Trends Organ Crim (2014) 17:231–249 DOI 10.1007/s12117-014-9229-5

Cybercrime and social ties: Phishing in Amsterdam

E. R. Leukfeldt

Published online: 7 November 2014
© Springer Science+Business Media New York 2014

Abstract

This paper presents a case study of phishing in Amsterdam, demonstrating that the current literature on criminal phishing networks provides an incomplete picture of this form of organized crime. The paper adds to the current literature by describing an organized group of phishers whose relationships are based on real-world social networks rather than internet forums, and who mainly use social engineering rather than malware as a tool to acquire information from their victims. Because the origin and growth of the Amsterdam network differ from those of groups previously described, other possibilities for situational crime prevention arise. In addition to technological measures, for example those aimed at forums, this article focuses on measures that target the social ties on which the networks are based.

Keywords: Phishing · Cybercrime · Organized crime · Offender convergence settings · Situational crime prevention

E. R. Leukfeldt (*)
Open University of the Netherlands, P.O. Box 2960, 6401 DL Heerlen, The Netherlands
e-mail: [email protected]

E. R. Leukfeldt
NHL University of Applied Sciences, P.O. Box 1080, 8900 CB Leeuwarden, The Netherlands

E. R. Leukfeldt
Police Academy of the Netherlands, P.O. Box 834, 7301 BB Apeldoorn, The Netherlands

Introduction

‘Orange and green wanted!’, ‘Who wants to make money fast?’ Orange and green are the colors of the ATM cards of two major Dutch banks, and young people in the Netherlands are being approached on the streets or through social media and asked if they are willing to lend their ATM cards and pin numbers. These cards and codes are being used by criminal groups to transfer and withdraw money originating from phishing attacks. Phishing is the act of digitally stealing user credentials, in this case the credentials of online bank accounts. If successful, large sums of money can be
transferred from the victims’ accounts to the criminal network. In the Netherlands in 2011 and 2012, banks reported losses from this type of crime amounting to 35 million euros (NVB Nederlandse Vereniging van Banken 2013). In the UK the losses were equivalent to 41.2 million euros in 2011, while criminals obtained 46.2 million euros through these practices in 2012 (Financial Fraud Action 2013). Official figures from other countries are not available, but there is no reason to suppose that phishing problems are not comparable. An understanding of how these criminal groups operate may help fight the problem. To this end, this article focuses on a criminal organization targeting victims in the Netherlands, describing their modus operandi (‘crime scripts’), origins and growth, the nature of relationships within the group, and other criminal activities engaged in by the network.

Added value of this article

Previous studies into phishing networks have already been published. The studies by Peretti (2008), Holt and Lampke (2009) and Soudijn and Zegers (2012), for example, provide insight into phishing groups’ characteristics and methods. Other studies use social network analysis to reveal the structure of such groups (Lu et al. 2010; Soudijn and Monsma 2012; Décary-Hetú and Dupont 2012). These researchers base their studies on the forums in which these criminals come together, relying on information about these forums gathered by police or taken from the public domain (e.g. public court documents and newspaper articles). The forums serve as a criminal marketplace where services are offered (e.g. phishing sites or credit card information), thus functioning as ‘offender convergence settings’ where cybercriminals meet each other online. Articles on phishing provide interesting insights into criminal groups engaged in this type of crime. By focusing on the forums, however, the picture can become rather one-sided.
In fact, the only understanding we have concerns the modus operandi and nature of phishing networks operating through such forums. It is, however, unclear whether all criminals who engage in phishing have access to, and always use, these digital venues. Previous research into criminal groups has found that the degree of access to certain key figures and offender convergence settings determines the growth and scope of a network, with some network leaders becoming local heroes and others becoming international players (Kleemans et al. 1998, 2002; Van de Bunt and Kleemans 2007; Kleemans and De Poot 2008; Kleemans and Van de Bunt 1999; Kruisbergen et al. 2012). In this article, therefore, we use information from a recently completed criminal investigation into phishing in the Netherlands (2013) in which the offenders did not use a forum to meet other phishers and plan new activities. The analysis reveals differences between the Amsterdam network and phishing networks described in previous studies. To illustrate the differences, a recent analysis of such a forum was chosen for comparison. In 2012, Soudijn and Zegers published the article ‘Cybercrime and virtual offender convergence settings’ in this journal. In their paper, the authors described a phishing attack that targeted victims in the Netherlands. Because the authors had a digital copy of the forum at their disposal, they could partially illustrate how the attack was launched, and based on this description, they made a number of proposals regarding situational crime prevention. The Amsterdam case presented in this paper shows that, although the method used by the phishers was virtually the same as that reported in the paper by Soudijn and Zegers, the phishing groups do have different
characteristics. In particular, the differences related to the origin and growth of the networks (recruitment of new members). This implies that other forms of situational crime prevention are possible. The section below describes the data and methods used in this study. Thereafter, the crime script, the origin and growth of the criminal network and the different roles within the group are discussed. Subsequently, the differences between the case reported by Soudijn and Zegers and the case introduced here are described. These differences show that there may be other opportunities for early intervention in addition to those suggested by Soudijn and Zegers. The next part of the article outlines these opportunities. In addition to technological measures aimed at forums, this article focuses on measures that target the social ties on which the Amsterdam network was based. Finally, the last section presents the main conclusions, followed by a discussion of the relevance of these two cases to prevention practice as well as some theoretical notes.

Data and methods

The case presented below involves a criminal network operating in Amsterdam in 2012 and 2013. The police investigation was completed in 2013. At the time this article was written it was the most recently completed Dutch criminal investigation into phishing. The criminal investigation contained records of interrogations and information obtained by means of special investigative powers (e.g. transcripts of phone taps, internet traffic and other surveillance reports). Using an analysis framework, relevant information was systematically gathered from the investigation files. While the framework was developed on the basis of the literature, it was highly dependent on the analytical frameworks used in the Dutch Organized Crime Monitor. This is a long-running research program on organized crime (see Kleemans et al. 1998, 2002; Van de Bunt and Kleemans 2007; Kleemans and De Poot 2008; Kleemans and Van de Bunt 1999; Kruisbergen et al. 2012). Questions about the influence of digitization were added for the current analysis (e.g. the role of forums, the role of the internet in the recruitment of new members, etc.). The analysis of this large-scale investigation was complemented by interviews with the public prosecutor, the police team leader and a financial expert from the investigation team. The interviews were conducted because the information in the police files focused on providing evidence of criminal activity, meaning other information relevant to a scientific analysis was lacking. Binding mechanisms, for example, are not always described, although the actors on the law enforcement side might have a clear picture of them. Soudijn (2010) explored the role of women in criminal groups in this way, supplementing the analysis of the police investigation with police interviews conducted by the author. This provided an additional descriptive insight into the characteristics of the cybercriminal organization.
In addition to basic information regarding the number of suspects and the amount of criminal revenue, for example, less visible data on relationships within the network, binding mechanisms and opportunity structures were also revealed.

The Public Prosecution Office (‘College van PG’s’) must give permission for the analysis of a police investigation, and the research proposal must first be assessed by the Scientific Research and Documentation Centre (WODC) of the Ministry of Security and Justice. WODC gives advice on the (scientific) quality of the research proposal and the research topic (e.g. added value regarding current research projects). This advice is taken into account, but the Public Prosecution Office decides.

Phishing: the Amsterdam case

The criminal group first attracted the attention of the police because the core members had carried out burglaries in commercial buildings. They broke into safes, taking ATM cards and pin codes. Phone taps revealed other criminal activities, with one of the offenders receiving large numbers of bank account details. These bank accounts turned out to be those of ‘money mules’, who allowed their accounts to be used to deposit money obtained from phishing. From that moment on, the focus of the investigation shifted from the burglaries to phishing. The section below details the crime script, followed by a description of the characteristics of the criminal network, including the structure of the network, the different roles of the criminals and the manner in which the offenders met.

Crime script

The group focused on two major banks, each of which has a different authentication system for digital payments. Users of Bank 1 have a hardcopy list of codes or they receive a code by text message for authenticating transactions. Users of Bank 2 must generate a code using a handheld card-reader device supplied by the bank. The phishing group first sends an email to potential victims that appears to be from the victim’s bank. In the email, the victim is asked to fill out information or click on a link, taking the victim to a phishing website. The website appears to be the bank’s official website, but is actually a copy that is controlled by the criminals. When customers log in via the phishing website, all the data entered – including their username and password, as well as their cell phone number and ATM card number – becomes available to the criminals. The aim of both the email and the phishing website is to gain access to information about internet bank accounts. At this point, the criminals have gained access to the online accounts of the victims.
It is, however, not possible to actually transfer money from the account, as this requires a unique transaction code. To obtain the transaction code, the criminals make a telephone call to the victim. Thus, a few days after replying to the email or logging on to the phishing website, the victim receives a call from someone posing as a bank employee. In this case, the caller was a woman with a common Dutch surname, who spoke correct Dutch. She provided the victim with a range of details about their bank account (type of account, address, most recent transactions, etc.), which instilled trust. The caller sometimes also gave her personal bank identification number so the victim could verify that the caller really worked for the bank. In one case, a call-back request was made because the victim was too busy at the time. According to the victims, the caller seemed to be legitimate and had a convincing story. The caller informed the victim about new security measures
regarding internet banking that had been introduced due to recent attacks by hackers. To ensure that the victim would be able to use his or her internet bank account safely in the future they were told that a unique code was required. Once the victim provided this code the criminals were able to make a series of transfers. In the third phase, money was transferred from the victims’ account to accounts which are controlled by the criminals. Because the latter do not want to be traced by the banks or police, accomplices known in cybercrime literature as ‘money mules’ are used. They are clearly important to the criminal group because they ensure that the digital money trail is interrupted before reaching the core members of the group. The money transferred to these accounts was withdrawn within minutes of the transfer.

The criminal group

Criminals possessing a range of different skills are required to carry out a successful attack. Unlike the case reported by Soudijn and Zegers (2012), the criminals in the Amsterdam case did not use a forum to find suitable accomplices, but rather turned to their own real-world social networks. The offender convergence settings here were the streets of Amsterdam. The criminal network consisted of eight core members, nine others with facilitating roles – the caller, insiders who provide bank information, those who stole the official bank documents, those responsible for the falsification of identities – and twenty money mules.[1] The initiators of the network were the group of eight core members, and from the criminal investigation it appears that they controlled the other people involved in various ways. Below, each layer of the network is discussed, describing how they became involved in the criminal collaboration.

Layer 1: the core members

The eight core members performed several important tasks themselves. One was in charge of transferring the money from the victim to the money mule accounts.
Other core members were responsible for withdrawing the money. In addition, some core members recruited money mules or organized others to recruit money mules. Finally, one of the suspects had a connection to someone who could forge identity papers (which are used to open new bank accounts, to gain access to victims’ online bank accounts, or to make changes to their accounts). What remains unclear is how the eight members of the core group met. In contrast to suspects from the other layers, the core members would not provide any information during their police interrogation. What the suspects shared was the ‘working’ field of Amsterdam, their ethnicity and criminal careers. While the police respondents we interviewed would rather not put an ethnic label on the group, as one stated delicately, ethnic ties did play a role, as the majority of the suspects had Surinamese roots. However, these ethnic ties probably had more to do with where the defendants resided than any criminal predisposition for phishing that this particular ethnic background might present. It was the location (in this case the Bijlmer neighborhood of Amsterdam) that enabled the potential offenders to get to know each other. Furthermore, the core members all had some criminal background. According to the respondents, they were all known to the police for various offenses and were likely to be acquainted within the criminal underworld of Amsterdam. The criminal investigation also suggests that the core members had been involved in a variety of other criminal activities, not necessarily together but in various groupings. During the phishing investigation, for example, two of the core members were arrested for smuggling drugs into the Netherlands. Another key member was also involved in what is known as ‘spear phishing’, attacking one of the largest flower wholesale companies in the Netherlands. Other core members were involved in skimming or fraud concerning cell phone contracts.

[1] In this police investigation twenty money mules were interrogated and suspected to be part of the network. However, during the investigation many more were discovered. According to the respondents, during the criminal investigation period alone, at least 50–60 mules were used; however, it was simply too costly in terms of time to involve all of them in the investigation. The aim of the investigation was to identify and prosecute the core members of the group, not to prosecute all of the accomplices.

Layer 2: the facilitators

The second layer was made up of suspects who carried out all kinds of criminal services for the core members in exchange for money. During the investigation, different facilitators were discovered – one ‘caller’, eight bank employees and one postal employee (a letter carrier). In addition, there was also someone who supplied fake identity papers, about whom, however, the police files contain no further information.[2]

The caller

The caller posed as a bank employee and called customers of the bank to obtain their login codes. The caller seemed credible to the victims and had a convincing story. Usually the caller reported a problem with the victim’s internet bank account and offered a quick and necessary solution, which required the bank customer to generate a unique code which would then be used by the criminal group to transfer money. During a house search the police found a call script (see Table 1).
Phone records revealed that the caller maintained contact with the victims for about 30 min. According to statements by the victims, this seemed more like 15 or 20 min. According to one police respondent, this would have required good preparation, as well as some talent and experience. According to the police file, the caller had probably worked for a call center. This was verified from an intercepted telephone conversation between a core member and an unknown male in which it was stated that they had both worked in the same department of a call center and had both been fired. It is unclear how the caller was recruited, as the defendant remained silent during interrogation.

[2] Using false identity papers, criminals are able to open new bank accounts (private or business), apply for internet bank accounts, or make changes to the account details of a client. The documents can also be used for other purposes. According to police respondents, they can be used, for example, for fraudulent telephone contracts and car rental. Whether the group actually did this is not known. The criminal investigation did not focus on the identity of the forger or on the specific activities that could be committed using false identities. However, it appears from the phone-tapped conversations that the group did purchase a number of fake identities from this facilitator.

Table 1 A part of the call script

A very good afternoon, this is Priscilla Versaat speaking, from the … bank. I would like to speak to Mr or Ms de Vries (example).
Well, I’m glad we have been able to contact you, sir/madam de Vries. For security reasons, I am first going to verify your address. The street name is Veldstraat, Number 33 (example). Is that correct?
Okay, now I would like to explain why we are contacting you. We have recently received multiple reports of spam emails that look as if they were sent from the bank. However, we did not send the emails and they are fraud related. We are trying to stop them and, therefore, my question to you is whether or not you have had problems like this?
(If Yes) I’m making notes here because this is going to our research team.
- How long ago did you receive the first email? (It does not have to be the exact date, as long as we have an estimate)
- How often did you receive the email?
- Did you reply to an email?
Let me explain exactly what is going on. (…)

The police file suggested that the callers were not part of the core group but were probably lower in the hierarchy. The core members, for example, discussed how the callers should be paid as well as the qualities of different callers. In a telephone conversation between two core members one of the callers was labelled ‘lazy’. Another girl, Candy, who was not part of this criminal investigation but who also called victims, was labelled ‘stupid’. The amount of money the callers should be paid was also a point of discussion between the core members.

Bank employees

Seven bank employees were arrested during the investigation. These people provided a core member of the criminal group with detailed information from the system used by the bank for which they worked. The bank employees all worked in the call centers of several major banks, and in order to do so they had to gain security clearance. The police interrogations revealed that most had either secondary vocational education or a college degree in financial services (or equivalent). The bank employees provided an important service to the criminal network because they had access to systems containing confidential information. They were therefore able to provide information about victims and make changes to their accounts. This information was important to the network because it enabled them to build trust with the victims (see also Table 2). Examples include addresses and personal details, recent transfers from the bank account, the bank account type (business, private) and information on savings or investment portfolios. An important part of the modus operandi was the call to potential victims in an attempt to obtain the codes needed to complete a financial transaction. The callers were able to win their victims’ trust by using this personal information.
The bank employees were also able to make changes to the victims’ accounts, such as adding another ATM card and creating additional internet bank accounts without the client’s consent. They were also able to change addresses, enabling the criminal group to intercept confidential bank mail containing pin numbers and login codes. Finally, withdrawal limits and credit limits could also be increased. For example, one employee changed the victim’s withdrawal limit from 500 euros (nearly US$700) to 9,000 euros (more than US$12,000) a day. This was particularly advantageous for the criminals, because fewer money mules were needed for each transaction. Most of the bank employees had worked at the bank for only a short period of time. They were former or current students who had done an internship and were then employed by the bank or had got the job through an employment agency. However, one employee had worked for the bank for fifteen years. This suspect remained silent during her police interview. Five of the seven suspects made statements concerning how they were approached by the core members. The others remained silent. The police transcripts of the interviews show that the bank employees were approached by friends or acquaintances on the street. The people who approached them often knew through the grapevine that they worked at a bank. In one case, the bank employee had a relationship with a member of the core group. The bank employees involved all stated that they were asked quite openly to provide account information. It usually began with an excuse. One example given by a bank employee was: ‘He told me his ex-girlfriend owed him some money, but she said her account was empty. He didn’t believe her and asked me to check her bank balance’. Once it was known that the bank employee could indeed obtain certain kinds of information, pressure was exerted on them to provide information about other people. The bank employee would receive a financial reward for these activities. Phone taps revealed no standard fee for the employees. At one point, for example, two bank employees received a fee of between 20 and 25% of the money which was withdrawn from victim accounts of which they provided information. Another employee received between 800 and 1,000 euros for information about victim accounts. A third employee asked for 300 euros to increase a withdrawal limit.

Table 2 Winning trust by using information from bank systems

Direct quote from a victim statement: … I heard a woman who introduced herself as an employee of the bank … I questioned the woman’s authenticity, and she could give me all kinds of information about myself. She knew my address, the account number of our joint check account and even when my debit card would expire. Because this was all correct, I thought the woman was actually an employee of the bank … Because she did not ask for my card number, I did not think she could do anything wrong. When transferring money, you have to provide your card number and the woman had not asked for this …

Letter carrier

The letter carrier involved was employed by a Dutch postal company and only had access to mail within a given postcode area. A core member would inform the letter carrier about important mail being sent by the bank and he would attempt to intercept it. This was possible because the bank employees changed the addresses of victims to addresses in the letter carrier’s postcode area. The letter carrier could thus intercept new ATM cards, pin codes and usernames and/or passwords.

Other postal workers were considered suspects, but the investigation focused on only one of them, who was put under video surveillance during his shifts for a period of almost three months. His job was to pick up mail from the distribution center and deliver it to the post office. The surveillance revealed that on all but one delivery run, the employee stole mail, much of which was from banks. In addition, the employee sometimes opened packages with clothes, apparently for his own use. According to our interviews with members of the police, the postal worker’s colleagues sometimes clearly saw what he was doing but no one seemed to find it strange. Like the core members, the postal employee remained silent during his interrogation. It is therefore unknown how he became involved in the criminal network. However, phone tapping showed how a new postal worker was recruited. The report revealed that one of the core members was introduced by an unknown man to a new postal worker who could be used for criminal activities. The core member wanted to know when the postal worker would be working because this was crucial for intercepting mail from the bank (see Table 3).

Layer 3: the money mules

The third layer of the network consisted of accomplices who were used as money mules. The money mules gave their ATM cards and pin numbers to core members of the criminal group. These accounts were then used to make deposits from victims’ accounts and to withdraw the cash shortly afterwards. The identity of the money mules could be traced using bank records, where the account numbers of the mules were directly linked to the transfers from the victims’ accounts, making it easy for the police to obtain their names and addresses.

Table 3 Recruiting a new postal worker

Core member (CM) is speaking to an unknown man (UM):
CM: How are you?
UM: Thank God. I know someone who will do the job.
CM: The person delivers house-to-house?
UM: Yes.
CM: Ask him how many days per week he works.
UM: That’s all I have to ask?
CM: Yes, how many days, because we need to be able to get everything he delivers.
UM: I know. I understand what you mean.
CM: How many days he works, so we do not miss anything.
UM: Ok, ok, I’ll call you back.
CM: Ok, Bye.
UM calls back
UM: He says he works fulltime, except on Fridays.
CM: Except Fridays?
UM: Yes.
CM: That’s ok. This one you can do fast. It’s ok.
UM: Ok, no problem.

Money mules were found by ‘recruiters’. While some members of the core group were responsible for the recruitment of new mules, the police transcripts showed that money mules themselves also provided new cards and codes taken from their own friends. The money mules were therefore also involved in recruiting. The mules did not always explain how they were recruited. The interrogation transcripts revealed that during the first interview with police almost all of the money mules stated that they had lost their card. Apparently, they had been instructed to do so, as in later interviews many of the suspects told the police more about how they had become involved. The interrogations show that the recruitment of money mules mainly occurred through social contacts. Some money mules indicated that it was quite common to be approached by people asking for their ATM card. In some cases, new mules were recruited using the chat function on Blackberry (a popular cell phone brand at the time, see Table 4). If a user accepted a request from someone to become a contact then they could exchange messages. During interrogations, money mules often indicated that vague acquaintances and friends-of-friends were also in their chat contact list. Other statements show that people were approached on the street, at school or even at soccer games (see Table 5). According to the police respondents, money mules knew that what they were doing was illegal and they were generally offered a percentage of the money that was deposited into their account (see Table 6). The recruiters told the mules that their participation was risk free because they could not be discovered; they might claim, for example to have a friend working in the bank who could transfer money without anyone noticing it. However, interrogations of suspects and phone-tapped conversations revealed that money mules did not have their ATM cards returned and were often not paid. Different excuses were made by the recruiters. 
Mules were told that the police had taken the money, that the ATM did not complete the transaction or that the transaction had failed for other reasons (see Table 5). It was only later when the money mules received a letter from the bank explaining that they would have to pay back the money which had been illegally transferred through their accounts that they realized that the money had in fact been transferred and withdrawn.

Table 4 Recruitment through a mobile phone chat function

During a police interview, a money mule said: ‘I have a Blackberry and get regular ping messages from boys. Those guys ask me if I know someone who wants to make money. I know this is all about cards. They just ask you if you have orange or green. I know it’s about [Bank 1] and [Bank 2]’. The money mule showed the police a message she had received that morning from someone named ‘F’. This F had added her to his Blackberry contact list. The ping message said: ‘Do you know any girl who wants to make loot [street lingo for making money]’. The mule wrote a message back in the presence of the police officers: ‘For what?’ F sent back: ‘What kind of card do you have?’ The mule replied: ‘What for?’ F typed: ‘I need to get money from my father who is in Curacao, but it is quite a lot so I need to divide it over two passes, yours and mine, and then I can cash it and bring you back your pass + also give you some of it’. The mule sent a message back claiming she had no interest. F removed her from his contact list.

Table 5 Recruitment on the streets

A money mule stated: John (also a money mule suspect) came to me asking if I had money, stating, ‘Brother, I know you can arrange money’. I didn’t have any, but I knew someone from school who was able to get money fast. It was someone named Joey. Joey had previously asked for my debit card and pin number. The payment would be 750 euros. I told this to John and John gave me his card and code. An appointment was then made via a mobile phone. The suspect then went to a deli in the city of Dronten where he had a sandwich and gave John’s card and code to Joey. Joey left and came back after a while claiming that the transaction had failed and that no one would get any money. Later it appeared that 2,500 euros had been transferred to and withdrawn from John’s account.

Similarities and differences between the case reported by Soudijn and Zegers and the Amsterdam case

The previous section outlined the modus operandi of a phishing group operating in Amsterdam. The criminal investigation began after reports of burglaries in commercial buildings. During this investigation it became clear that the suspects were engaged in phishing. This case paints a different picture from existing case descriptions which are based on an analysis of internet forums. To illustrate the differences, this section presents a direct comparison between the Amsterdam case and the case reported by Soudijn and Zegers (2012). This case was selected because it was the most recent and because in both cases the criminal activity was directed at customers of Dutch banks and the investigation was carried out by the Dutch police. To begin with, there are similarities in the crime script, with three basic phases recognizable in each case³:

(1) The preparation phase: first, a group of core members with the necessary criminal skills is formed with the intention of executing phishing attacks. Facilitators who offer specific services may be approached by the core members, and the core members recruit money mules.
(2) Theft phase: the criminals gain access to the victims’ bank accounts. Transaction codes have to be secured in order to actually obtain money from the victims’ accounts.
(3) Cash withdrawal phase: to remain untraceable by the bank and police, the digital money trail has to be interrupted. This is done by transferring the money to the accounts of money mules and immediately withdrawing the money from the accounts. Once the money is withdrawn, the digital money trail comes to an end. Now the money can be used by the core members (after being laundered).

Although the crime scripts have many similarities, there are also distinct differences. Below, each of the three phases of the crime script is discussed in depth.

³ Soudijn and Zegers (2012) described four stages: preparation, theft, transferring money and cash withdrawal. As the last two stages are so interconnected in our case, they are combined into one phase in this article.

Table 6 Promising a financial reward to money mules

A money mule stated that: ‘J and D are members of some sort of gang in Amsterdam. I only had contact with D. I was just someone who supplied a card. After the summer break from football, I ran into them and they said let’s go chill and stuff. I had some debts and I let myself be persuaded, because they told me I could make a nice amount of money. They would transfer about 5,000 or 10,000 euros and I would receive about 30 to 35 % of it. In the end I didn’t get any money at all’.

Preparation phase

The first difference involves the origins of the groups and the offender convergence settings. To begin with, criminals with the right skills have to get together, as a range of different skills are required, from drafting phishing emails and copying banking websites, to transferring money and money laundering. In the case of Soudijn and Zegers, the criminal group looked for suitable accomplices on a web forum where, according to the authors, everyone knew each other only by their digital nicknames. There were no meetings offline, but reliable accomplices could still be found because the forum worked with system statuses and a peer-review system. There were different types of statuses. To become a member, newcomers first had to be vetted and guaranteed by someone with a higher status. A member with a ‘service status’ could sell services over the forum, with verified members being checked and approved by the moderator (the highest status). Furthermore, users judged each other on the basis of the services previously provided (as occurs on eBay, for example). A member who scams another member is given the status of ‘ripper’. Thus, in the case studied by Soudijn and Zegers, the offender convergence setting was a digital forum where criminals met, made plans and recruited new members. In the Amsterdam case, the offender convergence setting was the streets of the Bijlmer neighborhood. The members of the criminal group knew each other from the streets, or because they went to the same school or sport clubs or because they were acquainted with relatives. Others with facilitating roles, such as bank employees and postal workers, were directly approached on the street by friends or acquaintances. In the case of the bank employees, pressure was exerted on them to cooperate. The recruitment of the money mules also occurred through the grapevine. Again, potential mules were recruited on the street, at school or at a gym.
Some were recruited using the chat function on a mobile phone. Potential mules were asked whether they wanted to make fast money. The contact information of the potential mules had to be given to the recruiter by someone who knew the telephone number (or ‘ping’ number) of the mule. During interrogations, money mules explained that it was quite common to receive such messages (see also Table 4). In some parts of the city it was so well known that people were looking for cards that there was a pull factor, and people who needed money quickly actively sought to supply their ATM card and pin number in exchange for money (see Table 6). Another difference between the two groups concerns the international character of the case reported by Soudijn and Zegers, in which criminals from Russia targeted victims in the Netherlands using Dutch money mules and Russians to withdraw the cash. In the Amsterdam case, there was no international component; the core members, facilitators, money mules and victims were all from the Netherlands.

Theft phase

There are also differences with regard to obtaining credentials from victims. Both groups used phishing emails and websites. In Soudijn and Zegers’ case, the goal of this approach was to install malware, while in the Amsterdam case, the goal was to obtain information which could be used during a social engineering attack by telephone. In both cases phishing played a preliminary role (‘first entry’), while the end goals differed (i.e., malware installation as opposed to obtaining personal data).

Cash withdrawal phase

Money mules and cash withdrawers were used in both cases to obtain money from victims’ bank accounts without leaving a direct trail back to the core members of the criminal group. Money mules provided an important link between the victims and the criminal group in this process. The money was transferred from the victims’ accounts into the accounts of the money mules and was then withdrawn as cash and delivered to the core members or their accomplices, with the money trail ending at the money mules’ accounts. Despite these similarities, there are also differences between the two cases. In the case of Soudijn and Zegers, the money mules were recruited by one of the core members of the network. This was done using a spam email advertising a vacancy for a ‘Financial Department Manager’ for a Russian company. The new employee would receive money from European customers and would be required to send the money to the company in Russia. The employee could retain a percentage of each transaction. In Russia, ‘cashiers’ would withdraw the money from their bank account and send this with the help of intermediaries to the core members of the criminal network. In the Amsterdam case, money mules were recruited through social contacts on the street, for example by acquaintances or by friends-of-friends. People openly asked others for their ATM cards.
This also created a pull factor, with people who needed money seeking to supply their ATM card in return for cash (see Table 5). In the police interrogations, the money mules explained that it was quite common to be asked to provide an ATM card in return for cash (see also Table 6).
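The cash withdrawal phase described above (money lands in a mule account and is cashed out at once, so that the digital trail ends there) is also the signature a bank's transaction monitoring can look for. The following is an added example written for this page, not code from the paper or from any bank: it parses a constructed transaction log, flags accounts where an inbound transfer is followed within an assumed 24-hour window by ATM withdrawals totalling at least an assumed 80 % of the transferred amount, and groups the flagged accounts by the account the money came from, so that several mules fed from one victim account appear as one cluster. The account and ATM identifiers, the log format and both thresholds are assumptions.

```python
"""Bank-side detection of the money-mule cash-out pattern.

Added example for this page, not the paper's or any bank's code. Account ids,
ATM ids, the log format and the thresholds are assumptions; the log is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_GAP = timedelta(hours=24)  # assumption: withdrawals within a day of the transfer
MIN_FRACTION = 0.8             # assumption: at least 80 % of the transfer cashed out


@dataclass(frozen=True)
class Tx:
    when: datetime
    account: str
    kind: str          # "TRANSFER_IN" or "ATM_WITHDRAWAL"
    amount: float
    counterparty: str  # source account for a transfer, ATM id for a withdrawal


# Constructed log: two mule-like accounts fed from one source account, and one
# ordinary account (salary in, small withdrawals) that must not be flagged.
SAMPLE_TRANSACTIONS = """\
2014-03-05T10:02 ACCT-M1 TRANSFER_IN 2500.00 ACCT-V1
2014-03-05T10:41 ACCT-M1 ATM_WITHDRAWAL 1000.00 ATM-0417
2014-03-05T10:43 ACCT-M1 ATM_WITHDRAWAL 1000.00 ATM-0417
2014-03-05T10:45 ACCT-M1 ATM_WITHDRAWAL 400.00 ATM-0417
2014-03-05T11:10 ACCT-M2 TRANSFER_IN 1800.00 ACCT-V1
2014-03-05T11:55 ACCT-M2 ATM_WITHDRAWAL 1800.00 ATM-0417
2014-03-01T09:00 ACCT-N1 TRANSFER_IN 2200.00 ACCT-EMPLOYER
2014-03-01T18:30 ACCT-N1 ATM_WITHDRAWAL 100.00 ATM-0102
2014-03-03T12:00 ACCT-N1 ATM_WITHDRAWAL 50.00 ATM-0102
"""


def parse_transactions(text):
    """Parse 'timestamp account kind amount counterparty' lines into Tx records."""
    txs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, account, kind, amount, counterparty = line.split()
        txs.append(Tx(datetime.fromisoformat(when), account, kind, float(amount), counterparty))
    return txs


def find_mule_patterns(txs, max_gap=MAX_GAP, min_fraction=MIN_FRACTION):
    """Return (account, source, transferred, withdrawn) for every inbound transfer
    that is followed within max_gap by ATM withdrawals totalling at least
    min_fraction of its amount: the 'transfer in, cash out at once' signature."""
    by_account = defaultdict(list)
    for t in txs:
        by_account[t.account].append(t)
    hits = []
    for account, items in by_account.items():
        items.sort(key=lambda t: t.when)
        for i, t in enumerate(items):
            if t.kind != "TRANSFER_IN":
                continue
            # Only withdrawals after the transfer and inside the window count.
            withdrawn = sum(
                u.amount for u in items[i + 1:]
                if u.kind == "ATM_WITHDRAWAL" and u.when - t.when <= max_gap
            )
            if withdrawn >= min_fraction * t.amount:
                hits.append((account, t.counterparty, t.amount, withdrawn))
    return hits


def group_by_source(hits):
    """Map each source account to the flagged accounts it fed, so that several
    mules paid from one account show up as a cluster rather than isolated alerts."""
    clusters = defaultdict(set)
    for account, source, _, _ in hits:
        clusters[source].add(account)
    return {source: sorted(accounts) for source, accounts in clusters.items()}


if __name__ == "__main__":
    found = find_mule_patterns(parse_transactions(SAMPLE_TRANSACTIONS))
    for account, source, transferred, withdrawn in found:
        print(f"{account}: {withdrawn:.2f} of {transferred:.2f} from {source} cashed out")
    print(group_by_source(found))
```

The salary-like account is the reason for the fraction threshold: almost every account receives transfers and makes ATM withdrawals, and only the combination of a large inbound amount and near-complete cash-out shortly afterwards separates the pattern the paper describes from ordinary use. The source-account grouping is what turns individual mule alerts into the view the paper's police respondents needed, namely the flow from one victim account through several mules.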

Opportunities for situational crime prevention

While the crime scripts for the Amsterdam case and that of Soudijn and Zegers (2012) have many similarities, there are specific differences in the origins and growth of the criminal networks. In the Soudijn and Zegers case, technology played a major role (a forum as the meeting place, contacts primarily online, spam emails used to recruit money mules), while in the Amsterdam case, social ties played an important role (recruitment through social contacts, encounters on the street, etc.). Another difference concerns the international character of Soudijn and Zegers’ case, in which criminals from Russia, with accomplices in various countries, targeted victims in the Netherlands. In the Amsterdam case, all of the suspects and victims were from the Netherlands. The potential for situational crime prevention in these two cases is therefore quite different. Below, we first describe the measures proposed by Soudijn and Zegers and then present the opportunities for prevention based on the Amsterdam case.

The case of Soudijn and Zegers: technological measures

The measures proposed by Soudijn and Zegers (2012) are mainly technological in nature, which is logical given that the core members of the criminal group in question only met on a forum and also recruited money mules through digital means. The authors describe possible measures in two areas. Firstly, they define measures that focus on digital meeting places: for example, taking down an entire forum, police infiltration of a forum to uncover the identities of the members, or undermining the value of forums by creating false input, thus damaging the system used to maintain reputations. Secondly, they suggest measures that focus on money mules. According to the authors, the mules are recruited using spam emails. To counter this, spam filters could be better adjusted, by adding keywords used in the recruitment emails. Furthermore, they suggest that police and bank personnel could pose as willing money mules and respond to the spam. The money would thus be directed into their accounts, interrupting the money flow. Finally, campaigns could be implemented to inform the public about how money mules are recruited.

The Amsterdam case: We never call you!

In the Amsterdam case, technology is of less importance, and preventive measures should therefore not only be considered from a technological point of view. Different types of measures might be taken to prevent phishing. Firstly, the crime script revealed that criminals not only used fake emails and replicated websites that appeared to be from the bank, but also made telephone calls to victims to obtain transaction codes. The telephone calls in this crime script can thus be viewed as a critical part of the criminal process, as the use of phishing emails and/or website access in themselves do not give the group control of the victim’s account. In order to actually transfer money, a unique transaction code is required.
Awareness campaigns, therefore, should explain that phishers are not only looking for user credentials but also (and primarily) for transaction codes. The message should be simple and clear – no one ever asks for your bank transfer codes, in the same way that no one ever asks for your pin number (something that is already thoroughly understood in the Netherlands).

The Amsterdam case: detecting phishing signals in other criminal investigations

Other measures concern the characteristics of the network. The suspects knew each other through their social networks, whether they were core members, bank employees, postal workers, mule recruiters or money mules themselves. The network also had strong local roots, as the members grew up or lived in the same area (Amsterdam’s Bijlmer neighborhood) and the core members were from the same ethnic group. In other words, all of the ties were based on social relationships developed in the context of the neighborhood, street, school, local hangouts, soccer club, etc. The core members of the criminal network also knew each other from the criminal underworld and had been involved – in varying combinations – in other forms of fraud and/or other forms of crime aimed at earning quick money. Two of the core members invested money in a narcotics smuggling route into the Netherlands, while other core members engaged in burglaries, skimming and fraud related to cell phone contracts. It
is therefore quite possible that core members of such groups will be known to the police from other criminal investigations having nothing to do with phishing. As mentioned above, the criminal investigation began in response to reports of burglaries in commercial buildings rather than a report of phishing by one of the victims. It is therefore important to look for signs of phishing activities during other criminal investigations, particularly into financial crimes. In this case, phone tapping showed that the suspects exchanged a lot of information about bank accounts, and also that the mule recruiters had collected and hidden many ATM cards, which might be found during house searches. By proactively checking for these signs, phishing groups may be identified and investigative measures – such as surveillance and phone tapping of suspects – could be undertaken more effectively. Once transactions from victims’ accounts via money mules to core members can be observed, criminal prosecution is relatively easy (this is even more important because the core members and some of the facilitators who apparently knew how to deal with the police remained silent during interrogations).

The Amsterdam case: money mules

Other measures could specifically target money mules, who have an important function in the criminal network but are not part of the core group. In many cases they are used to ensure that the core members remain invisible to the police and banks, and many mules do not receive the promised reward. As Soudijn and Zegers also claimed, targeted awareness campaigns might be a good preventive measure. The effects of such a campaign should of course be evaluated. In the Amsterdam case, it seems that young people who want to earn money fast are the main targets of abuse. Further research is needed to establish whether a specific risk group of potential money mules can be identified.
Campaigns that inform potential money mules that they are likely to be used and not rewarded for supplying their ATM card and pin number could be developed on the basis of such profiles. In addition, police officers in the field of juvenile delinquency, as well as youth workers and other professionals who work with young people, need to be aware of the signs of money mule recruitment. The Amsterdam case shows that it was quite common to be asked for ATM cards and pin codes, and that this was done fairly openly.

The Amsterdam case: preventive measures by banks

There are also preventive measures that banks might consider taking. The core members were abetted by people with specific knowledge or skills. Bank employees, for example, were used to obtain information about potential victims, increase cash withdrawal limits and change addresses, while a postal worker intercepted mail from the bank which included ATM cards and login credentials for internet bank accounts. The bank employees all worked in bank call centers, giving them access to customer data and the ability to make changes. While the bank is able to monitor who looks up information and who makes changes, information was still shared and changes made in spite of the fact that employees must log in with personal credentials. A logical step would be to make it more difficult to carry out such actions by raising the security levels required of call center employees. Requiring supervisor authorization for such changes to account details might also help to prevent such fraud. Suspect employees
might also be discovered by developing an automatic search system that flags suspicious search queries or strange changes to client accounts. For example, an employee who normally looks at the data of twenty bank clients each shift but is suddenly accessing forty might be seen as suspicious and could then be investigated further to establish whether there is indeed some kind of fraud occurring. Finally, banks can address the problem of the recruitment of postal employees to intercept mail sent by the bank. User credentials for internet bank accounts and new ATM cards and pin codes are all sent separately to customers by mail, but the banks have no control over these documents once they are in the mail. In the Netherlands, postal workers are not very highly paid, but are clearly of great value to criminal networks. Consequently, it is worthwhile for criminals to risk approaching postal workers, who may be more readily persuaded to become involved in criminal activity if intercepting items of mail is made worth their while. If the bank wants more control over these important items, it should deliver the documents to customers itself or use a company that will guarantee delivery to the customer. Of course, this would entail higher costs for the bank.
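One way to build the automatic search system suggested above, as an added example that is not the paper's code nor any bank's: it reads constructed call-center audit-log lines, compares each employee's customer lookups per shift with the median of that employee's own earlier shifts (flagging a shift at twice the baseline, which reproduces the paper's twenty-versus-forty illustration), and separately flags any customer whose address was changed and whose withdrawal limit was raised on the same day, the two changes the paper says bank employees made for the group. The log format, field names, employee and customer ids and both thresholds are assumptions.

```python
"""Flag anomalous call-center activity from an audit log.

Added example for this page, not code from the paper or from any bank. The log
format, field names, employee and customer ids and thresholds are assumptions;
the log itself is constructed by build_sample_log().
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import median

BASELINE_RATIO = 2.0  # assumption: flag a shift at >= 2x the employee's usual count
MIN_HISTORY = 3       # assumption: earlier shifts needed before a baseline is trusted


@dataclass(frozen=True)
class Event:
    date: str
    shift: str
    employee: str
    action: str    # LOOKUP, ADDRESS_CHANGE or LIMIT_RAISE
    customer: str


def build_sample_log():
    """Constructed log: emp017 looks up about twenty customers per shift for four
    days and forty on the fifth; emp042 stays at fifteen. On the fifth day emp017
    also changes one customer's address and raises that customer's withdrawal limit."""
    lines = []
    for day, n in enumerate((20, 19, 21, 20, 40), start=1):
        date = f"2014-03-{day:02d}"
        lines += [f"{date} shift1 emp017 LOOKUP cust{1000 + i}" for i in range(n)]
        lines += [f"{date} shift1 emp042 LOOKUP cust{2000 + i}" for i in range(15)]
    lines.append("2014-03-05 shift1 emp017 ADDRESS_CHANGE cust1007")
    lines.append("2014-03-05 shift1 emp017 LIMIT_RAISE cust1007")
    lines.append("2014-03-02 shift1 emp042 ADDRESS_CHANGE cust2003")  # lone change, not flagged
    return "\n".join(lines)


def parse_log(text):
    """Parse 'date shift employee action customer' lines into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, shift, employee, action, customer = line.split()
        events.append(Event(date, shift, employee, action, customer))
    return events


def lookups_per_shift(events):
    """employee -> Counter keyed by (date, shift) with the number of LOOKUP events."""
    counts = defaultdict(Counter)
    for e in events:
        if e.action == "LOOKUP":
            counts[e.employee][(e.date, e.shift)] += 1
    return counts


def flag_volume_anomalies(events, ratio=BASELINE_RATIO, min_history=MIN_HISTORY):
    """Return (employee, (date, shift), count, baseline) for each shift whose lookup
    count is at least ratio times the median of that employee's earlier shifts.
    The baseline is per employee, so a busy role is compared with itself rather
    than with the whole floor."""
    flagged = []
    for employee, per_shift in lookups_per_shift(events).items():
        history = []
        for key in sorted(per_shift):
            count = per_shift[key]
            if len(history) >= min_history:
                baseline = median(history)
                if count >= ratio * baseline:
                    flagged.append((employee, key, count, baseline))
            history.append(count)
    return flagged


def flag_sensitive_combinations(events):
    """Return (customer, date) pairs where an address change and a withdrawal-limit
    raise hit the same customer on the same day, whoever made them."""
    seen = defaultdict(set)
    for e in events:
        if e.action in ("ADDRESS_CHANGE", "LIMIT_RAISE"):
            seen[(e.customer, e.date)].add(e.action)
    return sorted(key for key, actions in seen.items() if len(actions) == 2)


if __name__ == "__main__":
    log = parse_log(build_sample_log())
    print(flag_volume_anomalies(log))
    print(flag_sensitive_combinations(log))
```

The two rules are deliberately independent: the volume rule catches an employee who is looking up far more customers than usual (the scouting for potential victims the paper describes), while the combination rule catches the specific pair of changes that prepares an account for mail interception and a larger cash withdrawal, even when the employee's lookup volume looks normal. A median over the employee's own history, rather than a fixed number, keeps the threshold meaningful for staff whose normal workload differs.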

Main conclusion and discussion

Main conclusion

Both the Amsterdam case and the case reported by Soudijn and Zegers (2012) show that there are situational measures that can be taken against phishing. The crime script in both cases consisted of the formation of a criminal group, the capturing of login details from the victims, the transfer of funds to money mule accounts and the withdrawal of the money from these accounts to ensure interruption of the digital money trail. The methods differed on only one point. In the Amsterdam case, telephone calls to the victims were an essential aspect because they were used to obtain the transaction codes needed to transfer money. Furthermore, both cases demonstrated that money mules are an important part of the network because they enable money to be transferred to the core members while leaving no trace of their involvement. However, the potential situational crime prevention measures differ. This is mainly due to the different origins and growth of each criminal group. The case examined by Soudijn and Zegers involved a group of criminals who had made contact through a forum, through which they also made plans and looked for other relevant participants. In other words, the offender convergence setting was a digital forum. In the Amsterdam case, the members knew or contacted each other in the physical world. Here, the offender convergence settings were the streets of the Bijlmer neighborhood – and one café in that neighborhood in particular. Different types of preventive measures can be taken in each case. Soudijn and Zegers mainly focused on technological measures, such as taking down online forums or infiltrating them. In the Amsterdam case, it appears that the entire phishing enterprise depended heavily on telephone calls to obtain essential information, suggesting that further measures could be taken in this area to recognize signs of phishing.
Also, the core criminals were all engaged in other forms of criminal activity and might have been suspects in other police investigations, which could also have given rise to suspicion of
phishing. Finally, banks should take measures to reduce the appeal of recruiting bank employees and postal workers for criminal activity. Both cases clearly demonstrate the importance of the withdrawal process and the role of money mules within that process. Despite the fact that money mules were recruited differently, an awareness campaign aimed at this group seems to be an obvious measure to take. Further research is required to identify the groups potentially at risk of becoming money mules.

Theoretical discussion

This article demonstrated that there are different types of groups involved in phishing. The differences primarily concern their origins and growth (digital meeting places versus social contacts), but the modus operandi may also vary (level of technology use, international character, secondary criminal activities). An explanation of the differences can be found in the concept of ‘social opportunity structure’, introduced by Kleemans and De Poot (2008), according to whom social ties and networks not only provide access to criminal opportunities, but their nature further determines the opportunity structure, which facilitates different types of crime. Sometimes existing social contacts will not offer sufficient opportunities. This is especially the case in international crime. According to Van de Bunt and Kleemans (2007), the problem with social relationships is that they are highly clustered and therefore always limited in certain ways. Thus, to expand opportunities it is necessary to establish relationships with ‘outsiders’. Access to key figures who are able to arrange these new contacts and organize offender convergence settings determines the growth and scope of a given network. Constraints to the social network, e.g. geographical or social barriers between countries, lack of access to different ethnic groups or the underworld, can be resolved. Leaders of some networks might remain local heroes, while others grow into international players.
Within their own region, these ‘local heroes’ engage in different criminal operations to make money, and have no further contact outside their region or any expertise on which others might call. The conditions for growing into an international or even a national player include having contacts with brokers who have access to new export markets, or who provide capital or expertise. The degree of access to digital offender convergence settings thus provides an explanation for the differences between the two cases discussed in this article. In fact, here we see the equivalent of local heroes in the one case and international players in the other. The Amsterdam group had no access to digital convergence settings and was thus limited by the social cluster in which it was located, as accomplices were recruited through local social contacts. Moreover, there were no victims targeted in other countries. This was probably because the criminals did not have a method of recruiting bank employees or postal workers outside the Netherlands, nor were they able to recruit money mules or contact victims in other languages. They also committed all kinds of other crimes to earn quick money. In contrast, in the case reported by Soudijn and Zegers, the offenders met each other on a digital forum which was more international in character. Other services could be relatively easily acquired through the forum (victims were targeted and accomplices recruited in different countries). It also seems that the criminals specialized in phishing attacks, as no other criminal activities were described in this case.

On the basis of just the two cases discussed in this article, it can be assumed that there are at least two types of networks engaged in phishing. Based on the concept of social opportunity structures and the importance of access to offender convergence settings, this has consequences for criminal investigations. Indeed, the opportunities for prevention and the difficulties faced by law enforcement agencies in the case of a locally based network of criminals involved in a range of criminal activities are different to those faced when dealing with an international network of experts who only know each other through online identities. More research into criminal phishing groups – and indeed cybercriminal networks in general – is required to map the entire spectrum of cybercriminal phishing groups.

Research limitations

The current literature on phishing networks focuses on internet forum-based groups. The Amsterdam case shows that this only offers us a partial picture of this form of organized crime. This article provides new information about these groups, as we found that contacts are not always made solely through online forums, but might also rely on old-fashioned, non-digital social networks. Moreover, they do not rely solely on high-tech tools such as Trojans or other viruses, but also on social engineering. Thus, if criminological research into cybercrime focuses on what is happening in the digital world to the detriment of the offline world, a significant part of the organized cybercrime scene will remain undetected. A limitation of both case studies is that they were based on police investigations. We still know nothing of the crime scripts and the characteristics of networks that remain unknown to police. Other methods should also be used to complement information from police investigations (e.g. self-report studies of offenders, honeypots, etc.).
In addition, in-depth research using transcripts of interviews with offenders may provide a better understanding of the motivations of those involved and precisely how they became involved in the criminal group. Finally, victims themselves may provide valuable information about the modus operandi of criminal groups. Are certain groups more at risk than others (e.g., the elderly with big savings accounts)? Why do victims (unwillingly) still share their personal information with criminals? Knowing more about victims helps to learn more about the criminal groups and to better target prevention campaigns. Both cases show that money mules play an important role within phishing networks. Preventive and deterrence measures might initially focus on this relatively visible group of offenders, because without money mules it will become much more difficult for the core group to obtain cash without leaving a digital trail. Thus, a greater understanding of the motivations of the money mules is necessary in order to determine whether awareness campaigns may be useful (in the case of a well-defined group who do not know that they are participating in fraud), or whether other measures are necessary to ensure a deterrent effect (e.g. civil proceedings by banks or prosecution of money mules). Another challenge is to think about the alternatives that criminal groups might turn to should they no longer be able to recruit money mules.

References

Décary-Hétu D, Dupont B (2012) The social network of hackers. Glob Crime 13(3):160–175
Financial Fraud Action UK (2013) Decline in fraud losses stalled by rise in deception crime aimed at consumers. News release, 12 March 2013
Holt JT, Lampke E (2009) Exploring stolen data markets online: products and market forces. Crim Justice Stud 23(1):33–50
Kleemans ER, van der Berg AEIM, van de Bunt HG (1998) Georganiseerde criminaliteit in Nederland (Organized Crime in the Netherlands). WODC, Den Haag
Kleemans ER, Brienen MEI, van de Bunt HG, Kouwenberg RF, Paulides G, Barensen J (2002) Georganiseerde criminaliteit in Nederland, tweede rapportage op basis van de WODC-monitor (Organized crime in the Netherlands, second report based on the Monitor Organized Crime). WODC, Den Haag
Kleemans ER, de Poot CJ (2008) Criminal careers in organized crime and social opportunity structure. Eur J Criminol 5(1):69–98
Kleemans ER, van de Bunt HG (1999) The social embeddedness of organized crime. Transl Organized Crime 5(2):19–36
Kruisbergen EW, van de Bunt HG, Kleemans ER (2012) Georganiseerde criminaliteit in Nederland. Vierde rapportage op basis van de Monitor Georganiseerde Criminaliteit (Organized crime in the Netherlands, fourth report based on the Monitor Organized Crime). Boom Lemma Uitgevers, Den Haag
Lu Y, Luo X, Polgar M, Cao Y (2010) Social network analysis of a criminal hacker community. J Comput Inform Syst 51(2):31–41
NVB (Nederlandse Vereniging van Banken) (2013) Jaarverslag 2012. Een sector in dialoog (Dutch Banking Association, Annual Report 2012). Nederlandse Vereniging van Banken, Amsterdam
Peretti KK (2008) Data breaches: What the underground world of ‘carding’ reveals. Santa Clara Comput High Technol Law J 25(2):345–414
Soudijn MRJ, Zegers BCHT (2012) Cybercrime and virtual offender convergence settings. Trends in Organized Crime 15(2–3):111–129
Soudijn MRJ, Monsma E (2012) Virtuele ontmoetingsruimtes voor cybercriminelen (Virtual meeting places for cyber criminals). Tijdschrift voor Criminologie 54(4):349–360
Soudijn MRJ (2010) Wives, girlfriends and money laundering. J Money Laundering Control 13(4):405–416
van de Bunt HG, Kleemans ER (2007) Georganiseerde criminaliteit in Nederland, derde rapportage op basis van de Monitor Georganiseerde Criminaliteit (Organized crime in the Netherlands: third report based on the Monitor Organized Crime). WODC, Den Haag