
Computer crime

From Wikipedia, the free encyclopedia

Computer crime refers to any crime that involves a computer and a network.[1] The computer may have been used in the commission of a crime, or it may be the target.[2] Netcrime refers to criminal exploitation of the Internet.[3] Cybercrimes are defined as: "Offences that are committed against individuals or groups of individuals with a criminal motive to intentionally harm the reputation of the victim or cause physical or mental harm to the victim directly or indirectly, using modern telecommunication networks such as Internet (Chat rooms, emails, notice boards and groups) and mobile phones (SMS/MMS)".[4] Such crimes may threaten a nation's security and financial health.[5]

Issues surrounding this type of crime have become high-profile, particularly those surrounding cracking, copyright infringement, child pornography, and child grooming. There are also problems of privacy when confidential information is lost or intercepted, lawfully or otherwise.

Internationally, both governmental and non-state actors engage in cybercrimes, including espionage, financial theft, and other cross-border crimes. Activity crossing international borders and involving the interests of at least one nation-state is sometimes referred to as cyber warfare. The international legal system is attempting to hold actors accountable for their actions through the International Criminal Court.[6]


Topology
Computer crime encompasses a broad range of activities. Generally, however, it may be divided into two categories: (1) crimes that target computers directly; (2) crimes facilitated by computer networks or devices, the primary target of which is independent of the computer network or device.[citation needed]

Crimes that primarily target computer networks or devices include:

Computer viruses
Denial-of-service attacks
Malware (malicious code)

Crimes that use computer networks or devices to advance other ends include:

Cyberstalking
Fraud and identity theft
Information warfare
Phishing scams

Spam
Spam, or the unsolicited sending of bulk email for commercial purposes, is unlawful in some jurisdictions. While anti-spam laws are relatively new, limits on unsolicited electronic communications have existed for some time.[7]

Fraud
Computer fraud is any dishonest misrepresentation of fact intended to let another do or refrain from doing something which causes loss.[citation needed] In this context, the fraud will result in obtaining a benefit by:

Altering computer input in an unauthorized way. This requires little technical expertise and is not an uncommon form of theft by employees altering the data before entry or entering false data, or by entering unauthorized instructions or using unauthorized processes;
Altering, destroying, suppressing, or stealing output, usually to conceal unauthorized transactions: this is difficult to detect;
Altering or deleting stored data;
Altering or misusing existing system tools or software packages, or altering or writing code for fraudulent purposes.

Other forms of fraud may be facilitated using computer systems, including bank fraud, identity theft, extortion, and theft of classified information. A variety of Internet scams target consumers directly.

Obscene or offensive content


The content of websites and other electronic communications may be distasteful, obscene or offensive for a variety of reasons. In some instances these communications may be illegal.

Over 25 jurisdictions place limits on certain speech and ban racist, blasphemous, politically subversive, libelous or slanderous, seditious, or inflammatory material that tends to incite hate crimes. The extent to which these communications are unlawful varies greatly between countries, and even within nations. It is a sensitive area in which the courts can become involved in arbitrating between groups with strong beliefs. One area of Internet pornography that has been the target of the strongest efforts at curtailment is child pornography.

Harassment
Whereas content may be offensive in a non-specific way, harassment directs obscenities and derogatory comments at specific individuals focusing for example on gender, race, religion, nationality, sexual orientation. This often occurs in chat rooms, through newsgroups, and by sending hate e-mail to interested parties (see cyber bullying, cyber stalking, harassment by computer, hate crime, Online predator, and stalking). Any comment that may be found derogatory or offensive is considered harassment.

Drug trafficking


Drug traffickers are increasingly taking advantage of the Internet to sell their illegal substances through encrypted e-mail and other Internet Technology. Some drug traffickers arrange deals at internet cafes, use courier Web sites to track illegal packages of pills, and swap recipes for amphetamines in restricted-access chat rooms. The rise in Internet drug trades could also be attributed to the lack of face-to-face communication. These virtual exchanges allow more intimidated individuals to more comfortably purchase illegal drugs. The sketchy effects that are often associated with drug trades are severely minimized and the filtering process that comes with physical interaction fades away.

Cyber terrorism

Government officials and Information Technology security specialists have documented a significant increase in Internet problems and server scans since early 2001. But there is a growing concern among federal officials[who?] that such intrusions are part of an organized effort by cyberterrorists, foreign intelligence services, or other groups to map potential security holes in critical systems. A cyberterrorist is someone who intimidates or coerces a government or organization to advance his or her political or social objectives by launching computer-based attacks against computers, networks, and the information stored on them.

Cyber terrorism in general can be defined as an act of terrorism committed through the use of cyberspace or computer resources (Parker 1983). As such, simple propaganda on the Internet claiming that there will be bomb attacks during the holidays can be considered cyberterrorism. There are also hacking activities directed towards individuals and families, organized by groups within networks, that tend to cause fear among people, demonstrate power, and collect information relevant for ruining people's lives, robberies, blackmail, etc.

Cyberextortion is a form of cyberterrorism in which a website, e-mail server, or computer system is subjected to repeated denial of service or other attacks by malicious hackers, who demand money in return for promising to stop the attacks. According to the Federal Bureau of Investigation, cyberextortionists are increasingly attacking corporate websites and networks, crippling their ability to operate and demanding payments to restore their service. More than 20 cases are reported each month to the FBI and many go unreported in order to keep the victim's name out of the domain. Perpetrators typically use a distributed denial-of-service attack.[8]

Cyber warfare

Sailors analyze, detect and defensively respond to unauthorized activity within U.S. Navy information systems and computer networks.

The U.S. Department of Defense (DoD) notes that cyberspace has emerged as a national-level concern through several recent events of geo-strategic significance. Among those are included the attack on Estonia's infrastructure in 2007, allegedly by Russian hackers. "In August 2008, Russia again allegedly conducted cyber attacks, this time in a coordinated and synchronized kinetic and non-kinetic campaign against the country of Georgia. Fearing that such attacks may become the norm in future warfare among nation-states, the concept of cyberspace operations impacts and will be adapted by warfighting military commanders in the future.[9]

Documented cases

One of the highest-profile banking computer crimes occurred during a course of three years beginning in 1970. The chief teller at the Park Avenue branch of New York's Union Dime Savings Bank embezzled over $1.5 million from hundreds of accounts.[10]

A hacking group called the MOD (Masters of Deception) allegedly stole passwords and technical data from Pacific Bell, Nynex, and other telephone companies as well as several big credit agencies and two major universities. The damage caused was extensive; one company, Southwestern Bell, suffered losses of $370,000 alone.[10]

In 1983, a nineteen-year-old UCLA student used his PC to break into a Defense Department international communications system.[10]

Between 1995 and 1998 the Newscorp satellite pay-to-view encrypted SKY-TV service was hacked several times during an ongoing technological arms race between a pan-European hacking group and Newscorp. The original motivation of the hackers was to watch Star Trek reruns in Germany, which was something which Newscorp did not have the copyright to allow.[11]

On 26 March 1999, the Melissa worm infected a document on a victim's computer, then automatically sent that document and a copy of the virus via e-mail to other people.

In February 2000 an individual going by the alias of MafiaBoy began a series of denial-of-service attacks against high-profile websites, including Yahoo!, Amazon.com, Dell, Inc., E*TRADE, eBay, and CNN. About fifty computers at Stanford University, and also computers at the University of California at Santa Barbara, were amongst the zombie computers sending pings in DDoS attacks. On 3 August 2000, Canadian federal prosecutors charged MafiaBoy with 54 counts of illegal access to computers, plus a total of ten counts of mischief to data for his attacks.

The Russian Business Network (RBN) was registered as an internet site in 2006. Initially, much of its activity was legitimate. But apparently the founders soon discovered that it was more profitable to host illegitimate activities and started hiring its services to criminals. The RBN has been described by VeriSign as "the baddest of the bad".[12] It offers web hosting services and internet access to all kinds of criminal and objectionable activities, with individual activities earning up to $150 million in one year. It specialized in and in some cases monopolized personal identity theft for resale. It is the originator of MPack and an alleged operator of the Storm botnet.

On 2 March 2010, Spanish investigators busted 3[clarification needed] in infection of over 13 million computers around the world. The "botnet" of infected computers included PCs inside more than half of the Fortune 1000 companies and more than 40 major banks, according to investigators.

In August 2010 the international investigation Operation Delego, operating under the aegis of the Department of Homeland Security, shut down the international pedophile ring Dreamboard. The website had approximately 600 members, and may have distributed up to 123 terabytes of child pornography (roughly equivalent to 16,000 DVDs). To date this is the single largest U.S. prosecution of an international child pornography ring; 52 arrests were made worldwide.[13]

Combatting Computer Crime

A computer can be a source of evidence. Even when a computer is not directly used for criminal purposes, it may contain records of value to criminal investigators.

Computer virus

A computer virus is a computer program that can replicate itself[1] and spread from one computer to another. The term "virus" is also commonly but erroneously used to refer to other types of malware, including but not limited to adware and spyware programs that do not have a reproductive ability. Viruses can increase their chances of spreading to other computers by infecting files on a network file system or a file system that is accessed by other computers.[2][3]

As stated above, the term "computer virus" is sometimes used as a catch-all phrase to include all types of malware, even those that do not have the ability to replicate themselves. Malware includes computer viruses, computer worms, Trojan horses, most rootkits, spyware, dishonest adware and other malicious or unwanted software, including true viruses. Viruses are sometimes confused with worms and Trojan horses, which are technically different. A worm can exploit security vulnerabilities to spread itself automatically to other computers through networks, while a Trojan horse is a program that appears harmless but hides malicious functions. Worms and Trojan horses, like viruses, may harm a computer system's data or performance. Some viruses and other malware have symptoms noticeable to the computer user, but many are surreptitious or simply do nothing to call attention to themselves. Some viruses do nothing beyond reproducing themselves.

An example of a virus which is not malware, but is putatively benevolent, is Fred Cohen's compression virus.[4] However, antivirus professionals do not accept the concept of benevolent viruses, as any desired function can be implemented without involving a virus (automatic compression, for instance, is available under the Windows operating system at the choice of the user). Any virus will by definition make unauthorised changes to a computer, which is undesirable even if no damage is done or intended.


Denial-of-service attack

DDoS Stacheldraht Attack diagram.

A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer or network resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts of a person, or multiple people to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root nameservers. The term is generally used relating to computer networks, but is not limited to this field; for example, it is also used in reference to CPU resource management.[1] One common method of attack involves saturating the target machine with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable. Such attacks usually lead to a server overload. In general terms, DoS attacks are implemented by either forcing the targeted computer(s) to reset, or consuming its resources so that it can no longer provide its intended service or obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately. Denial-of-service attacks are considered violations of the IAB's Internet proper use policy, and also violate the acceptable use policies of virtually all Internet service providers. They also commonly constitute violations of the laws of individual nations. When the DoS Attacker sends many packets of information and requests to a single network adapter, each computer in the network would experience effects from the DoS attack.

Malware

Beast, a Windows-based backdoor Trojan horse.

Malware, short for malicious software, is software designed to disrupt computer operation, gather sensitive information, or gain unauthorized access to computer systems. While it is sometimes software, it can also appear in the form of script or code. Malware is a general term used to describe any kind of software or code specifically designed to exploit a computer, or the data it contains, without consent.[1] The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software.[2]

Malware includes computer viruses, worms, trojan horses, spyware, dishonest adware, most rootkits, and other malicious programs. In law, malware is sometimes known as a computer contaminant, for instance in the legal codes of several U.S. states, including California and West Virginia.[3][4]

Malware is not the same as defective software, that is, software that has a legitimate purpose but contains harmful bugs. Sometimes, malware is disguised as genuine software, and may come from an official site. Therefore, some security programs may call malware "potentially unwanted programs" or "PUP". Though a computer virus is malware that can reproduce itself, the term is sometimes used erroneously to refer to the entire category. An example of a computer virus which is not malware, but is benevolent, is Fred Cohen's compression virus.[5]

Cyberstalking

Cyberstalking is the use of the Internet or other electronic means to stalk or harass an individual, a group of individuals, or an organization. It may include false accusations, monitoring, making threats, identity theft, damage to data or equipment, the solicitation of minors for sex, or gathering information in order to harass. The definition of "harassment" must meet the criterion that a reasonable person, in possession of the same information, would regard it as sufficient to cause another reasonable person distress.[1] Cyberstalking is different from spatial or offline stalking. However, it sometimes leads to it, or is accompanied by it.[2]

Definitions

Stalking is a continuous process, consisting of a series of actions, each of which may be entirely legal in itself. Technology ethics professor Lambèr Royakkers writes that: "Stalking is a form of mental assault, in which the perpetrator repeatedly, unwantedly, and disruptively breaks into the life-world of the victim, with whom he has no relationship (or no longer has), with motives that are directly or indirectly traceable to the affective sphere. Moreover, the separated acts that make up the intrusion cannot by themselves cause the mental abuse, but do taken together (cumulative effect)."[3]

CyberAngels has written about how to identify cyberstalking: When identifying cyberstalking "in the field," and particularly when considering whether to report it to any kind of legal authority, the following features or combination of features can be considered to characterize a true stalking situation: malice, premeditation, repetition, distress, obsession, vendetta, no legitimate purpose, personally directed, disregarded warnings to stop, harassment, and threats.[4]

A number of key factors have been identified:

False accusations. Many cyberstalkers try to damage the reputation of their victim and turn other people against them. They post false information about them on websites. They may set up their own websites, blogs or user pages for this purpose. They post allegations about the victim to newsgroups, chat rooms or other sites that allow public contributions, such as Wikipedia or Amazon.com.[5]

Attempts to gather information about the victim. Cyberstalkers may approach their victim's friends, family and work colleagues to obtain personal information. They may advertise for information on the Internet, or hire a private detective. They often will monitor the victim's online activities and attempt to trace their IP address in an effort to gather more information about their victims.[6]

Encouraging others to harass the victim. Many cyberstalkers try to involve third parties in the harassment. They may claim the victim has harmed the stalker or his/her family in some way, or may post the victim's name and telephone number in order to encourage others to join the pursuit.

False victimization. The cyberstalker will claim that the victim is harassing him/her. Bocij writes that this phenomenon has been noted in a number of well-known cases.

Attacks on data and equipment. They may try to damage the victim's computer by sending viruses.

Ordering goods and services. They order items or subscribe to magazines in the victim's name. These often involve subscriptions to pornography or ordering sex toys then having them delivered to the victim's workplace.

Arranging to meet. Young people face a particularly high risk of having cyberstalkers try to set up meetings between them.

Fraud

In criminal law, a fraud is an intentional deception made for personal gain or to damage another individual; the related adjective is fraudulent. The specific legal definition varies by legal jurisdiction. Fraud is a crime, and also a civil law violation. Defrauding people or entities of money or valuables is a common purpose of fraud, but there have also been fraudulent "discoveries", e.g., in science, to gain prestige rather than immediate monetary gain. A hoax also involves deception, but without the intention of gain or of damaging or depriving the victim.

Identity theft

Identity theft is a form of stealing another person's identity in which someone pretends to be someone else by assuming that person's identity, typically in order to access resources or obtain credit and other benefits in that person's name. The victim of identity theft (here meaning the person whose identity has been assumed by the identity thief) can suffer adverse consequences if they are held accountable for the perpetrator's actions. Organizations and individuals who are duped or defrauded by the identity thief can also suffer adverse consequences and losses, and to that extent are also victims.

The term identity theft was coined in 1964;[1] however, it is not literally possible to steal an identity, and less ambiguous terms are identity fraud or impersonation.

"Determining the link between data breaches and identity theft is challenging, primarily because identity theft victims often do not know how their personal information was obtained," and identity theft is not always detectable by the individual victims, according to a report done for the FTC.[2] Identity fraud is often but not necessarily the consequence of identity theft. Someone can steal or misappropriate personal information without then committing identity theft using the information about every person, such as when a major data breach occurs. A US Government Accountability Office study determined that "most breaches have not resulted in detected incidents of identity theft".[3] The report also warned that "the full extent is unknown". A later unpublished study by Carnegie Mellon University noted that "Most often, the causes of identity theft is not known," but reported that someone else concluded that "the probability of becoming a victim to identity theft as a result of a data breach is ... around only 2%".[4] More recently, an association of consumer data companies noted that one of the largest data breaches ever, accounting for over four million records, resulted in only about 1,800 instances of identity theft, according to the company whose systems were breached.[5]

A recent article entitled "Cyber Crime Made Easy" explained the level to which hackers are using malicious software. As one security specialist named Gunter Ollmann said, "Interested in credit card theft? There's an app for that." This statement summed up the ease with which these hackers are accessing all kinds of information online. The new program for infecting users' computers is called Zeus, and the program is so hacker-friendly that even an inexperienced hacker can operate it. Although the hacking program is easy to use, that fact does not diminish the devastating effects that Zeus (or other software like Zeus) can have on a computer and the user. For example, the article stated that programs like Zeus can steal credit card information, important documents, and even documents necessary for homeland security. If the hacker were to gain this information, it would mean identity theft or even a possible terrorist attack. (Giles, Jim. "Cyber Crime Made Easy." New Scientist 205.2752 (2010): 20-21. Academic Search Premier. EBSCO. Web. 3 Oct. 2010.)

Information warfare

The term Information Warfare (IW) is primarily an American concept involving the use and management of information technology in pursuit of a competitive advantage over an opponent. Information warfare may involve collection of tactical information, assurance(s) that one's own information is valid, spreading of propaganda or disinformation to demoralize or manipulate[1] the enemy and the public, undermining the quality of opposing force information and denial of information-collection opportunities to opposing forces. Information warfare is closely linked to psychological warfare.

The American focus tends to favour technology, and hence tends to extend into the realms of Electronic Warfare, Cyber Warfare, Information Assurance and Computer Network Operations / Attack / Defence. Most of the rest of the world use the much broader term of "Information Operations" which, although making use of technology, focuses on the more human-related aspects of information use, including (amongst many others) social network analysis, decision analysis and the human aspects of Command and Control.

Phishing

An example of a phishing e-mail, disguised as an official e-mail from a (fictional) bank. The sender is attempting to trick the recipient into revealing confidential information by "confirming" it at the phisher's website. Note the misspelling of the words received and discrepancy. Also note that although the URL of the bank's webpage appears to be legitimate, the hyperlink would actually be pointed at the phisher's webpage.

Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing is typically carried out by e-mail spoofing or instant messaging,[1] and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Phishing is an example of social engineering techniques used to deceive users,[2] and exploits the poor usability of current web security technologies.[3] Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures.

A phishing technique was described in detail in 1987, and the first recorded use of the term "phishing" was made in 1996. The term is a variant of fishing,[4] probably influenced by phreaking,[5][6] and alludes to "baits" used in hopes that the potential victim will "bite" by clicking a malicious link or opening a malicious attachment, in which case their financial information and passwords may then be stolen.