
A Case Study on Scams Targeting International College Students

Morvareed (Moury) Bidgoli
The Pennsylvania State University
College of Information Sciences and Technology

Jens Grossklags
Technical University of Munich
Department of Informatics

Motivation

Online fraud manifests itself in a variety of ways

• Credit card fraud, phishing, pharming, advance fee fraud, etc.

In 2015, the IC3 received 17,172 complaints on credit card fraud resulting in a total loss of ~$41.5M.

Focus: Examine local case examples of scam schemes

• Phone scams and a Craigslist scam are specifically affecting international college students at Penn State

Fraud Exploits Vulnerabilities

The elderly are susceptible to various forms of fraud including telemarketing fraud, investment fraud, lottery fraud, and identity theft.

• Their vulnerability is due to reduced cognitive ability, social isolation, and a lack of awareness about fraud.

AARP survey: Of 745 telemarketing fraud victims, 56% were 50 years or older

Why International Students?

• Conversations with Penn State campus police

• Exploitation of their demographic as a mechanism to extort money

• Under-researched population

Reasons for Why Cybercrimes Go Unreported

Lack of severity (Yar, 2013; Wall, 2008)

Waste of time and effort (Goucher, 2010)

Low likelihood of cybercriminal getting caught (Goucher, 2010)

Victim self-blame (Goucher, 2010)

Victim is unaware a cybercrime occurred (Yar, 2013; Wall, 2008; Goodman and Brenner, 2002)

Feeling of embarrassment (Wall, 2008; Goodman and Brenner, 2002)

Novelty of reporting mechanisms (Wall, 2007)

Lack of cybercrime reporting knowledge (Bidgoli, Knijnenburg, and Grossklags, 2016)

Research Questions

RQ #1: What is the nature of the recent scam schemes affecting international college students?

RQ #2: How do international students contextualize their scam experiences?

RQ #3: What are the motivations behind international students’ decisions to file a report, particularly in instances where an inchoate crime is experienced?

RQ #4: Through what avenues (i.e., telephone, online form, in person walk-in) did international students report their scam victimizations and which reporting avenues do they generally prefer to file reports through?

RQ #5: What impact have cybercrime awareness campaigns disseminated by on-campus entities interacting with international students at Penn State had?

Campus Police Report Data

A qualitative analysis of three years of Penn State campus police report data involving scams from 2014 to 2016.

Purpose: to better understand the nature of the most prevalent scam schemes, students’ reporting behaviors, and to set the groundwork for the focus of the semi-structured interviews

Creation of victim profiles (e.g., demographics, type of scam, method of reporting, choate/inchoate classification)

72 reports were analyzed

Table 1: Demographics

| Category | Reports (% of 72) |
|---|---|
| Female | 35 (48.6%) |
| Male | 36 (50%) |
| Gender Unknown | 1 (1.4%) |
| Student | 51 (70.8%) |
| Employee | 13 (18.1%) |
| Status Unknown | 8 (11.1%) |

Table 2: Crime Type

| Crime type | Reports (% of 72) |
|---|---|
| Phone Scams | 57 (79.2%) |
| Online Scams (e.g., phishing, extortion) | 8 (11.1%) |
| Craigslist Scam | 5 (6.9%) |
| Harassment via Phone | 1 (1.4%) |
| Extortion via Phone | 1 (1.4%) |

Table 3: Method of Reporting

| Method of reporting | Reports (% of 72) |
|---|---|
| Walk-in/In-person | 18 (25%) |
| Phone | 17 (23.6%) |
| Web form | 5 (6.9%) |
| Email | 1 (1.4%) |
| In-person response/Follow-up by officer | 14 (19.4%) |
| Combination of different report types | 4 (5.6%) |
| Unknown report type | 13 (18.1%) |

13 choate crimes with either monetary loss or payment through gift cards (i.e., iTunes), ranging from a couple of hundred dollars to a couple of thousand dollars

• Largest reported financial loss: $5,610 from a phone scam in which the scammer impersonated the U.S. tax office in Philadelphia; the victim was also asked to email a photocopy of his passport and take a selfie, and the student obliged

Reasons for reporting: affirmation that they are not in trouble, assurance that their information is safe, or simply to prevent someone else falling for the scam in the future

Interviews

Purpose: to better understand the nature of scam schemes, the contextualization of scam schemes, and the decision-making process behind reporting such incidents

IRB approved; interviews were audio recorded after written (signed) consent was obtained

Participation requirements: 18 years or older, current international student at Penn State, good command of English, and experience of a scam during college

Recruitment: social media, emails by professors and on-campus entities (e.g., the Directorate of International Students and Scholar Advising (DISSA))

17 interviews with 1 exclusion

Demographics

– Gender: 8 Male, 8 Female

– Academic level: 6 undergraduate, 10 graduate

– Countries represented: India (5), China (3), Hong Kong (1), Iran (1), Venezuela (1), Germany (1), Poland (1), Brazil (1), Israel (1), and South Korea (1)

Compensation: $10 Starbucks gift card

Preventative Measures

All but one student stated that they publicize their personal phone number.

Six students opted in, 4 students opted out, and 6 students were unsure with regard to publicizing their number in the Penn State directory.

Online security measures: anti-virus software (16), biometric/password protection on personal devices (14), looking for a secure connection such as SSL/HTTPS (8)

Awareness

DISSA is the main source of international students’ knowledge regarding the prevalence of such scams

Sources of scam knowledge: DISSA emails (16), new student orientation (3), daily digest (1), on-campus housing flyers (1)

Sources of cybercrime knowledge: online news articles/media (13), school/coursework in college (7), vicarious cybercrime experiences (6), personal experience (6), personal research (4), and work experience (2)

Excerpt from an email DISSA sent out on September 27, 2016

Scam Schemes

Similar to those found in Penn State campus police report data

Crime types: phone scams (10), Craigslist scam (5), auto fraud (1), and scareware (1)

15 inchoate crimes, 1 choate crime (student lost ~$100 to purchase anti-virus software)

Loss is not always financial; it can also be emotional

Reporting Behaviors

6 students reported the incident, 10 students did not report

Reasons for not reporting: lack of time to file report (3), lack of any perceived harm/financial loss (2), lack of knowledge on how to report (2), fear of visa/academic status being affected (2)

Reasons for reporting: catch the criminal (3), raise awareness in order to prevent it from happening to others (2), useful information for law enforcement (1)

Entities reported to: DISSA (3), local police (3), campus police (1), U.S. Postal Inspection Service (1), personal bank (1)

All the students who filed a report experienced inchoate crimes.

“People say it’s not that big you know because the scam really didn’t go through…for example somebody arrived at your house and you just noticed yeah they didn’t take anything but they came you know?” –Interviewee #11

The presence or absence of financial loss should not be the basis for why a financial report should be filed.

There was an even split among interviewees with regard to choosing to report via phone or an online form.

Contextualization of Scam Experience

Thirteen interviewees expressed that they do not feel targeted based on their demographic (e.g., due to information they found online).

Interviewees expressed that they saw the phone scam as being geared towards targeting international students more than the Craigslist scam due to its nature.

Concluding Remarks

Study shows that awareness matters both in terms of cybercrimes and cybercrime reporting.

Need to find more effective ways to increase computer users’ cybercrime reporting self-efficacy.

Exploration of adding more avenues to report cybercrimes through formal cybercrime reporting mechanisms like the IC3

A Special Thanks

Thank you! Questions?

Morvareed (Moury) Bidgoli
The Pennsylvania State University
College of Information Sciences and Technology

Jens Grossklags
Department of Informatics
Technical University of Munich