We know more and more about the financial cost of cybercrime, but there has been very little work on its emotional cost. David Modic and I decided to investigate. We wanted to empirically test whether there are emotional repercussions to becoming a victim of fraud (Yes, there are). We wanted to compare emotional and financial impact across different categories of fraud and establish a ranking list (And we did). An interesting, although not surprising, finding was that in every tested category the victim’s perception of emotional impact outweighed the reported financial loss.
A victim may think that they will still be able to recover their money, if not their pride. That really depends on what type of fraud they facilitated. If it is auction fraud, then their chances of recovery are comparatively higher than in bank fraud – we found that 26% of our sample would attempt to recover funds lost in a fraudulent auction and approximately half of them were reimbursed (look at this presentation). There is considerable evidence that banks are not very likely to believe someone claiming to be a victim of, say, identity theft and by extension bank fraud. Thus, when someone ends up out of pocket, they will likely also go through a process of secondary victimisation where they will be told they broke some small-print rule like having the same pin for two of their bank cards or not using the bank’s approved anti-virus software, and are thus not eligible for any refund and it is all their own fault, really.
You can find the article here or here. (It was published in IEEE Security & Privacy.)
This paper complements and extends our earlier work on the costs of cybercrime, where we show that the broader economic costs to society of cybercrime – such as loss of confidence in online shopping and banking – also greatly exceed the amounts that cybercriminals actually manage to steal.
“… where they will be told they broke some small-print rule like … not using the bank’s approved anti-virus software, and are thus not eligible for any refund …”
My banks all promote a free download Trusteer Rapport after clicking ‘Log In’ but before presenting the actual login fields (which strikes me as a particularly bad time to interrupt this workflow). I don’t have it installed and won’t be doing so.
Are there any real examples of a bank refusing to reimburse a customer because of a lack of, or non-approved, third-party software?
Thanks,
Chris
Professor Anderson, as above, are there any real examples of a bank refusing to reimburse a customer because of a lack of, or non-approved, third-party software? Or was that a hypothetical scenario in your article which has not been seen to take place for real yet?
Thanks,
Chris
Chris
See here for how the UK banks changed their rules to insist on this. And yes, there are enough cases where people are told to get stuffed; if the bank’s first responders jump to the conclusion that somehow it was your fault, there are all sorts of excuses that they can and do use. These tend to be of a “gross negligence” flavour in the UK, and more like “you gave someone else your password, so you actually authorised the transaction” in the USA. It is common in many countries for frauds following equipment theft to be blamed on the customer, as here; we had a case in the UK involving over £100k. So don’t use a banking app on a phone or tablet if you’re going to take it out of the house.
Many thanks. Actually I don’t use banking apps at all, since they offer very limited value to me but provide a way for the banks to use them against me in the kind of situations you described.