Comparing Victims of Phishing and Malware Attacks: Unraveling Risk Factors and Possibilities for Situational Crime Prevention

This paper compares the risk factors for becoming a victim of two types of phishing: high-tech phishing (using malicious software) and low-tech phishing (using e-mails and telephone calls). These risk factors are linked to possibilities for situational crime prevention. Data from a cybercrime victim survey in the Netherlands (n=10,316) is used. Based on routine activity theory, the multivariate analyses include thirty variables. There are many similarities between the two types of attacks. Both have almost the same crime script, for example. Furthermore, analyses show that both criminal groups are happy with almost any victim they can get and do not discriminate between the rich and poor. There are also differences between highand low-tech victimization. First, almost none of the online visibility variables had any effect on the risk of becoming victim to low-tech attacks. Victims of high-tech attacks tell a different story. There is a clear connection between victimization and spending time in the online world. The second difference can be found within online accessibility. Again, none of the variables mattered when it came to the low-tech attacks. The malware analysis, however, shows that the victims’ technical infrastructure does affect the risk of victimization. The findings show situational crime prevention has to be aimed at groups other than just the users themselves. Criminals are primarily interested in popular online places and the onus is on the owners of these virtual places to protect their visitors from getting infected. Keywords—malware; phishing; cybercrime; situational crime prevention