Modus Operandi
Marianne Junger
[Mon13] A. L. Montoya Morales, M. Junger, and P. H. Hartel. How 'digital' is traditional
crime? In European Intelligence and Security Informatics Conference (EISIC), Uppsala,
Sweden, Aug 2013. IEEE Computer Society. http://eprints.eemcs.utwente.nl/23423/
1
Cyber-crime
science
Origins of CRIME
 Why do people commit crimes?
 What aspects play a role?
 https://www.youtube.com/watch?v=RmQZ
9RzZa00
2
Cyber-crime science
Background
 Crime Science
» Crime is the product of the environment
» Independent of personal characteristics
 Fact
» Since WWII increase in wealth, more leisure time,
higher education.
» But what happened to crime?
3
Cyber-crime science
Development of registered
crime 1960-1995 in NL (CBS)
4
4
Cyber-crime science
Why did crime increase?
 More targets
 Less supervision
 Increased mobility
 Aim of Crime Science = prevention
5
Cyber-crime science
Issue today
 Does digitalization lead to increase in
crime?
6
Cyber-crime science
Digitalization in he Netherlands
 93% of Dutch population is connected to
the internet (CBS)
 50% also accesses internet via mobile
device (smart-phone: 43%, laptop: 21%)
 53% is active on social media
 79% shop online, 55% are frequent online
shoppers
7
Cyber-crime science
First expectation
 Cybercrime is increasing as a result of
increasing use of ICT
8
Cyber-crime science
Not supported by previous work
 [Dom09] concluded that cybercrime is ‘at
most 1% of all reported crime’
 Hollands-Midden: 0.32% of all crime
 Zuid-Holland-Zuid: 0.54% of all crime
[Dom09] M. M. L. Domenie, E. R. Leukfeldt, M. H. Toutenhoofd-Visser, and W. Ph. Stol.
Werkaanbod cybercrime bij de politie. een verkennend onderzoek naar de omvang van het
geregistreerde werkaanbod cybercrime. Cyren rapport, NHL Hogeschool, Leeuwarden,
2009.
9
Cyber-crime science
Previous work [Dom09] followed
special methodology
 [Dom09] measured prevalence in Zuid
Holland Zuid and Hollands Midden
» Definition: “the use of IT for committing criminal
activities against persons, property, organizations or
electronic communication networks and information
systems”
» Operationalization: Searched for keywords
associated with cybercrime, such as "computer",
"cyber" or “digital“, using a digital search protocol
» Findings: 0.32 - 0.54% of all crime reported to the
Dutch police constitutes cybercrime in 2 police
regions.
10
Cyber-crime science
Aim UTwente study
 Check these figures following new
methodology
 Check manually into the digital modus
operandi (MO) of traditional crime
11
Cyber-crime science
Second expectation
 Changes in technology affect
characteristics of crime, type of
offenders and type of victims
12
Cyber-crime science
Previous work does not
support this expectation
 Cybercriminals are younger but basically
the same as offenders from traditional
crimes [Leu11]
[Leu11] E. R. Leukfeldt and W. Ph. Stol. De marktplaatsfraudeur ontmaskerd.
internetfraudeurs vergeleken met klassieke fraudeurs. Secondant, 25(5):26-31, 2011.
http://www.hetccv.nl/binaries/content/assets/ccv/secondant/2011/secondant2011-6.pdf.
13
Cyber-crime science
Characteristics of cybercriminals
Age
Between 18 and 30 – up to 79% younger than 30
Sex
Males: 80% or more
Technical
Not especially skilled vs very skilled
skill
Role criminal
Cybercrime requires high degree of organization
organizations
and specialization, in financial-driven crimes
Organized crime involvement = 90%
Geographical
Groups may still be located in lose geographical
location
proximity, even if their activities are transnational.
[UNO13]
UNODC. Comprehensive Study on Cybercrime. United Nations Office on Drugs and
Crime, Feb 2013. http://www.unodc.org/documents/organized14
crime/UNODC_CCPCJ_EG.4_2013/CYBERCRIME_STUDY_210213.pdf.
Cyber-crime science
Expectations
 Cybercrime should increase as society
goes online
» Check figures [Dom09] with new methodology?
 Digitalisation should affect the
characteristics of the type of crime and
the type of offenders
» Do we see changes in cybercrime corresponding to
the [UNO13] findings?
 Aim present study not measure
‘cybercrime’ but penetration of
Information and Communication
Technology (ICT) in traditional crime
15
Cyber-crime science
Method
 Careful reading of police records (Proces
Verbaal) using a tailor-made checklist
 Random selection of 900 incidents in
Gelderland and Overijssel
 Crime types:
» Residential & commercial burglary (n=300) (link to
cybercrime is unknown)
» Threats (n=300) (suspected link to cybercrime)
» Frauds (suspected link to cybercrime) (n=300)
16
Cyber-crime science
Method (Contd.)
 Crime script
 Amount of ICT used during
» Commission of crime (i.e. modus operandi)
» Criminal investigation
» Apprehension
17
Cyber-crime science
Method (Contd.)
 Socio-demographic variables, age, sex,
place of birth
 Organized crime measured indirectly:
organized crime implies – in the present
study
» Having a criminal record
» More than a single offender
» Not having a legal occupation
» Geographic location: international crime
18
Cyber-crime science
Question
 How much ICT is there in traditional
crime?
 Selection: all cases
19
Cyber-crime science
September 2011
ICT is important for threats and
fraud *




#24
#30
#34
#39
Unsolicited email sent
Threat digital
Forgery digital
Burglary prior to the offense in digital form
% ICT
45.0%
40.0%
40.7%
35.0%
30.0%
25.0%
20.0%
15.0%
16.2%
10.0%
5.0%
3.0%
0.0%
0.0%
Residential Commercial
burglary
burglary
Threats
Fraud
ICT present
* Significant p < .001
20
Cyber-crime science
Burglary: 1.5% takes place after the commission of the
burglary (theft of money via stolen bank cards)
ICT is important for threats and
fraud
 Threat digital
» Verbal threats via SMS, MSN Whatsapp, email or on
social media
» Also: denigrating messages or films on YouTube,
personal, or business (bad publicity)
 Digital Fraud
» Online shopping; ‘E-Bay (Marktplaats) fraud
» Internet banking: skimming or hacking of bank
system
21
Cyber-crime science
Characteristics of digital crime
 Offense
 Offenders
» Selection of threats and fraud
22
Cyber-crime science
Age: % 34 and younger
70%
% 34 and
younger
60%
62%
50%
40%
52%
47%
44%
30%
20%
10%
0%
Fraud (ns)
Traditional
Threats (ns)
Digital
 [UNO13] up to 79% younger than 30
 Offender: offenders of digital crimes are older –
for fraud (but ns)
23
Cyber-crime science
Sex: % female offenders
25%
% female
offenders
20%
20%
19%
15%
16%
13%
10%
5%
0%
Fraud (ns)
Traditional
Threats (ns)
Digital
 [UNO13] Males: 80% or more
24
Cyber-crime science
Role criminal organisation:
% cases with only one suspect
100%
% one
suspect
90%
95%
91%
80%
70%
81%
79%
60%
50%
40%
30%
20%
10%
0%
Fraud **
Traditional
25
Threats (ns)
Digital
 [UNO13] Cybercrime requires high degree of
organization and specialization, at least in financialdriven crimes, up to 90% organized (financially
motivated crime)
Cyber-crime science
Role (contd).: % cases with
suspects with a criminal record
35%
% crim.
record 30%
30%
25%
20%
18%
15%
10%
5%
12%
9%
0%
Fraud (ns)
Traditional
26
Cyber-crime science
Threats (ns)
Digital
Role (contd.): % cases with
suspects with a paid job
% paid job
(and > 18)
45%
40%
41%
35%
30%
25%
27%
20%
15%
17%
16%
10%
5%
0%
Fraud ns
Traditional
27
Cyber-crime science
Threats ***
Digital
Role (contd.): % cases suspects
born in NL
120%
% Born
100%
in Nl
96%
80%
80%
60%
82%
72%
40%
20%
0%
Fraud **
Traditional
28
Cyber-crime science
Threats (ns)
Digital
Geographical distance between the offender
and the victim at the time of the crime, in %
Threats
Both were in Eastern region
Either the victim or the offender
Fraud **
Tradi-
Digi-
Tradi-
Digi-
tional
tal
tional
tal
88.1
80.6
57.5
19.4
7.9
19.4
27.4
63.9
were in eastern region, the other
elsewhere in the Netherlands
International (either the offender or
1.7
-
12.3
13.9
the victim were abroad)
Both were outside Eastern region
2.3
-
2.7
2.8
N
177
31
73
36
** p < 0.01
29
Cyber-crime science
Geographical distance between the offender
and the victim at the time of the crime, in %
Threats
Both were in Eastern region
Either the victim or the offender
Fraud **
Tradi-
Digi-
Tradi-
Digi-
tional
tal
tional
tal
88.1
80.6
57.5
19.4
7.9
19.4
27.4
63.9
were in eastern region, the other
elsewhere in the Netherlands
International (either the offender or
1.7
-
12.3
13.9
the victim were abroad)
Both were outside Eastern region
2.3
-
2.7
2.8
N
177
31
73
36
** p < 0.01
30
Cyber-crime science
Suspect-victim relationship among traditional
and digital crimes
Fraud
Threats
Traditional
Digital
Traditional
Business partners
5.2
2.2
24.0
Family
8.2
8.9
1.2
0.9
13.4
13.3
7.0
1.8 *
Neighbours
9.1
2.2
0.6
1.8
Ex-partners
15.5
28.9
3.5
Partners
3.9
6.7
-
-
Criminal contacts
0.9
-
-
-
Social networks
0.4
-
1.2
-
Game-friends
-
-
-
-
Chat-friends
-
4.4 **
0.6
0.9
0.9 *
acquaintances
Other relationship
N
7.8
13.3
5.3
232
45
171
Significant: p < .05; ** Significant: p < .01; *** Significant: p < .001
science
Digital
47.3 ***
- *
112
comparison of traditional &
digital crime -> normalization
O = Offender
V = Victim
Digital threats are
Digital fraud is
characterized by
characterized by
Sex
O & V more often female V more often female
Age
O are older
Country of birth
V more often Dutch
Paid work (at 18
years and older)
O More often employed
O More often employed
V less often employed
V less often employed
Criminal record
O has less often a
criminal record
O has more often a
criminal record
Committed crime
alone
O more often alone
O more often alone
32
Cyber-crime science
V & O are younger
V & O are Dutch
Criminal Investigation (%)*
* % not mutually exclusive
33
Cyber-crime science
Importance of tools for
apprehension
Witness statements **
1.3
Digital traces of suspect p=09
0.6
Telecom data confiscated
1.8
Camera surveillance
1.0
Digital data confiscated
0.7
Physical traces of suspect **
2.1
Forensic analysis at the scene
1.3
Fraud ***
0.2
Threats **
0.4
Commercial burglary ***
2.9
Residential burglary (ref.)
1.0
0.0
* Significant: p < .05; ** Significant: p < .01
34
Cyber-crime science
1.0
2.0
3.0
4.0
Odds ratio
Conclusion 1: More digital crime
than expected
 Prevalence: most digital crime:
» Fraud 41%
» Threats16%
 More often digital traces
» Fraud: 29%
» Commercial burglary: 29%
» Threats: 18%
» Residential burglary: 13%
35
Cyber-crime science
Conclusion 2: Security is
integrated
 Criminals don’t mind legal or other
disciplinary borders
 Physical social and cyber are all part of
‘security’
36
Cyber-crime science
Conclusion 3: Digital crimes are
– partly - different
 In contrast with [Dom09] findings show –
some -departure form traditional offenders
» Age and sex: no sign differences but trends: towards
‘normalization’ for digital crime
 In contrast with [UNO13] no indication that
‘digital’ means ‘organised crime’. Instead
‘normalization’ of offenders
» digital crime more often single offender (fraud), less often
a criminal record (threats), and more often legal paid job
(threats).
 ICT brings the modus operandi of crime into
the homes
37
Cyber-crime science
Limitations
 Generalisation across crime types is a
bad idea
 Extrapolation of results to other areas of
the country probably not a good idea
» Lower crime rate in smaller urban areas
» Lower internet use in rural areas
38
Cyber-crime science
Thank you
39
Cyber-crime science
Modus operandi (1)
Was the threat digital?
On forehand***
During***
Afterwards
Total***
Was the forgery in digital form?
On forehand ***
During***
Afterwards*
Total***
Was the burglary digital?
On forehandn.v.t.
During***
Afterwards n.v.t.
Total***
N 40
Cyber-crime science
Residenti Commer
al
cial
Burglary burglary
Threats
Fraud
0.0
0.0
0.0
0.0
0.0
0.0
0.0
0.0
3.5
12.7
0.4
14.7
0.0
1.1
0.7
1.5
0.7
0.7
1.5
2.9
0.0
0.0
0.0
0.0
0.4
0.0
0.0
0.4
9.5
38.7
2.9
40.1
0.0
0.0
0.0
0.0
136
0.0
0.0
0.0
0.0
140
0.0
0.0
0.0
0.0
259
0.0
5.1
0.0
5.1
274
Modus operandi (2)
Was there a threat of
disclosure of information
On forehand
During*
Afterwards n.v.t.
Total*
Where there unwanted
emails
On forehand
During*
Afterwards a
Total*
Total
***
41
Cyber-crime science
Resident Commer Threats
ial
cial
Burglary burglary
Fraud
0.0
0.0
0.0
0.0
0.0
0.0
0.0
0.0
0.8
1.5
0.0
1.9
0.0
0.0
0.0
0.0
0.0
0.0
0.0
0.0
0.0
0.0
0.0
0.0
0.8
3.9
1.2
4.2
1.1
2.6
0.0
3.6