Fraud: Studies into Victimization and Prevention
Luka Koning is a PhD student in the Department Industrial Engineering & Business Information Systems. (Co)Promotors are prof.dr.ir. B.P. Veldkamp, prof.dr. M. Junger and dr. J.H. Bullee from the Faculty of Behavioural, Management and Social Sciences.
This PhD thesis documents a variety of studies into the victimization and prevention of fraud (see Chapter 1). Fraud is a type of crime whereby a victim is knowingly deceived so that the offender can gain profit.
Various investigations show that fraud is on the rise. Yet, relatively few studies have been done on fraud victimization. Studies to date are furthermore troubled by sampling limitations and a lack of common definitions in relation to the ever-evolving nature of fraud (see Chapter 2).
Therefore, a novel fraud victimization study was conducted (see Chapter 3). This victimization study highlights the scale of the fraud problem in the Netherlands: about 16% of the Dutch population aged 16 and above fell victim to fraud in 2020. The estimated total monetary loss was €2.75 billion for 2020.
Relatively little research has been conducted on the risk factors of fraud victimization. Chapter 4 presents a quantitative analysis of variables that may indicate risk for fraud victimization, based on the victimization study. There were relatively few factors associated with fraud victimization. An important predictor for vulnerability to fraud attempts is self-control (the extent to which someone can control their behaviour in the face of emotions, temptations, and impulses). People with a non-western immigration background were also more vulnerable to fraud attempts, though future research needs to investigate why. Frequent internet users were also more at risk for fraud because they were exposed to attempts more often. People who said that they had prior knowledge of a fraud form (i.e., they knew that it existed and what it was, before encountering it) were less vulnerable to fraud attempts.
Chapter 5 presents a qualitative analysis of fraud attempts, based on the victimization study. Participants explained in their own words why they did or did not fall victim to fraud attempts. In line with the quantitative results of Chapter 4, participants often stated that knowledge about fraud was what prevented them from falling victim.
Chapter 6 presents a quantitative analysis of variables that are associated with (not) reporting fraud victimization to the police. Only 11.8% of victimization events were reported to the police. This is unfortunate because police reports are crucial in the fight against fraud. Fraud victimization events were more often reported if the loss of money was higher. Victim characteristics were less important for the decision to report. Nonetheless, victims living in more urbanized areas reported considerably less to the police. A major effort is required to stimulate the reporting of fraud to the police.
Chapters 7 and 8 focus on phishing, a form of fraudulent cybercrime. Phishing involves sending deceptive e-mails to get people to go to malicious websites, to download malicious files, and/or to share sensitive information which can then be abused.
- Prior studies into why people fall victim to phishing and how they may be trained against phishing have neglected differences in individual cultural values which may impact how they evaluate e-mails. Chapter 7 presents an investigation into this. It describes an international research study that collected data from students at 14 universities located in 12 countries. It turned out that various cultural dimensions indeed affect phishing susceptibility. For instance, people who were less power-distant (i.e., they are more prone to question authority), more uncertainty-avoidant (i.e., they prefer approaching situations with more structure), or more long-term oriented (i.e., they place less value on immediate rewards) were less susceptible to phishing.
- Phishing is a threat to organizations if their employees get phished. Therefore, programmes exist which intend to train employees against phishing. Often, such programmes have not been tested on their effectiveness and it is neglected how long their effects last if they have effects. In Chapter 8, we evaluated an anti-phishing training programme in a real-world setting with repeated tests to assess anti-phishing proficiency. We discovered that employee motivation to participate in the training was extremely low and that this is another difficulty to consider when designing anti-phishing training. The results furthermore revealed that most people do not know what to pay attention to when they evaluate an e-mail as phishing or legitimate.
Chapters 9 and 10 present an investigation into how to prevent fraud victimization by influencing the behaviour of offenders. Both chapters take a behavioural design approach to prevent individuals from committing dishonest acts in digital environments, i.e., fraud. This encompasses applying changes to the context in which the offender operates. Chapter 9 investigates if digital signatures may be a tool to prevent dishonesty, while Chapter 10 investigates the influence of dark mode in software on the honesty of its users. Both interventions did not affect honesty. Likely, subtle interventions which affect behaviour in rather unconscious ways are not suitable for preventing conscious dishonest acts.
Chapter 11 presents a final conclusion. There, it is discussed that fraud is a many-headed monster that is hard to measure and constantly changing; continuous research is needed to keep track of the problem. Promoting knowledge about fraud is likely the best route to prevention, but there may be other opportunities in cooperation with various parties. It is essential to evaluate interventions and policies against fraud to know what works and what does not.
