Identity Theft caused by Phishing attacks and Scams over the Internet
By Mariah Childs
December 1st, 2019
Graduate Research Paper
Childs, 1

Abstract

The 2017 Internet Crime Report emphasizes the IC3’s efforts in monitoring trending scams such as Business Email Compromise (BEC), Ransomware, Tech Support Fraud, and Extortion. The report also highlights the Elder Justice Initiative promoting justice for the nation’s seniors. In 2017, IC3 received a total of 301,580 complaints with reported losses exceeding $1.4 Billion. This past year, the most prevalent crime types reported by victims were Non-Payment/Non-Delivery, Personal Data Breach, and Phishing. The top three crime types with the highest reported loss were BEC, Confidence/Romance fraud, and Non-Payment/Non-Delivery. This year’s report features success stories from two different successful cases initiated from IC3 complaints. Additionally, the Operation Wellspring (OWS) Initiative continues to build the cyber investigative capability by utilizing Cyber Task Force officers, thus strengthening state and local law enforcement collaboration (Complaint Center, 2019).

Introduction

I am composing this research paper because I want the world to know why stealing personal information from someone can be used through phishing attacks and scams to get more information from someone else. I can provide details as to how people can protect themselves from becoming a victim of identity theft, phishing schemes, and other scams. Identity theft is steadily increasing throughout the world. My research will address this issue by defining identity theft, describing preventive measures, incorporating programs that can decrease identity theft, and making individuals aware of what is being taken from them and why it takes longer to recover their information. The question that remains is: what factors make a person a target?
How can we improve our security systems without the constant fear of not having internet protection of personal data? I will include my own security system that I personally feel will help keep privacy protected and free of phishing attacks and scams from the internet.

Phishing attacks are becoming increasingly pervasive and sophisticated. Phishing has spread beyond email to now include VOIP, SMS, instant messaging, social networking sites, and even massively multiplayer games. Criminals are also shifting from sending out mass emails in the hopes of tricking anyone, to more selective “spear-phishing” attacks that use relevant contextual information to trick specific victims. Academic and commercial work in phishing is a dynamic area that combines elements of social psychology, economics, distributed systems, machine learning, human computer interaction, and public policy. In 2006, Jakobsson and Myers provided an overview of how phishing works and what countermeasures were available at that time. This article serves as an introduction as well as an overview on the current state of phishing.

These attacks and scams happen in many ways that could steal a person’s identity. There are three major phases: the first is potential victims receiving a phish; the second is the victim taking the suggested action in the message, which is usually to go to a fake web site but can also include installing malware or replying with sensitive information; the third is the criminal monetizing the stolen information. However, identity theft itself has three stages, known as acquisition, financial gain, and discovery. The acquisition stage consists of “computer hacking, fraud, trickery, force, or intercepting mail” (McNally & Newman, 2005, p. 6). Financial gain is a common motive for identity theft.
According to McNally & Newman, crimes in this stage consist of account takeover, opening new accounts, abusing debit or credit card information, trading identity information for money, filing tax returns, and insurance fraud. Discovery is the time frame it takes to report information on identity theft. Claims that involve credit cards are discovered more quickly than those involving other tools. Recent research suggested that identity theft is discovered by the victim based on the amount of loss incurred by the criminal.

Research Purpose

The purpose is to survey current research on identity theft caused by phishing attacks and scams over the internet. On protecting people’s privacy online, Carpenter (2014) mentioned that we must address a fundamental challenge: motivating individuals to avoid unnecessary identity exposure behaviors. Milne (2003) says a communication program is needed to alert consumers to be careful of their credit records. This would help increase the awareness rate among businesses and individuals and decrease identity theft in the United States. Carpenter (2014) stated that we need to design warnings for cyber-environments. Designing warnings would increase the awareness rates of identity theft and focus on the frequency of online routines. This would also help individuals identify their starting point with cybercrimes and further research on the virtual location of the individual and the hacker (Roberts, Indermaur, & Spiranovic, 2012). This could potentially decrease cybercrime rates and identity theft cases, and help individuals feel more secure while surfing the internet.

Method

The method I used to conduct my research was to use UMSL’s library database and Google Scholar to find keywords and information relating to my research topic. I also searched the internet for current identity theft and phishing scheme cases that would be relevant to this paper.
The keywords that were my focus were identity theft, scams, phishing attacks, data losses, breaches of data access, and cybercrime rate reports. I chose these keywords because they all pertain to topics and information within my topic. I am looking to try to explain the deep connection, or at least explain how certain people become targets of having their personal identification stolen and used in schemes and scams to obtain personal information of someone else. I have found close to thirteen articles that were useful to my research topic and obtained the information that I was seeking to use for my research. Starting this paper, I had trouble with creating a summary that would fit perfectly in explaining my research question and also explain why it’s important. I took some time with my abstract and read through my articles to pick a good survey report to start off my research. I wanted to retrieve as much data as I could use for my paper. Next, I created an outline of the subheadings and started my paper in an order that I feel will help my reader follow along and understand my research question and why I chose this topic.

Findings

Risk Factors:

While phishing attacks and scams are plain in general, I decided to focus on the risk factors that could increase the chance of becoming a victim of identity theft. Their information could be used for online banking, emailing, shopping online, and saving debit/credit information over the internet. Reyns (2013) found that about 30 percent of victims that were shopping online and saving their credit information on devices were at risk of having their identity stolen. Reyns’ (2013) study found that individuals who use the internet for online banking and emailing were likely to have their identity stolen by 50 percent. However, more research can explain how people are losing their information and becoming gullible by the information supplied by the criminal.
The world needs more ways to secure personal identification over the internet. Past research has focused on tools and technology used by criminals. It focused on looking at the patterns and how criminals track individuals’ information. I decided to draw this sample because I want to make individuals aware of this information and provide a new way to protect their privacy using a new system.

The literature suggests we follow Milne’s study, which measured the self-behavior of 61 college students and 59 non college students. The study approach was to show how some students were adequate for several preventive behaviors and some show interest in diverges in behavior. I picked this study to build my research because we have the same purpose: to decrease individuals having their identity taken by criminals and to make the internet safe again. Edwards (2014) composed a solution to eliminate third party documents, erase pin codes, and provide accurate identification for everyone buying things online. He supported his solution by composing a system where every human must identify themselves.

Gartner research conducted in April 2004 indicates that millions of consumers unknowingly fall for phishing attacks — e-mail communications designed to steal consumer account information, such as credit card data, home addresses and telephone numbers. Consumers have reason to be nervous. Phishing attacks undermine their confidence in the authenticity of e-mail originators, threatening consumer trust in the very foundation of Internet-based communications. Based on the representative sample, Gartner believes that nearly 11 million online adults representing about 19 percent of those attacked have clicked on the link in a phishing attack email. Even more seriously, 1.78 million Americans, or 3 percent of those attacked, remember giving the phishers sensitive financial or personal information, such as credit card numbers or billing addresses, by filling in a form on a spoof Web site.
Gartner believes that at least a million more individuals may have fallen for such schemes without realizing it. Direct losses from identity theft fraud against phishing attack victims, including new-account, checking account and credit card account fraud, cost U.S. banks and credit card issuers about $1.2 billion last year. Gartner believes that the double-digit expansion of U.S. e-commerce will slow down unless service providers adequately address consumer security concerns. A future Gartner note will outline emerging antiphishing solutions, ranging from digitally signed e-mail to managed antiphishing services. Without the implementation of phishing antidotes, consumer trust will further erode, and annual U.S. e-commerce growth will slow to 10 percent or less by 2007 (0.6 probability) (Litan, 2004).

Time Frame:

The amount of time it takes to resolve cases of identity theft depends on the discovery of the damage. Victims over the age of 55 were more likely to settle their problems quicker than victims under the age of 30 (McNally & Newman, 2005). Results from the FTC showed that 76% of victims discovered theft less than one month after it happened and took less than 10 hours to resolve. Identity theft cases that took longer than 6 months were only solved by 20 percent of victims (McNally & Newman, 2005). The best way to catch identity theft is to check every billing statement, credit record, and bank statement every month. This way your identity can be cleared and protected. It is important to check your reports every 6 months. Ingram (2006) showed survey results from the Better Business Bureau which indicated that the chance of a thief getting caught was 1 in 700. Identity theft is hard to solve because most victims are unaware of how their identity was stolen or obtain agreement, which makes it hard to solve a case due to missing or lacking information (Roberts, Indermaur, & Spiranovic, 2012).
Reed (2019) suggests that the average time it takes to resolve a cyber-attack is 32 days, with an average cost to participating organizations of $1,035,769 during the 32-day period. This represents a 55 percent increase from last year’s estimated average cost of $591,780, which was based upon a 24-day resolution period. Results show that malicious insider attacks can take more than 65 days on average to contain. Information theft continues to represent the highest external cost, followed by the costs associated with business disruption. On an annualized basis, information theft accounts for 43 percent of total external costs. The costs associated with disruption to business or lost productivity account for 36 percent of external costs. Recovery and detection are the costliest internal activities. On an annualized basis, recovery and detection combined account for 49 percent of the total internal activity cost, with cash outlays and labor representing many of these costs. Activities relating to IT security in the network layer receive the highest budget allocation. In contrast, the host layer receives the lowest funding level. The percentage allocation to physical layer activities is highest for critical infrastructure companies such as communications, energy and utilities and lowest for retail companies. Deployment of security intelligence systems makes a difference. The cost of cybercrime is moderated by using security intelligence systems (including SIEM). Findings suggest companies using security intelligence technologies were more efficient in detecting and containing cyber-attacks. As a result, these companies enjoyed an average cost savings of nearly $4 million when compared to companies not deploying security intelligence technologies.

Data Loss and Breaches:

The literature I researched and discovered to use for this topic was about the Telstra data breach. Layton, R., & Watters, P. A.
(2014) article states that on Friday, December 9th, 2011, a user on the internet forum “Whirlpool” was investigating different bundling options for Telstra communications when he noticed that the search page released a significant amount of personal information. Very quickly, other users commented that they too could see a significant amount of data by using Google to search through files that contained personal data for hundreds of thousands of Telstra clients. Telstra was either notified of the breach or discovered the posting that day. The site, which was served from a third-party website, was taken down between 4pm and 5pm on that day. This left just four hours from the first posting on Whirlpool during which the site was left with an open and known vulnerability. Further, the subsequent investigations revealed that the site had been in its vulnerable state for at least two months, with a backup incorrectly removing file permissions for the folder that contained the sensitive data.

The report into this investigation was released in June 2012 and found the breach released personal information of customers. The personal data of 734,000 customers was made public through this vulnerability. The data breach occurred because the procedure for applications that handle private data was not followed correctly. A manager had stated incorrectly at the start of the project that no private data would be held, which stopped more stringent security procedures from being applied to this project. Telstra took appropriate steps to address the breach and notify relevant parties after it became aware of it. Multiple employees were aware of the problem before the public disclosure but failed to report it. The passwords of 73,000 customers were reset. These customers were required to call Telstra during a heavy peak time to restore their accounts and access to services like email. These services were not available until they did this, and the call center wait was reported to be over an hour.
These customers had potential account access information, such as passwords in plain text, stored in the breached information. Telstra had instigated a remediation procedure sufficient for the Privacy Commissioner to halt further investigation into the breach. Telstra was to provide the commissioner with a progress report in October 2012 on their remediation plan. A final report was due in April 2013, at the completion of the plan.

Most of the costs in this breach came from the IT support, as affected customers were required to perform an IT support call to reinstate their accounts. This accounted for most of the overall costs, between $730,000.00 and $1,460,000.00. Using outsourced support staff may reduce this amount, potentially up to a factor of two. The other headline figure is that, even without the support costs, the overall costing is still between $261,395.67 and $480,267.37. This is a significant cost and is a direct, tangible cost to the business.

The report from Tcherni, Davies, Lopes, & Lizotte (2016) suggests that the estimates of financial losses from online theft and fraud are compiled by Javelin Strategy & Research (2011), using a methodology closest to the one employed in calculating losses from traditional crime by the FBI in their annual Crime in the US reports (U.S. Federal Bureau of Investigation, 2013). The results paint a picture that clearly shows losses from online crime far surpass those from traditional crime and that the proportion of people or households financially affected by online property crime (OPC) is substantial. By asking respondents to identify the date of their discovery of the loss and the “approximate total dollar value of what the person obtained while misusing information”, Javelin computes a moving three-year average of monetary losses (except for years 2008 and 2009, where only a standard one-year estimate was available at the time of report publication).
The total losses vary within the range of $45 billion to $60 billion yearly during the period of 2003 to 2009. The study also includes direct personal financial losses from identity theft, which were estimated at $14.4 billion to $16.5 billion annually over the same timeframe. The UCR estimates of monetary losses reported from the traditional property crimes such as burglary, larceny/theft, and motor vehicle theft, by comparison, range between $15.2 billion and $17.6 billion.

In conclusion, most data losses and breaches can result in hundreds of thousands (sometimes millions) of compromised records and lead to identity theft and related crimes (Givens, 2000). In the United States, identity theft resulted in corporate and consumer losses of around $56 billion in 2005 (Javelin Research, 2006). In trying to reduce these crimes, many states have responded by adopting data breach disclosure (also known as security breach notification) laws requiring firms to notify individuals when their personal information has been compromised. However, no empirical analysis has investigated the effectiveness of such legislative initiatives in reducing identity theft.

Conclusion

One of the biggest ways to protect your identity is to avoid using the internet for purposes that require information about your identity (Reyns, 2013). You should always place a fraud alert on your credit account (Ingram, 2006), watch your billing cycles, guard your mail, and minimize the information you disclose on the internet (Milne, 2003). There are ways to protect individuals from identity theft on the internet. Simple things like installing firewalls on computers and reviewing your bank and phone statements each month (Ingram, 2006) help prevent hackers from stealing information. The focus was on education and how it could encourage people to make non-obvious passwords and improve individuals’ understanding of the risks when giving information to merchants (Milne, 2003).
Lastly, Wi-Fi networks would have to be monitored closely and not shared with anyone, because hackers always find ways to steal your information from the same network (Reyns, 2013).

These arguments present a stimulating debate as to whether data breach disclosure laws can reduce identity theft—an impact that no one has attempted to empirically measure. The purpose is to investigate the effectiveness of data breach disclosure laws in reducing identity theft. In order to properly identify this effect, we must attempt to control for several possible factors. We consider that the increased media attention regarding data breaches and the risk of identity theft may affect reported rather than actual crimes, making proper identification difficult. Research suggests that we can address both endogeneity and awareness bias later in the manuscript by using panel data on identity theft gathered from the Federal Trade Commission (FTC) and other sources from 2002 to 2009. If we use state and time fixed effect regression analysis to empirically estimate the impact of data breach disclosure laws on the frequency of identity thefts due to breaches, we find that adoption of these disclosure laws reduces identity thefts, on average, by 6.1 percent.

A solution to identity theft, fraud cases, and cyber-crimes would be to continue developing a steady change in technology and functions of the internet (Reyns, 2013). This change would legislate all states to offer free annual credit reports and bureaus (Milne, 2003). Edwards (2014) says eliminating third party documents entirely will help decrease cybercrime. The solution for electronic crimes would be to create a specific electronic transaction for people shopping online to identify themselves (Edwards, 2014). A universal online authentication centre would be created to limit user data to non-sensitive data so that no one could use it for malicious purposes.
This would require a certain fingerprint-like scan where the data would be encrypted in a way that no one could decode it (Edwards, 2014).

Kirda & Kruegel (2005) suggest a browser extension known as AntiPhish that aims to protect inexperienced users against spoofed web site-based phishing attacks. AntiPhish keeps track of the sensitive information of a user and generates warnings whenever sensitive information is typed into a form on a web site that is considered untrusted. The tool has been implemented as a Mozilla Firefox plug-in and is free for public use. AntiPhish is based on the premise that for inexperienced, technically unsophisticated users, it is better for an application to attempt to check the trustworthiness of a web site on behalf of the user. Unlike a user, an application will not be fooled by obfuscation tricks such as a similar sounding domain name.

Proper research on the effectiveness of data breach disclosure laws is hampered by the relative scarcity of data. Hoofnagle (2007) argues that the current collection of identity theft records is not enough, and that banks and other organizations should be required to release identity theft data to the public for proper research. We certainly agree with this view. To the extent that sampling and awareness biases can be reduced, this will allow researchers to more accurately measure the impact of disclosure laws. Moreover, we believe that the better collection of data on identity theft victimization, consumer and firm losses, and changes in firm behavior will be valuable for researchers, policymakers, and consumers. A broader issue relevant to policymakers is whether there are other means by which these laws should be evaluated. Environmental disclosure laws often measure a deterrent policy by their effectiveness at reducing not just the frequency of incidents, but also the severity of incidents (Cohen, 2000).
Therefore, it is possible that these disclosure laws could help reduce the severity of the crimes (as measured by the amount of consumer loss or type of identity theft) or reduce the number of records lost or stolen per breach.

APA References

1. Carpenter, S., Zhu, F., & Kolimi, S. (2014). Reducing online identity disclosure using warnings. Applied Ergonomics, 45(5), 1337-1342.
2. Complaint Center, F. B. I. (2019, October 17). How to Recognize and Avoid Phishing Scams.
3. Edwards, C. (2014). Ending identity theft and cyber-crime. Biometric Technology Today, 2014(2), 9-11.
4. Ingram, D. M. (2006). How to minimize your risk of identity theft. Optometry - Journal of the American Optometric Association, 77(6), 312-314.
5. Kirda, E., & Kruegel, C. (2005). Protecting users against phishing attacks with AntiPhish.
6. Layton, R., & Watters, P. A. (2014). A methodology for estimating the tangible cost of data breaches. Journal of Information Security and Applications, 19(6), 321-330.
7. Litan, A. (2004). Phishing attack victims likely targets for identity theft.
8. Milne, G. R. (2003). How well do consumers protect themselves from identity theft? The Journal of Consumer Affairs, 37(2), 388-402.
9. Reed, T. S. (2019). Cybercrime and technology losses: Claims and potential insurance coverage for modern cyber risks. Tort Trial & Insurance Practice Law Journal, 54(1), 153-209.
10. Reyns, B. W. (2013). Online routines and identity theft victimization: Further expanding routine activity theory beyond direct-contact offenses. Journal of Research in Crime and Delinquency, 50(2), 216-238.
11. Roberts, L. D., Indermaur, D., & Spiranovic, C. (2012). Fear of cyber-identity theft and related fraudulent activity. Psychiatry, Psychology and Law, 20(3), 1-14.
12. Romanosky, S., Telang, R., & Acquisti, A. (2011). Do data breach disclosure laws reduce identity theft? Journal of Policy Analysis and Management, 30(2), 256-286.
13. Tcherni, M., Davies, A., Lopes, G., & Lizotte, A. (2016).
The dark figure of online property crime: Is cyberspace hiding a crime wave? Justice Quarterly, 33(5), 890-911.
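
The AntiPhish behaviour summarized in the Conclusion (Kirda & Kruegel, 2005), a warning when remembered sensitive information is typed into a form on a site it was not saved for, sketched as an added example. It is not the AntiPhish extension's code and not part of the original paper; the class and function names, the HMAC tagging of stored secrets, and the `.test` hostnames are assumptions.

```javascript
// Added example: an AntiPhish-style guard. Names are hypothetical; this is
// not the AntiPhish extension's source code.
const { createHmac, randomBytes, timingSafeEqual } = require('node:crypto');

class SensitiveInputGuard {
  constructor(key = randomBytes(32)) {
    this.key = key;     // per-profile secret, so stored tags are not bare hashes
    this.records = [];  // { tag: Buffer, length: number, host: string }
  }

  // Exact hostname comparison is the point: "examp1ebank" != "examplebank".
  static hostOf(url) {
    return new URL(url).hostname; // lower-cased; IDN hosts become punycode
  }

  tagOf(text) {
    return createHmac('sha256', this.key).update(text, 'utf8').digest();
  }

  // Call when the user first submits a secret on a site they chose to trust.
  remember(secret, url) {
    if (!secret) throw new Error('empty secret');
    this.records.push({
      tag: this.tagOf(secret),
      length: secret.length, // assumption: storing the length is acceptable
      host: SensitiveInputGuard.hostOf(url),
    });
  }

  // Call on every input event with the form field's current value.
  check(fieldValue, url) {
    const host = SensitiveInputGuard.hostOf(url);
    const boundHosts = new Set();
    for (const rec of this.records) {
      // Slide a window so a secret embedded in a longer value is still caught.
      for (let i = 0; i + rec.length <= fieldValue.length; i++) {
        const candidate = fieldValue.slice(i, i + rec.length);
        if (timingSafeEqual(this.tagOf(candidate), rec.tag)) {
          boundHosts.add(rec.host);
          break;
        }
      }
    }
    if (boundHosts.size === 0) return { action: 'allow', reason: 'no-known-secret' };
    if (boundHosts.has(host)) return { action: 'allow', reason: 'trusted-host' };
    return { action: 'warn', reason: 'secret-on-untrusted-host', host, boundHosts: [...boundHosts] };
  }
}

// Feed a value one keystroke at a time; return how many characters had been
// typed when the first warning fired, or -1 if none did.
function firstWarningAt(guard, text, url) {
  for (let n = 1; n <= text.length; n++) {
    if (guard.check(text.slice(0, n), url).action === 'warn') return n;
  }
  return -1;
}

// Constructed sample data (not from the paper); .test is a reserved TLD.
const SAMPLE_SECRET = 'Tr0ub4dor&3-sample';
const TRUSTED_URL = 'https://login.examplebank.test/signin';
const LOOKALIKE_URL = 'https://login.examp1ebank.test/signin';

function demo() {
  const guard = new SensitiveInputGuard();
  guard.remember(SAMPLE_SECRET, TRUSTED_URL);
  return {
    onTrusted: firstWarningAt(guard, SAMPLE_SECRET, TRUSTED_URL),
    onLookalike: firstWarningAt(guard, SAMPLE_SECRET, LOOKALIKE_URL),
    pasted: guard.check('pw: ' + SAMPLE_SECRET, LOOKALIKE_URL),
  };
}

console.log(demo());
```

The warning fires on the keystroke that completes the secret, before the form can be submitted, and the lookalike host is caught because the comparison is on the exact hostname rather than on how the name looks.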