec recently released a report, commissioned from the market research company StrategyOne, that gathered responses from 77,000 individuals in many different countries [1]. The purpose of the work was to examine beliefs and attitudes to cybercrime. Overall, 65% of respondents reported that they had been victims of some form of cybercrime that prompted some kind of extreme emotional response (see Figure 1). But of these, only 44% reported the crime to the police (see Figure 2). A concern must be the level of under-reporting. Reasons for that included:

• Belief that it would be a waste of time, as it is a low-value loss.
• Low chance of the perpetrator being caught.
• Self-blame – the victims felt it was partly their fault.
• Not wanting to be labelled, by themselves or others, as a victim.

October 2010
Waste of time

Three key categories merit further discussion. Firstly, the idea that reporting cybercrime is a waste of time and effort. This is not irrational: it applies to any low-value loss. For instance, the experience of coming home from a shopping trip to realise that you were short-changed is not uncommon, but few people return to the shop to redress the matter. By the time you factor in the time, travel costs and effort of trying to prove the mistake, it would be a poor use of resources. Where a transaction happens on the Internet, especially via an auction site, and the goods turn out to be of lower quality than expected, cyber-shoppers often chalk it up to experience for much the same reason.
“In the Symantec survey, 80% of respondents said that they did not expect a cybercriminal to get caught”

The more serious part of that ‘waste of time’ reaction is the one that says there is no point because the criminal won’t get caught. In the Symantec survey, in fact, 80% of respondents said that they did not expect a cybercriminal to get caught. The majority opinion at the conference was that this is not an unreasonable expectation for most cybercrime, and that this is often due to lack of funding. One point given insufficient emphasis in the report is that some people failed to report the crime because they felt they had ‘been stupid’ to allow themselves to get drawn into the scam, and consequently they felt they should not receive any help to extricate themselves.

Figure 2: Whom victims of cybercrime contact. Source: Symantec.
“The banks know that when the chips are down most employees will protect their families or close friends before the bank’s property”

This makes no practical sense: if you brake too suddenly while driving home, hit a patch of oil and then drive into a tree, you are unlikely to refuse the help of the emergency services just because it was your mistake that caused the crash.
Targeting businesses

It is important to remember that cybercrime is not always committed against an isolated individual. Some of these crimes target businesses, and in that case the motivation to keep quiet about it is even stronger. Management may well believe that if their clients find out they have acted unwisely, the clients would then lose confidence in the firm’s ability to do its job or to protect customer data. In these difficult times, what company can take the risk of losing even 2% of its customers? That fear is echoed in the Symantec survey report.
Where this becomes more dangerous to business is when the crime is a fraud against an employee. That person will be under stress and possibly, in extreme cases, may be tempted to commit fraud against the employer to obtain the money they need to complete the ‘deal’. Banks train their branch managers about what to do if their family is threatened in an effort to get their co-operation for an ‘insider crime’. But the banks know that when the chips are down most employees will protect their families or close friends before the bank’s property. However, it is arguable that a manager is less likely to lose face if he reports that his family is being held hostage than if he admits he fell victim to an advance fee fraud scam run through a social networking site. This may be compounded if it is the sort of site that wouldn’t meet the approval of his partner.

In May 2010, the press reported a very traumatic story of a victim of a form of advance fee fraud that the newspapers labelled ‘romance fraud’. It is, again, a development of the sort of crime committed in pre-email days using the ‘pen pal’ method. In this case, as reported in The Daily Telegraph, a woman ‘met’, via a dating site, someone claiming to be a US soldier serving in Iraq [2]. They corresponded over 18 months and she became very psychologically involved with him. On his journey home, his luggage was supposedly impounded in Ghana and he needed £2,300 to get it released. When she provided the money, there was a further demand for £20,000, and then still more for legal and customs costs. She was assured that this would be repaid out of $8m hidden in the luggage, which the soldier had supposedly ‘acquired’ in Iraq. Ultimately, the criminal was caught when he tried to apply for a UK visa in connection with a scam against another woman. When the Serious Organised Crime Agency (SOCA) looked into the Ghanaian national, they found information about the earlier victim and contacted the defrauded woman directly. She had been conned out of more than £270,000 in total, but she expressed her main emotion upon finally coming to terms with the fraud with the words: “I feel so stupid”. Of course she does; this was not a ‘get rich quick’ 419 scam. The criminal invested significant time and effort grooming her until she could see no way out.
No obvious help

One of the key problems with being a victim of cybercrime is that there is no obvious way of getting help. If a car is broken into, the police can at least see and acknowledge the crime and the loss. Although the police admit that, in most cases, there are just not the resources and expertise to handle all such cases at the local level, the victim knows that, even if the culprit is not caught, the case has been taken seriously, and there is therefore a motivation to report it. But what is the motivational reward in reporting cybercrime? The statistics demonstrate that the criminal is unlikely to be brought to trial, so positive reinforcement is absent. In fact, there is a risk that victims will be labelled, both by themselves and others, as fools for falling for the temptation in the first place. So positive reinforcement is replaced by negative reinforcement, and why would anyone do something that can lead only to bad results?

Yet the information security community needs to get a grip on this issue, because crime that utilises Internet connectivity is increasing, not decreasing. Social networking sites are rich hunting grounds for scammers and those wanting to harvest credit card details. All it takes is a convincing free offer and many will willingly divulge their personal data. If they succumb in a moment of weakness, they are unlikely to tell the story to those around them, and so the community’s understanding of the hazard is never built up. This kind of awareness needs to be built into the security culture; otherwise what results is a weakness of the organisation as well as the individual.
“Awareness needs to be built into the security culture otherwise what can result is a weakness of the organisation as well as the individual”

Imagine that a C-level executive of a multinational company got drawn into a targeted scam, maybe one that was carefully designed to engage him in helping young people from under-privileged backgrounds in the area where he grew up (a bit of background work would be needed here, but probably not much). After he becomes involved, it turns out to be an expensive hoax. Would you expect that the executive, or the board, would be willing to publicise the story in the company newsletter or even in the general media? Probably not. The resulting publicity would be almost certain to harm both the executive’s reputation and that of the organisation.
Awareness training

Experience shows that, in general, people care more about protecting themselves than their employers. This security weakness can, therefore, be turned into a splendid opportunity: target some security awareness training on a subject with which staff are motivated to engage – not only for their own protection, but also because they can pass on the message to family and friends. In this way staff become less likely to fall victim, whether through stress or possible exploitation, which will, in turn, reduce the risk to the organisation.
“Encouraging an active dialogue on security issues with all staff can lead to better-targeted training and, ultimately, safer business practice”

Finally, organisations that have experimented with the idea have found that providing an easy method for staff to report any and all security concerns is very beneficial. Of course, any process change such as this is harder to implement than it sounds. However, the pay-off can be considerable: encouraging an active dialogue on security issues with all staff can lead to better-targeted training and, ultimately, safer business practice.
About the author

Wendy Goucher has an approach to information security that is heavily influenced by her background in social science and management. She seeks to bridge the gap between professional ideals and operational requirements when helping organisations to devise policies and procedures that can be more honoured in the observance than the breach. At the same time she is researching for a doctorate in computer science with psychology. She speaks widely at international conferences.
References

1. ‘Norton Cybercrime Report: The Human Impact’. Symantec, September 2010.
2. Alexander, Harriet. ‘British victim of ‘romance fraud’ tells of ordeal’. The Daily Telegraph, 2 May 2010.