Cybercrimes in the United State
The School of Information Technology
University of Cincinnati
A dangerous aspect of the Internet Age that all businesses and government agencies must effectively counteract is cybercrime. As technology advances, so do the criminals. President Obama addressed that the “cyber threat is one of the most serious economic and national security challenges we face as a nation” and “America’s economic prosperity in the 21st century will depend on cybersecurity.” (Pinguelo & Muller, 2011) This article addresses the definitional concepts of cybercrime and, some of the most common forms of cybercrimes effecting American businesses and the federal and state governments, its threats to society and companies as well as the types of cyber-attacks.
He was very excited as he bought the new IPhone about six years ago. He saw it, a commercial website, first time and said to himself “I’d like to believe that’s true”, because the IPhone’s price was pretty cheap which and was almost 300$ cheaper than other websites. He instantly ordered to buy it. First of all, he signed up to website, and then filled out necessary information on the website. He gave them his own credit card and SSN information. After 10 days, he received a box from the company and he excitingly opened it, but he was really surprised because of the box. He thought that “it was a terrible joke”, because there was a cucumber in the box. He was very angry since he bought a cheap IPhone and immediately contacted his bank. They had withdrawn an extra 500 $ from his account, so he called his bank and temporarily closed his account. He complained about the company, but police department was not able to find them. Their company and website were fake and they diddled money out of people. He asked the police officer “Who were they?”. The police answered his question “They get people’s identity information by means of internet. We call this situation; identity theft or internet fraud,” he had heard internet fraud and identity theft many times from TV’s and newspapers, but he had never thought that he would have faced such a situation. As a result, he bought the most expensive cucumber in his life and learned what cyber-crime is, especially identity theft and internet fraud.
Today in the world, more than 2 billion people have personal computer which have become a big part of our lives (Winmill, Metcalf, & Band, 2010, p. 19). So many people might face identity theft and internet fraud like the above story. The importance of cyber-crime has been gradually increasing. The availability of electronic resources has brought about a new type of criminal activity, namely computer crime and computer fraud (Kunz & Wilson, 2004, p. 3). There is no static “profile” for a cybercriminal, as they take on many forms in their effort to steal, cheat, and destroy. For American consumers and businesses, more likely then not the cybercriminal they encounter will be a male from the United States (Wall, 2010). By one study, it was found that seventy-six percent of cybercriminals were male, with over half residing in either California, Florida, New York, the District of Columbia, Texas, Washington, Illinois, Georgia, New Jersey, or Nevada (Wall, 2010).
What are cybercrimes?
“Cybercrime,” an amorphous term that, at its greatest breadth, is used to describe “any crime that is facilitated or committed using a computer, network, or hardware device,”(Gordon & Ford, 2006). There are various definitions with regard to Cyber-crime. For instance; the Department of Justice defines cyber-crime as “…any violation of the criminal law that involves the knowledge of computer technology for its perpetration, investigation, or prosecution.” (Kunz & Wilson, 2004). Other definitions are that in the United Nations Congress on the Prevention of Crime and the Treatment of Offenders, two definitions were identified on the cyber-crime by speakers. The first definition is that cyber-crime in a narrow sense involves any illegal behavior on the computer system (America, 2000) (Gercke, 2012) and its goal is to obtain the security of computer system and the data processed (Gercke, 2012). In a broader sense, cyber-crime involves any illegal behavior committed via network and computer system (Gercke, 2012), such as illegal possession and sharing or distributing other people’s information like credit card numbers, SSN number or TIN number. Cyber-crime might be categorized in two major categories of offences: computer crime and computer fraud. A computer connected to network might be target of offence. Thus, network security is important in case of attacks on network, such as preventing unauthorized reading of information (confidentiality), unauthorized writing (integrity) and data availability, which has become a fundamental issue in information security (Stamp, 2011). For instance, unauthorized access is related to network security and is known hacking. This crime’s goal is to access computer resources and to obtain all resources in the computer without permission by means of network. Alexey V. Ivanov who was a hacker from Russia, hacked dozens of computers in the USA and stole usernames, credit card and bank account information. He also threatened victims deleting their data and destroying their computers in 2003. (Kunz & Wilson, 2004). Another category is traditional crimes, such as child pornography, prostitution, identity theft and internet fraud. Two reports are going to be presented below to show the importance of cyber-crime.
The U.S. Department of Justice issued a report about victims of identity theft in 2015 (Harrell, 2015). According to the report; in the U.S., estimated 7% of all U.S. residents faced incidents of identity theft in 2014. (Harrell, 2015) 86% of cases victims were exposed to fraudulent use of existing credit card or bank account information. In between 2012- 2014, identity theft of elderly victims increased from 2.1 million to 2.6 million. 32% of victims experienced multiple types of identity theft, such as existing account and internet fraud.(Harrell, 2015, p. 1). In 2014, 49% of identity theft victims lost 99$ or less and 16% of victims reported expenses of 100$ to 249$. Also, 14% of victims reported expenses of 1000$ and more.(Harrell, 2015a, p. 6,7).
Another report was issued about the cost of data breach by the IBM and Ponemon Institute in 2016. Preventing data and records containing sensitive and confidential information is important against cyber-attacks. In 2015, the average cost of each lost or stolen data and records increased from $154 to $158. According to the report, in the USA per capita cost of data breaches was 221$ in 2015. The USA spent a total cost of 7.01$ million on databases in 2015 and Germany spent total cost $5.01 million.(Ponemon Institute LLC & IBM, 2016, p. 2). In 2013, McAfee and Center for Strategic and International Studeis issued a report about the economic impact of cyber-crime, and according to this report; the governments and companies spend perhaps 7% of their information technology budgets on security (McAfee & Center for Strategic and International Studies, 2013, p. 12). Also, In the USA, federal agencies spent more than $15 billion with regard to cyber-security project and activities. This cost is equal to 20% of all federal spending on information technology (McAfee & Center for Strategic and International Studies, 2013, p. 13). The governments and companies have to protect data and records containing sensitive and confidential information against attackers and they will always have to spend on cyber-security. Thus, the cost of cyber-security has been gradually increasing. I suppose that regarding the cost of cyber-security will substantially occupy their own budgets. The cost of cyber-crime is billions of dollars in the world.
Major Forms of Cybercrimes Effecting Government and Businesses
- Economic or Foreign Espionage
Espionage is a hot topic in the cyber realm. In August 2010, the Department of Defense issued a report (The Department of Defense, 2010) discussing China’s increased use of “‘information warfare units’ to develop viruses to attack enemy computer systems and networks (Pinguelo & Muller, 2011). According to the Pentagon, the federal government’s computer systems remain a continued target of cyber intrusions from China (Pinguelo & Muller, 2011). The effectiveness of this variety of crime was witnessed in 2009, when cyber spies broke into the plans for the Pentagon’s $300 billion Joint Strike Fighter project, the Defense Department’s costliest weapons program ever (Gorman, Cole, & Dreazen, 2009). To face this growing threat, and go on the offensive, the Pentagon has recruited “hacker soldiers” to “develop weapons that defend against, or initiate, computer attacks,” (Drew & Markoff, 2009) and has also opened its U.S. Cyber Command, which, in 2010, took control of the various cybersecurity and cyber offensive units that had been scattered among the military’s branches (Hersh, 2010). The new commander of the military’s cyberwarfare operations is also advocating for the creation of a “separate, secure computer network to protect civilian government agencies and critical industries like the nation’s power grid against attacks mounted over the Internet.” (Shanker, 2010). This all comes as the Pentagon’s interest in cyberwarfare (Kilgannon & Cohen, 2009) has reached what has been described as “religious intensity” by one military expert.
Espionage is a similar concern for Corporate America, where trade secrets are a valuable commodity, and hackers are using military style techniques to steal confidential information from organizations (Smith, 2014). Indeed, the growing threat from China-based cyber spies is not limited to the military realm, as Chinese hackers have attacked Dow Chemical and Northrop Grumman’s computer networks (Goel, 2011) These attacks were described as “sophisticated and precisely targeted, ‘designed to get in, cover its tracks and steal corporate secrets and get out.’ (McAfee & Center for Strategic and International Studies, 2013) One commentator has described China’s all out cyber assault on American businesses as a “‘full economic attack inside the United States.” (Hersh, 2010)
As shown by the public and private sector’s vulnerability to cyber espionage, it is difficult to protect oneself from the covert activity of cyber spies. Nevertheless, individual companies can easily implement policies to reduce their exposure. For example, Porsche SE has blocked employees from using Facebook to help reduce potential access points for cyber spies, (Pinguelo & Muller, 2011) as fears grow about the security threats created by social networking sites.
- Malicious Insiders
In both the government and business context, disgruntled employees can be an especially harmful brand of cybercriminal (Greitzer et al., 2008) Cybercrime studies reveal that the negative financial impact caused by insider intrusions is increasing. Indeed, it has been found that “although insider attacks may not occur as frequently as external attacks, they have a higher rate of success, can go undetected and pose a much greater risk than external attacks.” (Chinchani, Iyer, Ngo, & Upadhyaya, 2005). This insider risk became glaringly apparent in 2010, when disaffected Army Private Bradley Manning released a huge cache of classified government documents to WikiLeaks, causing great havoc in the Pentagon (Nakashima, 2010).
When an employee leaves a company to work for a competitor, there is always the potential that he or she will attempt to steal intellectual property. For example, the Department of Justice issued a press release in September 2010 announcing that a chemist had pled guilty to stealing $20 million in trade secrets from his former admitted using his access to his employer’s secure internal computer network to enter confidential databases containing trade secrets and to download approximately 160 secret formulas for paints and coatings (Pinguelo & Muller, 2011). Similarly, in July 2010, a Michigan couple was indicted for stealing and selling $40 million worth of General Motor’s hybrid motor trade secrets to a Chinese automaker (Pinguelo & Muller, 2011) The employee allegedly downloaded a confidential GM document and saved thousands of pages of private GM information onto a hard drive.
An insider may also decide to turn his technical prowess against his employer’s information systems. In 2002, a computer systems administrator was charged with using a “logic bomb” (Peiravi, 2010) to cause more than $3 million in damage to his employer’s computer network, as part of a plan to drive down the company’s stock (Pinguelo & Muller, 2011) In July 2010, a disgruntled former senior database administrator received a year in prison for, following his firing, accessing his ex-employer’s customer database, causing damage to the network and the database, and copying and saving the database to his home computer. His actions resulted in a $100,000 loss to the company (Peiravi, 2010).
- Phishing and Spam emails
Phishing is the illegal attempt to acquire confidential information such as credit card details, usernames & password and service security number generally for malicious purpose (Solanki & Vaishnav, 2016). According to the Ant-Phishing Working Group report “Phishing is a criminal mechanism employing both social engineering and technical subterfuge to steal consumers’ personal identity data and financial account credentials”(Anti-Phishing Working Group, 2016). Phishing affects the Internet in general by undermining consumers’ trust in secured online transactions, which in turn leads to reduced activity online. Because the fraudulent e-mails and websites look incredibly similar to official e-mails and sites, these scams call into question any electronic communication received from an online business(Lynch, 2005). Consumers start to doubt the veracity of any unsolicited e-mail they receive, which could force organizations to return to more expensive offline methods to communicate with their customers(Brain Krebs, 2004a)
Brain Krebs published an example of a phishing incident in the Washington Post. Brain Krebs published an article related to phishing incident in the Washington Post. He talked about William Jackson who lives in Texas. William Jackson received an email which looked like an email that comes from PayPal. The email said that he should update his information by clicking a link that was provided by the email. He clicked that link, and provided his personal information. He became a victim of a phishing attack(Brain Krebs, 2004b).
The most prevalent from phishing is identity theft. Phishing is the act which is more depends on the user then attacker since the user may not be able to identify that the website they have visited is fake or original. This is the point where attackers get advantage to acquire their confidential information like social security number, username, credit card details, passwords, account details(Solanki & Vaishnav, 2016). According to the Javelin report, in the U.S.A., 12.7 million victims were exposed to identity theft in 2014. Put it differently, 5.2% of U.S. population were fraud victims(Javelin Strategy & Research, p. 14). The number of fraud victims reduces in 2014, compared to 2013 which was 13.1 million.
Phishing is a business, and there are gangs of phishers organized all over the world, but primarily in Eastern Europe, Asia, Africa and the Middle East, using sophisticated and elaborate schemes to steal personal information(Anti-Phishing Working Group, 2016) For example, cyber-criminals use malicious software, like malware to obtain someone’s personal information. PandaLabs found 18 million new malware samples in 2016 (2nd quarter April-June), an average of more than 200,000 a day. 71.53% of malware samples are Trojans which are the most pervasive type of malware. Also, 12.36% of malware samples are virus and followed by worms with 10.05% (Anti-Phishing Working Group, 2016).
Phishing is also substantially used by organized crime groups. Huge amount of money is under the risk because of cyber-criminals. Even if they steal bank account information of only a small percentage of people who get duped, this is enough for them to get millions of dollars(Lynch, 2005). In the United States, total fraud losses declined to $16 billion in 2014, a decrease of 11% from 2013 ($18 billion)(Javelin Strategy & Research, p. 7). According to the Department of Justice report, in 2014, about 8.6 million victims experienced the fraudulent use of their credit cards, a slight increase from 7.7 million victims in 2012(Harrell, 2015b)
Companies lose many customers because of phishing which damages their image. Also, some companies offer complete compensation to customers whose accounts are abused(IBM Ponemon Institue, 2016). Companies lost related to data breach is average $4 million in 2016. Hackers and cyber-criminal insiders caused the most data breaches. 48% of all breaches were caused by malicious or criminal attacks. The average cost per record to resolve such an attack was $170(IBM Ponemon Institue, 2016). Additional, The number of brands targeted by phishers in the second quarter remained consistent – ranging from 411 to 425 different brands each month(Anti-Phishing Working Group, 2016). In the United State, The Retail/Service sector remained the most targeted industry sector during the second quarter of 2016, suffering 43% of attacks(Anti-Phishing Working Group, 2016)
Many companies have stopped communicating with their customers’ via e-mail and they start using alternative ways, such as letter, message via mobile phone. For instance, US Bank in the United State, automatically alerts customers via mobile phone, letter and e-mail when personal information changes on their system.
As a result, cyber-crime has been gradually increasing in the world. The USA spends millions of dollars to combat cyber-crime, such as identity theft, preventing data and records and network security. Also, companies have to reserve a significant amount of their own budgets to prevent customers’ information, from being stolen or “attacked”.
Internet has become a useful part of our regular day to day life as we do almost all of our social and financial activities online. Today every persons are heavily depends on internet and online activities such as online shopping, online banking, online booking, online recharge and many more(Solanki & Vaishnav, 2016). Hackers generally attack to breach data security and make sabotage for to break network security system. Companies have to pay a significant amount of money to secure their database system and sensitive information.
America, U. S. of. (2000). Crimes Related to Computer Networks: Background Paper for the Workshop on Crimes Related to the Computer Network. Retrieved from https://www.ncjrs.gov/App/Publications/abstract.aspx?ID=184824
Anti-Phishing Working Group. (2016). Phishing Attack Trends Report 2016. Retrieved from http://www.antiphishing.org/resources/apwg-reports/
Brain Krebs. (2004a, b). Companies Forced to Fight Phishing. Retrieved from http://www.washingtonpost.com/wp-co/hotcontent/index.html?section=technology/techpolicy/cybercrime
Brain Krebs. (2004b). Phishing Feeds Internet Black Markets. Retrieved October 13, 2016, from http://www.washingtonpost.com/wp-co/hotcontent/index.html?section=technology/techpolicy/cybercrime
Chinchani, R., Iyer, A., Ngo, H. Q., & Upadhyaya, S. (2005). Towards a theory of insider threat assessment. In 2005 International Conference on Dependable Systems and Networks (DSN’05) (pp. 108–117). IEEE. Retrieved from http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=1467785
Drew, C., & Markoff, J. (2009). Contractors Vie for Plum Work, Hacking for US. New York Times, 31.
Gercke, M. (2012). Understanding Cybercrimes: Phenomena, Challenges and Legal Response. International Telecommunication Union.
Goel, S. (2011). Cyberwarfare: connecting the dots in cyber intelligence. Communications of the ACM, 54(8), 132–140.
Gordon, S., & Ford, R. (2006). On the definition and classification of cybercrime. Journal in Computer Virology, 2(1), 13–20.
Gorman, S., Cole, A., & Dreazen, Y. (2009). Computer spies breach fighter-jet project. The Wall Street Journal, 21. Retrieved from http://www.ismlab.usf.edu/isec/files/fighter-jet-WSJ-04_09.pdf
Greitzer, F. L., Moore, A. P., Cappelli, D. M., Andrews, D. H., Carroll, L. A., & Hull, T. D. (2008). Combating the insider cyber threat. IEEE Security & Privacy, 6(1), 61–64.
Harrell, E. (2015a). Victims of Identity Theft, 2014. US Department of Justice Bureau of Justice Statistics Bulletin, September. Retrieved from http://www.a51.nl/sites/default/files/pdf/vit14.pdf
Harrell, E. (2015b). Victims of Identity Theft, 2014. US Department of Justice Bureau of Justice Statistics Bulletin, September. Retrieved from http://www.a51.nl/sites/default/files/pdf/vit14.pdf
Hersh, S. M. (2010). The online threat. The New Yorker, 1. Retrieved from http://www-personal.umich.edu/~shanesq/EOTW/Supplementary_Readings/Templates_and_Sources/OnlineThreat_Hersh.pdf
IBM Ponemon Institue. (2016). IBM 2016 Cost of Data Breach Study – United States. Retrieved from http://www-03.ibm.com/security/data-breach/
Javelin Strategy & Research. (n.d.). Research (2014).
Kilgannon, C., & Cohen, N. (2009). Cadets trade the trenches for firewalls. New York Times, 11, A1.
Kunz, M., & Wilson, P. (2004). Computer Crime and Computer Fraud. Montgomery County Criminal Justice Coordinating Commission.
Lynch, J. (2005). Identity theft in cyberspace: Crime control methods and their effectiveness in combating phishing attacks. Berkeley Technology Law Journal, 259–300.
McAfee, & Center for Strategic and International Studies. (2013). The Economic Impact of Cybercrime and Cyber Espionage. USA.
Nakashima, E. (2010). Messages from alleged leaker Bradley Manning portray him as despondent soldier. Washington Post.
Peiravi, A. (2010). Internet security-cyber crime paradox. Journal of American Science.
Pinguelo, F. M., & Muller, B. W. (2011). Virtual Crimes–Real Damages: A Primer on Cybercrimes in the United States and Efforts to Combat Cybercriminals. Virginia Journal of Law and Technology, Forthcoming. Retrieved from http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1789284
Ponemon Institute LLC, & IBM. (2016). 2016 Cost of Data Breach Study: Global Analysis. USA.
Shanker, T. (2010). Cyberwar Chief Calls for Secure Computer Network. The New York Times, 23. Retrieved from http://www.distributedworkplace.com/DW/Government/Government%202010/Cyberwar%20Chief%20Calls%20for%20Secure%20Computer%20Network.doc
Smith, G. (2014). Espionage. Retrieved from http://lawi.us/espionage/
Solanki, J., & Vaishnav, R. G. (2016). Website Phishing Detection using Heuristic Based Approach. Retrieved from https://www.irjet.net/archives/V3/i5/IRJET-V3I5420.pdf
Stamp, M. (2011). Front Matter. In Information Security (pp. i–xxi). John Wiley & Sons, Inc. Retrieved from http://onlinelibrary.wiley.com/doi/10.1002/9781118027974.fmatter/summary
The Department of Defense. (2010). Office of The Sec’y. of Defense, Annual Report to Congress: Military and Security Developments Involving The People’s Republic of China.
Wall, D. S. (2010). The Internet as a conduit for criminal activity. Information Technology and The Criminal Justice System, Pattavina, A., Ed, 77–98.
Winmill, B. L., Metcalf, D. L., & Band, M. E. (2010). Cybercrime: Issues and challenges in the United States. Digital Evidence & Elec. Signature L. Rev., 7, 19.
Zhang-Kennedy, L., Fares, E., Chiasson, S., & Biddle, R. (2015). Geo-Phisher: The Design of a Global Phishing Trend Visualization Tool. In Symposium on Usable Privacy and Security (SOUPS). Retrieved from http://cups.cs.cmu.edu/soups/2015/posters/soups2015_posters-final20.pdf