Living in a Spamster's Paradise: Deceit and Threats in Phishing Emails



The prevalence of email as a communication tool for personal and professional purposes makes it a significant attack vector for cybercriminals. Consensus exists that phishing, i.e. the use of socially engineered messages to persuade recipients to perform actions that benefit the sender, is a widespread negative phenomenon. However, little is known about its true extent from a criminal law perspective. Just as treating phishing in a generic manner does not adequately inform the relevant law, a case-by-case legal analysis of seemingly independent offences would not reveal the true scale and extent of phishing as a social phenomenon. The current research addresses this significant gap in the literature. To study this issue, a qualitative text analysis was first performed on emails (N=42) collected over a 30-day period from two email accounts. Second, the phishing emails were analysed from an Estonian criminal law perspective. The legal analysis shows that, in a period of only one month, the accounts received what amounts to 3 instances of extortion, 29 fraud attempts and 10 cases of misdemeanour offences related to personal data processing.

Criminal Law; Cybercrime; Legal Analysis; Phishing Emails; Qualitative Text Analysis

p. 45–66
Author biographies

Kristjan Kikerpill

Independent researcher

Andra Siibak

University of Tartu

Professor in Media Studies, Institute of Social Studies





