A multi-level influence model of COVID-19 themed cybercrime

ABSTRACT The recent severity and frequency of cybercrime has been dominated by a single theme – the COVID-19 pandemic. This research develops a multi-level influence model to explore how cybercriminals are exploiting the COVID-19 pandemic by assessing situational factors, identifying victims, impersonating trusted sources, selecting attack methods, and employing social engineering techniques. The model extends upon prior work on influence techniques and emotional appeals that cybercriminals employ, by bringing into sharper focus the role of situational factors in COVID-19 related cybercrime attacks. Content and thematic analysis was conducted on 185 distinct COVID-19 cybercrime scam incident documents, including text, images, and photos, provided by a global online fraud and cybersecurity company tracking COVID-19 related cybercrime. The analysis reveals interesting patterns about the sheer breadth and diversity of COVID-19 related cybercrime and how these crimes are continually evolving in response to changing situational factors. It is hoped that these insights and recommendations for end-users and organisations can contribute to a safer digital world as we cope with many other pressing challenges during the COVID-19 pandemic.

[1]  Xin Luo,et al.  Investigating phishing victimization with the Heuristic-Systematic Model: A theoretical framework and an exploration , 2013, Comput. Secur..

[2]  Frank Stajano,et al.  Understanding scam victims , 2011, Commun. ACM.

[3]  James Price Dillard,et al.  Persuasion and the Structure of Affect: Dual Systems and Discrete Emotions as Complementary Models. , 2001 .

[4]  Richard Ford,et al.  On the definition and classification of cybercrime , 2006, Journal in Computer Virology.

[5]  Gunther Eysenbach,et al.  Infodemiology and infoveillance tracking online health information and cyberbehavior for public health. , 2011, American journal of preventive medicine.

[6]  Seamus O. Ciardhuáin,et al.  An Extended Model of Cybercrime Investigations , 2004, Int. J. Digit. EVid..

[7]  B. Crabtree,et al.  A Template Approach to Text Analysis: Developing and Using Codebooks , 1992 .

[8]  K. Witte Putting the fear back into fear appeals: The extended parallel process model , 1992 .

[9]  R. Cialdini Influence: Science and Practice , 1984 .

[10]  Lawrence E. Cohen,et al.  Social Change and Crime Rate Trends: A Routine Activity Approach , 1979 .

[11]  T. Hart,et al.  Hunter or Prey? Exploring the Situational Profiles that Define Repeated Online Harassment Victims and Offenders , 2020 .

[12]  Jay F. Nunamaker,et al.  Detecting Fake Websites: The Contribution of Statistical Learning Theory , 2010, MIS Q..

[13]  Kai Lung Hui,et al.  See No Evil, Hear No Evil? Dissecting the Impact of Online Hacker Forums , 2019, MIS Q..

[14]  S. Pfleeger,et al.  From Weakest Link to Security Hero: Transforming Staff Security Behavior , 2014 .

[15]  John T. Cacioppo,et al.  The Elaboration Likelihood Model of Persuasion , 1986, Advances in Experimental Social Psychology.

[16]  Ryan T. Wright,et al.  Where Did They Go Right? Understanding the Deception in Phishing Communications , 2010 .

[17]  Stuart E. Madnick,et al.  Decision-Making and Biases in Cybersecurity Capability Development: Evidence from a Simulation Game Experiment , 2017, J. Strateg. Inf. Syst..

[18]  Stephanie Watts,et al.  Informational Influence in Organizations: An Integrated Approach to Knowledge Adoption , 2003, Inf. Syst. Res..

[19]  Ryan T. Wright,et al.  Training to Mitigate Phishing Attacks Using Mindfulness Techniques , 2017, J. Manag. Inf. Syst..

[20]  Edgar R. Weippl,et al.  Advanced social engineering attacks , 2015, J. Inf. Secur. Appl..

[21]  Terance D. Miethe,et al.  Lifestyle changes and risks of criminal victimization , 1990 .

[22]  William Yurcik,et al.  Threat Modeling as a Basis for Security Requirements , 2005 .

[23]  Yada Zhu,et al.  Social Phishing , 2018, Encyclopedia of Social Network Analysis and Mining. 2nd Ed..

[24]  Monideepa Tarafdar,et al.  Reflecting on the "Dark Side" of Information Technology Use , 2012, Commun. Assoc. Inf. Syst..

[25]  Ojelanki K. Ngwenyama,et al.  Communication Richness in Electronic Mail: Critical Social Theory and the Contextuality of Meaning , 1997, MIS Q..

[26]  Yue Xu,et al.  Susceptibility to Social Engineering in Social Networking Sites: The Case of Facebook , 2015, ICIS.

[27]  J. Burger Obedience to Authority , 2011 .

[28]  Ponnurangam Kumaraguru,et al.  Who falls for phish?: a demographic analysis of phishing susceptibility and effectiveness of interventions , 2010, CHI.

[29]  T. Holt,et al.  Examining the Applicability of Lifestyle-Routine Activities Theory for Cybercrime Victimization , 2008 .

[30]  K. Gleeson Polytextual thematic analysis for visual data , 2020 .

[31]  N. Akbar,et al.  Analysing Persuasion Principles in Phishing Emails , 2014 .

[32]  X. Bosch The Lucifer Effect: Understanding How Good People Turn Evil , 2007 .

[33]  David Maimon,et al.  Cyber-Dependent Crimes: An Interdisciplinary Review , 2019, Annual Review of Criminology.

[34]  Dennis F. Galletta,et al.  What Do Systems Users Have to Fear? Using Fear Appeals to Engender Threats and Fear that Motivate Protective Security Behaviors , 2015, MIS Q..

[35]  William L. Simon,et al.  The Art of Deception: Controlling the Human Element of Security , 2001 .

[36]  Brad McKenna,et al.  Social media in qualitative research: Challenges and recommendations , 2017, Inf. Organ..

[37]  Xin Luo,et al.  Social Engineering: The Neglected Human Factor for Information Security Management , 2011, Inf. Resour. Manag. J..

[38]  Noah J. Goldstein,et al.  Social influence: compliance and conformity. , 2004, Annual review of psychology.

[39]  Elena Karahanna,et al.  Time Flies When You're Having Fun: Cognitive Absorption and Beliefs About Information Technology Usage , 2000, MIS Q..

[40]  R. Cialdini Influence: The Psychology of Persuasion , 1993 .

[41]  H T Sorensen,et al.  A framework for evaluation of secondary data sources for epidemiological research. , 1996, International journal of epidemiology.

[42]  Rui Chen,et al.  Visual e-mail authentication and identification services: An investigation of the effects on e-mail use , 2009, Decis. Support Syst..

[43]  Thomas J. Holt,et al.  Testing an Integrated Self-Control and Routine Activities Framework to Examine Malware Infection Victimization , 2018, Social Science Computer Review.

[44]  William Allen,et al.  The influence of source credibility on communication effectiveness , 1953 .

[45]  A. D. Jones,et al.  Obedience to Authority , 1974 .

[46]  Rui Chen,et al.  An investigation of email processing from a risky decision making perspective , 2011, Decis. Support Syst..

[47]  J. Clough Principles of Cybercrime , 2010, The Military Law and the Law of War Review.

[48]  B. Orbach,et al.  Con Men and Their Enablers: The Anatomy of Confidence Games , 2018 .

[49]  Yue Xu,et al.  Social Engineering in Social Networking Sites: The Art of Impersonation , 2014, 2014 IEEE International Conference on Services Computing.

[50]  Ryan T. Wright,et al.  Research Note - Influence Techniques in Phishing Attacks: An Examination of Vulnerability and Resistance , 2014, Inf. Syst. Res..

[51]  Richard Baskerville,et al.  Generalizing Generalizability in Information Systems Research , 2003, Inf. Syst. Res..

[52]  Ryan T. Wright,et al.  The Influence of Experiential and Dispositional Factors in Phishing: An Empirical Investigation of the Deceived , 2010, J. Manag. Inf. Syst..

[53]  Ana Ferreira,et al.  Principles of Persuasion in Social Engineering and Their Use in Phishing , 2015, HCI.

[54]  Marsha L. Richins Measuring Emotions in the Consumption Experience , 1997 .

[55]  Indranil Bose,et al.  Unveiling the Mask of Phishing: Threats, Preventive Measures, and Responsibilities , 2007, Commun. Assoc. Inf. Syst..

[56]  Al Anneloes Meijnders,et al.  Persuasion and the structure of affect , 2002 .

[57]  Michael Workman,et al.  Wisecrackers: A theory-grounded investigation of phishing and pretext social engineering threats to information security , 2008, J. Assoc. Inf. Sci. Technol..

[58]  Ritu Agarwal,et al.  Practicing Safe Computing: A Multimedia Empirical Examination of Home Computer User Security Behavioral Intentions , 2010, MIS Q..

[59]  M. D. Myers,et al.  Qualitative Research in Business & Management , 2008 .

[60]  Fawn T. Ngo,et al.  Cybercrime Victimization: An Examination of Individual and Situational Level Factors , 2011 .

[61]  G. Eysenbach Infodemiology: The epidemiology of (mis)information. , 2002, The American journal of medicine.

[62]  Anol Bhattacherjee,et al.  Influence Processes for Information Technology Acceptance: An Elaboration Likelihood Model , 2006, MIS Q..

[63]  Jason Hart Remote working: managing the balancing act between network access and data security , 2009 .

[64]  Lee P. Ruddin,et al.  You Can Generalize Stupid! Social Scientists, Bent Flyvbjerg, and Case Study Methodology , 2006 .

[65]  Md Rezaul Karim,et al.  The Influencing Factors Associated with Ketosis-Prone Type 2 Diabetes Mellitus: A Syndrome of Diabetes Mellitus , 2018 .

[66]  Brandon Van Der Heide,et al.  Social Media as Information Source: Recency of Updates and Credibility of Information , 2014, J. Comput. Mediat. Commun..

[67]  J. Zarocostas How to fight an infodemic , 2020, The Lancet.

[68]  J. Fereday,et al.  Demonstrating Rigor Using Thematic Analysis: A Hybrid Approach of Inductive and Deductive Coding and Theme Development , 2006 .

[69]  P. Todd,et al.  Simple Heuristics That Make Us Smart , 1999 .