Phishing for suitable targets in the Netherlands: routine activity theory and phishing victimization.

Abstract

This article investigates phishing victims, especially the increased or decreased risk of victimization, using data from a cybercrime victim survey in the Netherlands (n=10,316). Routine activity theory provides the theoretical perspective. According to routine activity theory, several factors influence the risk of victimization. A multivariate analysis was conducted to assess which factors actually lead to increased risk of victimization. The model included background and financial data of victims, their Internet activities, and the degree to which they were "digitally accessible" to an offender. The analysis showed that personal background and financial characteristics play no role in phishing victimization. Among eight Internet activities, only "targeted browsing" led to increased risk. As for accessibility, using popular operating systems and web browsers does not lead to greater risk, while having up-to-date antivirus software as a technically capable guardian has no effect. The analysis showed no one, clearly defined group has an increased chance of becoming a victim. Target hardening may help, but opportunities for prevention campaigns aimed at a specific target group or dangerous online activities are limited. Therefore, situational crime prevention will have to come from a different angle. Banks could play the role of capable guardian.