Ken Jochims, Oct 2, 2019

Criminal appeal and secure virtual behavior

In 1979, Cohen and Felson presented a new approach in criminology theories. Until then, these theories had been quite focused on the criminal – on their genesis and characteristics, as if a crime depended solely on the existence of a criminal motivated to commit it.

Thanks to these authors and the subsequent development of so-called Environmental Criminology, a broader perspective on crime opened up. The Crime Triangle tells us that, for a crime to take place, the presence of a motivated criminal is not enough.

There are two other essential elements that determine whether or not a crime can be carried out. First, although there is no chronological order, these authors speak of a victim or target that suits the criminal. The criminal must be motivated, but must also have an accessible victim or target that is attractive and yields the benefit they seek from the crime.

This opens up a whole world of possibilities for crime prevention and is the subject of this post. Seen this way, we can influence a potential victim so that they lose, or at least diminish, their “criminal appeal”.

But even if a motivated criminal and a likely victim converge, we still need a third element for the crime to take place: a lack of vigilance over the criminal's target. This means that an opportunity for crime arises in a context or situation that leaves the victim vulnerable to an attack while the delinquent remains sufficiently safe. This recalls Cornish and Clarke's Rational Choice Theory in criminology.

According to this theory, the criminal performs a cost-benefit analysis where they assess whether to carry out the crime or not.

In this sense, the situation is also a key element when understanding a crime and also opens up new approaches to prevent crime from the standpoint that, even if there are motivated criminals and appealing victims, we can intervene in the situation to create conditions that are enough to dissuade the criminal from their intentions.

But let's go back to the victim and their relationship with what we have called “criminal appeal.” First, we must make it clear that when we talk about victims we are not only referring to people, but to any criminal target, such as a home, a company, a computer system, bank accounts, and so on.

Likewise, when we talk about appeal we are not referring only to aesthetic-physical elements, but to a series of characteristics of the target that make it attractive to the criminal. A lonely house, a company without access controls, a computer system without cybersecurity elements or a person who does not know what phishing is can be targets with criminal appeal.

To go more deeply into the subject, we are going to use the last example mentioned above: phishing victims and their criminal appeal. Phishing is a method used by cybercriminals to scam people and fraudulently obtain confidential information such as a password or detailed information about the victim's credit cards or other banking information.

To do this, the most frequent method is to send out bulk emails to potential victims.


These emails are mainly of two types: those that imitate a company brand, usually of banks, and those that impersonate people. Basically, the purpose of these emails is to deceive the people who receive them so that they provide personal information, or in some cases send money. 

A typical example could be an email that impersonates the identity of a bank and asks the person who receives it to access their online banking from a link that appears in the body of the message.

The person really believes that this email has been sent by their bank and accesses their online banking portal through the link sent. Without knowing that the website they are accessing is not really that of their bank, the user signs in using their codes and passwords, which are the ultimate target of the cybercriminal.

With less technical support and more of what is called social engineering, another typical phishing attack involves sending an email posing as a person who has claimed an inheritance or won the lottery.

The fictitious person requests help from the recipient of the email in exchange for payment. “Helping” means that the person has to send confidential documentation or information, or simply send money to a destination. Either way, sooner or later the recipient who goes along with the email request ends up being scammed financially.

This type of cybercrime relies on an insurmountable weakness present in many technological systems, a security problem impossible to solve or “patch”: the participation of a human being. Any machine, computer system or technological device that requires human participation or management can be compromised in a relatively simple way.

We can program a system to execute or not execute a particular action when certain parameters are met, to make a particular decision based exclusively on objective and rational elements, or not to act unless it has certain information.

But can we do the same with people? Can we make a person not open an email that seems suspicious? Can we make a person not believe that they can earn a million euros from a person they do not know? Can we make a person take a minute to think and not download software when they don't know its origin, even though it's free? These questions are what make a machine controlled or operated by a human being attractive to the criminal.

As in any scam, for phishing attacks to be successful the victim has to participate, to act deliberately, letting themselves be fooled. Therefore, cybercriminals mainly need two elements:

  • Credibility
  • Persuasion

Credibility is an element that starts with the cybercriminal's skills. The email's whole format, its content, its aesthetics, the link, the website to which it redirects the user... all of it should be as believable as possible for the recipient.

This includes, as we have said, technical elements of hacking, but also large doses of social engineering.


The other element, persuasion, requires the victim's participation, and therefore it is necessary to focus the attacks on those targets that will “swallow” the phishing deception more easily. We are talking, therefore, about identifying victims with greater criminal appeal. Although most phishing attacks are mass mailings sent at the cybercriminal's discretion, they still need a certain level of success.

Therefore, they increasingly study which brands are easiest to copy in order to create their “hooks”, and which user targets will fall into the trap more easily. This is why brands and companies today invest in anti-phishing systems and in keeping all their cybersecurity systems updated.


But what about the human factor? How can we make people/users less “victimizable”?

We need to focus on raising awareness of what we can call “secure virtual behavior”; on making sure that information technology users know and apply security behaviors that reduce their risk of becoming victims, as occurs in other areas of security. Raising awareness of cybersecurity issues is still a pending matter today for administrations and companies, which have mainly focused on people learning to use technologies, without teaching them how to use them safely. It is not only phishing: other cybercrime typologies such as sexting or cyber-bullying also take advantage precisely of this user ignorance about security.

This secure virtual behavior consists of empowering users through different strategies, such as cybersecurity education. We do not mean that all users should have technical training in cybersecurity, just as we do not ask the general public to be security experts. But they should employ basic protection behaviors.

No one would think of leaving the door of their house open when they go to work, or allowing just anyone who rings the bell entry into their home. These are safety behaviors that we have learned but that we do not put into practice in the virtual world.

All this may seem strange, but think carefully about this example of home access and you will realize that it is easier to enter our home through our router connection than through our front door.

And it is in this area where what is called "phishing training" has begun to emerge, where users are taught techniques and skills to detect phishing messages. One of these learning techniques consists of integrated learning, where users are sent false messages and when they fall into the trap they are informed that they have just been victims of a phishing email.

They are taught about what they should have taken into account or how they should have acted upon receipt of this email, so users learn in real time not only that they could be a potential victim, but also to discover strategies that allow them to avoid being the victim of a real attack.  

There are traditional websites that try to train people about phishing through text, but some researchers have confirmed that comics or interactive models are more effective for teaching users not to become victims. "Anti-phishing Phil"[1] is a game designed by a Carnegie Mellon team that empowers users to identify phishing URLs.

It uses a fun game built around real fishing (URLs are the hooks that catch fish) to educate users on how to look at a URL and identify which website it actually leads to.
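The skill the game drills is reading the host part of a URL. The following Python is an added example, not code from the original post or from the Carnegie Mellon project: it extracts the host a link really leads to and labels constructed training URLs against an assumed trusted domain (example.com and the reserved .invalid names are stand-ins chosen for this example).

```python
"""Added example: identify the host a URL really points to, the lesson that
Anti-phishing Phil teaches. All domains below are constructed training samples."""
from urllib.parse import urlsplit

# Assumed allow-list of brand domains a training exercise might use.
TRUSTED = {"example.com"}

def real_host(url: str) -> str:
    """Return the lowercase host a browser would actually connect to.
    urlsplit strips userinfo ('user@host') and ports, the parts that
    misleading links rely on to fool a quick reader."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not a web URL: {url!r}")
    return parts.hostname.lower()

def registrable(host: str) -> str:
    """Simplified registrable domain: the last two labels. Real tooling
    should consult the Public Suffix List (co.uk etc.); the two-label rule
    is an assumption made for this example."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])

def classify(url: str) -> str:
    """'trusted', 'punycode' or 'lookalike', depending on where the URL leads."""
    host = real_host(url)
    if any(label.startswith("xn--") for label in host.split(".")):
        return "punycode"  # IDN host; may render as a homoglyph of a brand name
    return "trusted" if registrable(host) in TRUSTED else "lookalike"

# Constructed training URLs; only the first really leads to the brand.
SAMPLES = [
    "https://login.example.com/account",            # trusted
    "https://login.example.com.attacker.invalid/",  # brand as a subdomain of another host
    "https://login.example.com@attacker.invalid/",  # brand in userinfo; host is after '@'
    "https://attacker.invalid/login.example.com/",  # brand in the path, not the host
    "https://example-com.invalid/login",            # hyphenated lookalike
    "https://xn--exmple-cua.com/login",             # punycode host
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{classify(url):9} {real_host(url):32} {url}")
```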

Another source of learning is word of mouth, when users tell each other stories that have happened to them regarding security incidents of this type, and what they did or how they handled the situation.

This is nothing more or less than the vicarious learning that we have always used to learn from the experience of others, from people like ourselves, friends or family with whom we identify and from whom we receive advice in a more receptive way compared to when we receive it from experts.

The same thing happens when it's a neighbor who tells us that the other day someone tried to rob his house and his alarm system prevented it. This story will surely make a bigger impact on us when deciding to buy an alarm than if an expert tells us how it works.

However, this does not discredit expert training, which would be more or less what the integrated learning system offers us, because when learning to use the alarm system we will be more receptive to listening to the advice and instructions of an expert.

Therefore, both learning systems are complementary and very useful to raise end user awareness in secure virtual behavior that allows them to handle phishing attacks and other types of cybercrime phenomena.

As the crime triangle shows us, the victim is not neutral in the crime; they condition and influence it, so cybersecurity companies must take this element into account in their services and strategies to fight cybercrime.

[1] Steve Sheng, Bryant Magnien, Ponnurangam Kumaraguru, Alessandro Acquisti, Lorrie Faith Cranor, Jason Hong, and Elizabeth Nunge. 2007. Anti-phishing phil: the design and evaluation of a game that teaches people not to fall for phish. In Proceedings of the 3rd Symposium on Usable Privacy and Security (SOUPS). ACM Press, New York, New York, USA, 88.


Ken Jochims

Ken has over 25 years of enterprise software product marketing experience delivering fraud prevention, customer support, identity and access management and IT infrastructure solutions to financial institutions and fortune 1000 companies. Prior to Arxan Technology Ken worked for Neustar, ThreatMetrix, Guardian Analytics, Genesys, CA Technologies, NeXT Computer and Apple. Ken received a BS in Engineering Technology from California State University, Long Beach, and outside of work Ken can be found hiking, mountain biking and working on cars.