Cybercrime: Victimization, Perpetration, and Techniques

  Published: 10 November 2021
  Volume 46, pages 837–842, (2021)

James Hawdon


The creation of the World Wide Web revolutionized communication. At the turn of the twenty-first century, roughly 413 million people used the internet (Roser & Ortiz-Ospina, 2015). A mere 21 years later, nearly 4.7 billion people, or about 60% of the world’s population, actively use the internet (We Are Social, & DataReportal, & Hootsuite, 2021). The pace of innovation in information technology, from the introduction of email in the 1960s to the rise of multiple social media platforms in the early 2000s to the rise of the Internet of Things (IoT) and 5G, has been astonishing. It is now almost inconceivable to imagine life without access to the internet. Yet the IT revolution, like all technological revolutions, has been a double-edged sword. Indeed, the internet’s many benefits and drawbacks have been discussed in numerous forums, and these discussions will undoubtedly continue as long as we remain dependent on this technology. This special edition of the American Journal of Criminal Justice contributes to those discussions by considering one of the drawbacks: cybercrime.

Cybercrime, or the use of computer technology or online networks to commit crimes, ranges from fraud and identity theft to threats and intimidation. Cybercrime and its many manifestations have clearly increased over the past 20 years. For example, cybercrime costs increased from approximately $3 trillion in 2015 to more than $6 trillion in 2021, and these costs are expected to increase to over $10.5 trillion by 2025 (Morgan, 2020). In the U.S. alone, approximately 23 percent of households experience some sort of cybercrime annually (Reinhart, 2018; Hawdon et al., 2020). Indeed, in the same way that larceny characterized the twentieth century, cybercrime is characterizing the twenty-first century (Albanese, 2005). And these facts just reflect the economic costs of cybercrime and do not account for the non-monetary harms caused by cyberviolence. Cyberstalking, online sexual exploitation, cyber-harassment and bullying, threats of violence, and online violent extremism are also commonly committed acts of cyberviolence (FBI, 2021).

In many ways, it is unsurprising that cybercrime has increased in recent years. As technology becomes more sophisticated, so do cybercriminals, and cybercriminals now target individuals, businesses, healthcare facilities, educational institutions, and governments. As more people engage in an ever-increasing variety of online activities and more businesses conduct their affairs online, it is predictable that there would be a rise in cybercrime. To use the familiar language of Routine Activity Theory (Cohen & Felson, 1979), we have a lot more suitable targets in insufficiently guarded space being victimized by an increasing number of motivated offenders. It is also unsurprising that there is a growing body of literature dedicated to cybercrime as scholars scramble to understand the ever-evolving phenomenon. Entire journals are now dedicated to its study, and new academic disciplines have been created to try to prevent it. While our understanding of cybercrime has accumulated quickly and impressively, there is so much about cybercrime that we still do not know. This special issue of the American Journal of Criminal Justice offers nine new articles to help fill that knowledge gap.

The articles included in this issue reflect three broad areas of cybercrime research: cybercrime victimization, cybercrime perpetration, and techniques and facilitators of cybercrime. While there is some overlap, the issue includes three papers focused on each of these three areas.

The first area covered in the special issue focuses on cybercrime victimization. This area has generated the most research to date. In part because victims of cybercrime are relatively easy to find, considerable research has been conducted on cybervictimization across a variety of cybercrimes. Three of the articles in this special issue focus on cybervictimization, and they add to the literature in interesting ways by providing cross-national perspectives, building on theoretical traditions, or providing systematic summaries of the state of the field at this time.

The first article in this section, by Michelle Wright and a team of colleagues, investigates how adolescents from China, Cyprus, the Czech Republic, India, Japan, and the United States explain being a victim of cyberbullying. The investigation examines whether adolescents’ explanations of victimization vary by setting (private vs. public), medium (offline vs. cyber), and severity, and whether cultural differences alter these relationships. Their findings suggest the need for prevention and intervention efforts to consider the role of setting, medium, severity, and cultural values if they are to be successful.

The second paper focusing on victimization builds on the frequent finding that problematic social media use is associated with negative life experiences and provides empirical support for a theoretical link between problematic social media use and cybervictimization. The analysis, conducted by colleagues Eetu Marttila, Aki Koivula, and Pekka Räsänen, is framed in Routine Activity Theory/Lifestyle-Exposure Theory. The results indicate that not only is problematic social media use strongly correlated with cybervictimization in a between-subject analysis, but within-subject analyses also reveal that problematic social media use has a cumulative effect on victimization.

The third paper bridges research on cybercrime victimization and cybercrime perpetration and provides a glimpse at the state of knowledge about a specific form of cyberviolence. Catherine Marcum and George Higgins conduct a systematic review of literature investigating both offending and victimization of cyberstalking, cyberdating abuse, and interpersonal electronic surveillance. Using a number of electronic databases, the authors focus on 31 studies to identify correlates of involvement in these cybercrimes. Victims are disproportionately female. Other correlates of victimization include overall social media use, risky online behavior, and negative external factors such as being attached to abusive peers. Correlates of perpetration provide support for a number of leading criminological theories as perpetrators tend to have low levels of self-control, associate with delinquent peers, and have low levels of parental supervision. As more research is conducted, there is a great need for more systematic literature reviews so we can begin to better refine our understanding and identify the theoretical approaches that provide the most insight into the world of cybercrime.

There are another three articles included in this special issue that focus on cybercrime perpetration. All three articles test traditional criminological theories and find support for them. In the first, Adam Bossler uses Sykes and Matza’s (1957) techniques of neutralization to examine the effects of techniques of neutralization on college students’ willingness to commit cybercrime, specifically hacking websites to deface them or compromise foreign and domestic financial and government targets. An overall techniques of neutralization scale significantly predicts being willing to commit cyberattacks even after controlling for other relevant factors. In addition to the theoretical implications of finding strong support for Sykes and Matza’s framework, the findings also have implications for situational crime prevention efforts aimed at removing excuses for offenders.

In another article focusing on perpetration, Thomas Dearden and Katalin Parti use a national online sample of 1,109 participants and find strong support for social learning theory as measures of both online and offline social learning correlate with a measure of cyber-offending. However, the authors also argue that self-control will interact with social learning variables to further influence the likelihood of cyber-offending. Overall, they find that both social learning and self-control, individually and as an interaction, are good predictors of cyber-offending.

In the final article dedicated to investigating the perpetration of cybercrime, Ashley Reichelmann and Matthew Costello use a nationally representative sample to explore how various dimensions of American national identity relate to producing online hate materials. The analysis reveals that higher levels of salience and public self-regard are weakly related to producing online hate. However, the findings suggest that understanding the nuances of “what it means to be American” is important for fully understanding the phenomenon of cyberhate, especially in this polarizing time when what it means to “be American” is frequently questioned.

Another three articles deal with perpetrating cybercrimes or “pseudo-cybercrimes,” but their focus is on how these crimes are committed. That is, the investigations deal with using the Dark Web or the surface web to make illegal or pseudo-legal purchases of illegal or quasi-legal substances. In the first paper in the section, Eric Jardine provides a crime script for purchasing drugs on the Dark Web. The script involves four generic stages (i.e. Informational Accumulation; Account Formation; Market Exchange; Delivery/Receipt) and provides an opportunity to review known law enforcement interventions that have effectively targeted each stage of the script to reduce the use of these online markets. The paper highlights numerous steps that law enforcement could take to effectively reduce the illegal selling and purchasing of drugs on the Dark Web.

Next, Robert Perdue engages in green criminology and focuses on the illegal trade of endangered species. Noting that regulating this trade is a critical, and very difficult, challenge for conservationists and law enforcement agents, Perdue examines the role the Internet plays in critically endangered plant transactions, but instead of focusing on the Dark Web, he investigates eBay to understand the extent to which such trades occur in plain sight. He finds that nearly a third of the critically endangered plant species examined were for sale in some form on eBay. Yet, despite the evidence that there is a high degree of open trading in these species, the complexity of the international legal frameworks regulating these transactions makes it difficult to ascertain their legality. Nevertheless, at least a subset of these sales are probably unlawful.

Finally, J. Mitchell Miller and Holly Ventura Miller provide insight into the computer-facilitated gray market of pseudo-legal marijuana sales in Las Vegas, Nevada. The ethnographic study reveals how various cannabis products are illegally diverted from legal markets to the gray market, and how brokers use the Internet in clever ways to advertise their products and services to a public that is likely unaware that they are engaging in illegal activities by skirting the regulations and tight control of the legal market.

Taken together, these three papers highlight the tremendous difficulties with regulating e-commerce. While the Dark Web provides an environment to conduct illegal transactions with minimal risk, it turns out that the Dark Web may be unnecessary for many illegal cyber-purchases. Given the surface web is convenient, widely available, and scarcely policed, many cybercriminals simply commit their crimes in the open. Using the language of Routine Activity Theory again, the internet—Dark or Surface—is an environment largely devoid of capable guardians.

As a whole, I believe these nine papers speak to the current state and future promise of cybercriminology. Currently, we are building a large body of empirical studies that speak to patterns of victimization and perpetration. With respect to victimization, we have learned a lot about who is likely to be victimized and how the patterns of victimization vary by type of cybercrime. We also have a good understanding of the activities that increase the likelihood of victimization, the emotional and financial costs of being a victim, and how people view victims depending on the setting and type of victimization. The body of evidence supporting a slightly modified version of Routine Activity Theory/Lifestyle-Exposure Theory is increasingly impressive, and the papers by Marttila, Koivula, and Räsänen as well as the article by Marcum and Higgins offer additional support for aspects of this theoretical approach.

Similarly, our understanding of cybercrime perpetration has expanded exponentially in recent years. While finding samples of cybercriminals is always a challenge, the growing body of evidence suggests that the behavior of cybercriminals is largely explained by the same set of factors that can account for the behavior of more traditional criminals. That is, cybercriminals tend to have low levels of self and social control, are largely unsupervised, experience strains, and learn the how, when, and why of their crimes from their associates. The papers in this issue offer additional support for techniques of neutralization, social learning theory, and self-control theory. While there are nuanced differences in how some criminogenic factors play out in the virtual and offline worlds, our existing theories appear to be robust as many of our theories apply to both online and offline criminal behavior. A number of the differences that exist largely relate to the asynchronous nature of many online interactions. The fact that online interactions can occur synchronously as well as asynchronously expands our networks and provides additional opportunities for others beyond our immediate environment to influence us and for us to commit crimes. The full ramifications of these changes in social networks, criminogenic forces, and criminal opportunities are not understood; however, we understand these far better today than we did even just a few years ago.

We also have a far greater understanding of the techniques of committing cybercrimes. We know considerably more about the use of the Dark Web to find and purchase illegal goods and services, and we have learned that the Surface Web plays a significant role in computer-dependent crimes. Moreover, as the article by Miller and Miller highlights, information technology has helped blur the line between legal, pseudo-legal, and illegal behaviors. What work in this area really highlights is how difficult it is to monitor and police the internet. While there is certainly social control exercised on the internet, there are limits to the effectiveness of this control (see Hawdon et al., 2017). Yet, by understanding the patterns of victimization, the underlying causes of perpetration, and the techniques that facilitate cybercrime, we become better armed in designing strategies to prevent it, defend against it, mitigate its adverse effects, and prosecute those who commit it. All of the articles included in this issue further that understanding.

The Special Issue

The process of selecting the articles for this special issue was perhaps unusual but also rather intensive. The process began by me inviting a group of scholars to submit manuscripts for the special issue. I selected these scholars because I knew of their work and was confident they would submit quality papers that covered a wide range of topics in the area of cybercrime. After discussing their planned submissions with the authors to assure there would be good topic coverage, the authors submitted their papers. An anonymous scholar and I reviewed these initial submissions (the anonymous scholar served as a typical double-blind reviewer). Each contributing author also reviewed one or two of the included articles. Authors then revised their work based on the reviewers’ comments and resubmitted the papers. Each contributing author was then asked to read all nine revised papers. Then, the authors and I took advantage of the brief pause in the COVID-19 pandemic and gathered for a two-day workshop in Asheville, North Carolina as part of the Center for Peace Studies and Violence Prevention’s annual research workshop program. The lone exception to this was our Finnish colleagues who were unable to get a special visa to visit the U.S. at that time. These colleagues joined the workshop via Zoom. The authors/workshop participants then discussed and provided feedback on all of the articles. The authors then made final revisions to their papers based on these discussions. Thus, these papers have been through three rounds of revisions. As the editor of the special edition, I am proud of the finished product.

Albanese, J. S. (2005). Fraud: The characteristic crime of the 21st Century. Trends in Organized Crime, 8, 5–16.

Cohen, L. E., & Felson, M. (1979). Social change and crime rate trends: A routine activity approach. American Sociological Review, 44(4), 588–608.

Federal Bureau of Investigation. (2021). 2020 Internet crime report. U.S. Government Printing Office.

Hawdon, J., Costello, C., Ratliff, T., Hall, L., & Middleton, J. (2017). Conflict management styles and cybervictimization: An extension of routine activity theory. Sociological Spectrum, 37(4), 250–266.

Hawdon, J., Parti, K., & Dearden, T. E. (2020). Cybercrime in America amid COVID-19: The initial results from a natural experiment. American Journal of Criminal Justice, 45, 546–562.

Morgan, S. (2020). Cybercrime to cost the World $10.5 Trillion Annually by 2025. Cybercrime Magazine, November 13, 2020.

Reinhart, R. J. (2018). One in four Americans have experienced cybercrime. Gallup Politics.

Roser, M. H. R. & Ortiz-Ospina, E. (2015). "Internet". Published online at Retrieved from: ' ' [Online Resource]

Sykes, G. M., & Matza, D. (1957). Techniques of neutralization: A theory of delinquency. American Sociological Review, 22(6), 664–670.

We Are Social, & DataReportal, & Hootsuite. (2021). Global digital population as of January 2021 (in billions) [Graph]. In Statista. Retrieved September 24, 2021, from


Research trends in cybercrime victimization during 2010–2020: a bibliometric analysis

Research on cybercrime victimization is relatively diversified; however, no bibliometric study has been found that presents a panorama of this subject. The current study aims to address this research gap by performing a bibliometric analysis of 387 Social Science Citation Index articles relevant to cybercrime victimization from the Web of Science database during the period 2010–2020. The purpose of the article is to examine the research trend and distribution of publications by five main fields: time, productive authors, prominent sources, active institutions, and leading countries/regions. Furthermore, this study aims to determine the global collaborations and current gaps in research on cybercrime victimization. Findings indicated a decidedly upward trend of publications in the given period. The USA and its authors and institutions were likely to connect widely and took a crucial position in research on cybercrime victimization. Cyberbullying was identified as the issue of most concern over the years, and cyber interpersonal crimes had a large number of studies compared to cyber-dependent crimes. Future research is suggested to pay more attention to samples of the elderly and to collect data in countries other than European countries or the USA. More cross-national research on continents that are less represented in the research map was recommended. This paper contributed an overview of the scholarly status of cybercrime victimization through statistical evidence and visual findings; assisted researchers in optimizing their own research direction; and supported authors and institutions in building strategies for research collaboration.


To date, the definition of cybercrime has been controversial, and this debate is considered one of the five areas of cyber criminology (Ngo and Jaishankar 2017; Drew 2020). Several terms are used to denote ‘cybercrime’, such as ‘high-tech crime’ (Insa 2007), ‘computer crime’ (Choi 2008; Skinner and Fream 1997), ‘digital crime’ (Gogolin 2010), or ‘virtual crime’ (Brenner 2001). ‘Cybercrime’, however, has been the most popular in public parlance (Wall 2004). One tendency considers crime directly against computers as cybercrime, while another asserts that any crime committed via the internet or related to a computer is cybercrime (Marsh and Melville 2008; Wall 2004). Hence, there is a distinction between ‘true cybercrime’ or ‘high-tech’ cybercrime and ‘low-tech’ cybercrime (Wagen and Pieters 2020). The Council of Europe defines ‘any criminal offense committed against or with the help of a computer network’ as cybercrime (Abdullah and Jahan 2020, p. 90). Despite different approaches, cybercrime generally includes not only new types of crime that emerged after the invention of the computer and the internet (Holt and Bossler 2014; Drew 2020) but also traditional types of crime that take advantage of information communication technology (ICT) as a vehicle for illegal behavior (Luong 2021; Nguyen and Luong 2020; Luong et al. 2019). The two main cybercrime categories identified are, respectively, cyber-dependent crime (hacking, malware, denial of service attacks) and cyber-enabled crime (phishing, identity theft, cyber romance scam, online shopping fraud). Nevertheless, there are several different classifications of cybercrime, such as cybercrime against certain individuals, groups of individuals, computer networks, computer users, critical infrastructures, and virtual entities (Wagen and Pieters 2020), or cyber-trespass, cyber-deceptions, cyber-pornography, and cyber-violence (Wall 2001).

Due to the common prevalence of cybercrime, the increasing threats of cybercrime victimization are obviously serious. Cybercrime victimization has become a crucial research subfield in recent years (Wagen and Pieters 2020). It is difficult to differentiate “forms of online victimization” from “acts that actually constitute a crime”, so it is usual for researchers to focus less on the perspective of criminal law and to consider any negative experiences online as cybercrime (Näsi et al. 2015, p. 2). This was likely to lead to gaps between theory and practice in terms of investigating the nexus of offenders and victims in cyberspace. In the literature, numerous specific aspects of cybercrime victimization were investigated by questionnaire or interview surveys, such as the prevalence of cybercrime victimization (Näsi et al. 2015; Whitty and Buchanan 2012); causes and predictors of cybercrime victimization (Abdullah and Jahan 2020; Algarni et al. 2017; Ilievski 2016; Jahankhani 2013; Kirwan et al. 2018; Näsi et al. 2015; Reyns et al. 2019; Saad et al. 2018); and the relationship between social networking sites (SNS) and cybercrime victimization (Das and Sahoo 2011; Algarni et al. 2017; Benson et al. 2015; Seng et al. 2018). To some extent, therefore, the current study examines cybercrime victimization on a broad scale, referring to any negative experiences in cyberspace or on computer systems. Nevertheless, no bibliometric analysis was found that shows the research trend and general landscape of this domain.

Bibliometrics is a kind of statistical analysis that uses information in a database to provide in-depth insight into the development of a specified area (Leung et al. 2017). The present study aims to address this research gap by providing a bibliometric review of the relevant SSCI articles in the WoS database during the period 2010–2020. The pattern of publications, the productivity of the main elements (authors, journals, institutions, and countries/regions), citation statistics, classification of key terms, research gaps, and other collaborations will be presented and discussed in sections four and five, after reviewing the literature and presenting our methods. This article contributes an overview of research achievements pertaining to cybercrime victimization in the given period through statistical evidence and visual findings; it assists researchers in clearly perceiving the key positions in the research map of this field and in obtaining more suggestions to develop their own research direction.

Literature review

Cybercrime victimization

Cybercrime victimization may exist at two levels: the institutional and the individual level (Näsi et al. 2015). For the former, the victims are governments, institutions, or corporations, whereas for the latter, the victim is a specific individual (Näsi et al. 2015). A wide range of previous studies concerned the individual level of victimization and applied Lifestyle Exposure Theory (LET), Routine Activity Theory (RAT) and the General Theory of Crime to explain cybercrime victimization (Choi 2008; Holt and Bossler 2009; Ngo and Paternoster 2011). Based on these theories, situational and individual factors were supposed to play an important role in understanding cybercrime victimization (Choi 2008; Van Wilsem 2013). However, there was another argument that situational and individual factors did not predict cybercrime victimization (Ngo and Paternoster 2011; Wagen and Pieters 2020). Overall, most of those studies focused on only one distinctive kind of cybercrime, such as computer viruses, malware infection, phishing, cyberbullying, online harassment, online defamation, identity theft, cyberstalking, online sexual solicitation, cyber romance scams or online consumer fraud. As for the results of the prior research, some supported the applicability of the mentioned theories, but others did not share the same viewpoint (Leukfeldt and Yar 2016). It was hard to evaluate the effect of LET or RAT in explaining cybercrime victimization because the nature of the examined cybercrimes differed (Leukfeldt and Holt 2020; Leukfeldt and Yar 2016).

Previous research determined that cybercrime victimization was more common in younger groups than in older groups because the young are the most active online users (Näsi et al. 2015; Oksanen and Keipi 2013), and that males tended to become victims of cybercrime more than females in general (Näsi et al. 2015). However, findings might differ in research that concerned specific types of cybercrime. Women were more likely to be victims of the online romance scam (Whitty and Buchanan 2012) and sexual harassment (Näsi et al. 2015), while men recorded a higher rate of victimization by cyber-violence and defamation. Other demographic factors were also examined, such as living area (Näsi et al. 2015), education (Oksanen and Keipi 2013; Saad et al. 2018) and economic status (Oksanen and Keipi 2013; Saad et al. 2018). Furthermore, several prior studies focus on the association between psychological factors and cybercrime victimization, including awareness and perception (Ariola et al. 2018; Saridakis et al. 2016), personality (Kirwan et al. 2018; Orchard et al. 2014; Parrish et al. 2009), self-control (Ilievski 2016; Ngo and Paternoster 2011; Reyns et al. 2019), fear of cybercrime (Lee et al. 2019), and online behaviors (Al-Nemrat and Benzaïd 2015; Saridakis et al. 2016). Psychological factors were assumed to have effects on cybercrime victimization at distinctive levels.

Another perspective that received much attention from researchers was the relationship between cybercrime victimization and SNS. SNS have been fertile ground for cybercriminals due to the abundance of personal information shared, the lack of guardianship, the availability of communication channels (Seng et al. 2018), and the networked nature of social media (Vishwanath 2015). When users disclosed their personal information, they turned themselves into prey for predators in cyberspace. Seng et al. (2018) conducted research to understand the factors that influence users’ decisions to react to and click on suspicious posts or links on Facebook. The findings indicated that participants’ interactions with shared content on SNS were affected by their relationship with the author of that content; they often ignored the location of shared posts; and several warning signals of suspicious posts went unheeded. Additionally, Vishwanath (2015) indicated factors that led users to fall victim on SNS; Algarni et al. (2017) investigated users’ susceptibility to social engineering victimization on Facebook; and Kirwan et al. (2018) determined risk factors resulting in falling victim to SNS scams.

Bibliometric of cybercrime victimization

“Bibliometric” is a term that was coined by Pritchard in 1969; it denotes a useful method that structures and quantifies bibliometric information to indicate the factors constituting the scientific research within a specific field (Serafin et al. 2019). The bibliometric method relies on some basic types of analysis, namely co-authorship, co-occurrence, citation, co-citation, and bibliographic coupling. This method has been employed in various research domains such as criminology (Alalehto and Persson 2013), criminal law (Jamshed et al. 2020), marketing communication (Kim et al. 2019), social media (Chen et al. 2019; Gan and Wang 2014; Leung et al. 2017; Li et al. 2017; You et al. 2014; Zyoud et al. 2018), communication (Feeley 2008), advertising (Pasadeos 1985), and education (Martí-Parreño et al. 2016).

Also, more and more scholars prefer to use bibliometric analysis on cyberspace-related subjects such as cyber behaviors (Serafin et al. 2019), cybersecurity (Cojocaru and Cojocaru 2019), and cyber parental control (Altarturi et al. 2020). Serafin et al. (2019) accessed the Scopus database to perform a bibliometric analysis of cyber behavior. All documents were published by four journals: Cyberpsychology, Behavior and Social Networking (ISSN: 21522723), Cyberpsychology and Behavior (ISSN: 10949313), Computers in Human Behavior (ISSN: 07475632) and Human–Computer Interaction (ISSN: 07370024), in the period 2000–2018. Findings indicated that the use of Facebook and other social media was the most common topic in research during this period, while psychological matters received less attention (Serafin et al. 2019). Cojocaru and Cojocaru (2019) examined the research status of cybersecurity in the Republic of Moldova, then made a comparison with the status of the Eastern European countries. This study employed bibliometric analysis of publications from three data sources: the National Bibliometric Instrument (a database from the Republic of Moldova), Scopus Elsevier and WoS. The Republic of Moldova had a moderate number of scientific publications on cybersecurity; the Russian Federation, Poland, Romania, the Czech Republic, and Ukraine were the leading countries in the Eastern Europe area (Cojocaru and Cojocaru 2019). Altarturi et al. (2020) were interested in bibliometric analysis of cyber parental control, based on publications between 2000 and 2019 in Scopus and WoS. This research identified some of the most used keywords, including ‘cyberbullying’, ‘bullying’, ‘adolescents’ and ‘adolescence’, showing their crucial position in the domain of cyber parental control (Altarturi et al. 2020). ‘Cyber victimization’ and ‘victimization’ were also mentioned as common keywords by Altarturi et al. (2020). Prior research focused heavily on how to protect children from cyberbullying. Besides, four online threats for children were determined: content, contact, conduct and commercial threats (Altarturi et al. 2020).

Generally, several bibliometric analyses of cyber-related issues have been published, but there remains a lack of bibliometric research targeting cybercrime victimization. Thus, the present study attempts to fill this gap, reviewing the achievements of existing publications as well as updating the research trend in this field.

In detail, our current study aims to address four research questions (RQs):

RQ1: What is the overall distribution of publications on cybercrime victimization by year, institutions and countries, sources, and authors?

RQ2: Which are the most cited publications on cybercrime victimization?

RQ3: Which are the top co-authorships among authors, institutions, and countries in cybercrime victimization research?

RQ4: What are the top keywords, co-occurrences and research gaps in the field of cybercrime victimization?

Data collection procedure

Currently, among the specific approaches in the fields of cybercrime, WoS is “one of the largest and comprehensive bibliographic data covering multidisciplinary areas” (Zyoud et al. 2018, p. 2). This paper retrieved data from the SSCI by searching the WoS database for publications on cybercrime victimization, in order to examine the growth of publications; top keywords; popular topics; research gaps; and the most influential authors, institutions, countries, and journals in the academic community.

This paper employed the Preferred Reporting Items for Systematic Reviews and Meta-Analyses (PRISMA) for the data collection procedure. For the timeline, we searched WoS between 2010 and 2020 for two main reasons. First, because the 2009 PRISMA Statement had by then been officially updated with specific guidelines and stable techniques, we considered 2010 a timely starting point. Second, although WoS already holds several publications from early 2021, articles for that year will continue to be added until the end of the year. We therefore searched only until the end of 2020 to ensure complete records.

To identify publications on cybercrime victimization, the study accessed WoS and, after testing a number of terminology-related topics, used two search keywords: ‘cybercrime victimization’ or ‘cyber victimization’. The paper also tried combinations of many other search terms besides the two selected ones, such as “online victimization”, “victim of cybercrime”, “phishing victimization”, “online romance victimization”, “cyberstalking victim”, “interpersonal cybercrime victimization”, or “sexting victimization”; the results, however, were not really appropriate. Many of the papers returned did not contain the search keywords in their titles, abstracts or keywords and were not relevant to the study topic. After searching with many different terms and comparing the results, the current study selected the two search terms that returned the most appropriate articles. The query returned 962 documents. Based on the result of this preliminary search, the retrieved publications were refined automatically on WoS by the criteria of timespan, document types, language, research areas, and WoS Index, as presented in Table 1. These automatic filter criteria are basic attributes of an article that are clearly classified in the WoS system, so the results reached high accuracy. The refined result is 473 articles.

Table 1. Criteria for automatic filter

After the automatic filters, the data file was converted to Microsoft Excel 2016 for screening. The present study examined the titles and abstracts of the 473 articles to assess the eligibility of each publication according to its relevance to the given topic. In total, 387 articles were eligible, while 86 irrelevant publications were excluded.

Data analysis

Prior to data analysis, the raw data were cleaned in Microsoft Excel 2016. Different forms of the same author’s name were corrected for consistency, for example “Zhou, Zong-Kui” and “Zhou Zongkui”, “Van Cleemput, Katrien” and “Van Cleemput, K.”, “Williams, Matthew L.” and “Williams, Matthew”. Similarly, different keywords (single/plural or synonyms) used for the same concept were identified and standardized such as “victimization” and “victimisation”; “adolescent” and “adolescents”; “cyber bullying”, “cyber-bullying” and “cyberbullying”; “routine activity theory” and “routine activities theory”.

The data were processed with Microsoft Excel 2016 and VOS Viewer version 1.6.16 and then analyzed in three main respects. First, descriptive statistics provided evidence for the yearly distribution and growth trend of publications, frequency counts of citations, the influential authors, the predominant journals, the top institutions and countries/territories, and the most-cited publications. Second, co-authorship and co-occurrence analyses were constructed and visualized in VOS Viewer version 1.6.16 to explore the collaboration networks. Finally, the current study also investigated research topics through content analysis of keywords. The authors’ keywords were classified into 15 themes: #1 cybercrime; #2 sample and demographic factors; #3 location; #4 theory; #5 methodology; #6 technology, platforms and related others; #7 psychology and mental health; #8 physical health; #9 family; #10 school; #11 society; #12 crimes and deviant behaviors; #13 victim; #14 prevention and intervention; and #15 others. In addition, the study added other keywords from titles and abstracts based on these themes, and then indicated the aspects examined in previous research.

In this section, all findings corresponding to the four research questions identified at the outset of this study are presented (Fig. 1).

Fig. 1. PRISMA diagram depicting data collection from the WoS database

Distribution of publication

Distribution by year, institutions and countries.

Based on the retrieved data, the number of articles relevant to cybercrime victimization in the SSCI list showed an increasing trend during 2010–2020, with slight fluctuations from year to year, as shown in Fig. 2. The total number of articles over this time was 387, broken into two sub-periods: 2010–2014 and 2015–2020. The latter period clearly accounted for the larger share of articles (79.33%) compared with the earlier period (20.67%). The yearly number of publications on this research subject was fewer than forty before 2015. Research on cybercrime victimization reached a noticeable development in 2016 with over fifty publications, maintained a large number of publications in the following years, and peaked at 60 items in 2018.

Fig. 2. Annual distribution of publications

Distribution by institutions and countries

Table 2 shows the top contributing institutions by number of publications related to cybercrime victimization. Of the top institutions, four universities were from the USA, two were from Spain, two were from Australia and the rest were from the Czech Republic, Belgium, Greece, and Austria. Specifically, Masaryk University (17 documents) was the most productive publishing institution, closely followed by Michigan State University (16 documents). The third and fourth places went to the University of Antwerp (13 documents) and Weber State University (10 documents). Accordingly, institutions from the USA and Europe made up the vast majority.

Table 2. Top contributing institutions based on total publications

TP: total publications; TC: total citations for the publications reviewed; AC: average citations per document

In Table 2, the University of Seville (total citations: 495, average citations: 70.71) ranked first and the University of Cordoba (total citations: 484, average citations: 60.50) ranked second in both total citations and average citations.

Regarding the distribution of publications by country, 45 countries in the database contributed to the literature on cybercrime victimization. The USA recorded the highest number of papers (159 documents), far ahead of the other countries, as illustrated in Fig. 3. Among the top productive countries, eight European countries achieved a total of 173 publications: England (39 documents), Spain (34 documents), Germany (22 documents), the Netherlands (18 documents), Italy (17 documents), the Czech Republic (17 documents), Belgium (14 documents) and Greece (12 documents). Australia ranked fourth (32 documents), followed by Canada (30 documents). The one Asian country, China (18 documents), came in seventh place, level with the Netherlands.

Fig. 3. Top productive countries based on the number of publications

Distribution by sources

Table 3 lists the leading journals by number of publications relevant to cybercrime victimization. The first-ranked journal, Computers in Human Behavior, had 56 publications, more than twice as many as the second-ranked journal, Cyberpsychology, Behavior and Social Networking (24 articles). Most of these journals have a long publishing history, having started publication before 2000. Only three journals were launched after 2000: Journal of School Violence (2002), Cyberpsychology: Journal of Psychosocial Research on Cyberspace (2007) and Frontiers in Psychology (2010). It is also notable that one third of the top journals focus on youth-related issues: Journal of Youth and Adolescence, Journal of Adolescence, School Psychology International and Journal of School Violence.

Table 3. Top leading journals based on the quantity of publications

SPY: started publication year

In Table 3, in terms of total citations, Computers in Human Behavior kept the first position with 2055 citations. Journal of Youth and Adolescence ranked second with a total of 1285 citations, followed by Aggressive Behavior with 661 citations. In terms of average citations per document, an article in Journal of Youth and Adolescence was cited 67.63 times on average, much higher than the average for one in Computers in Human Behavior (36.70 times). The other journals with a high number of average citations per document were School Psychology International (59.00 times), Journal of Adolescence (44.83 times) and Aggressive Behavior (44.07 times).

Distribution by authors

Table 4 displays ten productive authors by article count; each author’s total citations and average citations per document are also included. Michelle F. Wright from Pennsylvania State University ranked first with twenty publications, twice as many as the authors in second position, Thomas J. Holt (10 articles) from Michigan State University and Bradford W. Reyns (10 articles) from Weber State University. Rosario Ortega-Ruiz from the University of Cordoba was in third place in terms of total publications but first in total citations (483 citations) and average citations (60.38 times).

Table 4. Top productive authors based on article count

Of the most productive authors by total publications, three were from universities in the USA and one was from a university in Canada (Brett Holfeld); the others were from institutions in Europe, including Spain (Rosario Ortega-Ruiz), Greece (Constantinos M. Kokkinos), Belgium (Heidi Vandebosch), the Netherlands (Rutger Leukfeldt) and Austria (Takuya Yanagida and Christiane Spiel).

Most-cited publications

The most-cited literature items are displayed in Table 5. The article with the highest number of citations was ‘Psychological, Physical, and Academic Correlates of Cyberbullying and Traditional Bullying’ (442 citations) by Robin M. Kowalski et al., published in Journal of Adolescent Health in 2013. Seven of the ten most-cited articles were about cyberbullying; they focused on the youth population, made comparisons between cyberbullying and traditional bullying, analyzed the impact of several factors such as psychological, physical and academic factors or use of the Internet, and discussed prevention strategies. The other publications studied victimization by cyberstalking and cyber dating abuse. All of the most-cited articles were from 2015 or earlier.

Table 5. The most-cited publications on the subject of cybercrime victimization during 2010–2020

Of the top productive authors, only Bradford W. Reyns had an article in the group of most-cited publications. His article ‘Being Pursued Online: Applying Cyberlifestyle-Routine Activities Theory to Cyberstalking Victimization’ (2011) was cited 172 times.

Co-authorship analysis

“Scientific collaboration is a complex social phenomenon in research” (Glänzel and Schubert 2006, p. 257) and is an increasing trend at the individual, institutional and national levels. In bibliometric analysis, it is common to assess the productivity and international collaboration of research and to identify key leading researchers, institutions, or countries (E Fonseca et al. 2016) as well as potential collaborators in a specific scientific area (Romero and Portillo-Salido 2019) by means of co-authorship analysis, which constructs networks of authors and countries (Eck and Waltman 2020).

This section analyses international collaboration in cybercrime victimization research among authors, institutions, and countries during 2010–2020 through visualization in the VOS Viewer software.

Collaboration between authors

The threshold chosen for this analysis was a minimum of three documents per author, which left 80 authors in the final results. Figure 4 illustrates the relationships between the 80 scientists who studied cybercrime victimization during 2010–2020. It shows several large groups of researchers (Wright’s group, Vandebosch’s group, or Holt’s group), while numerous authors had limited or no connections to others (Sheri Bauman, Michelle K. Demaray or Jennifer D. Shapka).

Fig. 4. Collaboration among authors via network visualization (threshold three articles for an author, displayed 80 authors)

Figure 5 displays in detail a significant network of 23 authors who were active in collaboration. The items displayed in Fig. 5 are divided into five clusters coded with distinct colors: red, green, blue, yellow, and purple. Each author item is represented by a label and a circle; the size of the label and circle depends on the weight of the item, measured by total publications (Eck and Waltman 2020). The thickness of the lines depends on the strength of collaboration (Eck and Waltman 2020).

Fig. 5. Collaboration among authors via network visualization (threshold three articles for an author, displayed 23 authors)

The most significant cluster was the red one, which comprised six researchers: Michelle F. Wright, Sebastian Wachs, Yan Li, Anke Gorzig, Manuel Gamez-Guadix and Esther Calvete. The notable author in the red cluster was Michelle F. Wright, whose total link strength is 24. She had the strongest links with Sebastian Wachs, was closely linked with Yan Li, Anke Gorzig and Manuel Gamez-Guadix, and collaborated with authors of the yellow cluster, including Shanmukh V. Kamble, Li Lei, Hana Machackova and Shruti Soudi, as well as Takuya Yanagida of the blue cluster. Michelle F. Wright, who had the largest number of published articles by the criteria of this study, made various connections with other scholars from many different institutions around the world. This is also an effective way to achieve more publications.

Takuya Yanagida was the biggest node in the blue cluster, which included Petra Gradinger, Daniel Graf, Christiane Spiel and Dagmar Strohmeier. Takuya Yanagida had a total link strength of 28 and twelve connections. Takuya Yanagida’s research collaboration is clearly very active. The other research groups showed limited collaboration compared with the red and blue ones.

Collaboration between institutions

The connections among the 156 institutions that each published at least two documents are shown in Fig. 6. Interestingly, there are obvious connections among several distinct clusters, coded in light steel blue, orange, purple, steel blue, green, red, yellow, light red, dark turquoise, light blue, brown and light green. These clusters formed a large chain of connected institutions in the center of the figure, while other smaller clusters or unlinked bubbles (gray) were distributed on the two sides. The biggest chain consisted of most of the productive institutions, such as Masaryk University, Michigan State University, University of Antwerp, Weber State University, University of Cordoba, Edith Cowan University, University of Cincinnati, University of Victoria, University of Vienna, and University of Seville.

Fig. 6. Collaboration among institutions via network visualization (threshold two articles for an institution, 156 institutions were displayed)

The light steel blue and orange clusters presented connections among organizations from Australia. The light green cluster included institutions from the Netherlands, while the turquoise and light blue clusters consisted of institutions from the USA. The yellow cluster was notable for the various collaborations among institutions from China and the Hong Kong Special Administrative Region (Renmin University of China and South China Normal University, University of Hong Kong, the Hong Kong Polytechnic University and the Chinese University of Hong Kong), the USA (University of Virginia), Cyprus (Eastern Mediterranean University), Japan (Shizuoka University), India (Karnataka University) and Austria (University Applied Sciences Upper Austria). Central China Normal University is another Chinese institution that appeared in Fig. 5, linking with the Ministry of Education of the People’s Republic of China and with SUNY Stony Brook and the University of Memphis from the USA.

Masaryk University and Michigan State University demonstrated their productivity in both the quantity of publications and the collaboration network. They were active in research collaboration, reaching twelve and eleven links, respectively, with different institutions, but focused largely on networking with institutions in the USA and Europe.

Collaboration between countries

The collaboration among the 45 countries that published at least one SSCI document on cybercrime victimization during the given period was examined in VOS Viewer, but only 42 items were displayed in the overlay visualization. Figure 7 depicts the international collaborations among the significant countries. The USA is the biggest bubble because it has the largest number of documents, and it shows connections with 26 countries/regions in Europe, Asia, Australia and the Middle East. Apart from European countries, England collaborates with the USA, Australia, South Korea, Japan, Thailand, Singapore, Sri Lanka, and Colombia. Spain and Germany focus almost entirely on research networks within Europe. China has its strongest tie with the USA and also links with Australia, Germany, the Czech Republic, Austria, Cyprus, Turkey, Japan, India and Vietnam.

Fig. 7. Collaboration among countries via overlay visualization

The color bar in Fig. 7 is determined by the average publication year of each country, and the color of each circle is based on it. It is unsurprising that the USA, Australia, England and Spain show considerable research experience in this field and steadily maintain a large number of publications. Interestingly, although the average publication year of South Korea and Cyprus was earlier than that of other countries (purple), their numbers of documents were moderate. The new nodes (yellow circles) in the map included Vietnam, Norway, Pakistan, Ireland, Scotland and Switzerland.

Keywords and co-occurrence

The present paper examined the related themes and content of cybercrime victimization research during 2010–2020 by collecting author keywords and adding several keywords from titles and abstracts. In addition, this study conducted a co-occurrence analysis of author keywords to show the relationships among them.

The keywords were collected and categorized into 15 themes in Table 6, including cybercrime; sample and demographic factors; location; theory; methodology; technology, platform, and related others; psychology and mental health; physical health; family; school; society; crimes and other deviant behaviors; victim; prevention and intervention; and others.

Table 6. Statistics of keywords by theme

Most of these keywords were author keywords; a few selected keywords from the titles and abstracts were added by the author of the current study

Within the theme of cybercrime, there were numerous types of cybercrime, such as cyberbullying, cyber aggression, cyberstalking, cyber harassment, sextortion and other cyber dating crimes, cyber fraud, identity theft, phishing, hacking, malware, or ransomware. In general, interpersonal cybercrimes or cyber-enabled crimes appeared much more frequently than cyber-dependent crimes. Cyberbullying was the most common cybercrime in the research.

Regarding sample and demographic factors, samples consisted of children, adolescents, adults, and the elderly, divided into more detailed levels in each study; adolescents, however, were the most significant sample. In addition, the demographic factor of gender received notable attention from scholars.

Most of the research was carried out in a single country, most commonly the USA, Spain, Germany, England, Australia, Canada or the Netherlands, although studies from newer countries such as Chile, Vietnam, Thailand or Singapore were sometimes published. Some studies used data collected from a group of countries, such as two countries (Canada and the United States), three countries (Israel, Lithuania, Luxembourg), four countries (the USA, the UK, Germany, and Finland), or six European countries (Spain, Germany, Italy, Poland, the United Kingdom and Greece).

A wide range of theories was applied in this research, mainly criminological and psychological theories such as Routine Activities Theory, Lifestyle-Routine Activities Theory, General Strain Theory, the Theory of Reasoned Action or Self-control Theory.

Table 6 indicates many different research methods covering various perspectives on cybercrime victimization: systematic review, questionnaire survey, interview, experiment, mixed methods, longitudinal study, or cross-national research; many kinds of analysis, such as meta-analysis, social network analysis, latent class analysis and confirmatory factor analysis; and a wide range of measurement scales appropriate for each variable.

The topic of cybercrime victimization was connected with several main aspects: technology (information and communication technologies, internet, social media or technology-related activities), psychology (self-esteem, fear, attitude, personality, psychological problems, empathy, perceptions or emotion), physical health, family (parents), school (peers, school climate), society (norms, culture, social bonds), victim, other crimes (violence, substance use), and prevention and intervention.

Co-occurrence analysis was performed on the keywords suggested by authors, with a minimum of seven occurrences per word. The result showed 36 frequent keywords grouped into five clusters, as illustrated in Fig. 8.

Fig. 8. Co-occurrence between author keywords via network visualization (the minimum number of occurrences per word is seven, 36 keywords were displayed)
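The keyword standardization described under Data analysis and the thresholded co-occurrence count described above can be reproduced with a few lines of Python. This is an added example, not code or data from the study: the function names, the choice of which spelling is canonical, the full-counting rule for link weights and the six sample records are assumptions, and the sample uses a threshold of two where the study used seven.

```python
from collections import Counter
from itertools import combinations

# Variant -> canonical form. The pairs are the ones the text lists; which
# spelling counts as canonical is an assumption of this example.
KEYWORD_CANON = {
    "victimisation": "victimization",
    "adolescents": "adolescent",
    "cyber bullying": "cyberbullying",
    "cyber-bullying": "cyberbullying",
    "routine activity theory": "routine activities theory",
}


def normalize_keyword(raw):
    """Lower-case, collapse whitespace, then map known variants to one form."""
    key = " ".join(raw.lower().split())
    return KEYWORD_CANON.get(key, key)


def article_keywords(field):
    """Split a ';'-separated author-keyword field into a set of canonical terms."""
    return {normalize_keyword(k) for k in field.split(";") if k.strip()}


def cooccurrence(records, min_occurrences):
    """Return (occurrences, links, total_link_strength) for retained keywords.

    occurrences: number of articles that use each retained keyword
    links: number of articles in which both keywords of a pair appear
    total_link_strength: sum of the link weights attached to a keyword
    """
    per_article = [article_keywords(r) for r in records]
    counts = Counter(k for kws in per_article for k in kws)
    # Keywords below the threshold are dropped before links are counted.
    kept = {k for k, n in counts.items() if n >= min_occurrences}

    links = Counter()
    for kws in per_article:
        for a, b in combinations(sorted(kws & kept), 2):
            links[(a, b)] += 1

    strength = Counter()
    for (a, b), weight in links.items():
        strength[a] += weight
        strength[b] += weight
    occurrences = {k: counts[k] for k in kept}
    return occurrences, dict(links), dict(strength)


# Constructed sample: six invented author-keyword fields, not data from the study.
SAMPLE_RECORDS = [
    "Cyber bullying; adolescents; victimisation",
    "cyberbullying; Adolescent; depression",
    "cyber-bullying; bullying; adolescents",
    "cybercrime; routine activity theory; victimization",
    "Cybercrime; Routine Activities Theory; hacking",
    "cyberbullying;  victimization ; self-esteem",
]

if __name__ == "__main__":
    occ, links, strength = cooccurrence(SAMPLE_RECORDS, min_occurrences=2)
    for kw in sorted(occ, key=lambda k: (-occ[k], k)):
        print(f"{kw:28s} occurrences={occ[kw]} link_strength={strength.get(kw, 0)}")
    for pair, weight in sorted(links.items(), key=lambda kv: (-kv[1], kv[0])):
        print(pair, weight)
```

Without the normalization step, the three spellings of ‘cyberbullying’ in the sample would each fall below the threshold and disappear from the map.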

Figure 8 illustrates the main issues of concern in the subject of cybercrime victimization, as well as the relationships among them. The fifteen most frequent keywords were represented by big bubbles: ‘cyberbullying’ (174 times), ‘cyber victimization’ (90 times), ‘adolescent’ (79 times), ‘bullying’ (66 times), ‘victimization’ (56 times), ‘cybercrime’ (40 times), ‘cyber aggression’ (37 times), ‘depression’ (23 times), ‘aggression’ (14 times), ‘routine activities theory’ (13 times), ‘cyberstalking’ (11 times), ‘gender’ (11 times), ‘longitudinal’ (10 times), ‘peer victimization’ (10 times) and ‘self-esteem’ (10 times).

‘Cyberbullying’ was linked with many other keywords, demonstrating the various perspectives in research on this topic. The thick lines linking ‘cyberbullying’ with ‘bullying’, ‘adolescent’, ‘cyber victimization’ and ‘victimization’ showed the strong connections between them; there were also close relationships between ‘cyberbullying’ and ‘cyber aggression’, ‘bystander’, ‘self-esteem’ or ‘moral disengagement’.

‘Cybercrime’ had strong links with ‘victimization’ and ‘routine activities theory’. In Fig. 8, the types of cybercrime which occurred at least seven times were: cyberbullying, cyber aggression, hacking, cyberstalking, and cyber dating abuse.

The increasing trend over the years reveals the scholarly community’s growing concern with this field, especially amid the boom in information technology and communication devices and the upward trend in research on cyberspace-related issues (Altarturi et al. 2020; Leung et al. 2017; Serafin et al. 2019). It predicts growth in cybercrime victimization research in the future.

Psychology was the more popular research area in the database, ahead of criminology and penology. As part of the ‘human factors of cybercrime’, human decision-making based on psychological perspectives is a hot topic in cyber criminology (Leukfeldt and Holt 2020). Accordingly, journals in the psychology field were more prevalent among the top productive sources. In addition, Computers in Human Behavior ranked first in total publications, but Journal of Youth and Adolescence ranked higher in average citations per document. In general, the top ten journals with the highest number of publications on cybercrime victimization are highly regarded ones with at least 10 years in the publishing industry.

The USA demonstrated its leading position in the studied domain in terms of total publications as well as its varied collaborations with other countries. The number of publications from the USA was much higher than that of the second and third countries, England and Spain. This is not difficult to explain, given the impressive productivity of institutions and authors from the USA. A third of the top twelve productive institutions were from the USA. The three leading positions among the top ten productive authors by document count were held by authors from US institutions: first was Michelle F. Wright, followed by Thomas J. Holt and Bradford W. Reyns.

Furthermore, these authors also participated in significant research groups and became important nodes in those clusters. The most noticeable author in the co-authorship network was Michelle F. Wright. US institutions also had strong links in the research network. The USA appeared open to collaboration with numerous countries on different continents. It was assessed to be a crucial partner for others in the international co-publication network (Glänzel and Schubert 2006).

In contrast to the USA, most European countries preferred developing research networks within Europe and had limited collaboration with other areas. Australia, the USA and Japan were among the small group of countries that had connections with European ones. Nevertheless, European countries still made great contributions to cybercrime victimization research and maintained stable links in international collaboration. The prominent authors from Europe are Rosario Ortega-Ruiz, Constantinos M. Kokkinos or Rutger Leukfeldt.

Clearly, the limited number of publications from Asia, the Middle East, Africa, or other areas resulted in an incomplete picture of the studied subject. For example, in Southeast Asia, Malaysia and Vietnam lacked leading authors with empirical studies to review and examine the nature of cybercrimes, even though they are facing practical challenges and potential threats in cyberspace (Lusthaus 2020a, b). The present study indicated that Vietnam, Ireland, or Norway were new nodes and links in the research network.

Several nations with a small number of publications, such as Vietnam, Thailand, Sri Lanka, or Chile, have started their journey of international publication. Undeniably, globalization and the context of the global village (McLuhan 1992) require more understanding of all nations and areas. Conversely, each country or area also wishes to engage in international publication. New nodes and clusters are therefore expected to increase and expand.

The findings indicated that cyberbullying was the most popular topic in cybercrime victimization research over the given period. Over half of the most-cited publications focused on cyberbullying. Additionally, ‘cyberbullying’ was the most frequent author keyword, co-occurring widely with distinct keywords such as ‘victimization’, ‘adolescents’, ‘bullying’, ‘social media’, ‘internet’, ‘peer victimization’ or ‘anxiety’.

Reviewing the keywords revealed several research gaps. Research samples lacked populations of children and the elderly, while adolescents and youth were the frequent samples of numerous studies. Although young people are the most active in cyberspace, it is still necessary to understand other populations. While the elderly were assumed to use information and communication technologies to improve their quality of life (Tsai et al. 2015), their vulnerability to the risk of cybercrime victimization did not decrease. Older women were the most vulnerable to phishing attacks (Lin et al. 2019; Oliveira et al. 2017). Similarly, the population of children, with its distinctive attributes, has become a suitable target for cybercriminals, particularly given the increase in online learning due to the Covid-19 pandemic. These practical gaps should be prioritized in future research aimed at finding suitable solutions. In addition, the vast majority of research was conducted within the scope of one country; some studies collected cross-national data, but the number of such studies was moderate and they focused largely on developed countries. There is room for studies covering several countries in Southeast Asia or South Africa.

Furthermore, although victims may be both individuals and organizations, most research concentrated much more on individuals than on organizations or companies. Wagen and Pieters (2020) indicated that victims include both humans and non-humans. They conducted research covering cases of ransomware victimization, botnet victimization and high-tech virtual theft victimization, applying Actor-Network Theory to provide a new perspective that did not focus on individual victims. The number of studies of this kind, however, was very limited. Additionally, while cyberbullying and cyber aggression accounted for an outstanding quantity of research, other types of cybercrime, especially e-whoring or social media-related cybercrime, should be studied more in the future.

Another interesting topic is the impact of family on cybercrime victimization. Reviewing the keywords makes clear that previous studies focused on samples of adolescents; hence, many keywords relate to parents, such as ‘parent-adolescent communication’, ‘parent-adolescent information sharing’, ‘parental mediation’, ‘parental monitoring of cyber behavior’ and ‘parental style’. As mentioned above, more research is needed on samples of the elderly; it is then also essential to find out how family members affect the elderly’s cybercrime victimization.

Dealing with the problems of cybercrime victimization is a big challenge because the forms of cybercrime change daily (Näsi et al. 2015). Numerous researchers are working to understand this phenomenon from various angles. The current bibliometric study assessed the scholarly status of cybercrime victimization research during 2010–2020 by retrieving SSCI articles from the WoS database. No previous study has applied the bibliometric method to the examined subject. Hence, this paper is the first to contribute statistical evidence and visualized findings to the literature on cybercrime victimization.

Statistical description was applied to measure the productive authors, institutions, countries/regions, sources, and most-cited documents, mainly based on publication and citation counts. International collaborations among authors, institutions, and countries were assessed by co-authorship, while the network of author keywords was created by co-occurrence analysis. The overall scholarly status of cybercrime victimization research was drawn clearly and objectively. The research trends, popular issues and current gaps were reviewed, providing numerous suggestions for policymakers, scholars, and practitioners concerned with cyber-related victimization (Pickering and Byrne 2014). Accordingly, the paper indicated the most prevalent authors and most-cited papers, summarized the contributions of previous research, and identified research gaps. First, this article supports PhD candidates and early-career researchers concerned with cybercrime victimization. Identifying the leading authors, notable journals, influential articles, and gaps related to a specific research topic is an important and useful task for new researchers starting their academic journey. Although this information is relatively simple, finding it takes time and is not easy for newcomers, especially those in poor or developing areas with limited conditions and opportunities to access international academic sources. Thus, the findings of the current paper provide them with basic but necessary answers for taking the first step in research. Secondly, by indicating research gaps in relation to samples, narrow topics or country scope, the paper suggests that future studies fill them to complete the field of cybercrime victimization, especially calling for publications from countries that have had a modest position on the global research map. Science requires balance and diversity, not just a focus on a few developed countries or areas.
Finally, the present study assists researchers and institutions in determining strategies and potential partners for developing research collaborations. This not only improves publication productivity but also creates an open and dynamic environment for the development of the academic field.

Despite the contributions mentioned, this study still has unavoidable limitations. The present paper focused only on SSCI articles from the WoS database during 2010–2020. It did not cover other well-known databases such as Scopus, ScienceDirect, or Springer; other types of documents; the whole time span; or articles in languages other than English. Hence, it may not cover all the data on the examined subject. Moreover, this bibliometric study performed only co-authorship and co-occurrence analysis. The remaining analyses, such as citation, co-citation and bibliographic coupling, have not been conducted. Future research is recommended to perform these kinds of assessment to fill this gap. To visualize the collaboration among authors, institutions, and countries, and the network of keywords, this study used VOSviewer software and saved the screenshots as illustrations. Therefore, not all items were displayed in the screenshot figures.

Data availability


The authors declare that they have no competing interest.

1 In ‘Commemorating a decade in existence of the International Journal of Cyber Criminology’, Ngo and Jaishankar (2017) called for further research focusing on five main areas in cyber criminology, including (1) defining and classifying cybercrime, (2) assessing the prevalence, nature, and trends of cybercrime, (3) advancing the field of cyber criminology, (4) documenting best practices in combating and preventing cybercrime, and (5) cybercrime and privacy issues.

Contributor Information

Huong Thi Ngoc Ho

Hai Thanh Luong

  • Abdullah ATM, Jahan I. Causes of cybercrime victimization: a systematic literature review. Int J Res Rev. 2020;7(5):89–98.
  • Al-Nemrat A, Benzaïd C (2015) Cybercrime profiling: Decision-tree induction, examining perceptions of internet risk and cybercrime victimisation. In: Proceedings—14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2015, vol 1, pp 1380–1385. doi: 10.1109/Trustcom.2015.534
  • Alalehto TI, Persson O. The Sutherland tradition in criminology: a bibliometric story. Crim Justice Stud. 2013;26(1):1–18. doi: 10.1080/1478601X.2012.706753.
  • Algarni A, Xu Y, Chan T. An empirical study on the susceptibility to social engineering in social networking sites: the case of Facebook. Eur J Inf Syst. 2017;26(6):661–687. doi: 10.1057/s41303-017-0057-y.
  • Altarturi HHM, Saadoon M, Anuar NB. Cyber parental control: a bibliometric study. Child Youth Serv Rev. 2020. doi: 10.1016/j.childyouth.2020.105134.
  • Ariola B, Laure ERF, Perol ML, Talines PJ. Cybercrime awareness and perception among Students of Saint Michael College of Caraga. SMCC Higher Educ Res J. 2018;1(1):1. doi: 10.18868/cje.01.060119.03.
  • Benson V, Saridakis G, Tennakoon H. Purpose of social networking use and victimisation: are there any differences between university students and those not in HE? Comput Hum Behav. 2015;51:867–872. doi: 10.1016/j.chb.2014.11.034.
  • Brenner SW. Is there such a thing as “rough”? Calif Crim Law Rev. 2001;4(1):348–349. doi: 10.3109/09637487909143344.
  • Chen X, Wang S, Tang Y, Hao T. A bibliometric analysis of event detection in social media. Online Inf Rev. 2019;43(1):29–52. doi: 10.1108/OIR-03-2018-0068.
  • Choi K. Computer Crime Victimization and Integrated Theory: an empirical assessment. Int J Cyber Criminol. 2008;2(1):308–333.
  • Cojocaru I, Cojocaru I (2019) A bibliomentric analysis of cybersecurity research papers in Eastern Europe: case study from the Republic of Moldova. In: Central and Eastern European E|Dem and E|Gov Days, pp 151–161
  • Das B, Sahoo JS. Social networking sites—a critical analysis of its impact on personal and social life. Int J Bus Soc Sci. 2011;2(14):222–228.
  • Drew JM. A study of cybercrime victimisation and prevention: exploring the use of online crime prevention behaviours and strategies. J Criminol Res Policy Pract. 2020;6(1):17–33. doi: 10.1108/JCRPP-12-2019-0070.
  • E Fonseca B, Sampaio, de Araújo Fonseca MV, Zicker F (2016). Co-authorship network analysis in health research: method and potential use. Health Res Policy Syst 14(1):1–10. doi: 10.1186/s12961-016-0104-5
  • Feeley TH. A bibliometric analysis of communication journals from 2002 to 2005. Hum Commun Res. 2008;34:505–520. doi: 10.1111/j.1468-2958.2008.00330.x.
  • Gan C, Wang W. A bibliometric analysis of social media research from the perspective of library and information science. IFIP Adv Inf Commun Technol. 2014;445:23–32. doi: 10.1007/978-3-662-45526-5_3.
  • Glänzel W, Schubert A. Analysing scientific networks through co-authorship. Handb Quant Sci Technol Res. 2006. doi: 10.1007/1-4020-2755-9_12.
  • Gogolin G. The digital crime tsunami. Digit Investig. 2010;7(1–2):3–8. doi: 10.1016/j.diin.2010.07.001.
  • Holt TJ, Bossler AM. Examining the applicability of lifestyle-routine activities theory for cybercrime victimization. Deviant Behav. 2009;30(1):1–25. doi: 10.1080/01639620701876577.
  • Holt TJ, Bossler AM. An assessment of the current state of cybercrime scholarship. Deviant Behav. 2014;35(1):20–40. doi: 10.1080/01639625.2013.822209.
  • Ilievski A. An explanation of the cybercrime victimisation: self-control and lifestile/routine activity theory. Innov Issues Approaches Soc Sci. 2016;9(1):30–47. doi: 10.12959/issn.1855-0541.iiass-2016-no1-art02.
  • Insa F. The Admissibility of Electronic Evidence in Court (A.E.E.C.): Fighting against high-tech crime—results of a European study. J Digital Forensic Pract. 2007;1(4):285–289. doi: 10.1080/15567280701418049.
  • Jahankhani H. Developing a model to reduce and/or prevent cybercrime victimization among the user individuals. Strategic Intell Manag. 2013. doi: 10.1016/b978-0-12-407191-9.00021-1.
  • Jamshed J, Naeem S, Ahmad K (2020) Analysis of Criminal Law Literature: a bibliometric study from 2010–2019. Library Philos Pract
  • Kim J, Kang S, Lee KH (2019) Evolution of digital marketing communication: Bibliometric analysis and networs visualization from key articles. J Bus Res
  • Kirwan GH, Fullwood C, Rooney B. Risk factors for social networking site scam victimization among Malaysian students. Cyberpsychol Behav Soc Netw. 2018;21(2):123–128. doi: 10.1089/cyber.2016.0714.
  • Lee S-S, Choi KS, Choi S, Englander E. A test of structural model for fear of crime in social networking sites. Int J Cybersecur Intell Cybercrime. 2019;2(2):5–22. doi: 10.52306/02020219SVZL9707.
  • Leukfeldt R, Holt T, editors. The human factor of cybercrime. New York: Routledge; 2020.
  • Leukfeldt ER, Yar M. Applying routine activity theory to cybercrime: a theoretical and empirical analysis. Deviant Behav. 2016;37(3):263–280. doi: 10.1080/01639625.2015.1012409.
  • Leung XY, Sun J, Bai B. Bibliometrics of social media research: a co-citation and co-word analysis. Int J Hosp Manag. 2017;66:35–45. doi: 10.1016/j.ijhm.2017.06.012.
  • Li Q, Wei W, Xiong N, Feng D, Ye X, Jiang Y. Social media research, human behavior, and sustainable society. Sustainability. 2017;9(3):384. doi: 10.3390/su9030384.
  • Lin T, Capecci DE, Ellis DM, Rocha HA, Dommaraju S, Oliveira DS, Ebner NC. Susceptibility to spear-phishing emails: effects of internet user demographics and email content. ACM Trans Comput-Hum Interact. 2019;26(5):1–28. doi: 10.1145/3336141.
  • Luong TH. Prevent and combat sexual assault and exploitation of children on cyberspace in Vietnam: situations, challenges, and responses. In: Elshenraki H, editor. Combating the exploitation of children in cyberspace: emerging research and opportunities. Hershey: IGI Global; 2021. pp. 68–94.
  • Luong HT, Phan HD, Van Chu D, Nguyen VQ, Le KT, Hoang LT. Understanding cybercrimes in Vietnam: from leading-point provisions to legislative system and law enforcement. Int J Cyber Criminol. 2019;13(2):290–308. doi: 10.5281/zenodo.3700724.
  • Lusthaus J (2020a) Cybercrime in Southeast Asia: Combating a Global Threat Locally. Retrieved from Canberra, Australia:
  • Lusthaus J. Modelling cybercrime development: the case of Vietnam. In: Leukfeldt R, Holt T, editors. The human factor of cybercrime. New York: Routledge; 2020. pp. 240–257.
  • Marsh I, Melville G. Crime justice and the media. Crime Justice Med. 2008. doi: 10.4324/9780203894781.
  • Martí-Parreño J, Méndez-Ibáñezt E, Alonso-Arroyo A (2016) The use of gamification in education: a bibliometric and text mining analysis. J Comput Assist Learn
  • McLuhan M. The Global Village: Transformations in World Life and Media in the 21st Century (Communication and Society). Oxford: Oxford University Press; 1992.
  • Näsi M, Oksanen A, Keipi T, Räsänen P. Cybercrime victimization among young people: a multi-nation study. J Scand Stud Criminol Crime Prev. 2015. doi: 10.1080/14043858.2015.1046640.
  • Ngo F, Jaishankar K. Commemorating a decade in existence of the international journal of cyber criminology: a research agenda to advance the scholarship on cyber crime. Int J Cyber Criminol. 2017;11(1):1–9.
  • Ngo F, Paternoster R. Cybercrime victimization: an examination of individual and situational level factors. Int J Cyber Criminol. 2011;5(1):773.
  • Nguyen VT, Luong TH. The structure of cybercrime networks: transnational computer fraud in Vietnam. J Crime Justice. 2020. doi: 10.1080/0735648X.2020.1818605.
  • Oksanen A, Keipi T. Young people as victims of crime on the internet: a population-based study in Finland. Vulnerable Child Youth Stud. 2013;8(4):298–309. doi: 10.1080/17450128.2012.752119.
  • Oliveira D, Rocha H, Yang H, Ellis D, Dommaraju S, Muradoglu M, Weir D, Soliman A, Lin T, Ebner N (2017) Dissecting spear phishing emails for older vs young adults: on the interplay of weapons of influence and life domains in predicting susceptibility to phishing. In: Conference on Human Factors in Computing Systems—Proceedings, 2017-May, 6412–6424. 10.1145/3025453.3025831
  • Orchard LJ, Fullwood C, Galbraith N, Morris N. Individual differences as predictors of social networking. J Comput-Mediat Commun. 2014;19(3):388–402. doi: 10.1111/jcc4.12068.
  • Parrish JL, Jr, Bailey JL, Courtney JF. A personality based model for determining susceptibility to phishing attacks. Little Rock: University of Arkansas; 2009. pp. 285–296.
  • Pasadeos Y. A bibliometric study of advertising citations. J Advert. 1985;14(4):52–59. doi: 10.1080/00913367.1985.10672971.
  • Pickering C, Byrne J. The benefits of publishing systematic quantitative literature reviews for PhD candidates and other early-career researchers. Higher Educ Res Devel ISSN. 2014;33(3):534–548. doi: 10.1080/07294360.2013.841651.
  • Reyns BW, Fisher BS, Bossler AM, Holt TJ. Opportunity and Self-control: do they predict multiple forms of online victimization? Am J Crim Justice. 2019;44(1):63–82. doi: 10.1007/s12103-018-9447-5.
  • Romero L, Portillo-Salido E. Trends in sigma-1 receptor research: a 25-year bibliometric analysis. Front Pharmacol. 2019. doi: 10.3389/fphar.2019.00564.
  • Saad ME, Huda Sheikh Abdullah SN, Murah MZ. Cyber romance scam victimization analysis using Routine Activity Theory versus apriori algorithm. Int J Adv Comput Sci Appl. 2018;9(12):479–485. doi: 10.14569/IJACSA.2018.091267.
  • Saridakis G, Benson V, Ezingeard JN, Tennakoon H. Individual information security, user behaviour and cyber victimisation: an empirical study of social networking users. Technol Forecast Soc Change. 2016;102:320–330. doi: 10.1016/j.techfore.2015.08.012.
  • Seng S, Wright M, Al-Ameen MN (2018) Understanding users’ decision of clicking on posts in facebook with implications for phishing. Workshop on Technology and Consumer Protection (ConPro 18), May, 1–6
  • Serafin MJ, Garcia-Vargas GR, García-Chivita MDP, Caicedo MI, Correra JC. Cyberbehavior: a bibliometric analysis. Annu Rev Cyber Ther Telemed. 2019;17:17–24. doi: 10.31234/
  • Skinner WF, Fream AM. A social learning theory analysis of computer crime among college students. J Res Crime Delinq. 1997;34(4):495–518. doi: 10.1177/0022427897034004005.
  • Tsai H, Yi S, Shillair R, Cotten SR, Winstead V, Yost E. Getting grandma online: are tablets the answer for increasing digital inclusion for older adults in the US? Educ Gerontol. 2015;41(10):695–709. doi: 10.1080/03601277.2015.1048165.
  • van Eck NJ, Waltman L (2020) Manual for VOSviewer version 1.6.16
  • Van Wilsem J. “Bought it, but never got it” assessing risk factors for online consumer fraud victimization. Eur Sociol Rev. 2013;29(2):168–178. doi: 10.1093/esr/jcr053.
  • van der Wagen W, Pieters W. The hybrid victim: re-conceptualizing high-tech cyber victimization through actor-network theory. Eur J Criminol. 2020;17(4):480–497. doi: 10.1177/1477370818812016.
  • Vishwanath A. Habitual Facebook use and its impact on getting deceived on social media. J Comput-Mediat Commun. 2015;20(1):83–98. doi: 10.1111/jcc4.12100.
  • Wall D. Crime and the Internet: Cybercrime and cyberfears. 1. London: Routledge; 2001.
  • Wall D. What are cybercrimes? Crim Justice Matters. 2004;58(1):20–21. doi: 10.1080/09627250408553239.
  • Whitty MT, Buchanan T. The online romance scam: a serious cybercrime. Cyberpsychol Behav Soc Netw. 2012;15(3):181–183. doi: 10.1089/cyber.2011.0352.
  • You GR, Sun X, Sun M, Wang JM, Chen YW (2014) Bibliometric and social network analysis of the SoS field. In: Proceedings of the 9th International Conference on System of Systems Engineering: The Socio-Technical Perspective, SoSE 2014, 13–18. 10.1109/SYSOSE.2014.6892456
  • Zyoud SH, Sweileh WM, Awang R, Al-Jabi SW. Global trends in research related to social media in psychology: Mapping and bibliometric analysis. Int J Ment Health Syst. 2018;12(1):1–8. doi: 10.1186/s13033-018-0182-6.

  • Published: 23 February 2023

Exploring the global geography of cybercrime and its driving forces

  • Shuai Chen,
  • Mengmeng Hao,
  • Fangyu Ding,
  • Dong Jiang,
  • Jiping Dong,
  • Shize Zhang,
  • Qiquan Guo &
  • Chundong Gao

Cybercrime is wreaking havoc on the global economy, national security, social stability, and individual interests. The current efforts to mitigate cybercrime threats are primarily focused on technical measures. This study considers cybercrime as a social phenomenon and constructs a theoretical framework that integrates the social, economic, political, technological, and cybersecurity factors that influence cybercrime. The FireHOL IP blocklist, a novel cybersecurity data set, is used to map worldwide subnational cybercrimes. Generalised linear models (GLMs) are used to identify the primary factors influencing cybercrime, whereas structural equation modelling (SEM) is used to estimate the direct and indirect effects of various factors on cybercrime. The GLM results suggest that the inclusion of a broad set of socioeconomic factors can significantly improve the model’s explanatory power, and cybercrime is closely associated with socioeconomic development, while their effects on cybercrime differ by income level. Additionally, results from SEM further reveal the causal relationships between cybercrime and numerous contextual factors, demonstrating that technological factors serve as a mediator between socioeconomic conditions and cybercrime.

Cybercrime is a broad term used by government, businesses, and the general public to account for a variety of criminal activities and harmful behaviours involving the adoption of computers, the internet, or other forms of information communications technologies (ICTs) (Wall, 2007 ). As an emerging social phenomenon in the information age, cybercrime has aroused growing concern around the world due to its high destructiveness and widespread influence. In 2017, the WannaCry ransomware attack affected more than 230,000 computers across 150 countries, resulting in economic losses of more than 4 billion dollars and posing a serious danger to the global education, government, finance, and healthcare sectors (Ghafur et al., 2019 ; Castillo and Falzon, 2018 ; Mohurle and Patil, 2017 ). Although there is currently no precise and universally accepted definition of cybercrime (Phillips et al., 2022 ; Holt and Bossler, 2014 ), it is generally acknowledged that the term covers both traditional crimes that are facilitated or amplified by utilising ICTs as well as new types of crimes that emerged with the advent of ICTs (Ho and Luong, 2022 ). Based on the role of technology in the commission of the crime, the most widely utilised typology divides cybercrime into cyber-dependent crime (such as hacking, distributed denial of service, and malware) and cyber-enabled crime (online fraud, digital piracy, cyberbullying) (Brenner, 2013 ; Sarre et al., 2018 ; McGuire and Dowling, 2013 ). Along with the rapid development of ICTs and the increasing prevalence of the internet, these criminal activities are significantly disrupting the global economy, national security, social stability, and individual interests. 
Although it is difficult to estimate the precise financial cost of cybercrime (Anderson et al., 2013; Anderson et al., 2019), statistical evidence from governments and industries indicates that the economic losses caused by cybercrime are enormous and are still rising rapidly (McAfee, 2021).

Cybercrime is complicated in nature and involves many disciplines, including criminology, computer science, psychology, sociology, economics, geography, political science, and law, among others (Holt, 2017 ; Dupont and Holt, 2022 ; Payne, 2020 ). Computer science and cybersecurity efforts are primarily focused on applying technical approaches such as Intrusion Detection Systems (IDSs), Intrusion Prevention Systems (IPSs), firewalls, and anti-virus software to mitigate cyberattack threats (Kumar and Carley, 2016 ; Walters, 2015 ). These methods may help to some extent lessen the adverse impacts of cybercrime on both organisations and individuals. However, these technical solutions are largely unaware of the human and contextual factors that contribute to the issues, providing only reactive solutions, and are unable to keep up with the rapidly evolving modus operandi and emerging technologies (Clough, 2015 ; Neal, 2014 ). It is suggested that cybercrime is a complex social phenomenon driven by the compound interactions of underlying socioeconomic factors. Human and social factors play a substantial role in the formation of cybercrime agglomerations (Waldrop, 2016 ; Watters et al., 2012 ; Leukfeldt and Holt, 2019 ). They are also important aspects of cybercrime prevention and control (Dupont and Holt, 2022 ). The human factors influencing cybercrime have been the subject of an expanding body of sociological and psychological study in recent years. These studies, which covered cyberbullying, online harassment, identity theft, online fraud, malware infection, phishing, and other types of cybercrime, generally applied traditional criminological and psychological theories, such as routine activities theory, lifestyle-routine activities theory, self-control theory, and general strain theory, to explain the victimisation and offending of various cybercrimes (Bergmann et al., 2018 ; Mikkola et al., 2020 ; Ngo and Paternoster, 2011 ; Pratt et al., 2010 ; Williams, 2016 ). 
Results from these studies suggested that by altering criminal motivations and opportunity structures, individual factors (i.e., age, gender, ethnicity, education, socioeconomic status, and self-control) and situational factors (online activities, time spent online, risk exposure, deviant behaviours) may have an impact on cybercrime offence and victimisation. These findings advanced our knowledge in understanding the impact of technology on criminal behaviours, factors affecting the risk of cyber victimisation, and the applicability of traditional criminological theories to cybercrime (Holt and Bossler, 2014 ).

Cybercrime is a highly geographical phenomenon on a macro-level scale, with some countries accounting for a disproportionate amount of cybercrimes (Kigerl, 2012; Kigerl, 2016). This spatial heterogeneity is closely related to specific socioeconomic contexts (Kshetri, 2010). Academic efforts have been made to identify the clusters of high cybercrime countries and to explain the potential socioeconomic factors that led to the formation of these clusters. For example, Mezzour, Carley, and Carley (2014) found that Eastern European countries hosted a greater number of attacking computers due to their superior computing infrastructure and high levels of corruption. Similarly, Kumar and Carley (2016) found that higher levels of corruption and large internet bandwidth would favour attack origination. They also noted that countries with greater gross domestic product (GDP) per capita and better ICT infrastructure were targeted more frequently. Meanwhile, Srivastava et al. (2020) pointed out that countries with better technology and economic capital were more likely to become the origins of cybercrime, but countries with better cybersecurity preparedness may reduce the frequency of the cybercrime originating within them. Moreover, Holt, Burruss, and Bossler (2018) suggested that nations with better technological infrastructure, greater political freedom, and less organised crime were more likely to report malware infections, while Overvest and Straathof (2015) suggested that the number of internet users, bandwidth, and economic ties were significantly related to cyberattack origin. Kigerl (2012) found that a higher unemployment rate and more internet users were linked to an increase in spam activities. However, these studies have tended to utilise a restricted range of predictor variables and only included certain aspects of cybercrime.
Besides, most of the studies have been conducted at the national level, which could potentially hide many disparities within countries.

In this work, we construct a conceptual model to better represent the context from which cybercrime emerges, which is applied as a framework to analyse the underlying socioeconomic driving forces. A novel cybersecurity data set, the FireHOL IP blocklist, is adopted as a proxy to reflect the levels of cybercriminal activities within different areas. A set of social, economic, political, technological, and cybersecurity indicators is used as explanatory variables. Generalised linear models (GLMs) are used to quantify the effect of each factor on cybercrime, while structural equation modelling (SEM) is used to estimate the complex interactions among various factors and their direct and indirect effects on cybercrime.
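The following added example (not code from the paper) shows one way an IP blocklist can be reduced to per-region counts of listed addresses, the kind of proxy measure described above. The sample netset, the prefix-to-region table and the region codes are constructed assumptions; the paper's own geolocation source and processing steps are not given here.

```python
import ipaddress
from collections import Counter

# Constructed sample in the netset style used by IP blocklists: '#' comments,
# then one IPv4 address or CIDR block per line. All addresses come from the
# RFC 5737 documentation ranges and are not real indicators.
SAMPLE_NETSET = """\
# constructed sample blocklist
192.0.2.0/28
192.0.2.8/30        # already covered by the /28 above
192.0.2.200
198.51.100.0/24
198.51.100.17       # already covered by the /24 above
203.0.113.64/26
203.0.113.192/30
not-an-ip
"""

# Hypothetical, non-overlapping prefix -> (country, subnational region) table
# standing in for a real IP geolocation database.
GEO_TABLE = {
    "192.0.2.0/25": ("AA", "AA-North"),
    "192.0.2.128/25": ("AA", "AA-South"),
    "198.51.100.0/24": ("BB", "BB-Central"),
    "203.0.113.0/25": ("CC", "CC-East"),
}


def parse_netset(text):
    """Return (collapsed IPv4 networks, rejected raw lines)."""
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append(raw)
            continue
        if net.version != 4:
            rejected.append(raw)
            continue
        nets.append(net)
    # Collapsing merges duplicates and nested blocks, so an address that is
    # listed twice is counted once.
    return list(ipaddress.collapse_addresses(nets)), rejected


def count_by_region(nets, geo_table=GEO_TABLE):
    """Count listed addresses per (country, region); also return unlocated."""
    geo = [(ipaddress.ip_network(p), loc) for p, loc in geo_table.items()]
    counts, unlocated = Counter(), 0
    for net in nets:
        located = 0
        for prefix, loc in geo:
            # CIDR blocks either nest or are disjoint, so the overlap is the
            # smaller block when one contains the other, and zero otherwise.
            if net.subnet_of(prefix):
                n = net.num_addresses
            elif prefix.subnet_of(net):
                n = prefix.num_addresses
            else:
                n = 0
            if n:
                counts[loc] += n
                located += n
        unlocated += net.num_addresses - located
    return counts, unlocated


def by_country(region_counts):
    """Roll subnational counts up to country level."""
    totals = Counter()
    for (country, _region), n in region_counts.items():
        totals[country] += n
    return totals


if __name__ == "__main__":
    networks, bad = parse_netset(SAMPLE_NETSET)
    regions, missing = count_by_region(networks)
    for loc, n in sorted(regions.items()):
        print(loc, n)
    print("unlocated:", missing, "rejected lines:", bad)
    print("by country:", dict(by_country(regions)))
```

Country-level totals hide the difference between AA-North and AA-South in this sample, which is the within-country disparity that subnational mapping is meant to expose.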

Conceptual framework

We propose a conceptual framework for examining the driving forces of cybercrime by reviewing existing empirical literature and integrating different criminological theories. The conceptual framework includes five interrelated components: the social, economic, political, technological, and cybersecurity factors. The potential pathways by which each component may directly or indirectly influence cybercrime are illustrated in Fig. 1 .

Fig. 1: The solid line indicates a direct effect, and the dashed line indicates an indirect effect. H1–H5 refer to the five hypotheses, “+” indicates a positive effect, and “−” indicates a negative effect.

The social and economic factors depict the level of regional development, serving as the fundamental context in which cybercrime emerges. Given the intrinsic technological nature of cybercrime, global urbanisation and the information technology revolution have promoted global connectivity and created unprecedented conditions and opportunities for cybercrime (UNODC, 2013). From the perspective of general strain theory, poverty, unemployment, income inequality, and other social disorders that accompany social transformations could lead to cultures of materialism and stimulate motivations of cybercrime for illegal gains (Meke, 2012; Onuora et al., 2017). On the other hand, economically developed regions generally have superior ICT infrastructure, which can provide convenient and low-cost conditions for cybercriminals to commit crimes. High educational attainment is also likely to be associated with cybercrime, given that cybercrime usually requires some level of computer skills and IT knowledge (Holt and Schell, 2011; Asal et al., 2016). In general, better socioeconomic conditions are associated with more cybercriminal activities, which leads us to develop the first two hypotheses:

H1: Social factor is positively associated with cybercrime.
H2: Economic factor is positively associated with cybercrime.

The influence of political factors on cybercrime is mainly reflected in the regulation and intervention measures of governments in preventing and controlling cybercrime, such as legal system construction, government efficiency, control of corruption, and political stability. The offender’s decision to engage in illegal activity is a function of the expected probability of being arrested and convicted and the expected penalty if convicted (Ehrlich, 1996). As with traditional crimes, the lack of efficient social control and punishment mechanisms will breed criminal behaviours. The deterrent effect of legislation forces cybercriminals to consider the consequences they would have to bear. While the virtual and transnational nature of cyberspace makes it easier for perpetrators to avoid punishment, cybercrime can be deterred to some extent by increasing the severity of punishment and international law enforcement cooperation (Hall et al., 2020). On the other hand, cybercriminals could seek protection through corrupt connections with the local institutional environment, which would weaken law enforcement operations and encourage cybercriminal activities (Hall et al., 2020; Lusthaus and Varese, 2021; Sutanrikulu et al., 2020). For instance, corruption in law enforcement authorities makes it hard for cybercriminals to be punished, while corruption in network operators or internet service providers (ISPs) makes it easier for cybercriminals to apply for malicious domain names or register fake websites. Some studies have shown that areas with high levels of corruption usually have more cybercriminal activities (Mezzour et al., 2014; Watters et al., 2012). Cybercrimes are typically attributed to political corruption, ineffective governance, institutional weakness, and weak rule of law across West Africa and East Europe (Asal et al., 2016). Therefore, we propose that:

H3: Political factor is negatively associated with cybercrime.

The technological environment, which is composed of communication conditions and underlying physical ICT infrastructure, serves as an essential medium through which cybercrime is committed. According to the rational choice theory, crime is the result of an individual’s rational consideration of the expected costs and benefits attached to their criminal activity (Mandelcorn et al., 2013 ; Brewer et al., 2019 ). Better internet infrastructure, greater internet penetration, and faster connection could facilitate cybercrimes by reducing crime costs, expanding opportunities, and increasing potential benefits. For example, in a majority of spam and DDoS attacks, cybercriminals often carry out large-scale coordinated attacks by sending remote commands to a set of compromised computers (also known as botnets). High-performance computers and high-bandwidth connectivity such as university, corporate, and government servers allow for more efficient attacks and could expand the scope of cybercrime, making them preferred by cybercriminals (Hoque et al., 2015 ; Van Eeten et al., 2010 ; Eslahi et al., 2012 ). We thus hypothesise that:

H4: Technological factor is positively related to cybercrime.

Cybersecurity preparedness reflects the capabilities and commitment of a country to prevent and combat cybercrime. According to the International Telecommunication Union (ITU), cybersecurity preparedness involves the legal, technical, organisation, capacity, and cooperation aspects (Bruggemann et al., 2022 ). Legal measures such as laws and regulations define what constitutes cybercrime and specify necessary procedures in the investigation, prosecution, and sanction of cybercrime, providing a basis for other measures. Technical measures refer to the technical capabilities to cope with cybersecurity risks and build cybersecurity resilience through national institutions and frameworks such as the Computer Incident Response Teams (CIRTs) or Computer Emergency Response Teams (CERTs). Organisation measures refer to the comprehensive strategies, policies, organisations, and coordination mechanisms for cybersecurity development. Capacity development reflects the research and development, awareness campaigns, training and education, and certified professionals and public agencies for cybersecurity capacity building. Cooperation measures refer to the collaboration and information sharing at the national, regional, and international levels, which is essential in addressing cybersecurity issues given the transnational nature of cybercrime. According to the general deterrence theory and routine activity theory of criminology (Leukfeldt and Holt, 2019 ; Hutchings and Hayes, 2009 ; Lianos and McGrath, 2018 ), cybersecurity preparedness serves as a deterrent or a guardianship of cybercrime. It is crucial in defending a country from external cybercrime as well as reducing cybercrime originating from within. Therefore, we hypothesise that:

H5: Cybersecurity preparedness is negatively associated with cybercrime.

The five hypotheses proposed in the conceptual model (Fig. 1 ) outline the direct effects of various contextual drivers on cybercrime. The social, economic, political, technological, and cybersecurity factors may interact in other ways, which could also have an indirect impact on cybercrime. Then, using a combination of two statistical methods and a set of explanatory covariates, we test the hypothesised pathways.

Cybercrime data

It is commonly acknowledged among cybercrime scholars that the lack of standardised legal definitions of cybercrime and of valid, reliable official statistics makes it difficult to estimate the prevalence or incidence of cybercrime around the world (Holt and Bossler, 2015). Although law enforcement agencies in some countries do collect data on cybercrime (e.g., police data and court judgements), these official data inevitably suffer from under-reporting and under-recording (Holt and Bossler, 2015; Howell and Burruss, 2020). This has prompted some researchers to use alternative data sources to measure cybercrime, including social media, online forums, emails, and cybersecurity companies (Holt and Bossler, 2015). Among these data sources, technical data such as spam emails, honeypots, IDS/IPS or firewall logs, malicious domains/URLs, and IP addresses are often used as proxies for different aspects of cybercrime (Amin et al., 2021; Garg et al., 2013; Kigerl, 2012; Kigerl, 2016; Kigerl, 2021; Mezzour et al., 2014; Srivastava et al., 2020; Kshetri, 2010), accounting for a large proportion of the literature of macro-level cybercrime research. However, due to the anonymity and virtuality of cyberspace, cybercriminals are not restrained by national boundaries and could utilise compromised computers distributed around the world as a platform to commit cybercrime. Meanwhile, IP addresses can be faked or spoofed by using technologies such as proxy servers, anonymity networks, and virtual private networks (VPNs) to hide the true identity and location of cybercriminals (Holt and Bossler, 2015; Leukfeldt and Holt, 2019). As a result, the attribution of cybercriminals becomes extremely challenging and requires a high level of expertise and coordination from law enforcement agencies and cybersecurity teams (Lusthaus et al., 2020).
Therefore, instead of capturing where cybercriminals reside in physical space, most studies using these technical data are measuring the possible locations where the cyberattacks or cybercrimes originate, even if part of them could be locations where cybercriminals choose to host their botnets or spam servers. Though there is partial support that certain types of cyberattacks originate from physically proximate IP addresses (Maimon et al., 2015 ), more elaborate and comprehensive research is lacking.

In this study, we used a novel cybersecurity data set, the IP addresses from the FireHOL blocklist (FireHOL, 2021), as a proxy to measure cybercrime. The FireHOL IP blocklist is a composition of multiple sources of illegitimate or malicious IP addresses, which can be used on computer systems (i.e., servers, routers, and firewalls) to block access from and to these IPs. These IPs are related to certain types of cybercrime activities, including abuse, attacks, botnets, malware, command and control, and spam. We adopted the FireHOL level 1 blocklist, which consists of ~2900 subnets and over 600 million unique IPs, with a minimum of false positives. Anonymous IPs, which are used by other parties to hide their true identities (such as open proxies and VPN providers), were excluded from the analysis. Next, we applied an open-source IP geolocation database, IP2Location™ Lite, to map these unique IP addresses to specific geographic locations in the form of country/region/city and a longitude/latitude pair. The location accuracy of the IP geolocation is high at the national and regional levels, with ~98% accuracy at the country level and 60% at the city level. To reduce uncertainty, we focused the analysis on the state/region level. Finally, we calculated the counts of unique IPs located within each subnational area to measure the global distribution of cybercrimes.
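The counting procedure described above (overlapping subnets, exclusion of anonymiser ranges, geolocation, per-region totals) as an added Python example; it is not the authors' code. The sample lists use documentation address ranges, the one-entry-per-line list layout is assumed, and the geolocation rows with their country and region labels are hypothetical stand-ins for an IP-range table such as IP2Location Lite.

```python
import ipaddress
from bisect import bisect_right
from collections import Counter

# Constructed samples: '#' comments, one IPv4 address or CIDR per line.
# Documentation address ranges only, not real blocklist data.
BLOCKLIST = """\
# constructed blocklist sample
192.0.2.0/24
192.0.2.128/25
198.51.100.7
198.51.100.0/28
203.0.113.0/25
"""
ANONYMIZERS = """\
# constructed open-proxy / VPN ranges to exclude
203.0.113.64/26
198.51.100.7
"""
# Constructed geolocation rows (first IP, last IP, country, region); hypothetical labels.
GEO_ROWS = [
    ("192.0.2.0", "192.0.2.191", "AA", "Region-1"),
    ("192.0.2.192", "192.0.2.255", "AA", "Region-2"),
    ("198.51.100.0", "198.51.100.255", "BB", "Region-3"),
    ("203.0.113.0", "203.0.113.255", "BB", "Region-4"),
]
UNMAPPED = ("??", "unmapped")


def parse_netset(text):
    """Return the IPv4 networks listed in the text, ignoring comments and blanks."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.IPv4Network(line, strict=False))
    return nets


def to_ranges(nets):
    """Collapse overlapping/nested networks into sorted, disjoint inclusive ranges."""
    return [(int(n.network_address), int(n.broadcast_address))
            for n in ipaddress.collapse_addresses(nets)]


def unique_ips(ranges):
    return sum(hi - lo + 1 for lo, hi in ranges)


def subtract(keep, drop):
    """Remove every address in `drop` from `keep` (both sorted and disjoint)."""
    out, j = [], 0
    for lo, hi in keep:
        while j < len(drop) and drop[j][1] < lo:   # drop ranges entirely below
            j += 1
        k = j
        while k < len(drop) and drop[k][0] <= hi:  # drop ranges that overlap
            if drop[k][0] > lo:
                out.append((lo, drop[k][0] - 1))
            lo = drop[k][1] + 1
            k += 1
        if lo <= hi:
            out.append((lo, hi))
    return out


def count_by_region(ranges, geo_rows):
    """Count addresses per (country, region); geo rows must not overlap."""
    geo = sorted((int(ipaddress.IPv4Address(a)), int(ipaddress.IPv4Address(b)), (c, r))
                 for a, b, c, r in geo_rows)
    starts = [g[0] for g in geo]
    counts = Counter()
    for lo, hi in ranges:
        mapped = 0
        i = max(bisect_right(starts, lo) - 1, 0)
        while i < len(geo) and geo[i][0] <= hi:
            overlap = min(hi, geo[i][1]) - max(lo, geo[i][0]) + 1
            if overlap > 0:
                counts[geo[i][2]] += overlap
                mapped += overlap
            i += 1
        if mapped < hi - lo + 1:                   # addresses with no geo row
            counts[UNMAPPED] += hi - lo + 1 - mapped
    return counts


def regional_counts(blocklist_text, anonymizer_text, geo_rows):
    keep = to_ranges(parse_netset(blocklist_text))
    drop = to_ranges(parse_netset(anonymizer_text))
    return count_by_region(subtract(keep, drop), geo_rows)


if __name__ == "__main__":
    nets = parse_netset(BLOCKLIST)
    print("sum of subnet sizes:", sum(n.num_addresses for n in nets))
    print("unique addresses:   ", unique_ips(to_ranges(nets)))
    for key, n in sorted(regional_counts(BLOCKLIST, ANONYMIZERS, GEO_ROWS).items()):
        print(key, n)
```

Summing subnet sizes without collapsing overlaps inflates the total, which matters when a list is composed from multiple sources that report the same ranges.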

Although the FireHOL IP blocklist has the same restrictions as other technical data, it was used in this study for several reasons. The basic function of IP addresses in the modern internet makes them an indispensable element in different phases of cybercrime; they are also the key ingredient of cybercrime attribution and digital evidence collection. As a result, an IP-based firewall is one of the most effective and commonly used preventive measures for cybersecurity defence. The FireHOL IP blocklist has the advantage of global coverage and includes different cybercrime types. It dynamically collects cybercrime IPs from multiple sources around the world. Although it is difficult to determine whether the IPs in the blocklist are the real sources of cybercrime or come from infected machines, the blocklist does reflect the geographical distribution of the malicious IPs that are related to certain cybercrime activities. Besides, it provides a more fine-grained estimate of the subnational cybercrime geography than country-level statistics.

Explanatory variables

We adopted a broad set of explanatory variables to characterise the social, economic, political, technological, and cybersecurity conditions based on the conceptual model presented above (Fig. 1). The social environment is represented by population, the population aged 15–64, education index, nighttime light index, and human development index (HDI). The economic condition is measured by income index, GDP growth, Gini index, unemployment (% of the total labour force), and poverty rate. The political environment is measured by 5 dimensions of the World Governance Indicators (WGI): control of corruption, government effectiveness, rule of law, political stability and absence of violence/terrorism, and voice and accountability. The technological environment is reflected by the internet infrastructure (the number of internet data centres and internet exchange centres), internet users (% of the population), international bandwidth (per internet user), secure internet server (per 1 million people), and fixed broadband subscriptions (per 100 people). Moreover, we applied the five dimensions of the Global Cybersecurity Index (GCI) to assess the level of commitment among various nations to cybersecurity, including legal measures, technical measures, organisational measures, capacity development measures, cooperation measures, and one overall cybersecurity index (the sum of the 5 measures above). Population, income index, education index, HDI, nighttime light, and infrastructure data are collected at the subnational administrative level, while other variables are derived at the country level. Log transformations (base 10) were used to improve normality for variables with skewed distributions, including population, nighttime light, infrastructure, fixed broadband, secure internet server, and bandwidth. All variables were normalised for further analysis.

Generalised linear models (GLMs)

In this study, GLMs were used to assess the potential influence of various explanatory variables on cybercrime and to identify the most important factors. A GLM is an extension of a regular regression model that includes nonnormal response distributions and modelling functions (Faraway, 2016). GLM analyses were conducted at two scales: the global scale and the income group scale. All GLMs were built in R version 4.1.2 using the “glm” function of the “stats” package (R Core Team, 2013), and a Gaussian distribution is used as the link function. The Akaike information criterion (AIC), the determination coefficient (R²), and the significance level of the predictors (p-value) are used to evaluate GLMs. The model with the lowest AIC and highest R² value is chosen as the optimal model. Variance inflation factors (VIFs) were calculated using the “car” package (Fox et al., 2012) to test for collinearity between quantitative explanatory variables prior to the GLM analysis. Variables with a VIF value greater than 10 (VIF > 10) were regarded as collinearity generators and were therefore excluded from further analysis. The relative contribution and coefficients of each GLM were plotted using the “GGally” package.
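The collinearity screen described above, written as an added Python example rather than with the R "car" package the authors used; it is not the authors' code. The eight regions of data are constructed so that the HDI column is almost the mean of the education and income columns, and removing the worst variable one at a time until every VIF is at most 10 is an assumption about the procedure, since the text gives only the threshold.

```python
import math

VIF_LIMIT = 10.0  # threshold stated in the text

# Constructed data for eight hypothetical regions (not from the study).
REGIONS = {
    "population": [1e3, 1e5, 1e4, 1e6, 1e6, 1e4, 1e5, 1e3],
    "education":  [0.2, 0.4, 0.6, 0.8, 0.2, 0.4, 0.6, 0.8],
    "income":     [0.3, 0.3, 0.3, 0.3, 0.7, 0.7, 0.7, 0.7],
    "hdi":        [0.26, 0.34, 0.44, 0.56, 0.46, 0.54, 0.64, 0.76],
}


def prepare(raw, log_vars=("population",)):
    """Apply the base-10 log transform to the skewed variables."""
    return {k: [math.log10(x) for x in v] if k in log_vars else list(v)
            for k, v in raw.items()}


def correlation_matrix(cols):
    """Pearson correlation matrix of equal-length columns."""
    n = len(cols[0])
    unit = []
    for c in cols:
        mean = sum(c) / n
        d = [x - mean for x in c]
        norm = math.sqrt(sum(x * x for x in d))
        if norm == 0:
            raise ValueError("constant column has no defined correlation")
        unit.append([x / norm for x in d])
    return [[sum(a * b for a, b in zip(ci, cj)) for cj in unit] for ci in unit]


def invert(m):
    """Gauss-Jordan matrix inverse with partial pivoting."""
    k = len(m)
    aug = [row[:] + [1.0 if i == j else 0.0 for j in range(k)]
           for i, row in enumerate(m)]
    for col in range(k):
        pivot = max(range(col, k), key=lambda r: abs(aug[r][col]))
        if abs(aug[pivot][col]) < 1e-12:
            raise ValueError("perfectly collinear predictors")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        p = aug[col][col]
        aug[col] = [v / p for v in aug[col]]
        for r in range(k):
            if r != col:
                f = aug[r][col]
                aug[r] = [v - f * w for v, w in zip(aug[r], aug[col])]
    return [row[k:] for row in aug]


def vifs(data):
    """VIF of each predictor: the diagonal of the inverse correlation matrix,
    which equals 1 / (1 - R^2) from regressing it on the other predictors."""
    names = list(data)
    inv = invert(correlation_matrix([data[n] for n in names]))
    return {n: inv[i][i] for i, n in enumerate(names)}


def screen(data, limit=VIF_LIMIT):
    """Drop the predictor with the largest VIF until all are <= limit."""
    kept, dropped = dict(data), []
    while len(kept) > 1:
        v = vifs(kept)
        worst = max(v, key=v.get)
        if v[worst] <= limit:
            break
        dropped.append(worst)
        del kept[worst]
    return list(kept), dropped


if __name__ == "__main__":
    data = prepare(REGIONS)
    print({k: round(v, 1) for k, v in vifs(data).items()})
    print(screen(data))
```

Education and income also exceed the threshold while HDI is present, and both fall back to 1 once it is removed, which is why removing every variable above 10 in a single pass would discard more predictors than necessary.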

Structural equation modelling (SEM)

SEM was used to examine the causal relationships within the networks of interacting factors, thereby distinguishing the direct from indirect drivers of cybercrime. SEM is a powerful, multivariate technique found increasingly in scientific investigations to test and evaluate multivariate causal relationships (Fan et al., 2016 ). SEM differs from other modelling approaches in that it tests both the direct and indirect effects on pre-assumed causal relationships. The following fit indices were considered to evaluate model adequacy: (a) root mean square error of approximation (RMSEA), which is a “badness of fit” index in which 0 indicates a perfect fit while higher values indicate a lack of fit; (b) standardised root mean square residual (SRMR), which is similar to RMSEA and should be less than 0.09 for good model fit; (c) comparative fit index (CFI), which represents the amount of variance that has been accounted for in a covariance matrix ranging from 0.0 to 1.0, with a higher CFI value indicating better model fit; (d) Tucker–Lewis index (TLI), which is a non-normed fit index (NNFI) that proposes a fit index independent of sample size. In this study, SEM analysis was conducted using AMOS (Arbuckle, 2011 ).

Spatial distribution of cybercrime IPs

We mapped the subnational distribution of cybercrime IPs globally, which reveals significant spatial variability (see Fig. 2 ). On a global scale, most cybercrime IPs were located in North America, Central and Eastern Europe, East Asia, India, and eastern Australia. Meanwhile, areas with low numbers of cybercrime IPs were primarily found in large parts of Africa except for South Africa, western and northern parts of South America, Central America, some regions of the Middle East, southern parts of Central Asia, and some regions of Southeast Asia. On a continental scale, we found that the number of cybercrime IPs increased gradually from Africa to Europe. The two continents with the most cybercrime IPs were North America and Europe, with North America showing more variations. This trend seems to be closely associated with the regional socioeconomic development level. To further investigate this relationship, we grouped the subnational regions by income level according to the World Bank classification rules. We found a more evident pattern, with high-income regions hosting the majority of cybercrime IPs and lower-middle-income regions hosting the least.

Fig. 2: (a) Number of cybercrime IPs at the subnational level. (b) Log-transformed cybercrime IP count by continent: Africa (AF), Asia/Oceania (AS/OC), South America (SA), North America (NA) and Europe (EU). (c) Log-transformed cybercrime IP count by income group: low-income (LI), lower-middle-income (LMI), upper-middle-income (UMI) and high-income (HI) groups. The centre line, boxes, and whiskers show the means, 1 standard error (SE), and 95% confidence interval (CI), respectively.

Major factors influencing cybercrime

GLMs were built based on the 5 categories of 26 representative influential variables identified in the conceptual framework. After excluding 8 collinear variables (i.e., government effectiveness, rule of law, HDI, and 5 cybersecurity measures) and 7 nonsignificant variables (GDP growth, unemployment, poverty, political stability, voice and accountability, bandwidth, and internet users), the global scale GLM model includes 11 variables with an R² value of 0.82. Figure 3 shows the relative contribution of each predictor variable to the model. Globally, the social and technological factors contribute most to the model, with relative contribution rates of 53.4% and 30.1%, respectively. Infrastructure alone explains up to 18.1% of the model variance in cybercrimes (R² to 0.504). However, the inclusion of the population and education index improves the explanation of model variance by 18.3% and 28.5%, respectively (R² to 0.596 and 0.766). This is also the case with GLMs of different income groups, indicating that despite the main effects of technological factors, the inclusion of a broad set of socioeconomic factors significantly improves the accuracy of models that attempt to quantify the driving forces of cybercrime.

Fig. 3: Relative contribution of predictor variables to cybercrime.

When assessed by income group, we noted that although the social and technological factors were the most important factors in explaining cybercrime, the contribution of each variable varies by income group. For example, the contribution of the income index decreases gradually from low-income regions to wealthier regions, while the Gini index is more significant in upper-middle regions and high-income regions than in low-income regions and lower-middle-income regions. Fixed broadband subscriptions contributed the most in low-income regions and the least in high-income regions. Additionally, cybersecurity preparedness has a greater influence on low-income and lower-middle-income regions.

Estimated effect of factors on cybercrime

The coefficient values in Fig. 4 represent effect sizes from the GLMs for the relationship between cybercrime and the five categories of contextual factors. At the global scale, cybercrime is positively correlated with social, economic, and technological factors, suggesting that most cybercrimes are launched in regions with a higher population, higher urbanisation, better educational and economic conditions, and, most importantly, improved internet infrastructure and communication conditions. By contrast, cybercrime is negatively related to political and cybersecurity factors, indicating that the control of corruption and the commitment to cybersecurity show certain inhibitory effects on cybercrime.

Fig. 4: The coefficient values are represented as dots, significant variables are represented as filled dots, nonsignificant variables are represented as hollow dots, and bars represent 95% CIs.

From the perspective of income groups, the ways contextual factors affect cybercrime remain basically consistent with the global results, but subtle differences are observed. In low-income countries, the influence of the income index on cybercrime is the strongest, and cybercrime is significantly associated with a higher income index, higher education index, better infrastructure, and higher fixed broadband subscriptions. This pattern may indicate that in low-income countries, wealthier areas tend to have more cybercrimes due to the existence of better communication conditions in these areas. However, in high-income countries, where the internet is universally available, the roles of income index and fixed broadband subscriptions gradually weaken. In contrast, the effects of the Gini index and education are stronger in wealthier countries, indicating that economic inequality and education in these countries can be important drivers of cybercrime. Moreover, the control of corruption is negatively related to cybercrime in lower-middle, upper-middle, and high-income regions.

Pathways of factors for cybercrime

To understand the intricate interactions among different predictors, we perform SEM based on the conceptual model. The SEM model is composed of five latent variables, representing the social, economic, political, technological, and cybersecurity context, and each latent variable has five components reflected by the explanatory variables. Overall SEM fit is assessed, showing a good fit (CFI = 0.917, TLI = 0.899, SRMR = 0.058). SEM confirms many of the hypotheses in the conceptual model, and all relationships are statistically significant. Fig. 5 shows the results of SEM.

Fig. 5: Black arrows indicate a positive effect, red arrows indicate a negative effect, and values on the straight arrows between variables represent the standardised path coefficients.

According to the SEM, all the hypotheses are tested and supported. Specifically, social, economic, and technological factors have direct positive effects on cybercrime (standardised path coefficients of direct effect are 0.03, 0.10, and 0.61, respectively), indicating that when social, economic, and technological factors go up by 1 standard deviation, cybercrime goes up by 0.03, 0.10, and 0.61 standard deviations, respectively. By contrast, the political and cybersecurity factors have direct negative effects on cybercrime (standardised path coefficients of direct effect are −0.22 and −0.07, respectively), indicating that 1 standard deviation rise in political and cybersecurity factors are associated with 0.22 and 0.07 standard deviations decrease of cybercrime, respectively. It is worth noting that although the direct effects of social and economic factors on cybercrimes are relatively small, their indirect effects on cybercrime through the mediation of technological and political factors are non-negligible.

In sum, SEM quantifies the direct and indirect effects of social, economic, political, technological, and cybersecurity factors on cybercrime, consistent with the hypotheses outlined in the conceptual model. More importantly, the results suggest that even though cybercrimes are primarily determined by technological factors, the direct and indirect effects of underlying social, economic, political, and cybersecurity also play significant roles. This suggests that the technological factor is a necessary but not sufficient condition for the occurrence of cybercrime.

In the current study, we mapped the global subnational distribution of cybercrimes based on a novel cybersecurity data set, the FireHOL IP blocklist. Given the widespread difficulty in obtaining cybercrime data, the data sources used in this study could provide an alternative measure of the subnational cybercrime level on a global scale. Compared to country-level studies (Amin et al., 2021 ; Garg et al., 2013 ; Goel and Nelson, 2009 ; Solano and Peinado, 2017 ; Sutanrikulu et al., 2020 ), the results present a more fine-grained view of the spatial distribution of cybercrime. The map reveals high spatial variability of cybercrime between and within countries, which appears to be closely related to local socioeconomic development status.

To recognise the driving forces behind cybercrime, we proposed a theoretical framework that encompasses the social, economic, political, technological, and cybersecurity factors influencing cybercrime, drawing on existing theoretical and empirical research. On this basis, we used GLMs to identify the major factors and their contributions to cybercrime and SEM to quantify the direct and indirect effects of these driving forces. The GLM results show that using technological factors alone as explanatory variables is insufficient to account for cybercrime, and the inclusion of a broad suite of social, economic, political, technological, and cybersecurity factors can remarkably improve model performance. Global scale modelling indicates that cybercrime is closely associated with socioeconomic and internet development, as developed regions have more available computers and better communication conditions that facilitate the implementation of cybercrime. Some studies have argued that wealthier areas might have fewer incentives for cybercrime, while poorer areas could benefit more from cybercrime activities (Ki et al., 2006 ; Kigerl, 2012 ; Kshetri, 2010 ). However, our study shows that the technological factors constituted by the internet infrastructure and communication conditions are necessary for the production of cybercrime, rendering wealthier areas more convenient for committing cybercrime.

Meanwhile, the GLMs of the 4 income groups demonstrate important differential impacts of the explanatory variables on cybercrime. For example, in low-income countries, where the overall internet penetration rate is low, cybercrime originates mainly in more developed areas with better internet infrastructure, higher internet penetration, and higher education levels. A typical example is the “Yahoo Boys” in Nigeria, referring to young Nigerians engaged in cyber fraud through Yahoo mail, mostly well-educated undergraduates with digital skills (Lazarus and Okolorie, 2019 ). A range of factors, such as a high rate of unemployment, a lack of legitimate economic opportunities, a prevalence of cybercrime subculture, a lack of strong cybercrime laws, and a high level of corruption, have motivated them to obtain illegal wealth through cybercrime. In contrast, cybercrime in high-income regions originates in areas with a high Gini index and a high education level. One possible explanation for this finding may be that well-educated individuals who live in countries with a high Gini index are paid less for their skills than their counterparts, which motivates them to engage in cybercrimes to improve their lives.

Encouragingly, both the GLM and SEM results suggest that political factors and cybersecurity preparedness can mitigate the incidence of cybercrime to some extent, in agreement with the hypotheses. Though previous country-level studies suggest that countries facing more cybersecurity threats tend to have a high level of cybersecurity preparedness (Makridis and Smeets, 2019 ; Calderaro and Craig, 2020 ), our results indicate that cybersecurity preparedness could in turn reduce cybercrimes that originate from a country. This emphasises the importance of government intervention and cybersecurity capacity building. The necessary intervening measures may include the enactment and enforcement of laws, regulation of telecommunication operators and internet service providers (ISPs), strengthening of strike force by security and judicial departments, and improvement of cybersecurity capacity. Given the interconnectedness of cyberspace and the borderless nature of cybercrime, it must be recognised that cybersecurity is not a problem that can be solved by any single country. Thus, enhancing international cooperation in legal, technical, organisational, and capacity aspects of cybersecurity becomes an essential way to tackle cybersecurity challenges.

As presented through SEM, technological factors are closely associated with socioeconomic development and serve as a mediator between socioeconomic conditions and cybercrime. In the past decades, ICTs have developed unevenly across different parts of the world due to a range of geographic, socioeconomic, and demographic factors, which has led to the global digital divide (Pick and Azari, 2008). The disparities in internet access in different regions have largely determined the spatial patterns of cybercrime. Currently, developing countries (especially those within Asia, Africa, and Latin America) are the fastest-growing regions in terms of ICT infrastructure and internet penetration (Pandita, 2017). However, even in developed countries, the progress of technological innovation has outpaced the establishment of legal regulations, national institutions and frameworks, policies and strategies, and other mechanisms that could help manage the new challenges (Bastion and Mukku, 2020). Many developing countries are facing difficulties in combating cybercrime due to a lack of adequate financial and human resources, legal and regulatory frameworks, and technical and institutional capacities, providing a fertile ground for cybercrime activities. In this vein, it is extremely urgent and necessary to enhance the cybersecurity capacities of developing countries and engage them in the international cooperation of cybersecurity, ensuring that they can maximize the socioeconomic benefits of technological development instead of being harmed by it.

Cybercrime is a sophisticated social phenomenon rooted in deep and comprehensive geographical and socioeconomic causes. This study offers an alternative perspective in solving cybersecurity problems instead of pure technical measures. We believe that improvements in cybersecurity require not only technological, legal, regulatory, and policing measures but also broader approaches that address the underlying social, economic, and political issues that influence cybercrime. While the results presented in this study are preliminary, we hope that this work will provide an extensible framework that can be expanded for future studies to investigate the driving forces of cybercrime.

However, our study has several limitations that stem from the data. First and foremost, the geo-localisation of cybercrimes or cybercriminals remains a major challenge for cybercrime research. Although the FireHOL IP blocklist has the potential to measure global cybercrime at a high spatial resolution, IP-based measures may not accurately capture the true locations of cybercriminals, as they may simply exploit places with better ICT infrastructure. Therefore, caution should be exercised in interpreting the associations between cybercrime and socioeconomic factors. Future studies combining survey data, police and court judgement data, and cybercrime attribution techniques are needed to further validate the accuracy and validity of IP-based technical data in measuring the geography of cybercrime and gain a deeper understanding of the driving forces of cybercrime. Besides, COVID-19 has greatly changed the way we live and work, and many studies have suggested that the pandemic has increased the frequency of cybercrimes within the context of economic recession, high unemployment, accelerated digital transformation, and unprecedented uncertainty (Lallie et al., 2021; Eian et al., 2020; Pranggono and Arabo, 2021). Unfortunately, the blocklist data cannot capture this dynamic well due to a lack of temporal attributes. Furthermore, different types of cybercrime can be influenced by different mechanisms. We use the total amount of all types of cybercrime IPs instead of looking into a specific type of cybercrime, given that such segmentation may result in data sparsity for some groups. Future studies are needed to determine how different categories of cybercrimes are affected by socioeconomic factors. Finally, micro-level individual and behaviour characteristics and more fine-grained explanatory variables should be included to better understand cybercrime.

Data availability

The FireHOL IP lists data are publicly available at the FireHOL website; population, education index, income index, HDI, and subnational regions data are available from Global Data Lab; nighttime light data are available from the Earth Observation Group; population aged 15–64, Gini index, GDP growth, unemployment, poverty rate, control of corruption, government effectiveness, rule of law, political stability and absence of violence/terrorism, and voice and accountability are obtained from the World Bank; the internet users, international bandwidth, secure internet server, and fixed broadband subscriptions data are available from the International Telecommunication Union (ITU); the internet infrastructure data are collected from TeleGeography and the World Data Centers Database; the legal measures, technical measures, organisational measures, capacity development, cooperation measures and overall cybersecurity index were obtained from the Global Cybersecurity Index (GCI) of the ITU.

Amin RW, Sevil HE, Kocak S, Francia G, Hoover P (2021) The spatial analysis of the malicious uniform resource locators (URLs): 2016 dataset case study. Information 12(1):2

Anderson R, Barton C, Böhme R, Clayton R, Van Eeten MJ, Levi M, Moore T, Savage S (2013) Measuring the cost of cybercrime. In: The economics of information security and privacy. Springer, pp. 265–300

Anderson R, Barton C, Böhme R, Clayton R, Ganán C, Grasso T, Levi M, Moore T, Vasek M (2019) Measuring the changing cost of cybercrime. The 18th Annual Workshop on the Economics of Information Security.

Arbuckle JL (2011) IBM SPSS Amos 20 user’s guide. Amos Development Corporation, SPSS Inc. pp. 226–229

Asal V, Mauslein J, Murdie A, Young J, Cousins K, Bronk C (2016) Repression, education, and politically motivated cyberattacks. J Glob Secur Stud 1(3):235–247

Bastion G, Mukku S (2020) Data and the global south: key issues for inclusive digital development.

Bergmann MC, Dreißigacker A, von Skarczinski B, Wollinger GR (2018) Cyber-dependent crime victimization: the same risk for everyone? Cyberpsychol Behav Soc Network 21(2):84–90

Brenner SW (2013) Cybercrime: re-thinking crime control strategies. Crime online: Willan. pp. 12–28

Brewer R, de Vel-Palumbo M, Hutchings A, Holt T, Goldsmith A, Maimon D (2019) Cybercrime prevention: theory and applications. Springer

Bruggemann R, Koppatz P, Scholl M, Schuktomow R (2022) Global cybersecurity index (GCI) and the role of its 5 pillars. Soc Indic Res 159(1):125–143

Calderaro A, Craig AJ (2020) Transnational governance of cybersecurity: policy challenges and global inequalities in cyber capacity building. Third World Q 41(6):917–938

Castillo D, Falzon J (2018) An analysis of the impact of Wannacry cyberattack on cybersecurity stock returns. Rev Econ Financ 13:93–100

Clough J (2015) Principles of cybercrime. Cambridge University Press

Dupont B, Holt T (2022) The human factor of cybercrime. Soc Sci Comput Rev 40(4):860–864

Ehrlich I (1996) Crime, punishment, and the market for offenses. J Econ Perspect 10(1):43–67

Eian IC, Yong LK, Li MYX, Qi YH, Fatima Z (2020) Cyber attacks in the era of covid-19 and possible solution domains. Preprints 2020, 2020090630

Eslahi M, Salleh R, Anuar NB (2012) ‘Bots and botnets: an overview of characteristics, detection and challenges’. 2012 IEEE International Conference on Control System, Computing and Engineering. IEEE, pp. 349–354

Fan Y, Chen J, Shirkey G, John R, Wu SR, Park H, Shao C (2016) Applications of structural equation modeling (SEM) in ecological studies: an updated review. Ecol Process 5(1):1–12

Faraway JJ (2016) Extending the linear model with R: generalized linear, mixed effects and nonparametric regression models. Chapman and Hall/CRC

FireHOL (2021) FireHOL. FireHOL IP lists. [Accessed on Aug 21, 2021]

Fox J, Weisberg S, Adler D, Bates D, Baud-Bovy G, Ellison S, Firth D, Friendly M, Gorjanc G, Graves S (2012) Package ‘car’. Vienna: R Foundation for Statistical Computing, 16

Garg V, Koster T, Camp LJ (2013) Cross-country analysis of spambots. EURASIP J Inform Secur 2013(1):1–13

Ghafur S, Kristensen S, Honeyford K, Martin G, Darzi A, Aylin P (2019) A retrospective impact analysis of the WannaCry cyberattack on the NHS. NPJ Digit Med 2(1):1–7

Goel RK, Nelson MA (2009) Determinants of software piracy: economics, institutions, and technology. J Technol Transfer 34(6):637–658

Hall T, Sanders B, Bah M, King O, Wigley E (2020) Economic geographies of the illegal: the multiscalar production of cybercrime. Trends Organ Crime 24:282–307

Ho HTN, Luong HT (2022) Research trends in cybercrime victimization during 2010–2020: a bibliometric analysis. SN Soc Sci 2(1):1–32

Holt T, Bossler A (2015) Cybercrime in progress: Theory and prevention of technology-enabled offenses. Routledge

Holt TJ (2017) Cybercrime through an interdisciplinary lens. Routledge

Holt TJ, Bossler AM (2014) An assessment of the current state of cybercrime scholarship. Deviant Behav 35(1):20–40

Holt TJ, Burruss GW, Bossler AM (2018) Assessing the macro-level correlates of malware infections using a routine activities framework. Int J Offender Ther Comp Criminol 62(6):1720–1741


Holt TJ, Schell BH (2011) Corporate hacking and technology-driven crime. Igi Global

Hoque N, Bhattacharyya DK, Kalita JK (2015) Botnet in DDoS attacks: trends and challenges. IEEE Commun Surv Tutor 17(4):2242–2270

Howell CJ, Burruss GW (2020) Datasets for analysis of cybercrime. In: The Palgrave handbook of international cybercrime and cyberdeviance. Palgrave Macmillan. pp. 207–219

Hutchings A, Hayes H (2009) Routine activity theory and phishing victimisation: who gets caught in the ‘net’? Curr Issues Crim Justice 20(3):433–452

Ki E-J, Chang B-H, Khang H (2006) Exploring influential factors on music piracy across countries. J Commun 56(2):406–426

Kigerl A (2012) Routine activity theory and the determinants of high cybercrime countries. Soc Sci Comput Rev 30(4):470–486

Kigerl A (2016) Cyber crime nation typologies: K-means clustering of countries based on cyber crime rates. Int J Cyber Criminol 10(2):147–169

Kigerl A (2021) Routine activity theory and malware, fraud, and spam at the national level. Crime Law Soc Chang 76:109–130

Kshetri N (2010) Diffusion and effects of cyber-crime in developing economies. Third World Q 31(7):1057–1079

Kumar S, Carley KM (2016) ‘Approaches to understanding the motivations behind cyber attacks’. 2016 IEEE Conference on Intelligence and Security Informatics (ISI). IEEE, pp. 307–309

Lallie HS, Shepherd LA, Nurse JR, Erola A, Epiphaniou G, Maple C, Bellekens X (2021) Cyber security in the age of covid-19: a timeline and analysis of cyber-crime and cyber-attacks during the pandemic. Comput Secur 105:102248


Lazarus S, Okolorie GU (2019) The bifurcation of the Nigerian cybercriminals: Narratives of the Economic and Financial Crimes Commission (EFCC) agents. Telemat Informat 40:14–26

Leukfeldt R, Holt TJ (2019) The human factor of cybercrime. Routledge

Lianos H, McGrath A (2018) Can the general theory of crime and general strain theory explain cyberbullying perpetration? Crime Delinq 64(5):674–700

Lusthaus J, Bruce M, Phair N (2020) ‘Mapping the geography of cybercrime: a review of indices of digital offending by country’. 2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW): IEEE, pp. 448–453

Lusthaus J, Varese F (2021) Offline and local: the hidden face of cybercrime. Policing J Policy Pract 15(1):4–14

Maimon D, Wilson T, Ren W, Berenblum T (2015) On the relevance of spatial and temporal dimensions in assessing computer susceptibility to system trespassing incidents. Br J Criminol 55(3):615–634

Makridis CA, Smeets M (2019) Determinants of cyber readiness. J Cyber Policy 4(1):72–89

Mandelcorn S, Modarres M, Mosleh A (2013) An explanatory model of cyberattacks drawn from rational choice theory. Trans Am Nuclear Soc 109(1):1869–1871

McAfee (2021) McAfee and the Center for Strategic and International Studies (CSIS). The Hidden Costs of Cybercrime. [Accessed on Aug 21, 2021]

McGuire M, Dowling S (2013) Cyber-crime: a review of the evidence. Summary of key findings and implications. Home Office Research Report 75, Home Office, United Kingdom, Oct. 30p

Meke E (2012) Urbanization and cyber Crime in Nigeria: causes and consequences. Eur J Comput Sci Inform Technol 3(9):1–11

Mezzour G, Carley L, Carley KM (2014) Global mapping of cyber attacks. Available at SSRN 2729302

Mikkola M, Oksanen A, Kaakinen M, Miller BL, Savolainen I, Sirola A, Zych I, Paek H-J (2020) Situational and individual risk factors for cybercrime victimization in a cross-national context. Int J Offender Ther Comparat Criminol

Mohurle S, Patil M (2017) A brief study of wannacry threat: ransomware attack 2017. Int J Adv Res Comput Sci 8(5):1938–1940

Neal S (2014) Cybercrime, transgression and virtual environments. Crime: Willan, pp. 71–104

Ngo FT, Paternoster R (2011) Cybercrime victimization: an examination of individual and situational level factors. Int J Cyber Criminol 5(1):773

Onuora A, Uche D, Ogbunude F, Uwazuruike F (2017) The challenges of cybercrime in Nigeria: an overview. AIPFU J School Sci 1(2):6–11

Overvest B, Straathof B (2015) What drives cybercrime? Empirical evidence from DDoS attacks. CPB Netherlands Bureau for Economic Policy Analysis

Pandita R (2017) Internet: a change agent an overview of internet penetration & growth across the world. Int J Inform Dissemination Technol 7(2):83

Payne BK (2020) Defining cybercrime. The Palgrave handbook of international cybercrime and cyberdeviance. Palgrave Macmillan. pp. 3–25

Phillips K, Davidson JC, Farr RR, Burkhardt C, Caneppele S, Aiken MP (2022) Conceptualizing cybercrime: definitions, typologies and taxonomies. Forensic Sci 2(2):379–398

Pick JB, Azari R (2008) Global digital divide: Influence of socioeconomic, governmental, and accessibility factors on information technology. Inform Technol Dev 14(2):91–115

Pranggono B, Arabo A (2021) COVID‐19 pandemic cybersecurity issues. Internet Technol Lett 4(2):e247

Pratt TC, Holtfreter K, Reisig MD (2010) Routine online activity and internet fraud targeting: extending the generality of routine activity theory. J Res Crime Delinquency 47(3):267–296

R Core Team (2013) R: a language and environment for statistical computing. R Core Team

Sarre R, Lau LY-C, Chang LY (2018) Responding to cybercrime: current trends. Taylor & Francis

Solano PC, Peinado AJR (2017) ‘Socio-economic factors in cybercrime: Statistical study of the relation between socio-economic factors and cybercrime’. 2017 International Conference On Cyber Situational Awareness, Data Analytics And Assessment (Cyber SA): IEEE, pp. 1–4

Srivastava SK, Das S, Udo GJ, Bagchi K (2020) Determinants of cybercrime originating within a nation: a cross-country study. J Glob Inf Technol Manag 23(2):112–137

Sutanrikulu A, Czajkowska S, Grossklags J (2020) ‘Analysis of darknet market activity as a country-specific, socio-economic and technological phenomenon’. 2020 APWG Symposium on Electronic Crime Research (eCrime): IEEE, pp. 1–10

UNODC (2013) Comprehensive study on cybercrime. United Nations, New York

Van Eeten M, Bauer JM, Asghari H, Tabatabaie S (2010) The role of internet service providers in botnet mitigation: an empirical analysis based on spam data. TPRC

Waldrop MM (2016) How to hack the hackers: the human side of cybercrime. Nature 533:164–167

Wall D (2007) Cybercrime: the transformation of crime in the information age. Polity

Walters GD (2015) Proactive criminal thinking and the transmission of differential association: a cross-lagged multi-wave path analysis. Crim Just Behav 42(11):1128–1144

Watters PA, McCombie S, Layton R, Pieprzyk J (2012) Characterising and predicting cyber attacks using the Cyber Attacker Model Profile (CAMP). J Money Laund Control. ISSN: 1368-5201

Williams ML (2016) Guardians upon high: an application of routine activities theory to online identity theft in Europe at the country and individual level. Br J Criminol 56(1):21–48


Research Article

Mapping the global geography of cybercrime with the World Cybercrime Index

Roles Data curation, Formal analysis, Investigation, Methodology, Visualization, Writing – original draft


Affiliations Department of Sociology, University of Oxford, Oxford, United Kingdom, Canberra School of Professional Studies, University of New South Wales, Canberra, Australia


Roles Conceptualization, Investigation, Methodology, Writing – original draft

Affiliations Department of Sociology, University of Oxford, Oxford, United Kingdom, Oxford School of Global and Area Studies, University of Oxford, Oxford, United Kingdom

Roles Formal analysis, Methodology, Writing – review & editing

Affiliations Department of Sociology, University of Oxford, Oxford, United Kingdom, Leverhulme Centre for Demographic Science, University of Oxford, Oxford, United Kingdom

Roles Funding acquisition, Methodology, Writing – review & editing

Affiliation Department of Software Systems and Cybersecurity, Faculty of IT, Monash University, Victoria, Australia

Roles Conceptualization, Funding acquisition, Methodology, Writing – review & editing

Affiliation Centre d’études européennes et de politique comparée, Sciences Po, Paris, France

  • Miranda Bruce, 
  • Jonathan Lusthaus, 
  • Ridhi Kashyap, 
  • Nigel Phair, 
  • Federico Varese


  • Published: April 10, 2024

Although the geography of cybercrime attacks has been documented, the geography of cybercrime offenders–and the corresponding level of “cybercriminality” present within each country–is largely unknown. A number of scholars have noted that valid and reliable data on offender geography are sparse [ 1 – 4 ], and there are several significant obstacles to establishing a robust metric of cybercriminality by country. First, there are the general challenges associated with the study of any hidden population, for whom no sampling frame exists [ 5 , 6 ]. If cybercriminals themselves cannot be easily accessed or reliably surveyed, then cybercriminality must be measured through a proxy. This is the second major obstacle: deciding what kind of proxy data would produce the most valid measure of cybercriminality. While there is much technical data on cybercrime attacks, this data captures artefacts of the digital infrastructure or proxy (obfuscation) services used by cybercriminals, rather than their true physical location. Non-technical data, such as legal cases, can provide geographical attribution for a small number of cases, but the data are not representative of global cybercrime. In short, the question of how best to measure the geography of cybercriminal offenders is complex and unresolved.

There is tremendous value in developing a metric for cybercrime. Cybercrime is a major challenge facing the world, with the most sober cost estimates in the hundreds of millions [ 7 , 8 ], but with high-end estimates in the trillions [ 9 ]. By accurately identifying which countries are cybercrime hotspots, the public and private sectors could concentrate their resources on these hotspots and spend less time and funds on cybercrime countermeasures in countries where the problem is limited. Whichever strategies are deployed in the fight against cybercrime (see for example [ 10 – 12 ]), they should be targeted at countries that produce the largest cybercriminal threat [ 3 ]. A measure of cybercriminality would also enable other lines of scholarly inquiry. For instance, an index of cybercriminality by country would allow for a genuine dependent variable to be deployed in studies attempting to assess which national characteristics–such as educational attainment, Internet penetration, or GDP–are associated with cybercrime [ 4 , 13 ]. These associations could also be used to identify future cybercrime hubs so that early interventions could be made in at-risk countries before a serious cybercrime problem develops. Finally, this metric would speak directly to theoretical debates on the locality of cybercrime, and organized crime more generally [ 11 – 14 ]. The challenge we have accepted is to develop a metric that is both global and robust. The following sections respectively outline the background elements of this study, the methods, the results, and then discussion and limitations.

Profit-driven cybercrime, which is the focus of this paper/research, has been studied by both social scientists and computer scientists. It has been characterised by empirical contributions that have sought to illuminate the nature and organisation of cybercrime both online and offline [ 15 – 20 ]. But, as noted above, the geography of cybercrime has only been addressed by a handful of scholars, and they have identified a number of challenges connected to existing data. In a review of existing work in this area, Lusthaus et al. [ 2 ] identify two flaws in existing cybercrime metrics: 1) their ability to correctly attribute the location of cybercrime offenders; 2) beyond a handful of examples, their ability to compare the severity and scale of cybercrime between countries.

Building attribution into a cybercrime index is challenging. Often using technical data, cybersecurity firms, law enforcement agencies and international organisations regularly publish reports that identify the major sources of cyber attacks (see for example [ 21 – 24 ]). Some of these sources have been aggregated by scholars (see [ 20 , 25 – 29 ]). But the kind of technical data contained in these reports cannot accurately measure offender location. Kigerl [ 1 ] provides some illustrative remarks:

Where the cybercriminals live is not necessarily where the cyberattacks are coming from. An offender from Romania can control zombies in a botnet, mostly located in the United States, from which to send spam to countries all over the world, with links contained in them to phishing sites located in China. The cybercriminal’s reach is not limited by national borders (p. 473).

As cybercriminals often employ proxy services to hide their IP addresses, carry out attacks across national boundaries, collaborate with partners around the world, and can draw on infrastructure based in different countries, superficial measures do not capture the true geographical distribution of these offenders. Lusthaus et al. [ 2 ] conclude that attempts to produce an index of cybercrime by country using technical data suffer from a problem of validity. “If they are a measure of anything”, they argue, “they are a measure of cyber-attack geography”, not of the geography of offenders themselves (p. 452).

Non-technical data are far better suited to incorporating attribution. Court records, indictments and other investigatory materials speak more directly to the identification of offenders and provide more granular detail on their location. But while this type of data is well matched to micro-level analysis and case studies, there are fundamental questions about the representativeness of these small samples, even if collated. First, any sample would capture cases only where cybercriminals had been prosecuted, and would not include offenders that remain at large. Second, if the aim was to count the number of cybercrime prosecutions by country, this may reflect the seriousness with which various countries take cybercrime law enforcement or the resources they have to pursue it, rather than the actual level of cybercrime within each country (for a discussion see [ 30 , 31 ]). Given such concerns, legal data is also not an appropriate approach for such a research program.

Furthermore, to carry out serious study on this topic, a cybercrime metric should aim to include as many countries as possible, and the sample must allow for variation so that high and low cybercrime countries can be compared. If only a handful of widely known cybercrime hubs are studied, this will result in selection on the dependent variable. The obvious challenge in providing such a comparative scale is the lack of good quality data to devise it. As an illustration, in their literature review Hall et al. [ 10 ] identify the “dearth of robust data” on the geographical location of cybercriminals, which means they are only able to include six countries in their final analysis (p. 285. See also [ 4 , 32 , 33 ]).

Considering the weaknesses within both existing technical and legal data discussed above, Lusthaus et al. [ 2 ] argue for the use of an expert survey to establish a global metric of cybercriminality. Expert survey data “can be extrapolated and operationalised”, and “attribution can remain a key part of the survey, as long as the participants in the sample have an extensive knowledge of cybercriminals and their operations” (p. 453). Up to this point, no such study has been produced. Such a survey would need to be very carefully designed for the resulting data to be both reliable and valid. One criticism of past cybercrime research is that surveys were used whenever other data was not immediately available, and that they were not always designed with care (for a discussion see [ 34 ]).

In response to the preceding considerations, we designed an expert survey in 2020, refined it through focus groups, and deployed it throughout 2021. The survey asked participants to consider five major types of cybercrime (Technical products/services; Attacks and extortion; Data/identity theft; Scams; and Cashing out/money laundering) and nominate the countries that they consider to be the most significant sources of each of these cybercrime types. Participants then rated each nominated country according to the impact of the offenses produced there, and the professionalism and technical skill of the offenders based there. Using the expert responses, we generated scores for each type of cybercrime, which we then combined into an overall metric of cybercriminality by country: the World Cybercrime Index (WCI). The WCI achieves our initial goal to devise a valid measure of cybercrime hub location and significance, and is the first step in our broader aim to understand the local dimensions of cybercrime production across the world.


Identifying and recruiting cybercrime experts is challenging. Much like the hidden population of cybercriminals we were trying to study, cybercrime experts themselves are also something of a hidden population. Due to the nature of their work, professionals working in the field of cybercrime tend to be particularly wary of unsolicited communication. There is also the problem of determining who is a true cybercrime expert, and who is simply presenting themselves as one. We designed a multi-layered sampling method to address such challenges.

The heart of our strategy involved purposive sampling. For an index based entirely on expert opinion, ensuring the quality of these experts (and thereby the quality of our survey results) was of the utmost importance. We defined “expertise” as adult professionals who have been engaged in cybercrime intelligence, investigation, and/or attribution for a minimum of five years and had a reputation for excellence amongst their peers. Only currently- or recently-practicing intelligence officers and investigators were included in the participant pool. While participants could be from either the public or private sectors, we explicitly excluded professionals working in the field of cybercrime research who are not actively involved in tracking offenders, which includes writers and academics. In short, only experts with first-hand knowledge of cybercriminals are included in our sample. To ensure we had the leading experts from a wide range of backgrounds and geographical areas, we adopted two approaches for recruitment. We searched extensively through a range of online sources including social media (e.g. LinkedIn), corporate sites, news articles and cybercrime conference programs to identify individuals who met our inclusion criteria. We then faced a second challenge of having to find or discern contact information for these individuals.

Complementing this strategy, the authors also used their existing relationships with recognised cybercrime experts to recruit participants using the “snowball” method [ 35 ]. This both enhanced access and provided a mechanism for those we knew were bona fide experts to recommend other bona fide experts. The majority of our participants were recruited in this manner, either directly through our initial contacts or through a series of referrals that followed. But it is important to note that this snowball sampling fell under our broader purposive sampling strategy. That is, all the original “seeds” had to meet our inclusion criteria of being a top expert in the first instance. Any connections we were offered also had to meet our criteria or we would not invite them to participate. Another important aspect of this sampling strategy is that we did not rely on only one gatekeeper, but numerous, often unrelated, individuals who helped us with introductions. This approach reduced bias in the sample. It was particularly important to deploy a number of different “snowballs” to ensure that we included experts from each region of the world (Africa, Asia Pacific, Europe, North America and South America) and from a range of relevant professional backgrounds. We limited our sampling strategy to English speakers. The survey itself was likewise written in English. The use of English was partly driven by the resources available for this study, but the population of cybercrime experts is itself very global, with many attending international conferences and cooperating with colleagues from across the world. English is widely spoken within this community. While we expect the gains to be limited, future surveys will be translated into some additional languages (e.g. Spanish and Chinese) to accommodate any non-English speaking experts that we may not otherwise be able to reach.

Our survey design, detailed below, received ethics approval from the Human Research Advisory Panel (HREAP A) at the University of New South Wales in Australia, approval number HC200488, and the Research Ethics Committee of the Department of Sociology (DREC) at the University of Oxford in the United Kingdom, approval number SOC_R2_001_C1A_20_23. Participants were recruited in waves between 1 August 2020 and 30 September 2021. All participants provided consent to participate in the focus groups, pilot survey, and final survey.

Survey design

The survey comprised three stages. First, we conducted three focus groups with seven experts in cybercrime intelligence/investigations to evaluate our initial assumptions, concepts, and framework. These experts were recruited because they had reputations as some of the very top experts in the field; they represented a range of backgrounds in terms of their own geographical locations and expertise across different types of cybercrime; and they spanned both the public and private sectors. In short, they offered a cross-section of the survey sample we aimed to recruit. These focus groups informed several refinements to the survey design and to specific terms, making them more comprehensible to participants. Some of the key terms, such as “professionalism” and “impact”, were a direct result of this process. Second, some participants from the focus groups then completed a pilot version of the survey, alongside others who had not taken part in these focus groups and who could offer a fresh perspective. This allowed us to test technical components, survey questions, and user experience. The pilot participants provided useful feedback and prompted a further refinement of our approach. The final survey was released online in March 2021 and closed in October 2021. We implemented several elements to ensure data quality, including a series of preceding statements about time expectations, attention checks, and visual cues throughout the survey. These elements significantly increased the likelihood that our participants were both suitable and would provide full and thoughtful responses.

The introduction to the survey outlined the survey’s two main purposes: to identify which countries are the most significant sources of profit-driven cybercrime, and to determine how impactful the cybercrime is in these locations. Participants were reminded that state-based actors and offenders driven primarily by personal interests (for instance, cyberbullying or harassment) should be excluded from their consideration. We defined the “source” of cybercrime as the country where offenders are primarily based, rather than their nationality. To maintain a level of consistency, we made the decision to only include countries formally recognised by the United Nations. We initially developed seven categories of cybercrime to be included in the survey, based on existing research. But during the focus groups and pilot survey, our experts converged on five categories as the most significant cybercrime threats on a global scale:

  • Technical products/services (e.g. malware coding, botnet access, access to compromised systems, tool production).
  • Attacks and extortion (e.g. DDoS attacks, ransomware).
  • Data/identity theft (e.g. hacking, phishing, account compromises, credit card compromises).
  • Scams (e.g. advance fee fraud, business email compromise, online auction fraud).
  • Cashing out/money laundering (e.g. credit card fraud, money mules, illicit virtual currency platforms).

After being prompted with these descriptions and a series of images of world maps to ensure participants considered a wide range of regions/countries, participants were asked to nominate up to five countries that they believed were the most significant sources of each of these types of cybercrime. Countries could be listed in any order; participants were not instructed to rank them. Nominating countries was optional and participants were free to skip entire categories if they wished. Participants were then asked to rate each of the countries they nominated against three measures: how impactful the cybercrime is, how professional the cybercrime offenders are, and how technically skilled the cybercrime offenders are. Across each of these three measures, participants were asked to assign scores on a Likert-type scale from 1 (e.g. least professional) to 10 (e.g. most professional). Nominating and then rating countries was repeated for all five cybercrime categories.

This process, of nominating and then rating countries across each category, introduces a potential limitation in the survey design: the possibility of survey response fatigue. If a participant nominated the maximum number of countries across each cybercrime category– 25 countries–by the end of the survey they would have completed 75 Likert-type scales. The repetition of this task, paired with the consideration that it requires, has the potential to introduce respondent fatigue as the survey progresses, in the form of response attrition, an increase in careless responses, and/or increased likelihood of significantly higher/lower scores given. This is a common phenomenon in long-form surveys [ 36 ], and especially online surveys [ 37 , 38 ]. Jeong et al [ 39 ], for instance, found that questions asked near the end of a 2.5 hour survey were 10–64% more likely to be skipped than those at the beginning. We designed the survey carefully, refined with the aid of focus groups and a pilot, to ensure that only the most essential questions were asked. As such, the survey was not overly long (estimated to take 30 minutes). To accommodate any cognitive load, participants were allowed to complete the survey anytime within a two-week window. Their progress was saved after each session, which enabled participants to take breaks between completing each section (a suggestion made by Jeong et al [ 39 ]). Crucially, throughout survey recruitment, participants were informed that the survey is time-intensive and required significant attention. At the beginning of the survey, participants were instructed not to undertake the survey unless they could allocate 30 minutes to it. This approach pre-empted survey fatigue by discouraging those likely to lose interest from participating. This compounds the fact that only experts with a specific/strong interest in the subject matter of the survey were invited to participate. 
Survey fatigue is addressed further in the Discussion section, where we provide an analysis suggesting little evidence of participant fatigue.

In sum, we designed the survey to protect against various sources of bias and error, and there are encouraging signs that the effects of these issues in the data are limited (see Discussion). Yet expert surveys are inherently prone to some types of bias and response issues; in the WCI, the issue of selection and self-selection within our pool of experts, as well as geo-political biases that may lead to systematic over- or under-scoring of certain countries, is something we considered closely. We discuss these issues in detail in the subsection on Limitations below.


This “type” score is then multiplied by the proportion of experts who nominated that country. Within each cybercrime type, a country could be nominated a possible total of 92 times–once per participant. We then multiply this weighted score by ten to produce a continuous scale out of 100 (see Eq (2)). This process prevents countries that received high scores, but a low number of nominations, from receiving artificially high rankings.
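The weighting described above, worked through on constructed survey responses, as an added example that is not the authors' published R code. The definition of the “type” score is not reproduced on this page, so the code assumes it is the average of a country's three mean ratings (impact, professionalism, technical skill); the country names, ratings and function names are constructed for illustration.

```python
from collections import defaultdict

N_EXPERTS = 92        # participants who completed the survey (from the page)
MAX_NOMINATIONS = 5   # countries one expert may nominate per cybercrime type
MEASURES = ("impact", "professionalism", "technical_skill")


def validate(responses, n_experts=N_EXPERTS):
    """Enforce the survey rules: at most five distinct countries per expert
    within one cybercrime type, and every rating on the 1-10 scale."""
    nominated = defaultdict(set)
    for r in responses:
        expert, country = r["expert"], r["country"]
        if country in nominated[expert]:
            raise ValueError(f"expert {expert} nominated {country} twice")
        nominated[expert].add(country)
        if len(nominated[expert]) > MAX_NOMINATIONS:
            raise ValueError(f"expert {expert} exceeded {MAX_NOMINATIONS} nominations")
        for m in MEASURES:
            if not 1 <= r[m] <= 10:
                raise ValueError(f"{m}={r[m]} is outside the 1-10 scale")
    if len(nominated) > n_experts:
        raise ValueError("more respondents than survey participants")


def wci_type_scores(responses, n_experts=N_EXPERTS):
    """Return per-country nomination count, type score and weighted WCI score
    for a single cybercrime type."""
    validate(responses, n_experts)
    by_country = defaultdict(list)
    for r in responses:
        by_country[r["country"]].append(r)

    scores = {}
    for country, rows in by_country.items():
        # Mean rating per measure, averaged over the experts who nominated.
        means = [sum(r[m] for r in rows) / len(rows) for m in MEASURES]
        # ASSUMPTION: type score = average of the three mean ratings (0-10).
        type_score = sum(means) / len(means)
        # From the page: weight by the share of experts who nominated the
        # country, then multiply by ten to reach a scale out of 100.
        proportion = len(rows) / n_experts
        scores[country] = {
            "nominations": len(rows),
            "type_score": type_score,
            "wci": type_score * proportion * 10,
        }
    return scores


def ranking(scores):
    """Countries ordered by weighted WCI score, highest first."""
    return sorted(scores, key=lambda c: scores[c]["wci"], reverse=True)


def constructed_responses():
    """Constructed data: A is widely nominated with moderate ratings, C is
    nominated by a third of experts, B gets one nomination with top ratings."""
    def row(expert, country, impact, prof, tech):
        return {"expert": expert, "country": country, "impact": impact,
                "professionalism": prof, "technical_skill": tech}

    rows = [row(e, "Country A", 7, 7, 7) for e in range(60)]
    rows += [row(e, "Country C", 9, 8, 7) for e in range(30, 60)]
    rows.append(row(91, "Country B", 10, 10, 10))
    return rows


if __name__ == "__main__":
    result = wci_type_scores(constructed_responses())
    for country in ranking(result):
        s = result[country]
        print(f"{country}: nominations={s['nominations']:2d} "
              f"type={s['type_score']:.2f} wci={s['wci']:.2f}")
```

Country B has the highest unweighted score but ranks last once the nomination share is applied, which is the effect the weighting is designed to produce.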


The analyses for this paper were performed in R. All data and code have been made publicly available so that our analysis can be reproduced and extended.

We contacted 245 individuals to participate in the survey, of which 147 agreed and were sent invitation links to participate. Out of these 147, a total of 92 people completed the survey, giving us an overall response rate of 37.5%. Given the expert nature of the sample, this is a high response rate (for a detailed discussion see [ 40 ]), and one just below what Wu, Zhao, and Fils-Aime estimate of response rates for general online surveys in social science: 44% [ 41 ]. The survey collected information on the participants’ primary nationality and their current country of residence. Four participants chose not to identify their nationality. Overall, participants represented all five major geopolitical regions (Africa, the Asia-Pacific, Europe, North America and South America), both in nationality and residence, though the distribution was uneven and concentrated in particular regions/countries. There were 8 participants from Africa, 11 participants from the Asia Pacific, 27 from North America, and 39 from Europe. South America was the least represented region with only 3 participants. A full breakdown of participants’ nationality, residence, and areas of expertise is included in the Supporting Information document (see S1 Appendix ).

Table 1 shows the scores for the top fifteen countries of the WCI overall index. Each entry shows the country, along with the mean score (out of 10) averaged across the participants who nominated this country, for three categories: impact, professionalism, and technical skill. This is followed by each country’s WCI overall and WCI type scores. Countries are ordered by their WCI overall score. Each country’s highest WCI type scores are highlighted. Full indices that include all 197 UN-recognised countries can be found in S1 Indices.



Some initial patterns can be observed from this table, as well as the full indices in the supplementary document (see S1 Indices ). First, a small number of countries hold consistently high ranks for cybercrime. Six countries–China, Russia, Ukraine, the US, Romania, and Nigeria–appear in the top 10 of every WCI type index, including the WCI overall index. Aside from Romania, all appear in the top three at least once. While appearing in a different order, the first ten countries in the Technical products/services and Attacks and extortion indices are the same. Second, despite this small list of countries regularly appearing as cybercrime hubs, the survey results capture a broad geographical diversity. All five geopolitical regions are represented across each type. Overall, 97 distinct countries were nominated by at least one expert. This can be broken down into the cybercrime categories. Technical products/services includes 41 different countries; Attacks and extortion 43; Data/identity theft 51; Scams 49; and Cashing out/money laundering 63.

Some key findings emerge from these results, which are further illustrated by the following Figs 1 and 2 . First, cybercrime is not universally distributed. Certain countries are cybercrime hubs, while many others are not associated with cybercriminality in a serious way. Second, countries that are cybercrime hubs specialise in particular types of cybercrime. That is, despite a small number of countries being leading producers of cybercrime, there is meaningful variation between them both across categories, and in relation to scores for impact, professionalism and technical skill. Third, the results show a longer list of cybercrime-producing countries than are usually included in publications on the geography of cybercrime. As the survey captures leading producers of cybercrime, rather than just any country where cybercrime is present, this suggests that, even if a small number of countries are of serious concern, and close to 100 are of little concern at all, the remaining half are of at least moderate concern.


Base map and data from OpenStreetMap and OpenStreetMap Foundation.


To examine further the second finding concerning hub specialisation, we calculated an overall “Technicality score”–or “T-score”–for the top 15 countries of the WCI overall index. We assigned a value from 2 to -2 to each type of cybercrime to designate the level of technical complexity involved. Technical products/services is the most technically complex type (2), followed by Attacks and extortion (1), Data/identity theft (0), Scams (-1), and finally Cashing out and money laundering (-2), which has very low technical complexity. We then multiplied each country’s WCI score for each cybercrime type by its assigned value–for instance, a Scams WCI score of 5 would be multiplied by -1, with a final modified score of -5. As a final step, for each country, we added all of their modified WCI scores across all five categories together to generate the T-score. Fig 3 plots the top 15 WCI overall countries’ T-scores, ordering them by score. Countries with negative T-scores are highlighted in red, and countries with positive scores are in black.


Negative values correspond to lower technicality, positive values to higher technicality.

The T-score is best suited to characterising a given hub’s specialisation. For instance, as the line graph makes clear, Russia and Ukraine are highly technical cybercrime hubs, whereas Nigerian cybercriminals are engaged in less technical forms of cybercrime. But for countries that lie close to the centre (0), the story is more complex. Some may specialise in cybercrime types with middling technical complexity (e.g. Data/identity theft ). Others may specialise in both high- and low-tech crimes. In this sample of countries, India (-6.02) somewhat specialises in Scams but is otherwise a balanced hub, whereas Romania (10.41) and the USA (-2.62) specialise in both technical and non-technical crimes, balancing their scores towards zero. In short, each country has a distinct profile, indicating a unique local dimension.
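The nomination weighting and the T-score calculation described above, worked through in Python as an added example (it is not the authors' published R code). The hub profiles and nomination counts are constructed for illustration, and the per-type score out of 10 is taken as a given input.

```python
N_EXPERTS = 92  # participants who could nominate a country (from the text)

# Technical-complexity weights assigned to each cybercrime type in the text.
T_WEIGHTS = {
    "Technical products/services": 2,
    "Attacks and extortion": 1,
    "Data/identity theft": 0,
    "Scams": -1,
    "Cashing out/money laundering": -2,
}


def wci_type_score(type_score, nominations, n_experts=N_EXPERTS):
    """Weight a type score (out of 10) by the share of experts who nominated
    the country, then multiply by ten to reach a 0-100 scale."""
    if not 0 <= type_score <= 10:
        raise ValueError("type score must lie between 0 and 10")
    if not 0 <= nominations <= n_experts:
        raise ValueError("nominations cannot exceed the number of experts")
    return type_score * (nominations / n_experts) * 10


def modified_scores(wci_by_type):
    """Multiply each WCI type score by its technical-complexity weight."""
    missing = set(T_WEIGHTS) - set(wci_by_type)
    if missing:
        raise ValueError(f"missing cybercrime types: {sorted(missing)}")
    return {t: T_WEIGHTS[t] * wci_by_type[t] for t in T_WEIGHTS}


def t_score(wci_by_type):
    """Sum the modified scores across all five types."""
    return sum(modified_scores(wci_by_type).values())


def as_profile(scores):
    """Attach five scores to the type names, in T_WEIGHTS order."""
    return dict(zip(T_WEIGHTS, scores))


# Constructed WCI type scores (not values from Table 1).
CONSTRUCTED_HUBS = {
    "Hub A (technical)": as_profile([40, 30, 20, 5, 5]),
    "Hub B (low-tech)": as_profile([2, 3, 10, 35, 20]),
    "Hub C (mid-complexity)": as_profile([2, 2, 40, 2, 2]),
    "Hub D (both extremes)": as_profile([30, 5, 5, 5, 30]),
}


def rank_by_t_score(hubs):
    """Order hubs from most to least technical, as the T-score plot does."""
    scored = [(name, t_score(profile)) for name, profile in hubs.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    # A high rating from 2 experts is outweighed by a moderate one from 60.
    print(round(wci_type_score(9.0, 2), 2), round(wci_type_score(6.0, 60), 2))
    for name, score in rank_by_t_score(CONSTRUCTED_HUBS):
        print(f"{score:>5}  {name}  {modified_scores(CONSTRUCTED_HUBS[name])}")
```

Hubs C and D both score 0 although their profiles differ, which is why a T-score near zero has to be read alongside the per-type scores.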

This paper introduces a global and robust metric of cybercriminality–the World Cybercrime Index. The WCI moves past previous technical measures of cyber attack geography to establish a more focused measure of the geography of cybercrime offenders. Elicited through an expert survey, the WCI shows that cybercrime is not universally distributed. The key theoretical contribution of this index is to illustrate that cybercrime, often seen as a fluid and global type of organized crime, actually has a strong local dimension (in keeping with broader arguments by some scholars, such as [ 14 , 42 ]).

While we took a number of steps to ensure our sample of experts was geographically representative, the sample is skewed towards some regions (such as Europe) and some countries (such as the US). This may simply reflect the high concentration of leading cybercrime experts in these locations. But it is also possible this distribution reflects other factors, including the authors’ own social networks; the concentration of cybercrime taskforces and organisations in particular countries; the visibility of different nations on networking platforms like LinkedIn; and also perhaps norms of enthusiasm or suspicion towards foreign research projects, both inside particular organisations and between nations.

To better understand what biases might have influenced the survey data, we analysed participant rating behaviours with a series of linear regressions. Numerical ratings were the response and different participant characteristics–country of nationality; country of residence; crime type expertise; and regional expertise–were the predictors. Our analysis found evidence (p < 0.05) that participants assigned higher ratings to the countr(ies) they either reside in or are citizens of, though this was not a strong or consistent result. For instance, regional experts did not consistently rate their region of expertise more highly than other regions. European and North American experts, for example, rated countries from these regions lower than countries from other regions. Our analysis of cybercrime type expertise showed even less systematic rating behaviour, with no regression yielding a statistically significant (p < 0.05) result. Small sample sizes across other known participant characteristics meant that further analyses of rating behaviour could not be performed. This applied to, for instance, whether residents and citizens of the top ten countries in the WCI nominated their own countries more or less often than other experts. On this point: 46% of participants nominated their own country at some point in the survey, but the majority (83%) of nominations were for a country different to the participant’s own country of residence or nationality. This suggested limited bias towards nominating one’s own country. Overall, these analyses point to an encouraging observation: while there is a slight home-country bias, this does not systematically result in higher rating behaviour. Longitudinal data from future surveys, as well as a larger participant pool, will better clarify what other biases may affect rating behaviour.

There is little evidence to suggest that survey fatigue affected our data. As the survey progressed, the heterogeneity of nominated countries across all experts increased, from 41 different countries nominated in the first category to 63 different countries nominated in the final category. If fatigue played a significant role in the results then we would expect this number to decrease, as participants were not required to nominate countries within a category and would have been motivated to nominate fewer countries to avoid extending their survey time. We further investigated the data for evidence of survey fatigue in two additional ways: by performing a Mann-Kendall/Sen’s slope trend test (MK/S) to determine whether scores skewed significantly upwards or downwards towards the end of the survey; and by compiling an intra-individual response variability (IRV) index to search for long strings of repeated scores at the end of the survey [ 43 ]. The MK/S test was marginally statistically significant (p<0.048), but the results indicated that scores trended downwards only minimally (-0.002 slope coefficient). Likewise, while the IRV index uncovered a small group of participants (n = 5) who repeatedly inserted the same score, this behaviour was not more likely to happen at the end of the survey (see S7 and S8 Tables in S1 Appendix ).

It is encouraging that there is at least some external validation for the WCI’s highest ranked countries. Steenbergen and Marks [ 44 ] recommend that data produced from expert judgements should “demonstrate convergent validity with other measures of [the topic]–that is, the experts should provide evaluations of the same […] phenomenon that other measurement instruments pick up.” (p. 359) Most studies of the global cybercrime geography are, as noted in the introduction, based on technical measures that cannot accurately establish the true physical location of offenders (for example [ 1 , 4 , 28 , 33 , 45 ]). Comparing our results to these studies would therefore be of little value, as the phenomena being measured differ: they are measuring attack infrastructure, whereas the WCI measures offender location. Instead, looking at in-depth qualitative cybercrime case studies would provide a better comparison, at least for the small number of higher ranked countries. Though few such studies into profit-driven cybercrime exist, and the number of countries included is limited, we can see that the top ranked countries in the WCI match the key cybercrime producing countries discussed in the qualitative literature (see for example [ 3 , 10 , 32 , 46 – 50 ]). Beyond this qualitative support, our sampling strategy–discussed in the Methods section above–is our most robust control for ensuring the validity of our data.

Along with contributing to theoretical debates on the (local) nature of organized crime [ 1 , 14 ], this index can also contribute to policy discussions. For instance, there is an ongoing debate as to the best approaches to take in cybercrime reduction, whether this involves improving cyber-law enforcement capacity [ 3 , 51 ], increasing legitimate job opportunities and access to youth programs for potential offenders [ 52 , 53 ], strengthening international agreements and law harmonization [ 54 – 56 ], developing more sophisticated and culturally-specific social engineering countermeasures [ 57 ], or reducing corruption [ 3 , 58 ]. As demonstrated by the geographical, economic, and political diversity of the top 15 countries (see Table 1 ), the likelihood that a single strategy will work in all cases is low. If cybercrime is driven by local factors, then mitigating it may require a localised approach that considers the different features of cybercrime in these contexts. But no matter what strategies are applied in the fight against cybercrime, they should be targeted at the countries that produce the most cybercrime, or at least produce the most impactful forms of it [ 3 ]. An index is a valuable resource for determining these countries and directing resources appropriately. Future research that explains what is driving cybercrime in these locations might also suggest more appropriate means for tackling the problem. Such an analysis could examine relevant correlates, such as corruption, law enforcement capacity, internet penetration, education levels and so on to inform/test a theoretically-driven model of what drives cybercrime production in some locations, but not others. It also might be possible to make a kind of prediction: to identify those nations that have not yet emerged as cybercrime hubs but may in the future. This would allow an early warning system of sorts for policymakers seeking to prevent cybercrime around the world.


In addition to the points discussed above, the findings of the WCI should be considered in light of some remaining limitations. Firstly, as noted in the methods, our pool of experts was not as large or as globally representative as we had hoped. Achieving a significant response rate is a common issue across all surveys, and is especially difficult in those that employ the snowball technique [ 59 ] and also attempt to recruit experts [ 60 ]. However, ensuring that our survey data captures the most accurate picture of cybercrime activity is an essential aspect of the project, and the under-representation of experts from Africa and South America is noteworthy. More generally, our sample size (n = 92) is relatively small. Future iterations of the WCI survey should focus on recruiting a larger pool of experts, especially those from under-represented regions. However, this is a small and hard-to-reach population, which likely means the sample size will not grow significantly. While this limits statistical power, it is also a strength of the survey: by ensuring that we only recruit the top cybercrime experts in the world, the weight and validity of our data increases.

Secondly, though we developed our cybercrime types and measures with expert focus groups, the definitions used in the WCI will always be contestable. For instance, a small number of comments left at the end of the survey indicated that the Cashing out/money laundering category was unclear to some participants, who were unsure whether they should nominate the country in which these schemes are organised or the countries in which the actual cash out occurs. A small number of participants also commented that they were not sure whether the ‘impact’ of a country’s cybercrime output should be measured in terms of cost, social change, or some other metric. We limited any such uncertainties by running a series of focus groups to check that our categories were accurate to the cybercrime reality and comprehensible to practitioners in this area. We also ran a pilot version of the survey. The beginning of the survey described the WCI’s purpose and terms of reference, and participants were able to download a document that described the project’s methodology in further detail. Each time a participant was prompted to nominate countries as a significant source of a type of cybercrime, the type was re-defined and examples of offences under that type were provided. However, the examples were not exhaustive and the definitions were brief. This was done partly to avoid significantly lengthening the survey with detailed definitions and clarifications. We also wanted to avoid over-defining the cybercrime types so that any new techniques or attack types that emerged while the survey ran would be included in the data. Nonetheless, there will always remain some elasticity around participant interpretations of the survey.

Finally, although we restricted the WCI to profit-driven activity, the distinction between cybercrime that is financially-motivated, and cybercrime that is motivated by other interests, is sometimes blurred. Offenders who typically commit profit-driven offences may also engage in state-sponsored activities. Some of the countries with high rankings within the WCI may shelter profit-driven cybercriminals who are protected by corrupt state actors of various kinds, or who have other kinds of relationships with the state. Actors in these countries may operate under the (implicit or explicit) sanctioning of local police or government officials to engage in cybercrime. Thus while the WCI excludes state-based attacks, it may include profit-driven cybercriminals who are protected by states. Investigating the intersection between profit-driven cybercrime and the state is a strong focus in our ongoing and future research. If we continue to see evidence that these activities can overlap (see for example [ 32 , 61 – 63 ]), then any models explaining the drivers of cybercrime will need to address this increasingly important aspect of local cybercrime hubs.

This study makes use of an expert survey to better measure the geography of profit-driven cybercrime and presents the output of this effort: the World Cybercrime Index. This index, organised around five major categories of cybercrime, sheds light on the geographical concentrations of financially-motivated cybercrime offenders. The findings reveal that a select few countries pose the most significant cybercriminal threat. By illustrating that hubs often specialise in particular forms of cybercrime, the WCI also offers valuable insights into the local dimension of cybercrime. This study provides a foundation for devising a theoretically-driven model to explain why some countries produce more cybercrime than others. By contributing to a deeper understanding of cybercrime as a localised phenomenon, the WCI may help lift the veil of anonymity that protects cybercriminals and thereby enhance global efforts to combat this evolving threat.

The data collection for this project was carried out as part of a partnership between the Department of Sociology, University of Oxford and UNSW Canberra Cyber. The analysis and writing phases received support from CRIMGOV.


Review article. Phishing Attacks: A Recent Comprehensive Study and a New Anatomy

  Cardiff School of Technologies, Cardiff Metropolitan University, Cardiff, United Kingdom

With the significant growth of internet usage, people increasingly share their personal information online. As a result, an enormous amount of personal information and financial transactions become vulnerable to cybercriminals. Phishing is an example of a highly effective form of cybercrime that enables criminals to deceive users and steal important data. Since the first reported phishing attack in 1990, it has evolved into a more sophisticated attack vector. At present, phishing is considered one of the most frequent examples of fraud activity on the Internet. Phishing attacks can lead to severe losses for their victims, including loss of sensitive information, identity theft, and exposure of company and government secrets. This article aims to evaluate these attacks by identifying the current state of phishing and reviewing existing phishing techniques. Studies have classified phishing attacks according to fundamental phishing mechanisms and countermeasures, disregarding the importance of the end-to-end lifecycle of phishing. This article proposes a new detailed anatomy of phishing which involves attack phases, attacker’s types, vulnerabilities, threats, targets, attack mediums, and attacking techniques. Moreover, the proposed anatomy will help readers understand the process lifecycle of a phishing attack, which in turn will increase awareness of these phishing attacks and the techniques being used; it also helps in developing a holistic anti-phishing system. Furthermore, some precautionary countermeasures are investigated, and new strategies are suggested.


The digital world is rapidly expanding and evolving, and so are cybercriminals, who rely on the illegal use of digital assets, especially personal information, to inflict damage on individuals. One of the most threatening crimes for all internet users is that of ‘identity theft’ ( Ramanathan and Wechsler, 2012 ), which is defined as impersonating a person’s identity to steal and use their personal information (i.e., bank details, social security number, or credit card numbers, etc.) for the attacker’s own gain, not just for stealing money but also for committing other crimes ( Arachchilage and Love, 2014 ). Cybercriminals have also developed their methods for stealing this information, but social-engineering-based attacks remain their favorite approach. One of the social engineering crimes that allow the attacker to perform identity theft is called a phishing attack. Phishing has been one of the biggest concerns as many internet users fall victim to it. It is a social engineering attack wherein a phisher attempts to lure users into giving up their sensitive information by illegally impersonating a public or trustworthy organization in an automated pattern, so that the internet user trusts the message and reveals sensitive information to the attacker ( Jakobsson and Myers, 2006 ). In phishing attacks, phishers use social engineering techniques to redirect users to malicious websites after receiving an email and following an embedded link ( Gupta et al., 2015 ). Alternatively, attackers could exploit other mediums to execute their attacks such as Voice over IP (VoIP), Short Message Service (SMS), and Instant Messaging (IM) ( Gupta et al., 2015 ). Phishers have also turned from sending mass-email messages, which target unspecified victims, to more selective phishing by sending their emails to specific victims, a technique called “spear-phishing.”

Cybercriminals usually exploit users who lack digital/cyber ethics or who are poorly trained, in addition to technical vulnerabilities, to reach their goals. Susceptibility to phishing varies between individuals according to their attributes and awareness level; therefore, in most attacks, phishers exploit human nature for hacking instead of utilising sophisticated technologies. Even though the weakness in the information security chain is attributed to humans more than to the technology, there is a lack of understanding about which link in this chain is first penetrated. Studies found that certain personal characteristics make some persons more receptive to various lures ( Iuga et al., 2016 ; Ovelgönne et al., 2017 ; Crane, 2019 ). For example, individuals who usually obey authorities more than others are more likely to fall victim to a Business Email Compromise (BEC) that pretends to be from a financial institution and requests immediate action, because they see it as a legitimate email ( Barracuda, 2020 ). Greediness is another human weakness that could be used by an attacker, for example, through emails offering great discounts, free gift cards, and the like ( Workman, 2008 ).

Various channels are used by the attacker to lure the victim through a scam or through an indirect manner to deliver a payload for gaining sensitive and personal information from the victim ( Ollmann, 2004 ). However, phishing attacks have already led to damaging losses and could affect the victim not only through a financial context but could also have other serious consequences such as loss of reputation, or compromise of national security ( Ollmann, 2004 ; Herley and Florêncio, 2008 ). Cybercrime damages have been expected to cost the world $6 trillion annually by 2021, up from $3 trillion in 2015 according to Cybersecurity Ventures ( Morgan, 2019 ). Phishing attacks are the most common type of cybersecurity breaches as stated by the official statistics from the cybersecurity breaches survey 2020 in the United Kingdom ( GOV.UK, 2020 ). Although these attacks affect organizations and individuals alike, the loss for the organizations is significant, which includes the cost for recovery, the loss of reputation, fines from information laws/regulations, and reduced productivity ( Medvet et al., 2008 ).

Phishing is a field of study that merges social psychology, technical systems, security subjects, and politics. Phishing attacks are becoming more prevalent: a recent study ( Proofpoint, 2020 ) found that nearly 90% of organizations faced targeted phishing attacks in 2019. Of these, 88% experienced spear-phishing attacks, 83% faced voice phishing (Vishing), 86% dealt with social media attacks, 84% reported SMS/text phishing (SMishing), and 81% reported malicious USB drops. The 2018 Proofpoint annual report ( Proofpoint, 2019a ) stated that phishing attacks jumped from 76% in 2017 to 83% in 2018, where all phishing types happened more frequently than in 2017. The number of phishing attacks identified in the second quarter of 2019 was notably higher than the number recorded in the previous three quarters. In the first quarter of 2020, this number was higher than it was in the previous one, according to a report from the Anti-Phishing Working Group (APWG) ( APWG, 2018 ), which confirms that phishing attacks are on the rise. These findings show that phishing attacks have increased continuously in recent years, have become more sophisticated, and have gained more attention from cyber researchers and developers seeking to detect and mitigate their impact. This article aims to determine the severity of the phishing problem by providing detailed insights into the phishing phenomenon in terms of phishing definitions, current statistics, anatomy, and potential countermeasures.

The rest of the article is organized as follows. “Phishing Definitions” provides a number of phishing definitions as well as some real-world examples of phishing. The evolution and development of phishing attacks are discussed in “Developing a Phishing Campaign.” “What Attributes Make Some People More Susceptible to Phishing Attacks Than Others” explores the susceptibility to these attacks. The proposed phishing anatomy and types of phishing attacks are elaborated in “Proposed Phishing Anatomy.” In “Countermeasures,” various anti-phishing countermeasures are discussed. The conclusions of this study are drawn in “Conclusion.”

Phishing Definitions

Various definitions for the term “phishing” have been proposed and discussed by experts, researchers, and cybersecurity institutions. Although there is no established definition for the term “phishing” due to its continuous evolution, this term has been defined in numerous ways based on its use and context. The process of tricking the recipient into taking the attacker’s desired action is considered the de facto definition of phishing attacks in general. Some definitions name websites as the only possible medium to conduct attacks. The study ( Merwe et al., 2005 , p. 1) defines phishing as “a fraudulent activity that involves the creation of a replica of an existing web page to fool a user into submitting personal, financial, or password data.” The above definition describes phishing as an attempt to scam the user into revealing sensitive information such as bank details and credit card numbers, by sending the user malicious links that lead to the fake website. Others name emails as the only attack vector. For instance, PhishTank (2006) defines phishing as “a fraudulent attempt, usually made through email, to steal your personal information.” A description for phishing stated by ( Kirda and Kruegel, 2005 , p.1) defines phishing as “a form of online identity theft that aims to steal sensitive information such as online banking passwords and credit card information from users.” Some definitions highlight the usage of combined social and technical skills. For instance, APWG defines phishing as “a criminal mechanism employing both social engineering and technical subterfuge to steal consumers’ personal identity data and financial account credentials” ( APWG, 2018 , p. 1).
Moreover, the definition from the United States Computer Emergency Readiness Team (US-CERT) states phishing as “a form of social engineering that uses email or malicious websites (among other channels) to solicit personal information from an individual or company by posing as a trustworthy organization or entity” ( CISA, 2018 ). A detailed definition has been presented in ( Jakobsson and Myers, 2006 , p. 1), which describes phishing as “a form of social engineering in which an attacker, also known as a phisher, attempts to fraudulently retrieve legitimate users’ confidential or sensitive credentials by mimicking electronic communications from a trustworthy or public organization in an automated fashion. Such communications are most frequently done through emails that direct users to fraudulent websites that in turn collect the credentials in question.”

In order to understand the anatomy of the phishing attack, there is a necessity for a clear and detailed definition that underpins previous existing definitions. Since a phishing attack constitutes a mix of technical and social engineering tactics, a new definition (i.e., Anatomy) has been proposed in this article, which describes the complete process of a phishing attack. This provides a better understanding for the readers, as it covers phishing attacks in depth from a range of perspectives and angles, which might help beginner readers or researchers in this field. To this end, we define phishing as a socio-technical attack, in which the attacker targets specific valuables by exploiting an existing vulnerability to pass a specific threat via a selected medium into the victim’s system, utilizing social engineering tricks or some other techniques to convince the victim into taking a specific action that causes various types of damages.

Figure 1 depicts the general process flow for a phishing attack that contains four phases; these phases are elaborated in Proposed Phishing Anatomy . However, as shown in Figure 1 , in most attacks, the phishing process is initiated by gathering information about the target. Then the phisher decides which attack method is to be used in the attack as initial steps within the planning phase. The second phase is the preparation phase, in which the phisher starts to search for vulnerabilities through which he could trap the victim. The phisher conducts his attack in the third phase and waits for a response from the victim. In turn, the attacker could collect the spoils in the valuables acquisition phase, which is the last step in the phishing process. To elaborate the above phishing process using an example, an attacker may send a fraudulent email to an internet user pretending to be from the victim’s bank, requesting the user to confirm the bank account details, or else the account may be suspended. The user may think this email is legitimate since it uses the same graphic elements, trademarks, and colors of their legitimate bank. Submitted information will then be directly transmitted to the phisher who will use it for different malicious purposes such as money withdrawal, blackmailing, or committing further frauds.

FIGURE 1 . General phishing attack process.

Real-World Phishing Examples

Some real-world examples of phishing attacks are discussed in this section to present the complexity of some recent phishing attacks. Figure 2 shows the screenshot of a suspicious phishing email that passed a University’s spam filters and reached the recipient mailbox. As shown in Figure 2 , the phisher uses the sense of importance or urgency in the subject through the word ‘important,’ so that the email can trigger a psychological reaction in the user to prompt them into clicking the button “View message.” The email contains a suspicious embedded button: when hovering over this embedded button, the Uniform Resource Locator (URL) shown in the status bar does not match it. Another clue in this example is that the sender's address is questionable and not known to the receiver. Clicking on the fake attachment button will result in either installation of a virus or worm onto the computer or handing over the user’s credentials by redirecting the victim onto a fake login page.

FIGURE 2 . Screenshot of a real suspicious phishing email received by the authors’ institution in February 2019.

More recently, phishers have taken advantage of the Coronavirus pandemic (COVID-19) to fool their prey. Many Coronavirus-themed scam messages sent by attackers exploited people’s fear of contracting COVID-19 and their urgency to look for information related to Coronavirus (e.g., some of these attacks are related to Personal Protective Equipment (PPE) such as facemasks). The WHO stated that COVID-19 has created an Infodemic which is favorable for phishers ( Hewage, 2020 ). Cybercriminals also lured people to open attachments by claiming that they contain information about people with Coronavirus within the local area.

Figure 3 shows an example of a phishing e-mail where the attacker claimed to be the recipient’s neighbor sending a message in which they pretended to be dying from the virus and threatening to infect the victim unless a ransom was paid ( Ksepersky, 2020 ).

FIGURE 3 . Screenshot of a coronavirus related phishing email ( Ksepersky, 2020 ).

Another example is the phishing attack spotted by a security researcher at Akamai in January 2019. The attack attempted to use Google Translate to mask suspicious URLs, prefacing them with the legit-looking “ ” address to dupe users into logging in (Rhett, 2019). That attack was followed by phishing scams asking for Netflix payment details, for example, or embedded in promoted tweets that redirect users to genuine-looking PayPal login pages. Although the tricky/bogus page was very well designed in the latter case, the lack of a Hypertext Transfer Protocol Secure (HTTPS) lock and misspellings in the URL were key red flags (or giveaways) that this was actually a phishing attempt (Keck, 2018). Figure 4A shows a screenshot of a phishing email received by the Federal Trade Commission (FTC). The email prompts the user to update his payment method by clicking on a link, pretending that Netflix is having a problem with the user's billing information (FTC, 2018).

FIGURE 4 . Screenshot of the (A) Netflix scam email and (B) fraudulent text message (Apple) ( Keck, 2018 ; Rhett, 2019 )

Figure 4B shows a text message as another example of phishing that is difficult to spot as a fake text message ( Pompon et al., 2018 ). The text message shown appears to come from Apple asking the customer to update the victim’s account. A sense of urgency is used in the message as a lure to motivate the user to respond.
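The red flags named in these examples (a visible link that does not match its real target, a missing HTTPS lock, a misspelled URL, and a destination hidden behind another service's address) can be checked mechanically before a message reaches the user. The following Python sketch is an added example, not code from the article; the allow-list, the sample message and every `.example` host name are constructed for illustration, and the check generalises "misspellings" to digit-for-letter swaps and single-character edits.

```python
"""Link red-flag checker for an HTML e-mail body (added example, constructed data)."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Assumption: sites whose login pages the organisation's users really visit.
KNOWN_SITES = {"mybank.example", "stream.example", "university.example"}
# Digit-for-letter swaps often seen in lookalike host names: 0>o 1>l 3>e 4>a 5>s.
DIGIT_SWAPS = str.maketrans("01345", "oleas")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append((self._open[0], self._open[1].strip()))
            self._open = None


def site(host):
    """Last two labels of a host name (naive; real tools use the Public Suffix List)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host):
    """Return the known site that `host` imitates, or None."""
    s = site(host)
    if s in KNOWN_SITES:
        return None
    for known in sorted(KNOWN_SITES):
        if s.translate(DIGIT_SWAPS) == known or edit_distance(s, known) == 1:
            return known
    return None


def wrapped_targets(url):
    """URLs carried in query parameters, e.g. by a translation or redirect service."""
    found = []
    for values in parse_qs(urlsplit(url).query).values():
        found += [v for v in values if v.lower().startswith(("http://", "https://"))]
    return found


def check_link(href, text):
    """Return the list of red flags for one link."""
    parts = urlsplit(href)
    if parts.scheme not in ("http", "https"):
        return []                      # mailto:, anchors etc. are out of scope
    host = parts.hostname or ""
    flags = []
    if parts.scheme == "http":
        flags.append("no_https")
    shown = DOMAIN_RE.search(text)     # does the visible text display a host name?
    if shown and site(shown.group()) != site(host):
        flags.append("text_href_mismatch")
    imitated = lookalike_of(host)
    if imitated:
        flags.append("lookalike:" + imitated)
    for inner in wrapped_targets(href):
        flags += ["wrapped:" + f for f in check_link(inner, "")]
    return flags


def scan_email(html_body):
    """Map each link's href to its red flags."""
    collector = LinkCollector()
    collector.feed(html_body)
    collector.close()
    return {href: check_link(href, text) for href, text in collector.links}


# Constructed sample body; none of these hosts are real.
SAMPLE = """
<p>Important: your mailbox is almost full.</p>
<a href="http://mail-quota.example/view?id=7">https://mail.university.example/inbox</a>
<a href="https://www.myb4nk.example/signin">Log in to MyBank</a>
<a href="https://translate.example/translate?u=http%3A%2F%2Fstrem.example%2Fbilling">Update payment method</a>
<a href="https://www.stream.example/account">Your account</a>
"""

if __name__ == "__main__":
    for href, flags in scan_email(SAMPLE).items():
        print(href, "->", flags or "no flags")
```

A button whose visible text shows no host name, like “View message” in Figure 2, cannot trigger the text/target comparison, so the other checks and the sender address remain the signals for that case.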

Developing a Phishing Campaign

Today, phishing is considered one of the most pressing cybersecurity threats for all internet users, regardless of their technical understanding and how cautious they are. These attacks are getting more sophisticated by the day and can cause severe losses to the victims. Although the attacker’s first motivation is stealing money, stolen sensitive data can be used for other malicious purposes such as infiltrating sensitive infrastructures for espionage purposes. Therefore, phishers keep on developing their techniques over time with the development of electronic media. The following sub-sections discuss phishing evolution and the latest statistics.

Historical Overview

Cybersecurity has been a major concern since the beginning of ARPANET, which is considered to be the first wide-area packet-switching network with distributed control and one of the first networks to implement the TCP/IP protocol suite. The term “Phishing,” which was also called carding or brand spoofing, was coined for the first time in 1996 when the hackers created randomized credit card numbers using an algorithm to steal users' passwords from America Online (AOL) (Whitman and Mattord, 2012; Cui et al., 2017). Then phishers used instant messages or emails to reach users by posing as AOL employees to convince users to reveal their passwords. Attackers believed that requesting customers to update their account would be an effective way to disclose their sensitive information; thereafter, phishers started to target larger financial companies. The author in (Ollmann, 2004) believes that the “ph” in phishing comes from the terminology “Phreaks,” which was coined by John Draper, who was also known as Captain Crunch, and was used by early Internet criminals when they phreak telephone systems. The “f” in ‘fishing’ was replaced with “ph” in “Phishing,” as they both have the same meaning: phishing the passwords and sensitive information from the sea of internet users. Over time, phishers developed various and more advanced types of scams for launching their attack. Sometimes, the purpose of the attack is not limited to stealing sensitive information, but it could involve injecting viruses or downloading the malicious program into a victim's computer. Phishers make use of a trusted source (for instance a bank helpdesk) to deceive victims so that they disclose their sensitive information (Ollmann, 2004).

Phishing attacks are rapidly evolving, and spoofing methods are continuously changing as a response to new corresponding countermeasures. Hackers take advantage of new tool-kits and technologies to exploit systems’ vulnerabilities and also use social engineering techniques to fool unsuspecting users. Therefore, phishing attacks continue to be one of the most successful cybercrime attacks.

The Latest Statistics of Phishing Attacks

Phishing attacks are becoming more common and they are significantly increasing in both sophistication and frequency. Lately, phishing attacks have appeared in various forms. Different channels and threats are exploited and used by the attackers to trap more victims. These channels could be social networks or VoIP, which could carry various types of threats such as malicious attachments, embedded links within an email, instant messages, scam calls, or other types. Criminals know that social engineering-based methods are effective and profitable; therefore, they keep focusing on social engineering attacks, as it is their favorite weapon, instead of concentrating on sophisticated techniques and toolkits. Phishing attacks have reached unprecedented levels especially with emerging technologies such as mobile and social media ( Marforio et al., 2015 ). For instance, from 2017 to 2020, phishing attacks have increased from 72 to 86% among businesses in the United Kingdom in which a large proportion of the attacks are originated from social media ( GOV.UK, 2020 ).

The APWG Phishing Activity Trends Report analyzes and measures the evolution, proliferation, and propagation of phishing attacks reported to the APWG. Figure 5 shows the growth in phishing attacks from 2015 to 2020 by quarters based on APWG annual reports ( APWG, 2020 ). As demonstrated in Figure 5 , in the third quarter of 2019, the number of phishing attacks rose to 266,387, which is the highest level in three years since late 2016. This was up 46% from the 182,465 for the second quarter, and almost double the 138,328 seen in the fourth quarter of 2018. The number of unique phishing e-mails reported to APWG in the same quarter was 118,260. Furthermore, it was found that the number of brands targeted by phishing campaigns was 1,283.

FIGURE 5 . The growth in phishing attacks 2015–2020 by quarters based on data collected from APWG annual reports.

Cybercriminals are always taking advantage of disasters and hot events for their own gains. With the beginning of the COVID-19 crisis, a variety of themed phishing and malware attacks have been launched by phishers against workers, healthcare facilities, and even the general public. A report from Microsoft (Microsoft, 2020) showed that cyber-attacks related to COVID-19 had spiked to an unprecedented level in March; most of these scams are fake COVID-19 websites according to security company RiskIQ (RISKIQ, 2020). However, the total number of phishing attacks observed by APWG in the first quarter of 2020 was 165,772, up from the 162,155 observed in the fourth quarter of 2019. The number of these unique phishing reports submitted to APWG during the first quarter of 2020 was 139,685, up from 132,553 in the fourth quarter of 2019, 122,359 in the third quarter of 2019, and 112,163 in the second quarter of 2019 (APWG, 2020).

A study ( KeepnetLABS, 2018 ) confirmed that more than 91% of system breaches are caused by attacks initiated by email. Although cybercriminals use email as the main medium for leveraging their attacks, many organizations faced a high volume of different social engineering attacks in 2019 such as Social Media Attacks, Smishing Attacks, Vishing Attacks, USB-based Attacks (for example by hiding and delivering malware to smartphones via USB phone chargers and distributing malware-laden free USBs) ( Proofpoint, 2020 ). However, info-security professionals reported a higher frequency of all types of social engineering attacks year-on-year according to a report presented by Proofpoint. Spear phishing increased to 64% in 2018 from 53% in 2017, Vishing and/or SMishing increased to 49% from 45%, and USB attacks increased to 4% from 3%. The positive side shown in this study is that 59% of suspicious emails reported by end-users were classified as potential phishing, indicating that employees are being more security-aware, diligent, and thoughtful about the emails they receive ( Proofpoint, 2019a ). In all its forms, phishing can be one of the easiest cyber attacks to fall for. With the increasing levels of different phishing types, a survey was conducted by Proofpoint to identify the strengths and weaknesses of particular regions in terms of specific fundamental cybersecurity concepts. In this study, several questions were asked of 7,000 end-users about the identification of multiple terms like phishing, ransomware, SMishing, and Vishing across seven countries; the US, United Kingdom, France, Germany, Italy, Australia, and Japan. The response was different from country to country, where respondents from the United Kingdom recorded the highest knowledge with the term phishing at 70% and the same with the term ransomware at 60%. In contrast, the results showed that the United Kingdom recorded only 18% for each Vishing and SMishing ( Proofpoint, 2019a ), as shown in Table 1 .

TABLE 1 . Percentage of respondents understanding multiple cybersecurity terms from different countries.

On the other hand, a report by Wombat security reflects responses from more than 6,000 working adults about receiving fraudulent solicitation across six countries; the US, United Kingdom, Germany, France, Italy, and Australia (Ksepersky, 2020). Respondents from the United Kingdom stated that they were recipients of fraudulent solicitations through the following sources: email 62%, phone call 27%, text message 16%, mailed letter 8%, social media 10%, and 17% confirmed that they had been the victim of identity theft (Ksepersky, 2020). However, the consequences of responding to phishing are serious and costly. For instance, the United Kingdom losses from financial fraud across payment cards, remote banking, and cheques totaled £768.8 million in 2016 (Financial Fraud Action UK, 2017). Indeed, the losses resulting from phishing attacks are not limited to financial losses that might exceed millions of pounds, but also include loss of customers and reputation. According to the 2020 state of phish report (Proofpoint, 2020), damages from successful phishing attacks can range from lost productivity to cash outlay. The cost can include: lost hours from employees, remediation time for info security teams’ costs due to incident response, damage to reputation, lost intellectual property, direct monetary losses, compliance fines, lost customers, legal fees, etc.

There are many targets for phishing including end-user, business, financial services (i.e., banks, credit card companies, and PayPal), retail (i.e., eBay, Amazon), and Internet Service Providers (, 2018 ). Affected organizations detected by Kaspersky Labs globally in the first quarter of 2020 are demonstrated in Figure 6. As shown in the figure, online stores were at the top of the targeted list (18.12%) followed by global Internet portals (16.44%) and social networks in third place (13.07%) (Ksepersky, 2020). The most impersonated brands overall for the first quarter of 2020 were Apple, Netflix, Yahoo, WhatsApp, PayPal, Chase, Facebook, Microsoft, eBay, and Amazon (Checkpoint, 2020).

FIGURE 6 . Distribution of organizations affected by phishing attacks detected by Kaspersky in quarter one of 2020.

Phishing attacks can take a variety of forms to target people and steal sensitive information from them. Current data shows that phishing attacks are still effective, which indicates that the available existing countermeasures are not enough to detect and prevent these attacks especially on smart devices. The social engineering element of the phishing attack has been effective in bypassing the existing defenses to date. Therefore, it is essential to understand what makes people fall victim to phishing attacks. What Attributes Make Some People More Susceptible to Phishing Attacks Than Others discusses the human attributes that are exploited by the phishers.

What Attributes Make Some People More Susceptible to Phishing Attacks Than Others

Why do most existing defenses against phishing not work? What personal and contextual attributes make them more susceptible to phishing attacks than other users? Different studies have discussed those two questions and examined the factors affecting susceptibility to a phishing attack and the reasons behind why people get phished. Human nature is considered one of the most affecting factors in the process of phishing. Everyone is susceptible to phishing attacks because phishers play on an individual’s specific psychological/emotional triggers as well as technical vulnerabilities ( KeepnetLABS, 2018 ; Crane, 2019 ). For instance, individuals are likely to click on a link within an email when they see authority cues ( Furnell, 2007 ). In 2017, a report by PhishMe (2017) found that curiosity and urgency were the most common triggers that encourage people to respond to the attack, later these triggers were replaced by entertainment, social media, and reward/recognition as the top emotional motivators. However, in the context of a phishing attack, the psychological triggers often surpass people’s conscious decisions. For instance, when people are working under stress, they tend to make decisions without thinking of the possible consequences and options ( Lininger and Vines, 2005 ). Moreover, everyday stress can damage areas of the brain that weakens the control of their emotions ( Keinan, 1987 ). Several studies have addressed the association between susceptibility to phishing and demographic variables (e.g., age and gender) as an attempt to identify the reasons behind phishing success at different population groups. Although everyone is susceptible to phishing, studies showed that different age groups are more susceptible to certain lures than others are. For example, participants with an age range between 18 and 25 are more susceptible to phishing than other age groups ( Williams et al., 2018 ). 
The reason that younger adults are more likely to fall for phishing is that they are more trusting when it comes to online communication, and are also more likely to click on unsolicited e-mails (Getsafeonline, 2017). Moreover, older participants are less susceptible because they tend to be less impulsive (Arnsten et al., 2012). Some studies confirmed that women are more susceptible than men to phishing, as they click on links in phishing emails and enter information into phishing websites more often than men do. The study published by Getsafeonline (2017) identifies less technical know-how and experience among women than men as the main reason for this. In contrast, a survey conducted by antivirus company Avast found that men are more susceptible to smartphone malware attacks than women (Ong, 2014). These findings confirmed the results from the study (Hadlington, 2017) that found men are more susceptible to mobile phishing attacks than women. The main reason behind this according to Hadlington (2017) is that men are more comfortable and trusting when using mobile online services. The relationships between demographic characteristics of individuals and their ability to correctly detect a phishing attack have been studied in (Iuga et al., 2016). The study showed that participants with high Personal Computer (PC) usage tend to identify phishing efforts more accurately and faster than other participants. Another study (Hadlington, 2017) showed that internet addiction, attentional, and motor impulsivity were significant positive predictors for risky cybersecurity behaviors while a positive attitude toward cybersecurity in business was negatively related to risky cybersecurity behaviors. On the other hand, the trust people place in some web sites/platforms is one of the holes that the scammers or crackers exploit, especially when it is based on visual appearance that could fool the user (Hadlington, 2017).
For example, fraudsters take advantage of people’s trust in a website by replacing a letter from the legitimate site with a number such as instead of . Another study (Yeboah-Boateng and Amanor, 2014) demonstrates that although college students are unlikely to disclose personal information as a response to an email, nonetheless they could easily be tricked by other tactics, making them alarmingly susceptible to email phishing attacks. The reason is that most college students do not have a basis in ICT, especially in terms of security. Although security terms like viruses, online scams and worms are known by some end-users, these users could have no knowledge about Phishing, SMishing, Vishing and others (Lin et al., 2012). However, the study (Yeboah-Boateng and Amanor, 2014) shows that younger students are more susceptible than older students, and students who worked full-time were less likely to fall for phishing.

The study reported in ( Diaz et al., 2020 ) examines user click rates and demographics among undergraduates by sending phishing attacks to 1,350 randomly selected students. Students from various disciplines were involved in the test, from engineering and mathematics to arts and social sciences. The study observed that student susceptibility was affected by a range of factors such as phishing awareness, time spent on the computer, cyber training, age, academic year, and college affiliation. The most surprising finding is that those who have greater phishing knowledge are more susceptible to phishing scams. The authors consider two speculations for these unexpected findings. First, user’s awareness about phishing might have been increased with the continuous falling for phishing scams. Second, users who fell for the phish might have less knowledge about phishing than they claim. Other findings from this study agreed with findings from other studies that is, older students were more able to detect a phishing email, and engineering and IT majors had some of the lowest click rates as shown in Figure 7 , which shows that some academic disciplines are more susceptible to phishing than others ( Bailey et al., 2008 ).

FIGURE 7 . The number of clicks on phishing emails by students in the College of Arts, Humanities, and Social Sciences (AHSS), the College of Engineering and Information Technology (EIT), and the College of Natural and Mathematical Sciences (NMS) at the University of Maryland, Baltimore County (UMBC) ( Diaz et al., 2020 ).

Psychological studies have also illustrated that the user’s ability to avoid phishing attacks is affected by different factors such as browser security indicators and the user's awareness of phishing. The author in (Dhamija et al., 2006) conducted an experimental study using 22 participants to test the user’s ability to recognize phishing websites. The study shows that 90% of these participants became victims of phishing websites and 23% of them ignored security indexes such as the status and address bar. In 2015, another study was conducted for the same purpose, where a number of fake web pages were shown to the participants (Alsharnouby et al., 2015). The results of this study showed that participants detected only 53% of phishing websites successfully. The authors also observed that the time spent on looking at browser elements affected the ability to detect phishing. Lack of knowledge or awareness and carelessness are common causes for making people fall for a phishing trap. Most people have unknowingly opened a suspicious attachment or clicked a fake link that could lead to different levels of compromise. Therefore, focusing on training and preparing users for dealing with such attacks are essential elements to minimize the impact of phishing attacks.

Given the above discussion, susceptibility to phishing varies according to different factors such as age, gender, education level, internet, and PC addiction, etc. Although for each person, there is a trigger that can be exploited by phishers, even people with high experience may fall prey to phishing due to the attack sophistication that makes it difficult to be recognized. Therefore, it is inequitable that the user has always been blamed for falling for these attacks; developers must improve the anti-phishing systems in a way that makes the attack invisible. Understanding the susceptibility of individuals to phishing attacks will help in better developing prevention and detection techniques and solutions.

Proposed Phishing Anatomy

Phishing process overview.

Generally, most of the phishing attacks start with an email ( Jagatic et al., 2007 ). The phishing mail could be sent randomly to potential users or it can be targeted to a specific group or individuals. Many other vectors can also be used to initiate the attack such as phone calls, instant messaging, or physical letters. However, phishing process steps have been discussed by many researchers due to the importance of understanding these steps in developing an anti-phishing solution. The author in the study ( Rouse, 2013 ) divides the phishing attack process into five phases which are planning, setup, attack, collection, and cash. A study ( Jakobsson and Myers, 2006 ) discusses the phishing process in detail and explained it as step-by-step phases. These phases include preparation for the attack, sending a malicious program using the selected vector, obtaining the user’s reaction to the attack, tricking a user to disclose their confidential information which will be transmitted to the phisher, and finally obtaining the targeted money. While the study ( Abad, 2005 ) describes a phishing attack in three phases: the early phase which includes initializing attack, creating the phishing email, and sending a phishing email to the victim. The second phase includes receiving an email by the victim and disclosing their information (in the case of the respondent) and the final phase in which the defrauding is successful. However, all phishing scams include three primary phases, the phisher requests sensitive valuables from the target, and the target gives away these valuables to a phisher, and phisher misuses these valuables for malicious purposes. These phases can be classified furthermore into its sub-processes according to phishing trends. Thus, a new anatomy for phishing attacks has been proposed in this article, which expands and integrates previous definitions to cover the full life cycle of a phishing attack. 
The proposed new anatomy, which consists of 4 phases, is shown in Figure 8 . This new anatomy provides a reference structure to look at phishing attacks in more detail and also to understand potential countermeasures to prevent them. The explanations for each phase and its components are presented as follows:

FIGURE 8 . The proposed anatomy of phishing was built upon the proposed phishing definition in this article, which concluded from our understanding of a phishing attack.

Figure 8 depicts the proposed anatomy of the phishing attack process, phases, and components drawn upon the proposed definition in this article. The proposed phishing anatomy explains in detail each phase of phishing phases including attackers and target types, examples about the information that could be collected by the attacker about the victim, and examples about attack methods. The anatomy, as shown in the figure, illustrates a set of vulnerabilities that the attacker can exploit and the mediums used to conduct the attack. Possible threats are also listed, as well as the data collection method for a further explanation and some examples about target responding types and types of spoils that the attacker could gain and how they can use the stolen valuables. This anatomy elaborates on phishing attacks in depth which helps people to better understand the complete phishing process (i.e., end to end Phishing life cycle) and boost awareness among readers. It also provides insights into potential solutions for phishing attacks we should focus on. Instead of always placing the user or human in an accusation ring as the only reason behind phishing success, developers must be focusing on solutions to mitigate the initiation of the attack by preventing the bait from reaching the user. For instance, to reach the target’s system, the threat has to pass through many layers of technology or defenses exploiting one or more vulnerabilities such as web and software vulnerabilities.

Planning Phase

This is the first stage of the attack, where a phisher makes a decision about the targets and starts gathering information about them (individuals or company). Phishers gather information about the victims to lure them based on psychological vulnerability. This information can be anything like name, e-mail addresses for individuals, or the customers of that company. Victims could also be selected randomly, by sending mass mailings, or targeted by harvesting their information from social media or any other source. Targets for phishing could be any user who has a bank account and a computer on the Internet. Phishers target businesses such as financial services, retail sectors such as eBay and Amazon, and internet service providers such as MSN/Hotmail, and Yahoo (Ollmann, 2004; Ramzan and Wuest, 2007). This phase also includes devising attack methods such as building fake websites (sometimes phishers get a scam page that is already designed or used), designing malware, and constructing phishing emails. The attacker can be categorized based on the attack motivation. There are four types of attackers as mentioned in studies (Vishwanath, 2005; Okin, 2009; EDUCBA, 2017; APWG, 2020):

▪ Script kiddies: the term script kiddies represents an attacker with no technical background or knowledge about writing sophisticated programs or developing phishing tools; instead, they use scripts developed by others in their phishing attack. Although the term comes from children that use available phishing kits to crack game codes by spreading malware using virus toolkits, it does not relate precisely to the actual age of the phisher. Script kiddies can get access to website administration privileges and commit a “Web cracking” attack. Moreover, they can use hacking tools to compromise remote computers, forming a so-called “botnet”; a single compromised computer is called a “zombie computer.” These attackers are not limited to just sitting back and enjoying phishing; they could cause serious damage such as stealing information or uploading Trojans or viruses. In February 2000, an attack launched by Canadian teen Mike Calce resulted in $1.7 million US Dollars (USD) damages from Distributed Denial of Service (DDoS) attacks on CNN, eBay, Dell, Yahoo, and Amazon (Leyden, 2001).

▪ Serious Crackers: also known as Black Hats. These attackers can execute sophisticated attacks and develop worms and Trojans for their attack. They hijack people's accounts maliciously and steal credit card information, destroy important files, or sell compromised credentials for personal gains.

▪ Organized crime: this is the most organized and effective type of attacker and they can incur significant damage to victims. These people hire serious crackers for conducting phishing attacks. Moreover, they can thoroughly trash the victim's identity and commit devastating frauds, as they have the skills, tools, and manpower. An organized cybercrime group is a team of expert hackers who share their skills to build complex attacks and to launch phishing campaigns against individuals and organizations. These groups offer their work as ‘crime as a service’ and they can be hired by terrorist groups, organizations, or individuals.

▪ Terrorists: due to our dependency on the internet for most activities, terrorist groups can easily conduct acts of terror remotely which could have an adverse impact. These types of attacks are dangerous since they are not in fear of any aftermath, for instance going to jail. Terrorists could use the internet to the maximum effect to create fear and violence as it requires limited funds, resources, and efforts compared to, for example, buying bombs and weapons in a traditional attack. Often, terrorists use spear phishing to launch their attacks for different purposes such as inflicting damage, cyber espionage, gathering information, locating individuals, and other vandalism purposes. Cyber espionage has been used extensively by cyber terrorists to steal sensitive information on national security, commercial information, and trade secrets which can be used for terrorist activities. These types of crimes may target governments or organizations, or individuals.

Attack Preparation

After making a decision about the targets and gathering information about them, phishers start to set up the attack by scanning for the vulnerabilities to exploit. The following are some examples of vulnerabilities exploited by phishers. For example, the attacker might exploit a buffer overflow vulnerability to take control of target applications, create a DoS attack, or compromise computers. Moreover, “zero-day” software vulnerabilities, which refer to newly discovered vulnerabilities in software programs or operating systems, could be exploited directly before they are fixed (Kayne, 2019). Another example is browser vulnerabilities: adding new features and updates to the browser might introduce new vulnerabilities to the browser software (Ollmann, 2004). In 2005, attackers exploited a cross-domain vulnerability in Internet Explorer (IE) (Symantic, 2019). The cross-domain model is used to separate content from different sources in Microsoft IE. Attackers exploited a flaw in the cross-domain model that enables them to execute programs on a user's computer after running IE. According to US-CERT, hackers are actively exploiting this vulnerability. To carry out a phishing attack, attackers need a medium so that they can reach their target. Therefore, apart from planning the attack to exploit potential vulnerabilities, attackers choose the medium that will be used to deliver the threat to the victim and carry out the attack. These mediums could be the internet (social network, websites, emails, cloud computing, e-banking, mobile systems) or VoIP (phone call), or text messages. For example, one of the actively used mediums is Cloud Computing (CC). The CC has become one of the more promising technologies and has popularly replaced conventional computing technologies. Despite the considerable advantages produced by CC, the adoption of CC faces several controversial obstacles including privacy and security issues (CVEdetails, 2005).
Due to the fact that different customers could share the same resources in the cloud, virtualization vulnerabilities may be exploited by a possible malicious customer to perform security attacks on other customers’ applications and data (Zissis and Lekkas, 2012). For example, in September 2014, secret photos of some celebrities suddenly moved through the internet in one of the more terrible data breaches. The investigation revealed that the iCloud accounts of the celebrities were breached (Lehman and Vajpayee, 2011). According to Proofpoint, in 2017, attackers used Microsoft SharePoint to infect hundreds of campaigns with malware through messages.

Attack Conducting Phase

This phase involves using attack techniques to deliver the threat to the victim as well as the victim’s interaction with the attack in terms of responding or not. After the victim's response, the system may be compromised by the attacker to collect the user's information using techniques such as injecting client-side script into webpages (Johnson, 2016). Phishers can compromise hosts without any technical knowledge by purchasing access from hackers (Abad, 2005). A threat is a possible danger that might exploit a vulnerability to compromise people’s security and privacy or cause possible harm to a computer system for malicious purposes. Threats could be malware, botnet, eavesdropping, unsolicited emails, and viral links. Several phishing techniques are discussed in Types and Techniques of Phishing Attacks.

Valuables Acquisition Phase

In this stage, the phisher collects information or valuables from victims and uses them illegally for purchasing, funding money without the user's knowledge, or selling these credentials on the black market. Attackers target a wide range of valuables from their victims, ranging from money to people's lives. For example, attacks on online medical systems may lead to loss of life. Victims' data can be collected by phishers manually or through automated techniques (Jakobsson et al., 2007).

The data collection can be conducted either during or after the victim's interaction with the attacker. To collect data manually, simple techniques are used wherein victims interact directly with the phisher, depending on relationships within social networks or other human deception techniques (Ollmann, 2004). In automated data collection, by contrast, several techniques can be used, such as the fake web forms used in web spoofing (Dhamija et al., 2006). Additionally, the victim's public data, such as the user's profile in social networks, can be used to collect the victim's background information that is required to initialize social engineering attacks (Wenyin et al., 2005). In VoIP or phone attacks, techniques such as recorded messages are used to harvest users' data (Huber et al., 2009).

Types and Techniques of Phishing Attacks

Phishers conduct their attack either by using psychological manipulation of individuals into disclosing personal information (i.e., deceptive attack as a form of social engineering) or using technical methods. Phishers, however, usually prefer deceptive attacks by exploiting human psychology rather than technical methods. Figure 9 illustrates the types of phishing and techniques used by phishers to conduct a phishing attack. Each type and technique is explained in subsequent sections and subsections.

FIGURE 9 . Phishing attack types and techniques drawing upon existing phishing attacks.

Deceptive Phishing

Deceptive phishing is the most common type of phishing attack, in which the attacker uses social engineering techniques to deceive victims. In this type of phishing, a phisher uses either social engineering tricks by making up scenarios (e.g., a false account update or security upgrade), or technical methods (e.g., using legitimate trademarks, images, and logos) to lure the victim and convince them of the legitimacy of the forged email (Jakobsson and Myers, 2006). By believing these scenarios, the user falls prey and follows the given link, which leads them to disclose their personal information to the phisher.

Deceptive phishing is performed through phishing emails; fake websites; phone phishing (Scam Call and IM); social media; and via many other mediums. The most common social phishing types are discussed below:

Phishing e-Mail

The most common threat posed by attackers is deceiving people via email communications, and this remains the most popular phishing type to date. A phishing email, or spoofed email, is a forged email sent from an untrusted source to thousands of victims at random. These fake emails claim to be from a person or financial institution that the recipient trusts in order to convince recipients to take actions that lead them to disclose their sensitive information. A more organized phishing email that targets a particular group or individuals within the same organization is called spear phishing. In this type, the attacker may gather information related to the victim, such as name and address, so that the email appears to be a credible email from a trusted source (Wang et al., 2008), and this is linked to the planning phase of the phishing anatomy proposed in this article. A more sophisticated form of spear phishing is called whaling, which targets high-rank people such as CEOs and CFOs. An example of a spear-phishing attack victim in early 2016 is Clinton campaign chairman John Podesta, whose Gmail account was hacked by a phishing email (Parmar, 2012). Clone phishing is another type of email phishing, where the attacker clones a legitimate and previously delivered email by spoofing the email address and using information related to the recipient, such as addresses from the legitimate email, with replaced links or malicious attachments (Krawchenko, 2016). The basic scenario for this attack is illustrated previously in Figure 4 and can be described in the following steps.

1. The phisher sets up a fraudulent email containing a link or an attachment (planning phase).

2. The phisher executes the attack by sending a phishing email to the potential victim using an appropriate medium (attack conducting phase).

3. The link (if clicked) directs the user to a fraudulent website, or the attachment (if clicked) downloads malware (interaction phase).

4. The malicious website prompts users to provide confidential information or credentials, which are then collected by the attacker and used for fraudulent activities (valuables acquisition phase).

Often, the phisher does not use the credentials directly; instead, they resell the obtained credentials or information on a secondary market (Jakobsson and Myers, 2006). For instance, script kiddies might sell the credentials on the dark web.

Spoofed Website

These are also called phishing websites, in which phishers forge a website that appears to be genuine and looks similar to the legitimate website. An unsuspecting user is redirected to this website after clicking a link embedded within an email or through an advertisement (clickjacking) or any other way. If the user continues to interact with the spoofed website, sensitive information will be disclosed and harvested by the phisher (CSIOnsite, 2012).

Phone Phishing (Vishing and SMishing)

This type of phishing is conducted through phone calls or text messages, in which the attacker pretends to be someone the victim knows or any other trusted source the victim deals with. A user may receive a convincing security alert message from a bank convincing the victim to contact a given phone number with the aim of getting the victim to share passwords or PIN numbers or any other Personally Identifiable Information (PII). The victim may be duped into clicking on an embedded link in the text message. The phisher then could take the credentials entered by the victim and use them to log in to the victim's instant messaging service to phish other people from the victim's contact list. A phisher could also make use of Caller IDentification (CID) spoofing to dupe the victim into believing that the call is from a trusted source, or leverage internet protocol private branch exchange (IP PBX) tools, which are open-source and software-based and support VoIP (Aburrous et al., 2008). A new report from Fraud Watch International about phishing attack trends for 2019 anticipated an increase in SMishing where the text message content is only viewable on a mobile device (FraudWatchInternational, 2019).

Social Media Attack (Soshing, Social Media Phishing)

Social media is the new favorite medium for cybercriminals to conduct their phishing attacks. The threats of social media can be account hijacking, impersonation attacks, scams, and malware distribution. However, detecting and mitigating these threats requires a longer time than detecting traditional methods, as social media exists outside of the network perimeter. For example, nation-state threat actors conducted an extensive series of social media attacks on Microsoft in 2014. Multiple Twitter accounts were affected by these attacks, and passwords and emails for dozens of Microsoft employees were revealed (Ramzan, 2010). According to Kaspersky Lab, the number of phishing attempts to visit fraudulent social network pages in the first quarter of 2018 was more than 3.7 million, of which 60% were fake Facebook pages (Raggo, 2016).

The new report from predictive email defense company Vade Secure about phishers' favorites for quarter 1 and quarter 2 of 2019 stated that Soshing, primarily on Facebook and Instagram, saw a 74.7% increase, which is the highest quarter-over-quarter growth of any industry (VadeSecure, 2021).

Technical Subterfuge

Technical subterfuge is the act of tricking individuals into disclosing their sensitive information by downloading malicious code into the victim's system. Technical subterfuge can be classified into the following types:

Malware-Based Phishing

As the name suggests, this is a type of phishing attack which is conducted by running malicious software on a user’s machine. The malware is downloaded to the victim’s machine, either by one of the social engineering tricks or technically by exploiting vulnerabilities in the security system (e.g., browser vulnerabilities) ( Jakobsson and Myers, 2006 ). Panda malware is one of the successful malware programs discovered by Fox-IT Company in 2016. This malware targets Windows Operating Systems (OS). It spreads through phishing campaigns and its main attack vectors include web injects, screenshots of user activity (up to 100 per mouse click), logging of keyboard input, Clipboard pastes (to grab passwords and paste them into form fields), and exploits to the Virtual Network Computing (VNC) desktop sharing system. In 2018, Panda malware expanded its targets to include cryptocurrency exchanges and social media sites ( F5Networks, 2018 ). There are many forms of Malware-based phishing attacks; some of them are discussed below:

Key Loggers and Screen Loggers

Loggers are a type of malware used by phishers and installed either through Trojan horse email attachments or through direct download to the user's personal computer. This software monitors data and records user keystrokes and then sends them to the phisher. Phishers use key loggers to capture sensitive information related to victims, such as names, addresses, passwords, and other confidential data. Key loggers can also be used for non-phishing purposes, such as monitoring a child's use of the internet. Key loggers can also be implemented in many other ways: as a Browser Helper Object (BHO) that detects URL changes and logs information, enabling the attacker to take control of the features of IE; as a device driver that monitors keyboard and mouse input; and as a screen logger that monitors users' input and displays (Jakobsson and Myers, 2006).

Viruses and Worms

A virus is a type of malware: a piece of code that spreads in another application or program by making copies of itself in a self-automated manner (Jakobsson and Myers, 2006; F5Networks, 2018). Worms are similar to viruses, but they differ in the manner of execution, as worms are executed by exploiting an operating system vulnerability without the need to modify another program. Viruses transfer from one computer to another with the document that they are attached to, while worms transfer through the infected host file. Both viruses and worms can cause damage to data and software or Denial-of-Service (DoS) conditions (F5Networks, 2018).

Spying software is malicious code designed to track the websites visited by users in order to steal sensitive information and conduct a phishing attack. Spyware can be delivered through an email and, once it is installed on the computer, it takes control of the device and either changes its settings or gathers information such as passwords, credit card numbers, or banking records, which can be used for identity theft (Jakobsson and Myers, 2006).

Adware is also known as advertising-supported software (Jakobsson and Myers, 2006). Adware is a type of malware that shows the user endless pop-up windows with ads that could harm the performance of the device. Adware can be annoying, but most of it is safe. Some adware could be used for malicious purposes, such as tracking the internet sites the user visits or even recording the user's keystrokes (cisco, 2018).

Ransomware is a type of malware that encrypts the user's data after they run an executable program on the device. In this type of attack, the decryption key is held until the user pays a ransom (cisco, 2018). Ransomware is responsible for tens of millions of dollars in extortion annually. Worse still, it is hard to detect because new variants keep being developed, facilitating the evasion of many antivirus and intrusion detection systems (Latto, 2020). Ransomware is usually delivered to the victim's device through phishing emails. According to a report (PhishMe, 2016), 93% of all phishing emails contained encryption ransomware. Phishing, as a social engineering attack, convinces victims to execute actions without knowing about the malicious program.

A rootkit is a collection of programs, typically malicious, that enables access to a computer or computer network. These toolsets are used by intruders to hide their actions from system administrators by modifying the code of system calls and changing their functionality (Belcic, 2020). The term “rootkit” has negative connotations through its association with malware, and a rootkit is used by the attacker to alter existing system tools to escape detection. These kits enable individuals with little or no knowledge to launch phishing exploits. They contain coding, mass emailing software (possibly with thousands of email addresses included), web development software, and graphic design tools. An example of rootkits is the Kernel kit. Kernel-level rootkits are created by replacing portions of the core operating system or adding new code via Loadable Kernel Modules (in Linux) or device drivers (in Windows) (Jakobsson and Myers, 2006).

Session Hijackers

In this type, the attacker monitors the user's activities by embedding malicious software within a browser component or via network sniffing. The monitoring aims to hijack the session, so that the attacker can perform an unauthorized action with the hijacked session, such as a financial transfer, without the user's permission (Jakobsson and Myers, 2006).

Web Trojans

Web Trojans are malicious programs that collect user’s credentials by popping up in a hidden way over the login screen ( Jakobsson and Myers, 2006 ). When the user enters the credentials, these programs capture and transmit the stolen credentials directly to the attacker ( Jakobsson et al., 2007 ).

Hosts File Poisoning

This is a way to trick a user into going to the phisher's site by poisoning (changing) the hosts file. When the user types a particular website address in the URL bar, the web address is translated into a numeric (IP) address before the site is visited. To take the user to a fake website for phishing purposes, the attacker modifies this file (e.g., DNS cache). This type of phishing is hard to detect even by smart and perceptive users (Ollmann, 2004).
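A defender can audit the hosts file for this kind of tampering. The following check is an added example, not code from the article: it parses hosts-file text and reports entries that override domains which should only ever be resolved through DNS. The sample file content, the watched domain names and the pinned-override dictionary are constructed for illustration.

```python
import ipaddress

# Constructed hosts-file content; every name and address below is made up
# (reserved .test names and documentation address ranges).
SAMPLE_HOSTS = """\
# static table lookup for hostnames
127.0.0.1      localhost
::1            localhost ip6-localhost
203.0.113.45   www.examplebank.test examplebank.test   # not added by the user
0.0.0.0        ads.tracker.test
198.51.100.7   intranet.corp.test
not-an-ip      broken.entry.test
"""


def parse_hosts(text):
    """Yield (line_number, ip, hostname) for each mapping in hosts-file text."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # malformed line, ignore it
        for name in fields[1:]:                   # one address may carry aliases
            yield lineno, ip, name.lower().rstrip(".")


def audit_hosts(text, watched, pinned=None):
    """Return findings for watched domains that the hosts file overrides.

    watched: domains (subdomains included) that should resolve through DNS only.
    pinned:  optional {hostname: {ip, ...}} of overrides an administrator approved.
    """
    pinned = pinned or {}
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if not any(name == d or name.endswith("." + d) for d in watched):
            continue
        if str(ip) in pinned.get(name, set()):
            continue
        # Loopback or unspecified targets block a site rather than redirect it.
        if ip.is_loopback or ip.is_unspecified:
            kind = "sinkholed"
        else:
            kind = "redirected"
        findings.append({"line": lineno, "host": name, "ip": str(ip), "kind": kind})
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS, {"examplebank.test", "tracker.test"}):
        print(finding)
```

On a real machine the text would be read from /etc/hosts or C:\Windows\System32\drivers\etc\hosts and compared against a known-good baseline.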

System Reconfiguration Attack

In this form of phishing attack, the phisher manipulates the settings on a user's computer for malicious activities so that the information on this PC will be compromised. System configurations can be changed using different methods, such as reconfiguring the operating system and modifying the user's Domain Name System (DNS) server address. The wireless evil twin is an example of a system reconfiguration attack in which all of the user's traffic is monitored via a malicious wireless Access Point (AP) (Jakobsson and Myers, 2006).

Data theft is the unauthorized accessing and stealing of confidential information belonging to a business or individuals. Data theft can be performed by a phishing email that leads to the download of malicious code to the user's computer, which in turn steals confidential information stored in that computer directly (Jakobsson and Myers, 2006). Stolen information such as passwords, social security numbers, credit card information, sensitive emails, and other personal data could be used directly by a phisher or indirectly by selling it for different purposes.

Domain Name System Based Phishing (Pharming)

Any form of phishing that interferes with the domain name system so that the user is redirected to a malicious website by polluting the user's DNS cache with wrong information is called DNS-based phishing. Although the hosts file is not a part of the DNS, hosts file poisoning is another form of DNS-based phishing. On the other hand, by compromising the DNS server, the genuine IP addresses will be modified, which results in taking the user unwillingly to a fake location. The user can fall prey to pharming even when clicking on a legitimate link because the website's domain name system (DNS) could be hijacked by cybercriminals (Jakobsson and Myers, 2006).

Content Injection Phishing

Content-injection phishing refers to inserting false content into a legitimate site. This malicious content could misdirect the user to fake websites, leading users into disclosing their sensitive information to the hacker, or it can lead to downloading malware onto the user's device (Jakobsson and Myers, 2006). The malicious content could be injected into a legitimate site in three primary ways:

1. The hacker exploits a security vulnerability and compromises a web server.

2. The hacker exploits a Cross-Site Scripting (XSS) vulnerability, a programming flaw that enables attackers to insert client-side scripts into web pages, which will be viewed by the visitors to the targeted site.

3. The hacker exploits a Structured Query Language (SQL) injection vulnerability, which allows hackers to steal information from the website's database by executing database commands on a remote server.

Man-In-The-Middle Phishing

The Man-In-The-Middle (MITM) attack is a form of phishing in which the phisher inserts themselves into the communication between two parties (i.e., the user and the legitimate website) and tries to obtain information from both parties by intercepting the victim's communications (Ollmann, 2004), such that the message goes to the attacker instead of going directly to the legitimate recipients. In a MITM attack, the attacker records the information and misuses it later. The MITM attack is conducted by redirecting the user to a malicious server through several techniques such as Address Resolution Protocol (ARP) poisoning, DNS spoofing, Trojan key loggers, and URL obfuscation (Jakobsson and Myers, 2006).

Search Engine Phishing

In this phishing technique, the phisher creates malicious websites with attractive offers and uses Search Engine Optimization (SEO) tactics to have them indexed legitimately, such that they appear to the user when searching for products or services. This is also known as black hat SEO (Jakobsson and Myers, 2006).

URL and HTML Obfuscation Attacks

In most phishing attacks, phishers aim to convince a user to click on a given link that connects the victim to a malicious phishing server instead of the destination server. This is the most popular technique used by today's phishers. This type of attack is performed by obfuscating the real link (URL) that the user intends to connect to (an attempt by the attacker to make their web address look like the legitimate one). Bad domain names and host name obfuscation are common methods used by attackers to fake an address (Ollmann, 2004).


A range of solutions are being discussed and proposed by researchers to overcome the problems of phishing, but still, there is no single solution that can be trusted or is capable of mitigating these attacks (Hong, 2012; Boddy, 2018; Chanti and Chithralekha, 2020). The proposed phishing countermeasures in the literature can be categorized into three major defense strategies. The first line of defense is human-based solutions, which educate end-users to recognize phishing and avoid taking the bait. The second line of defense is technical solutions that involve preventing the attack at early stages, such as at the vulnerability level, to prevent the threat from materializing at the user's device, which means decreasing human exposure, and detecting the attack once it is launched, at the network level or at the end-user device. This also includes applying specific techniques to track down the source of the attack (for example, identifying newly registered domains that closely match well-known domain names). The third line of defense is the use of law enforcement as a deterrent control. These approaches can be combined to create much stronger anti-phishing solutions. The above solutions are discussed in detail below.
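The screening of newly registered domains mentioned above, which also catches the bad domain names and host name obfuscation described under URL and HTML Obfuscation Attacks, can look like the following. This is an added example, not code from the article: the brand name, the domain feed and the small substitution table are constructed, it covers ASCII names only, and it treats the last two labels as the registrable domain (an assumption; a Public Suffix List is needed for suffixes such as co.uk).

```python
# Visual substitutions folded before comparison (a small illustrative set).
SEQUENCES = (("rn", "m"), ("vv", "w"))
DIGITS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# Constructed feed of newly observed host names (reserved .test names).
NEW_DOMAINS = [
    "examp1ebank.test", "exarnplebank.test", "examplebnk.test",
    "examplebank.test.account-verify.test", "secure-examplebank.test",
    "weather.test", "www.examplebank.test",
]


def skeleton(label):
    """Fold look-alike characters so visually similar labels compare equal."""
    label = label.lower()
    for seq, repl in SEQUENCES:
        label = label.replace(seq, repl)
    return label.translate(DIGITS)


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute), row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_host(host):
    """Return (second-level label, registrable domain) from the last two labels."""
    labels = host.lower().rstrip(".").split(".")
    sld = labels[-2] if len(labels) > 1 else labels[0]
    return sld, ".".join(labels[-2:])


def classify(host, brands):
    """Return (brand, reason) if host imitates a protected brand, else None."""
    host = host.lower().rstrip(".")
    sld, registrable = split_host(host)
    if registrable in brands:
        return None                               # the brand's own domain
    for brand in sorted(brands):
        brand_sld, _ = split_host(brand)
        if sld == brand_sld:
            return brand, "same-name-other-tld"
        if skeleton(sld) == skeleton(brand_sld):
            return brand, "confusable-characters"
        limit = 1 if len(brand_sld) < 8 else 2    # tolerate more edits on long names
        if levenshtein(sld, brand_sld) <= limit:
            return brand, "typo-distance"
        if brand_sld in host:                     # brand used as subdomain or prefix
            return brand, "brand-in-hostname"
    return None


def screen(domains, brands):
    """Map each suspicious domain in the feed to its (brand, reason) verdict."""
    verdicts = {d: classify(d, brands) for d in domains}
    return {d: v for d, v in verdicts.items() if v is not None}


if __name__ == "__main__":
    for domain, (brand, reason) in screen(NEW_DOMAINS, {"examplebank.test"}).items():
        print(f"{domain:40} imitates {brand}: {reason}")
```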

Human Education (Improving User Awareness About Phishing)

Human education is by far an effective countermeasure to avoid and prevent phishing attacks. Awareness and human training are the first defense approach in the proposed methodology for fighting against phishing, even though it does not assume complete protection (Hong, 2012). End-user education reduces users' susceptibility to phishing attacks and complements other technical solutions. According to the analysis carried out in (Bailey et al., 2008), 95% of phishing attacks are caused by human errors; nonetheless, existing phishing detection training is not enough for combating current sophisticated attacks. In the study presented by Khonji et al. (2013), security experts disagree about the effectiveness and usability of user education. Furthermore, some security experts claim that user education is not effective, as security is not the main goal for users and users do not have a motivation to educate themselves about phishing (Scaife et al., 2016), while others confirm that user education could be effective if designed properly (Evers, 2006; Whitman and Mattord, 2012). Moreover, user training has been mentioned by many researchers as an effective way to protect users when they are using online services (Dodge et al., 2007; Salem et al., 2010; Chanti and Chithralekha, 2020). To detect and avoid phishing emails, a combined training approach was proposed by the authors of the study (Salem et al., 2010). The proposed solution uses a combination of tools and human learning, wherein a security awareness program is introduced to the user as a first step. The second step is using an intelligent system that detects the attacks at the email level. After that, the emails are classified by a fuzzy logic-based expert system. The main criticism of this method is that the study chooses only limited characteristics of the emails as distinguishing features (Kumaraguru et al., 2010; CybintCyberSolutions, 2018).
Moreover, the majority of phishing training programs focus on how to recognize and avoid phishing emails and websites, while other threatening phishing types, such as voice phishing and malware or adware phishing, receive less attention. The authors in (Salem et al., 2010) found that the most used solutions in educating people are not useful if people ignore the notifications/warnings about fake websites. Training users should involve three major directions. The first is awareness training through holding seminars or online courses for both employees within organizations and individuals. The second is using mock phishing attacks to attack people to test users' vulnerability and allow them to assess their own knowledge about phishing. However, only 38% of global organizations claim they are prepared to handle a sophisticated cyber-attack (Kumaraguru et al., 2010). Wombat Security's State of the Phish™ Report 2018 showed that approximately two-fifths of American companies use computer-based online awareness training and simulated phishing attacks as educational tools on a monthly basis, while just 15% of United Kingdom firms do so (CybintCyberSolutions, 2018). The third direction is educating people by developing games to teach people about phishing. The game developer should take into consideration different aspects before designing the game, such as audience age and gender, because people's susceptibility to phishing varies. The authors of the study (Sheng et al., 2007) developed a game called Anti-Phishing Phil to train users to identify phishing attacks; it teaches about phishing web pages and then tests users about the efficiency and effectiveness of the game. The results from the study showed that the game participants improved their ability to identify phishing by 61%, indicating that interactive games might turn out to be a joyful way of educating people.
Although user education and training can be very effective in mitigating security threats, phishing is becoming more complex and cybercriminals can fool even security experts by creating convincing spear phishing emails via social media. Therefore, individual users and employees must have at least basic knowledge about dealing with suspicious emails and reporting them to IT staff and specific authorities. In addition, phishers change their strategies continuously, which makes it harder for organizations, especially small/medium enterprises, to afford the cost of their employee education. With millions of people logging on to their social media accounts every day, social media phishing is phishers' favorite medium to deceive their victims. For example, phishers are taking advantage of the pervasiveness of Facebook to set up creative phishing attacks utilizing the Facebook Login feature, which enables the phisher to compromise all the user's accounts with the same credentials (VadeSecure). Some countermeasures are taken by social networks to reduce suspicious activities on social media, such as two-factor authentication for logging in, which is required by Facebook, and machine-learning techniques used by Snapchat to detect and prevent suspicious links sent within the app (Corrata, 2018). However, countermeasures to control Soshing and phone phishing attacks might include:

• Install anti-virus, anti-spam software as a first action and keep it up to date to detect and prevent any unauthorized access.

• Educate yourself about recent information on phishing, the latest trends, and countermeasures.

• Never click on hyperlinks attached to a suspicious email, post, tweet, or direct message.

• Never trust social media; do not give any sensitive information over the phone or to a non-trusted account. Do not accept friend requests from people you do not know.

• Use a unique password for each account.

Training and educating users is an effective anti-phishing countermeasure and has already shown promising initial results. The main downside of this solution is that it demands high costs ( Dodge et al., 2007 ). Moreover, this solution requires basic knowledge in computer security among trained users.

Technical Solutions

The proposed technical solutions for detecting and blocking phishing attacks can be divided into two major approaches: non-content based solutions and content-based solutions (Le et al., 2006; Bin et al., 2010; Boddy, 2018). Both approaches are briefly described in this section. Non-content based methods include blacklists and whitelists that classify fake emails or webpages based on information that is not part of the email or the webpage, such as URL and domain name features (Dodge et al., 2007; Ma et al., 2009; Bin et al., 2010; Salem et al., 2010). Blacklist and whitelist approaches stop phishing sites by maintaining a list of known URLs and sites; the website under scrutiny is checked against such a list in order to be classified as a phishing or legitimate site. The downside of this approach is that it will not identify all phishing websites, because once a phishing site is taken down, the phisher can easily register a new domain (Miyamoto et al., 2009). Content-based methods classify the page or the email relying on the information within its content, such as text, images, and also HTML, JavaScript, and Cascading Style Sheets (CSS) code (Zhang et al., 2007; Maurer and Herzner, 2012). Content-based solutions involve Machine Learning (ML), heuristics, visual similarity, and image processing methods (Miyamoto et al., 2009; Chanti and Chithralekha, 2020). Finally, multifaceted methods apply a combination of the previous approaches to detect and prevent phishing attacks (Afroz and Greenstadt, 2009). For email filtering, ML techniques are commonly used; for example, in 2007, the first email phishing filter was developed by the authors in (Fette et al., 2007). This technique uses a set of features such as URLs that use different domain names. Spam filtering techniques (Cormack et al., 2011) and statistical classifiers (Bergholz et al., 2010) are also used to identify a phishing email.
Authentication and verification technologies are also used in spam email filtering as an alternative to heuristics methods. For example, the Sender Policy Framework (SPF) verifies whether a sender is valid when accepting mail from a remote mail server or email client ( Deshmukh and raddha Popat, 2017 ).
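The SPF check mentioned above, as an added example (not code from the article or from any SPF library): the receiving server compares the connecting IP address with the record published by the sender's domain. The function evaluates the ip4, ip6 and all mechanisms of a record passed in as a string; the record, the addresses and the needs-dns marker returned for mechanisms that require DNS lookups are assumptions of this example.

```python
import ipaddress
import re

# Qualifier prefix of a mechanism -> SPF result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Mechanisms that can only be evaluated with DNS lookups (not done offline here).
NEEDS_DNS = {"a", "mx", "include", "exists", "ptr"}
MODIFIER = re.compile(r"^[a-z][a-z0-9_.-]*=", re.I)   # e.g. redirect=, exp=

# Constructed TXT record for a made-up sending domain (documentation ranges).
SAMPLE_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8:25::/48 -all"


def evaluate_spf(record, client_ip):
    """Evaluate an SPF record left to right against the connecting client IP.

    Returns an SPF result string, or "needs-dns" (this example's own marker)
    when the outcome depends on a mechanism or redirect that requires DNS.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                              # not an SPF record
    ip = ipaddress.ip_address(client_ip)
    has_redirect = False
    for term in terms[1:]:
        if MODIFIER.match(term):
            has_redirect |= term.lower().startswith("redirect=")
            continue
        has_qualifier = term[0] in QUALIFIERS
        result = QUALIFIERS[term[0]] if has_qualifier else "pass"
        body = term[1:] if has_qualifier else term
        name, _, arg = body.partition(":")
        name = name.split("/", 1)[0].lower()
        if name == "all":                          # matches every sender
            return result
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"                 # syntactically broken record
            if net.version != int(name[2]):
                return "permerror"                 # e.g. ip4: with an IPv6 range
            if ip.version == net.version and ip in net:
                return result
            continue
        if name in NEEDS_DNS:
            return "needs-dns"
        return "permerror"                         # unknown mechanism
    # No mechanism matched: neutral unless a redirect would have to be followed.
    return "needs-dns" if has_redirect else "neutral"


if __name__ == "__main__":
    for addr in ("192.0.2.55", "2001:db8:25::1", "198.51.100.9"):
        print(addr, evaluate_spf(SAMPLE_RECORD, addr))
```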

The technical solutions for anti-phishing are available at different levels of the delivery chain, such as mail servers and clients, Internet Service Providers (ISPs), and web browser tools. Drawing from the proposed anatomy for phishing attacks in the section Proposed Phishing Anatomy, the authors categorize technical solutions into the following approaches:

1. Techniques to detect the attack after it has been launched, such as scanning the web to find fake websites. For example, content-based phishing detection approaches are heavily deployed on the Internet. Features from website elements such as image, URL, and text content are analyzed using rule-based approaches and Machine Learning that examine the presence of special characters (@), IP addresses instead of the domain name, prefix/suffix, HTTPS in the domain part, and other features (Jeeva and Rajsingh, 2016). Fuzzy Logic (FL) has also been used as an anti-phishing model to help classify websites into legitimate or ‘phishy’, as this model deals with intervals rather than specific numeric values (Aburrous et al., 2008).

2. Techniques to prevent the attack from reaching the user's system. Phishing prevention is an important step to defend against phishing by blocking a user from seeing and dealing with the attack. In email phishing, anti-spam software tools can block suspicious emails. Phishers usually send a genuine look-alike email that dupes the user to open an attachment or click on a link. Some of these emails pass the spam filter because phishers use misspelled words. Therefore, techniques that detect fake emails by checking spelling and grammar are increasingly used, so that the email can be prevented from reaching the user's mailbox. The authors of the study (Fette et al., 2007) have developed a new classification algorithm based on the Random Forest algorithm after exploring email phishing utilizing the C4.5 decision tree generator algorithm. The developed method is called "Phishing Identification by Learning on Features of Email Received" (PILFER), which can classify phishing email depending on various features such as IP-based URLs, the number of links in the HTML part(s) of an email, the number of domains, the number of dots, nonmatching URLs, and the availability of JavaScript. The developed method showed high accuracy in detecting phishing emails (Afroz and Greenstadt, 2009).

3. Corrective techniques that can take down the compromised website by requesting the website's Internet Service Provider (ISP) to shut down the fake website in order to prevent more users from falling victim to phishing (Moore and Clayton, 2007; Chanti and Chithralekha, 2020). ISPs are responsible for taking down fake websites. Removing compromised and illegal websites is a complex process; many entities are involved in this process, from private companies, self-regulatory bodies, government agencies, and volunteer organizations to law enforcement and service providers. Usually, illegal websites are taken down by Takedown Orders, which are issued by courts or, in some jurisdictions, by law enforcement. On the other hand, these can be voluntarily taken down by the providers themselves as a result of issued takedown notices (Moore and Clayton, 2007; Hutchings et al., 2016). According to the PHISHLABS report (PhishLabs, 2019), taking down phishing sites is helpful but not completely effective, as these sites can still be alive for days, stealing customers' credentials before the attack is detected.

4. Warning tools or security indicators that are embedded into the web browser to inform the user after detecting the attack. For example, eBay Toolbar and Account Guard (eBay Toolbar and Account Guard, 2009) protect customer’s eBay and PayPal passwords respectively by alerting users about the authenticity of the sites into which they try to type the password. Numerous anti-phishing solutions rely mainly on warnings that are displayed on the security toolbar. In addition, some toolbars, such as McAfee and Netscape, block suspicious sites to warn about them. A study presented in (Robichaux and Ganger, 2006) evaluated the performance of eight anti-phishing solutions, including Microsoft Internet Explorer 7, EarthLink, eBay, McAfee, GeoTrust, Google using Firefox, Netscape, and Netcraft. These are warning and blocking tools that allow legitimate sites while blocking and warning about known phishing sites. The study also found that Internet Explorer and Netcraft Toolbar showed more effective results than the other anti-phishing tools. However, although these toolbars improve internet security in general, they still fail to prevent people from falling victim to phishing (Abu-Nimeh and Nair, 2008).

5. Authentication (Moore and Clayton, 2007) and authorization (Hutchings et al., 2016) techniques that provide protection from phishing by verifying the identity of the legitimate person. This prevents phishers from accessing a protected resource and conducting their attack. There are three types of authentication. Single-factor authentication requires only a username and password. Two-factor authentication requires additional information beyond the username and password, such as an OTP (One-Time Password) sent to the user’s email id or phone. Multi-factor authentication uses more than one form of identity (i.e., a combination of something you know, something you are, and something you have). Some widely used methods in the authorization process are API authorization and OAuth 2.0, which allow the previously generated API to access the system.
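The feature families listed for PILFER in item 2 above can be pulled out of a raw message with the Python standard library alone. This is an added example, not code from Fette et al. or from this article: `pilfer_style_features`, `LinkCollector`, `host_of`, the constructed sample message, and the reading of "number of dots" as the maximum over link targets are all assumptions, and only feature extraction is shown, with no classifier trained.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message (reserved documentation hosts and addresses only).
SAMPLE = """\
Subject: Verify your account
Content-Type: text/html; charset="utf-8"

<html><body><script>var t = 1;</script>
<a href="http://192.0.2.10/login.php">https://www.bank.example/login</a>
<a href="http://help.bank.example/faq">Help</a></body></html>
"""

class LinkCollector(HTMLParser):  # gathers (href, visible text) pairs, flags <script>
    def __init__(self):
        super().__init__()
        self.links, self.has_script, self._href, self._text = [], False, None, []
    def handle_starttag(self, tag, attrs):
        self.has_script |= tag == "script"
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        self._text.append(data)  # text seen before an <a> is discarded when it opens
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):  # lower-cased host; accepts scheme-less text such as www.x.example
    return (urlsplit(url if "://" in url else "//" + url).hostname or "").lower()

def pilfer_style_features(raw_email):
    msg, page = message_from_string(raw_email, policy=policy.default), LinkCollector()
    html = [p.get_content() for p in msg.walk() if p.get_content_type() == "text/html"]
    page.feed("".join(html))
    hosts = [host_of(href) for href, _ in page.links]
    # Nonmatching: the visible link text is itself a URL that names a different host.
    nonmatching = sum(1 for (_, text), h in zip(page.links, hosts)
                      if re.match(r"(https?://|www\.)", text, re.I) and host_of(text) != h)
    return {
        "ip_based_url": any(re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", h) for h in hosts),
        "num_links": len(page.links),
        "num_domains": len({h for h in hosts if h}),
        "max_dots": max((u.count(".") for u, _ in page.links), default=0),  # assumption: max over hrefs
        "nonmatching_urls": nonmatching,
        "has_javascript": page.has_script,
    }
```

On the constructed sample, the first link shows a bank hostname as its text while pointing at a bare IP address, so it is counted both as an IP-based URL and as a nonmatching URL.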

However, the progressive increase in phishing attacks shows that the previous methods do not provide the required protection against most existing phishing attacks, because no single solution or technology can prevent all phishing attacks. An effective anti-phishing solution should be based on a combination of technical solutions and increased user awareness (Boddy, 2018).

Solutions Provided by Legislations as a Deterrent Control

A cyber-attack is considered a crime when an individual intentionally accesses personal information on a computer without permission, even if the individual does not steal information or damage the system (Mince-Didier, 2020). The sole objective of almost all phishing attacks is to obtain sensitive information with the intention of committing identity theft, and there are currently no federal laws in the United States aimed specifically at phishing; phishing crimes are therefore usually covered under identity theft laws. Phishing is considered a crime even if the victim does not actually fall for the phishing scam; the punishments depend on circumstances and usually include jail, fines, restitution, and probation (Nathan, 2020). Phishing attacks cause different levels of damage to victims, such as financial and reputational losses. Therefore, law enforcement authorities should track down these attacks in order to punish the criminal, as with real-world crimes. As a complement to technical solutions and human education, the support provided by applicable laws and regulations can play a vital role as a deterrent control. Increasingly, authorities around the world have created regulations to mitigate the increase in phishing attacks and their impact. The first anti-phishing laws were enacted by the United States, where the FTC added phishing attacks to the computer crime list in January 2004. A year later, the "Anti-Phishing Act" was introduced in the US Congress in March 2005 (Mohammad et al., 2014). Meanwhile, in the United Kingdom, legislation is gradually being adapted to address phishing and other forms of cyber-crime. In 2006, the United Kingdom government amended the Computer Misuse Act 1990, intending to bring it up to date with developments in computer crime and to increase penalties for breaches, enacting penalties of up to 10 years (eBay Toolbar and Account Guard, 2009; PhishLabs, 2019).
In this regard, a student in the United Kingdom who made hundreds of thousands of pounds blackmailing pornography website users was jailed in April 2019 for six years and five months. According to the National Crime Agency (NCA), this attacker was the most prolific cybercriminal to be sentenced in the United Kingdom (Casciani, 2019). Moreover, organizations bear part of the responsibility for protecting personal information, as stated in the Data Protection Act 2018 and the EU General Data Protection Regulation (GDPR). Phishing websites can also be taken down through the action of law enforcement agencies. In the United Kingdom, websites can be taken down by the National Crime Agency (NCA), which includes the National Cyber Crime Unit, and by the City of London Police, which includes the Police Intellectual Property Crime Unit (PIPCU) and the National Fraud Intelligence Bureau (NFIB) (Hutchings et al., 2016).

However, anti-phishing law enforcement still faces numerous challenges and limitations. Firstly, after perpetrating the phishing attack, the phisher can vanish in cyberspace, making it difficult to prove the offender's guilt and to recover the damages caused by the attack, which limits the effectiveness of law enforcement. Secondly, even if the attacker's identity is disclosed, in the case of international attackers it will be difficult to bring the attacker to justice because of differences in countries' legislation (e.g., exchange treaties). Also, the attack can be conducted within a short time span; for instance, the average lifetime of a phishing web site is about 54 h, as stated by the APWG. Therefore, there must be a quick response from the government and the authorities to detect, control, and identify the perpetrators of the attack (Ollmann, 2004).

Phishing attacks remain one of the major threats to individuals and organizations to date. As highlighted in the article, this is mainly driven by human involvement in the phishing cycle. Phishers often exploit human vulnerabilities in addition to favorable technological conditions (i.e., technical vulnerabilities). It has been identified that age, gender, internet addiction, user stress, and many other attributes affect susceptibility to phishing among people. In addition to traditional phishing channels (e.g., email and web), new phishing mediums such as voice and SMS phishing are on the increase. Furthermore, social media-based phishing has increased in parallel with the growth of social media. Concomitantly, phishing has developed beyond obtaining sensitive information and financial crimes to cyber terrorism, hacktivism, damaging reputations, espionage, and nation-state attacks. Research has been conducted to identify the motivations, techniques, and countermeasures for these new crimes; however, there is no single solution to the phishing problem due to the heterogeneous nature of the attack vector. This article has investigated the problems presented by phishing and proposed a new anatomy, which describes the complete life cycle of phishing attacks. This anatomy provides a wider outlook on phishing attacks and an accurate definition covering end-to-end exclusion and realization of the attack.

Although human education is the most effective defense against phishing, it is difficult to remove the threat completely due to the sophistication of the attacks and their social engineering elements. Although continual security awareness training is the key to avoiding phishing attacks and reducing their impact, developing efficient anti-phishing techniques that prevent users from being exposed to the attack is an essential step in mitigating these attacks. To this end, this article discussed the importance of developing anti-phishing techniques that detect or block the attack. Furthermore, as discussed in this article, techniques to determine the source of the attack could provide a stronger anti-phishing solution.

Furthermore, this article identified the importance of law enforcement as a deterrent mechanism. Further investigations and research are necessary as discussed below.

1. Further research is necessary to study and investigate susceptibility to phishing among users, which would assist in designing stronger and self-learning anti-phishing security systems.

2. Research on social media-based phishing, Voice Phishing, and SMS Phishing is sparse, and these emerging threats are predicted to increase significantly over the next years.

3. Laws and legislation that apply to phishing are still in their infancy; in fact, there are no specific phishing laws in many countries. Most phishing attacks are covered under traditional criminal laws such as identity theft and computer crimes. Therefore, drafting specific laws for phishing is an important step in mitigating these attacks at a time when these crimes are becoming more common.

4. Determining the source of the attack before the end of the phishing lifecycle and enforcing legislation on the offender could help restrict phishing attacks drastically, and would benefit from further research.

It can be observed that the mediums used for phishing attacks have changed from traditional emails to social media-based phishing. There is a clear lag between sophisticated phishing attacks and existing countermeasures. The emerging countermeasures should be multidimensional to tackle both human and technical elements of the attack. This article provides valuable information about current phishing attacks and countermeasures whilst the proposed anatomy provides a clear taxonomy to understand the complete life cycle of phishing.

This article is part of the Research Topic

2021 Editor's Pick: Computer Science


Research on the cyber security of AI

A collection of government research reports on the cyber security of artificial intelligence, including surveys and literature reviews.

  • Cyber security risks to artificial intelligence (PDF, 546 KB, 36 pages)
  • AI cyber security survey - main report (PDF, 844 KB, 25 pages)
  • AI cyber security survey - technical report (PDF, 686 KB, 31 pages)
  • Cyber security for AI recommendations (PDF, 503 KB, 31 pages)
  • Study of research and guidance on the cyber security of AI (PDF, 802 KB, 23 pages)

As part of the £2.6 billion National Cyber Strategy, the government is working to protect and promote the UK online. This includes taking the lead in the technologies vital to cyber power and securing the next generation of connected technologies, including artificial intelligence (AI).

To ensure the opportunities of AI are fully realised, systems must be developed, deployed and operated in a secure and responsible way. The research reports published here support the government’s policy work on the cyber security of AI and complement the call for views on AI cyber security being held between May and July 2024.

For more information and to provide your input, please see the Call for Views on the Cyber Security of AI.

This work was announced at the CyberUK 2024 conference.

For more information, please read the press notice.

This is part of our plan to ensure the UK continues to be a leading responsible and democratic cyber power, with a secure digital economy.

