Manage Learn to apply best practices and optimize your operations.

Cyber Crime and Cyber Terrorism Investigator's Handbook

In this excerpt of Cyber Crime and Cyber Terrorism Investigator's Handbook, authors Babak Akhgar, Andrew Staniforth and Francesca Bosco outline the classification, types and categories of cybercrime.

Cyber Crime and Cyber Terrorism Investigator's Handbook cover

The following is an excerpt from Cyber Crime and Cyber Terrorism Investigator's Handbook written by authors Babak Akhgar, Andrew Staniforth and Francesca Bosco and published by Syngress. This section from chapter 12 lists the classifications and types of cybercrime, as well as numerous cybercrime categories including phishing, spam and Internet auction fraud.

What are the classifications and types of cybercrime?

The other approach to defining cybercrime is to develop a classification scheme that links offences with similar characteristics into appropriate groups similar to the traditional crime classifications. Several schemes have been developed over the years. There are suggestions that there are only two general categories: active and passive computer crimes. An active crime is when someone uses a computer to commit the crime, for example, when a person obtains access to a secured computer environment or telecommunications device without authorization (hacking). A passive computer crime occurs when someone uses a computer to both support and advance an illegal activity. An example is when a narcotics suspect uses a computer to track drug shipments and profits.

Literature has widely categorizes four general types of cybercrime by the computer's relationship to the crime:

  • Computer as the Target: theft of intellectual property, theft of marketing information (e.g., customer list, pricing data, or marketing plan), and blackmail based on information gained from computerized files (e.g., medical information, personal history, or sexual preference).
  • Computer as the Instrumentality of the Crime: fraudulent use of automated teller machine (ATM) cards and accounts, theft of money from accrual, conversion, or transfer accounts, credit card fraud, fraud from computer transaction (stock transfer, sales, or billing), and telecommunications fraud.
  • Computer Is Incidental to Other Crimes: money laundering and unlawful banking transactions, organized crime records or books, and bookmaking.
  • Crime Associated with the Prevalence of Computers: software piracy/counterfeiting, copyright violation of computer programs, counterfeit equipment, black market computer equipment and programs, and theft of technological equipment.

Yar (2006), who has subdivided cybercrime into four areas of harmful activity, illustrates a range of activities and behaviors rather than focusing on specific offences. This reflects not only the various bodies of law, but also specific courses of public debate. The four categories are as follows:

Cyber-trespass: the crossing of cyber boundaries into other people's computer systems into spaces where rights of ownership or title have already been established and causing damage, e.g., hacking and virus distribution.

Cyber-deceptions and thefts: the different types of acquisitive harm that can take place within cyberspace. At one level lie the more traditional patterns of theft, such as the fraudulent use of credit cards and (cyber) cash, but there is also a particular current concern regarding the increasing potential for the raiding of online bank accounts as e-banking become more popular.

Cyber-pornography: the breaching of laws on obscenity and decency.

Cyber-violence: the violent impact of the cyber activities of others upon individual, social or political grouping. Whilst such activities do not have to have a direct manifestation, the victim nevertheless feels the violence of the act and can bear long-term psychological scars as a consequence. The activities referred here range from cyber-stalking and hate-speech, to tech-talk.

In addition to the above, Yar (2006) has added a new type of activity which is "crime against the state," describing it as encompassing those activities that breach laws which protect the integrity of the nation's infrastructure, like terrorism, espionage and disclosure of official secrets.

Cyber Crime and Cyber Terrorism Investigator's Handbook

Authors: Babak Akhgar, Andrew Staniforth and Francesca Bosco

Learn more about Cyber Crime and Cyber Terrorism Investigator's Handbook from publisher Syngress

At checkout, use discount code PBTY15 for 25% off

Gordon and Ford (2006) attempted to create a conceptual framework which law makers can use when compiling legal definitions which are meaningful from both a technical and a societal perspective. Under their scheme, they categorize cybercrime into two types:

1. The first type has the following characteristics:

  • It is generally a singular, or discrete, event from the perspective of the victim.
  • It is often facilitated by the introduction of crime-ware programs such as keystroke loggers, viruses, rootkits or Trojan horses into the user's computer system.
  • The introductions can (but not necessarily) be facilitated by vulnerabilities.

2. At the other end of the spectrum is the second type of cybercrime, which includes, but is not limited to, activities such as cyber stalking and harassment, blackmail, stock market manipulation, complex corporate espionage, and planning or carrying out terrorist activities online. The characteristics of this type are as follows:

  • It is generally facilitated by programs that do not fit under the classification of crime-ware. For example, conversations may take place using IM (Instant Messaging), and clients or files may be transferred using the FTP protocol.
  • There are generally repeated contacts or events from the perspective of the user.

Cybercrime categories


Is the act of attempting to trick customers into disclosing their personal security information; their credit card numbers, bank account details, or other sensitive information by masquerading as trustworthy businesses in an e-mail. Their messages may ask the recipients to "update," "validate," or "confirm" their account information.

Phishing is a two time scam, first steals a company's identity and then use it to victimize consumers by stealing their credit identities. The term Phishing (also called spoofing) comes from the fact that Internet scammers are using increasingly sophisticated lures as they "fish" for user's financial information and password data.

Phishing becomes the most commonly used social engineering attack to date due to the fact that it is quite easy to be carried out, no direct communication between hacker and victim is required (i.e., hacker does not need to phone their prey, pretending that they are a technical support staff, etc.). Sending mass-mails to thousands of potential victims increases the chance of getting someone hooked. There are usually three separate steps in order for such attacks to work, these are:

  1. Setting up a mimic web site.
  2. Sending out a convincingly fake e-mail, luring the users to that mimic site.
  3. Getting information then redirect users to the real site.

In step 1, the hacker steals an organization's identity and creates a look-alike web site. This can easily be done by viewing the targeted site's source code, then copying all graphics and HTML lines from that real web site. Due to this tactic, it would really be very hard for even an experienced user to spot the differences. On the mimic web site, usually there will be a log-in form, prompting the user to enter secret personal data. Once the data are entered here, a server-side script will handle the submission, collecting the data and send it to the hacker, then redirect users to the real web site so everything look unsuspicious.

The hardest part of phishing attack that challenges most hackers is in the second step. This does not mean it is technically hard, but grammatically it is! In this step, the hacker will make a convincingly fake e-mail which later will be sent by a "ghost" mailing program, enabling the hacker to fake the source address of the e-mail.

The main purpose of this fake e-mail is to urge the users going to the mimic web site and entering their data that hackers wanted to capture. Commonly employed tactics are asking users to response over emergency matters such as warning that customers need to log-in immediately or their accounts could be blocked; notifying that someone just sends the user some money and they need to log in now in order to get it (this usually is an effective trap to PayPal users), etc. Inside this fake e-mail, users often find a hyperlink, which once clicked, will open the mimic web site so they can "log in." As discussed before, the easiest way to quickly identify a fake e-mail is not just by looking at the address source (since it can be altered to anything) but to check English grammar in the e-mail. You may find this sounds surprising, however, 8 out of 10 scam e-mails have obvious grammar mistakes. Regardless of this, the trick still works.

In the last step, once a user has opened the mimic web site and "log in," their information will be handled by a server-side script. That information will later be sent to hacker via e-mail and user will be redirected to the real web site. However, the confidentiality of user's financial data or secret password has now been breached.

Due to the recent financial crises, mergers and takeovers, many changes have taken place in the financial marketplace. These changes have encouraged scam artists to phish for customers' details.

The key points are:

  • Social engineering attacks have the highest success rate
  • Prevention includes educating people about the value of information and training them to protect it
  • Increasing people's awareness of how social engineers operate
  • Do not click on links in the e-mail message
  • It appears that phishing e-mail scam has been around in one form or another since February 2004 and it seems to be still evolving, similar to the way virus writers share and evolve code.

According to the global phishing survey carried out by the Anti-Phishing working group published in 2013 (APWG, 2013)

  1. Vulnerable hosting providers are inadvertently contributing to phishing. Mass compromises led to 27% of all phishing attacks.
  2. Phishing continues to explode in China, where the expanding middle class is using e-commerce more often.
  3. The number of phishing targets (brands) is up, indicating that e-criminals are spending time looking for new opportunities.
  4. Phishers continue to take advantage of inattentive or indifferent domain name registrars, registries, and subdomain resellers. The number of top-level registries is poised to quintuple over the next 2 years.
  5. The average and median uptimes of phishing attacks are climbing.

According to Symantec Intelligence Report (2013) Fake offerings continue to dominate Social Media attacks, while disclosed vulnerability numbers are up 17% compared to the same period in 2012 (Symantec, 2013).


Another form of Cybercrime is spam mail, which is arguably the most profound product of the Internet's ability to place unprecedented power into the hands of a single person. Spam mail is the distribution of bulk e-mails that advertise products, services or investment schemes, which may well turn out to be fraudulent. The purpose of spam mail is to trick or con customers into believing that they are going to receive a genuine product or service, usually at a reduced price. However, the spammer asks for money or sensible security information like credit card number or other personal information before the deal occur. After disclosing their security information the customer will never hear from the spammer.

Today, spammers who spread malicious code and phishing e-mails are still looking for the best way to reach computer users by using social engineering and technical advances, however, according to a Symantec Intelligence Report (Symantec, 2012), spam levels have continued to drop to 68% of global e-mail traffic in 2012 from 89% highest in 2010.

In April 2012, political spams were back in action targeting primarily US and French population. The complex situation in Syria has also become the subject of spam e-mails too.

In 2012, USA was in second place after India for spam origination with China ranked as number 5 (Kaspersky, 2012).


Hacking is one of the most widely analyzed and debated forms of cyber-criminal activity, and serves as an intense focus for public concerns about the threat that such activity poses to society. The clear-cut definition of hacking is "the unauthorized access and subsequent use of other people's computer systems" (Yar, 2006).

The early hackers had a love of technology and a compelling need to know how it all worked, and their goal was to push programs beyond what they were designed to do. The word hacker did not have the negative connotation as it has today.

The attacks take place in several phases such as information gathering or reconnaissance, scanning and finally entering into the target system. Information gathering involves methods of obtaining information or to open security holes. It is just like the way in which the traditional type of robbery is carried out. The robber will find out the whole information about the place that wants to rob before making attempt. Just like this the computer attacker will try to find out information about the target. Social Engineering is one such method used by an attacker to get information.

Read an excerpt

Download the PDF of chapter 12 to learn more!

There are two main categories under which all social engineering attempts could be classified, computer or technology-based deception and human-based deception. The technology-based approach is to deceive the user into believing that is interacting with the "real" computer system (such as popup window, informing the user that the computer application has had a problem) and get the user to provide confidential information. The human approach is done through deception, by taking advantage of the victim's ignorance, and the natural human inclination to be helpful and liked.

Organized criminals have the resources to acquire the services of the necessary people. The menace of organized crime and terrorist activity grows ever more sophisticated as the ability to enter, control and destroy our electronic and security systems grows at an equivalent rate. Today, certainly, e-mail and the Internet are the most commonly used forms of communication and information sharing. Just over 2 billion people use the Internet every day. Criminal gangs "buying" thrill-seeking hackers and "script kiddies" to provide the expertise and tools, this is called cyber child labor.

Cyber harassment or bullying

Cyber-harassment or bullying is the use of electronic information and communication devices such as e-mail, instant messaging, text messages, blogs, mobile phones, pagers, instant messages and defamatory websites to bully or otherwise harass an individual or group through personal attacks or other means. "At least in a physical fight, there's a start and an end, but when the taunts and humiliation follow a child into their home, it's 'torture,' and it doesn't stop" (Early, 2010). Cyber-bullying, taunts, insults and harassment over the Internet or text messages sent from mobile phones has become rampant among young people, in some cases with tragic consequences. Derek Randel, a motivational speaker, former teacher and founder of, believes that "cyber-bullying has become so prevalent with emerging social media, such as Facebook and text messaging, that it has affected every school in every community" (Early, 2010; StopCyberbullying, 2013).

Identity theft

This is the fastest growing types of fraud in the UK. Identity theft is the act of obtaining sensitive information about another person without his or her knowledge, and using this information to commit theft or fraud. The Internet has given cyber criminals the opportunity to obtain such information from vulnerable companies' database. It has also enabled them to lead the victims to believe that they are disclosing sensitive personal information to a legitimate business; sometimes as a response to an e-mail asking to update billing or membership information; sometimes it takes the form of an application to a (fraudulent) Internet job posting. According to the All Party Parliamentary Group, the available research, both in the UK and globally, indicates that identity fraud is a major and growing problem because of the escalating and evolving methods of gaining and utilizing personal information. Subsequently, it is expected to increase further over the coming years.

This is an issue which is recognized in the highest levels of Government.

In 2012 alone CIFAS, the UK's Fraud Prevention Service, identified and protected over 150,000 victims of these identity crimes (CIFAS, 2012).

Plastic card fraud

Plastic Card Fraud is the unauthorized use of plastic or credit cards, or the theft of a plastic card number to obtain money or property. According to APACS (analysis of policing and community safety framework), the UK payments association, plastic card losses in 2011 was £341m, of which £80m was the result of fraud abroad (Financial fraud action UK, 2012). This typically involves criminals using stolen UK card details at cash machines and retailers in countries that have yet to upgrade to Chip and PIN.

The biggest fraud type in the UK is card-not-present (CNP) fraud. In 2011 65% of total losses was CNP, which was £220.9 Million (down by 3%) (Financial fraud action UK, 2012). CNP fraud encompasses any frauds which involve online, telephone or mail order payment. The problem in countering this type of fraud lies in the fact that neither the card nor the cardholder is present at a physical till point in a shop. There are a number of methods that fraudsters use for obtaining both cards and card details, such as phishing, sending spam e-mails, or hacking companies' database, as aforementioned.

Internet auction fraud

Internet auction fraud is when items bought are fake or stolen goods, or when seller advertises nonexistent items for sale which means goods are paid for but never arrives. Fraudsters often use money transfer services as it is easier for them to receive money without revealing their true identity.

Auction fraud is a classic example of criminals relies on the anonymity of the internet. According to action fraud 2013, some of the most common complaints involve:

  • Buyers receiving goods late, or not at all
  • Sellers not receiving payment
  • Buyers receiving goods that are either less valuable than those advertised or significantly different from the original description
  • Failure to disclose relevant information about a product or the terms of sale.

These fraudulent "sellers" use stolen IDs when they register with the auction sites, therefore tracing them is generally a very difficult tasks.

About the authors:
Babak Akhgar is Professor of Informatics and Director of CENTRIC (Center of Excellence in Terrorism, Resilience, Intelligence and Organized Crime Research) at Sheffield Hallam University (UK) and Fellow of the British Computer Society. He has more than 100 refereed publications in international journals and conferences on information systems with specific focus on knowledge management (KM). He is member of editorial boards of several international journals and has acted as Chair and Program Committee Member for numerous international conferences. He has extensive and hands-on experience in the development, management and execution of KM projects and large international security initiatives (e.g., the application of social media in crisis management, intelligence-based combating of terrorism and organized crime, gun crime, cyber-crime and cyber terrorism and cross cultural ideology polarization). In addition to this he is the technical lead of two EU Security projects: "Courage" on Cyber-Crime and Cyber-Terrorism and "Athena" on the Application of Social Media and Mobile Devices in Crisis Management. He has co-edited several books on Intelligence Management.. His recent books are titled Strategic Intelligence Management (National Security Imperatives and Information and Communications Technologies), Knowledge Driven Frameworks for Combating Terrorism and Organised Crime and Emerging Trends in ICT Security. Prof Akhgar is member of the academic advisory board of SAS UK.

Andrew Staniforth, Detective Inspector and Advisory Board Member and Senior Research Fellow, Centre of Excellence in Terrorism, Resilience, Intelligence and Organised Crime Research (CENTRIC).

Francesca Bosco, Project Officer on Cybercrime and Cybersecurity at UNICRI.

This was last published in October 2015

Dig Deeper on Email and Messaging Threats-Information Security Threats