Phishing victimization among Malaysian

young adults: cyber routine activities

theory and attitude in information
sharing online
Yi Yong Lee, Chin Lay Gan and Tze Wei Liew

Abstract Yi Yong Lee, Chin Lay Gan

Purpose – The purpose of this paper is to understand the influence of exposure to motivated offenders who and Tze Wei Liew are all
may alter the vulnerability levels to phishing victimization. This is particularly focused on explaining the influences based at Faculty of
of individuals’ online lifestyles and attitudes toward information sharing online on phishing susceptibility. Business, Multimedia
Design/methodology/approach – This conceptual paper explores the risk of phishing victimization University, Melaka,
using criminological theories. The authors draw on empirical evidence from existing cybercrime literature Malaysia.
and revisit routine activities theory (RAT) and lifestyle RAT (LRAT) to elucidate the risk of phishing
victimization. This paper proposes that cyber-RAT, which was developed from RAT and LRAT, could
interpret phishing victimization. Grounded on the intervention-based theory against cybercrime phishing,
this study suggests that an attitude toward precautionary behavior (information sharing online) is
essential to mitigate the phishing victimization risk.
Findings – This paper aims to provide a clear insight into the understanding of phishing victimization risk
using theoretical and empirical evidence.
Originality/value – The theoretical perspective outlined provides the understanding of the impacts of
online routine activities on a phishing attack which in turn will increase the awareness of phishing threats.
The important role of the precautionary countermeasure, that is, attitudes toward information sharing
online is highlighted to reconcile the phishing victimization risk.
Keywords Phishing prevention, Cyber risky activities, Attitude, Information sharing,
Online security management, Young adults, Phishing
Paper type Conceptual paper

1. Introduction
Phishing is defined as “an act of deception whereby impersonation is used to obtain
information from a target” (Lastdrager, 2014, p. 1). Anti-Phishing Working Group, an
international coalition unifying the global responses to cybercrime, particularly in the Received 10 June 2022
Revised 22 July 2022
government or non-governmental organization communities, industry and law-enforcement 2 August 2022
sectors, further defines phishing as “a criminal mechanism employing both social engineering Accepted 11 August 2022
and technical subterfuge to steal consumers’ identity data and financial account credentials” This work was supported by
(Frauenstein and Flowerday, 2020, p. 1). Phishing attack is the fifth most common cause of Ministry of Higher Education
Malaysia under the
security attacks and it possesses the highest success rate (Verizon, 2019). Fundamental Research Grant
Scheme (Grant No. FRGS/1/
The internet brings convenience to the users to facilitate communication on social media; 2020/SS0/MMU/02/4).
nevertheless, “The Internet gives the criminal enterprise global reach and the whole world to Conflict of interest: On behalf of
all authors, the corresponding
hide in” (Hallam Baker, 2008, p. 2; House and Raja, 2019, p. 1). Previous empirical studies author states that there is no
have indicated that internet users spending time socializing online (e.g. day-to-day online conflict of interest.

DOI 10.1108/JAP-06-2022-0011 VOL. 24 NO. 3/4 2022, pp. 179-194, © Emerald Publishing Limited, ISSN 1466-8203 j THE JOURNAL OF ADULT PROTECTION j PAGE 179
 activities) may increase the odds of being exposed to cybercrime threats, particularly, falling
trap to a phishing attack (Ngo et al., 2020; Graham and Triplett, 2016; Ghani and Ghazali,
2019). Changes in individuals’ daily routines, such as an increment of time spent online, will
lead them to have a high likelihood of becoming vulnerable cybercrime victims (Kikerpill, 2020;
Tharshini et al., 2022). More specifically, the aforementioned discussions are supported by the
routine activity theory (RAT). RAT explains and links the relationship between individual online
routine activities and cybercrime victimization risk (Kikerpill, 2020; Leukfeldt and Yar, 2016;
Leukfeldt, 2014; Choi and Lee, 2017; Choi et al., 2019). In addition, the Malaysian National
Cyber Security Agency disclosed that cybercrime cases such as phishing in Malaysia have
increased by 82.5% during the lockdown periods (Tharshini et al., 2022). This is because
people spent more time online because of the recent spread of COVID-19 as they were
abiding by the government-imposed lockdowns (Kikerpill, 2020).
When targeted victims publicly disclose their personal information online to fraudsters, they
allow phishers to misuse it (Jansen and Leukfeldt, 2016; Shillair et al., 2015). Research has
indicated that the more information was divulged, the higher the chances of an individual
falling into a phishing attack (Rocha Flores et al., 2014; Jansen and Leukfeldt, 2015). In this
regard, people will lose their identity privacy because of the invasion of privacy by phishing
attackers (Mohamed, 2013; Kamruzzaman et al., 2016; Mohd Zaharon and Mohd Ali, 2021).
As such, vigilant behavior toward personal information sharing online plays a significant role
in preventing successful phishing attacks (Jansen and van Schaik, 2019).
In phishing research, younger populations are an extremely important group of study
(Vishwanath, 2015) either in the Asian or western context (Graham and Triplett, 2016;
Vishwanath, 2015; Kob et al., 2020). This is because this group of people is increasingly
targeted by phishers nowadays (Vishwanath, 2015). Supported by prior empirical study
(Sheng et al., 2010), it was revealed that among the targeted vulnerable victims, young adults
between 18 and 25 years seem to more easily fall into the phishing trap. In addition, several
studies showed that young adults were more likely to fall for fraud than elder adults
(Lichtenberg et al., 2016; Ross et al., 2014; Sugiura, 2013). The study of Graham and Triplett
(2016) found that more than 30% of the respondents have acknowledged ever receiving
phishing emails and the younger population occupied and even surpassed 50%. Vishwanath
(2015) conducted experimental research to investigate phishing victimization among university
students. The study further indicated that around four-fifths of the young respondents would
click the link attached to the phishing email (Vishwanath, 2015). A recent report indicated that
at least 1 person out of every 14 targeted victims will get successfully phished (De Kimpe
et al., 2018). The victims would either unintentionally open the attachments or click the link in
phishing content (De Kimpe et al., 2018).
In this conceptual paper, we, therefore, aim to explore and discuss the vulnerability of
cybercrime phishing within the Malaysian context. The following Section 2 incorporates a
review of research related to phishing and clarifies the theories in connection to phishing.
This paper begins by elucidating how cybercrime phishing is generally theorized in the
criminological literature and discusses the application of RAT and its shortcomings in
explaining victim behavior in online contexts. Taking back to the roots of Choi and Lee’s
(2017) cyber-routine activities theory (cyber-RAT), this article proposes that cyber-RAT
would be able to explain cybercrime victimization (Choi and Lee, 2017; Choi et al., 2019),
particularly phishing victimization. Finally, this paper sought to advance the understanding
of phishing victimization and accentuate the importance of attitude toward information
sharing online to inform phishing prevention strategies among young adults.

2. Understanding the phishing victimization within Malaysian context: the risks and
consequences
Phishing has become a major cyber threat that leads to dire consequences for individuals
and organizations alike (Shan et al., 2016; Kob et al., 2020). Although only a small

PAGE 180 j THE JOURNAL OF ADULT PROTECTION j VOL. 24 NO. 3/4 2022
percentage of targeted victims respond to the scammer’s request, phishing’s return on
investment can still be relatively high (Saudi et al., 2007). The Malaysian police have
recorded an increase in cybercrime phishing (fraud) cases, which cause losses of vast
monetary amounts (Mohd Zaharon and Mohd Ali, 2021). Besides the direct financial losses,
phishing attacks can compromise organizations’ image (Saudi et al., 2007). Relatedly,
customers may lose confidence in a specific company if they believe its legitimate
notifications are phishing messages (Shan et al., 2016).
Phishing is categorized as a primary threat to online banking in Malaysia, which leads to
significant economic losses. The Central Bank of Malaysia (BNM) reported that the bank
loses 0.00002% from any financial transaction because of phishing (Sharifah et al., 2019).
RM1m has been lost because of fraud (online banking) issues in the first six months of 2019
(Sharifah et al., 2019). In Malaysia, up to 94% of reported cybercrime cases were phishing
related (Sharifah et al., 2019). The Malaysia Computer Emergency Response Team
(MyCERT) reported that the number of cybercrime cases (fraud and spam) decreased by
about 281 cases in 2017 compared to 2016 and 165 cases in 2020 compared to 2019.
Collectively, there was a significant increase in the number of cybercrime cases throughout
the period, rising from 4,466 cases in 2016 to 7,738 cases in 2020. The number of fraud and
spam incidents has escalated tremendously in these recent years, with most of these
incidents being phishing related (Sharifah et al., 2019; Shan et al., 2016). According to
MyCERT (2021), 4,440 cases of cybercrime (fraud and spam) were reported
to CyberSecurity Malaysia for the first six months of the years 2018–2019 as compared to
7,620 cases for the same period of the years 2020–2021. Cyber fraud and spam cases
have spiked by a whopping 71.6% compared to the same period from 2018 to 2019. In
general, victims were being attacked by the following several types of phishing (Mohd
Zaharon and Mohd Ali, 2021; Heartfield and Loukas, 2015):
䊏 spoofing e-mail/spear phishing;
䊏 smishing;
䊏 vishing; and
䊏 instant messaging phishing.

2.1 Spoofing emails/spear phishing

Spoofing email refers to the creation of email messages with a spurious sender email
address (Mohd Zaharon and Mohd Ali, 2021). The fraudsters send email messages to the
targeted victims through Gmail or Outlook, in which the email content tricks the receivers
into opening the email (Gupta et al., 2017; Mohd Zaharon and Mohd Ali, 2021). The
receivers may fall into the deception threats when they read or click on the email (Mohd
Zaharon and Mohd Ali, 2021). The concept of spear phishing (also known as “whaling”) was
first introduced in the year 2005 (Gupta et al., 2017). Spear phishing applied a similar
deception technique with spoofing email (Mohd Zaharon and Mohd Ali, 2021). But, the
phishers only targeted prominent people or high-rank officers, such as senior executives of
an organization (Mohd Zaharon and Mohd Ali, 2021). The phishers usually applied tactics
using the display of the trusted organizations or individuals’ names and delivering email
messages to trap the victims (Mohd Zaharon and Mohd Ali, 2021).

2.2 Smishing
Smishing is the other type of phishing attack. Smishing is a phishing technique in which the
phishing messages were sent through text messages or short messaging services (SMS)
(Romney and Steinbart, 2018). Attackers commonly attack the victims by sending text
messages that impersonate the sources informing the message receivers about account

VOL. 24 NO. 3/4 2022 j THE JOURNAL OF ADULT PROTECTION j PAGE 181
 numbers or information having been suspended (Mohd Zaharon and Mohd Ali, 2021). The
content of the text message includes a forged website link or dialing the mobile number to
verify the vital account information (Mohd Zaharon and Mohd Ali, 2021). The message’s
content may also include an attachment or software for the receiver to download. The
software or attachment usually has malware or virus which can hack the receiver’s phones,
and the fraudsters can access and steal the receiver’s sensitive information.

2.3 Vishing
Vishing is a phishing technique in which the deceiver conducted a phishing attack via
phone calls (Romney and Steinbart, 2018). The fraudsters use telephone services to trick
the victims into surrendering personal information and data to the attackers (Mohd Zaharon
and Mohd Ali, 2021). The deceivers call the victims and pretend they are from legitimate
agencies, such as police, customs, banks and enforcement agencies (Mohd Zaharon and
Mohd Ali, 2021). The victims will usually follow all the instructions and subsequently, will fall
into the phishing traps (Mohd Zaharon and Mohd Ali, 2021).

2.4 Instant messaging phishing

Furthermore, recent research has indicated that mobile users are more easily vulnerable to
phishing attacks – about three times more susceptible than general phishing attacks (Goel
and Jain, 2018). Over 83% of successful mobile phishing attacks originate from mobile
device users, which is relatively more than email phishing attacks (Verkijika, 2019).
Attackers often send scam mobile device messages to the targeted victims (Verkijika, 2019;
Williams et al., 2017) for two reasons:

1. a high mobile device adoption; and

2. mobile application software, including social media, SMS, WhatsApp and Skype,
generally possess less scrutinized sources or features that can verify the legitimate
sources of particular messages (Verkijika, 2019).
These phenomena have been recognized as instant messaging phishing (Heartfield and
Loukas, 2015).
Hence, mobile instant messaging is a popular channel for phishers to anonymously deliver
fake information and semirelevant links to targeted victims (Saudi et al., 2007). For instance,
the Malaysian Communications and Multimedia Commission (MCMC) has cautioned about
a potential scam that allows unauthorized persons to take over one’s WhatsApp account
(MCMC, 2021). The agency notes that scammers/phishers use various tactics to trick users
into revealing their WhatsApp’s six-digit verification codes by starting a conversation and
requesting the victims to provide the transaction authorization code number sent to their
smartphone. Victims replying to the phishers’ requests will be subject to phishers’
deceptions, threats and other malicious intents.

3. Understanding the phishing victimization within Malaysian context: phishing

victimization and young adults
Compared to other generation cohorts, Malaysian younger generations are at the risk of
being vulnerable to cybercrime victims (Hasan et al., 2020). Hasan et al. (2020) pointed out
that Malaysian Generation Z, that is, individuals’ age range fall between 18 and 23 years,
having lower perception and awareness of cybercrime lead them to have a higher likelihood
to become victims of cybercrime (Hasan et al., 2020). Likewise, Ghani and Ghazali (2019)
studied young Malaysian vulnerability to cybercrime, particularly focusing on those between
the age of 18 and 29 years. The research further indicated that cyber frauds were the most
common cybercrimes encountered by the respondents (Ghani and Ghazali, 2019).

PAGE 182 j THE JOURNAL OF ADULT PROTECTION j VOL. 24 NO. 3/4 2022
Specifically, the above-mentioned statement could be seen and verified by the recent
newspaper report which revealed that the phishing or scam victims mostly were from this
age group (Dayak Daily, 2021; The Sun Daily, 2021). Fresh graduates or university students
are now becoming the targeted victims, more likely to fall into fraud attacks (Chua, 2015;
Singh, 2021; Loh, 2021).
Young Malaysians aged between 18 and 29 years were found to be easily exposed to cyber
threats that may put them at risk (Mohd et al., 2016; Li et al., 2021; Kob et al., 2020). Malaysian
youths are at the risk of cybercrime because of their exposure and engagement to the digital
technology that acts as a prominent channel in leaving them vulnerable to cybercrime attacks
(Mohd et al., 2016). This is because the younger people are claimed to be impulsive and do
not properly make thorough evaluations of a certain situation before making decisions (Kob
et al., 2020). This age group of people has less exposure to financial risk, leading them to be
more susceptible to phishing attacks and victimization (Kob et al., 2020).

4. Routine activities theory revisited

4.1 Routine activities theory
The routine activities theory (RAT) consists of three major components that are “motivated
offender,” “suitable targets” and “absence of capable guardianship” (Cohen and Felson,
1979). Researchers operationalized “motivated offender” to “proximity to motivated to the
offender” and “exposure to risk situations” by measuring internet users’ online frequency
(Ngo et al., 2020; Leanna, 2020; Milani et al., 2020). “Suitable target” was operationalized
as the “visible of the victims via the types of activities that the victim participates in,
contributes to the degree to which the victim is a suitable target from the perspective of a
would-be offender” (Leukfeldt and Yar, 2016, p. 8). “Capable guardianship” was
operationalized as “online security management.” The assumption made by Cohen and
Felson (1979) is that when “a motivated offender,” “a suitable target” and “the absence of a
capable guardian” converge, victimization and crime happen (Lastdrager, 2014; Holt and
Bossler, 2009; Akers and Sellers, 2013; Leukfeldt, 2014; Leukfeldt and Yar, 2016). In other
words, if one of the elements is missing, cybercrime victimization can be evaded. The RAT
emphasizes that offenders offer an enticing chance for cybercrime victimization through the
convergence in physical space, potential victims and lack of adequate protection (Hsieh
and Kevin Wang, 2018).

4.2 Lifestyle routine activities theory

According to Hindelang et al. (1978), the lifestyle routine activities theory (LRAT) focuses on
the internet users’ daily social interactions instead of concentrating on the characteristics of
individual causal variables or individual offenders. Engaging in risky online activities
associated with vocational and leisure activities (Hindelang et al., 1978) can increase the
likelihood of cybercrime victimization (Choi et al., 2019; Choi and Lee, 2017). Like the RAT,
the lifestyle exposure theory has two quintessential tenets: motivated offender and capable
guardianship (Hindelang et al., 1978). Both the RAT and the lifestyle exposure theory
indicate that effective social network security management can lower social media users’
online victimization odds (Choi and Lee, 2017). That is, good online security management
(i.e. engaging in privacy online) decreases cybercrime victimization, particularly phishing
victimization (Naci and Christopher, 2020; Leanna, 2020; Jansen and Leukfeldt, 2016;
Leukfeldt and Yar, 2016; Milani et al., 2020; Ab Rahman et al., 2017; Kabiri et al., 2020).

4.3 Cyber routine activities theory

Choi (2008) first proposed the cyber-RAT. Cyber-RAT was developed and incorporated
from the LRAT (Hindelang et al., 1978) and the RAT (Cohen and Felson, 1979). As the RAT

VOL. 24 NO. 3/4 2022 j THE JOURNAL OF ADULT PROTECTION j PAGE 183
 extends from the LRAT, previous research has indicated that both theories are concentric
(Choi, 2008). Thus, Choi (2008) converges these theories to form the cyber-RAT, positing
that risky online behavior and capable digital guardianship significantly affect computer-
crime victimization. That is, the cyber-RAT is proposed to investigate cybercrime
victimization (cyberbullying, computer crime, etc.) by adopting the concepts of risky online
behavior and cybersecurity management (Choi, 2008; Choi and Lee, 2017; Choi et al.,
2019).
The cyber-RAT is initially proposed to address computer-crime victimization (Choi, 2008).
Although the primary focus of the cyber-RAT is on computer hacking, Choi (2008) contends
that the theory can address other cybercrime activities. Recently, the approach was used to
examine cyber interpersonal transgression and violence victimization (Choi and Lee, 2017;
Choi et al., 2019). The cyber-RAT can be adopted to investigate both the offending and
victimization behaviors in the virtual world (Choi and Lee, 2017) by incorporating two
independent causal variables:

1. “the concept of digital guardianship,” such as cybersecurity, and

2. the “online vocational and leisure activities” (Choi, 2008).

Choi and Lee (2017) further extended the cyber-RAT by adding social networking activities
as independent variables while predicting cybercrime victimization.
While RAT and the LRAT can potentially address victimization, there is still a need for
research to develop an integrated view for predicting cybercrime victimization (Choi, 2008;
Choi and Lee, 2017). To some extent, the application of the cyber-RAT in explaining the
causes of cybercrime of phishing victimization is yet to be definitive. Moreover, there is
limited research adopting the cyber-RAT in addressing the risk of phishing victimization.
Furthermore, researchers argued that whether the viability of the victimological theories
(RAT and LRAT) that are constructed for examining conventional crime would also be
applicable in the cybercrime context (Reyns, 2017, pp. 35–54; Cheng et al., 2020, p. 7).
Thus, this study proposes that cyber-RAT is able to investigate cybercrime phishing
victimization.
Prior research has shown that engaging in cyber social media activities, for example,
sharing personal information on social media, increases the risk of cybercrime victimization
(Choi and Lee, 2017; Ahmad and Thurasamy, 2022). Specifically, participating in risky
cyber leisure activities and vocational activities significantly influences cybercrimes
victimization, such as cyber interpersonal violence victimization (Choi and Lee, 2017) and
cyberbullying victimization (Choi et al., 2019). Therefore, inferences can be made about the
implication of risky cyber behavior (social media activities, vocational activities, leisure
activities) concerning phishing victimization risk. Moreover, effective online security
management, for example, adopting security and privacy protection measures on social
media, can prohibit social media users’ details from unauthorized access (Choi et al., 2019;
Choi and Lee, 2017). This is to say that effective online security management can decrease
the risk of phishing victimization.

5. Understanding the impacts of online routine activities on the vulnerability of

cybercrime phishing: empirical evidence
Scopus (ScienceDirect), Taylor and Francis and Emerald Insight were used to retrieve all
the papers (both conceptual and research papers). Searching was conducted using the
following keywords: “routine activities theory,” “cyber routine activities theory,” “phishing or
fraud victimization” and “cybercrime victimization.” Based on the synthesis of the literature
review, this paper identifies 12 empirical studies adopting RAT and LRAT to explain
phishing victimization (see Table 1). Past research has used the RAT as a theoretical base
for explaining phishing victimization (Adam Kavon and Henry, 2021; Leanna, 2020;

PAGE 184 j THE JOURNAL OF ADULT PROTECTION j VOL. 24 NO. 3/4 2022
 Table 1 Summary of empirical studies applying LRAT/RAT to cybercrime phishing
Author(s) Research area (country) Theory adopted Independent variable(s) Dependent variable(s)

Naci and Cybercrime victimization: LRAT Exposure and proximity to Malware infection;
Christopher (2020) hacking, malware infection, motivated offenders ; target hacking victimization;
phishing (England and suitability ; online phishing victimization
Wales) guardianship
Adam Kavon and Phishing (USA) RAT Wide and narrow attacks; Phishing
Henry (2021) motivation; technological
proficiency differential; target
value; machine learning;
multifactor authorization; human
weakness; ransomware;
deepfakes; target training/
testing
Leanna (2020) Online target hardening RAT Exposure to motivated Privacy and data
behaviors (USA) offenders ; perceived protection behavior
guardianship protections ;
perceived difficulties of target
hardening ; individual
characteristics
Jansen and Online banking fraud RAT; Capable guardians and Online banking fraud
Leukfeldt (2016) victimization (Netherlands) PMT protective factors ; suitability victimization
factors ; anatomy of phishing
and malware attacks
Leukfeldt (2014) Phishing for suitable targets RAT (does not largely Online activities with high Phishing victimization
(Netherlands) explains phishing visibility ; accessibility
victimization)
Graham and Triplett Reducing phishing RAT Digital literacy Phishing victimization
(2016) victimization (USA)
Ngo et al. (2020) Victimization in cyberspace LRAT Online frequency; online Phishing victimization
activity ; online posting
Leukfeldt and Yar Comparison between RAT Value ; visibility ; accessibility ; Cybercrime
(2016) different cybercrime personal guardian ; technical victimization
contexts (Netherlands) guardian
Milani et al. (2020) Exposure to cyber RAT Digital guardianship ; General cybercrime
victimization (Swiss) contextual awareness ; victimization
computer literacy
Saad et al. (2018) Cyber romance scam RAT; apriori algorithm Age ; education ; marital Cyber romance scams
victimization (Malaysia) status; income; lack of victimization
cybercrime awareness ; low
computer skills
Ab Rahman et al. Implications of emerging RAT Motivation; opportunity; Impacts of emerging
(2017) technologies to incident guardianship cyber threats to incident
handling and digital handling and digital
forensic strategies forensic strategies
Fansher and Randa Risky social media LRAT Risky behaviors ; exposure to Cyberstalking
(2018) behaviors and the potential potential offenders victimization
for victimization
Notes: RAT = routine activity theory; LRAT = lifestyle routine activity theory; SEM = structural equation modeling; PMT = protection
motivation theory; M = mediating variable.  Sig. at 0.05 level

Jansen and Leukfeldt, 2016; Leukfeldt, 2014; Graham and Triplett, 2016; Leukfeldt and Yar,
2016; Milani et al., 2020; Saad et al., 2018; Ab Rahman et al., 2017). Besides participation in
risky online activities, capable guardianship (digital guardianship: online security
management) has been identified as a well-known correlate to phishing victimization (Adam
Kavon and Henry, 2021; Leukfeldt, 2014; Graham and Triplett, 2016; Leukfeldt and Yar,
2016; Milani et al., 2020; Saad et al., 2018).
Saad et al. (2018) adopted the RAT to examine cyber romance scam victimization in
Malaysia. Research involving interviews with Malaysian adults has been conducted to

VOL. 24 NO. 3/4 2022 j THE JOURNAL OF ADULT PROTECTION j PAGE 185
 identify the predictors influencing information security awareness of phishing attacks.
Previous empirical studies have also applied LRAT as a theoretical base to examine
whether engaging in lifestyles or routine activities will increase a person’s proximity and
exposure to motivated offenders (phishers) and consequently enhance individuals’ risks of
phishing victimization (Naci and Christopher, 2020; Ngo et al., 2020; Fansher and Randa,
2018).
Despite the potential applicability of the RAT within the cybercrime context, Yar (2005)
argued that the use of the theory might be limited because of the temporally disorganized
nature of cyberspace (i.e. virtual environments are spatially and temporally disconnected)
(Hsieh and Kevin Wang, 2018). The RAT values and emphasizes the “physical convergence
of space and time between the motivated offender and targeted victims” (Choi and Lee,
2017, p. 6). Given the evolution of digital technology, the physical convergence of the victim
and offender in space and time may not constitute vital factors to predict cyber victimization
(Pratt et al., 2010; Choi and Lee, 2017; Reyns and Henson, 2015). Specifically, the concept
of “proximity to the motivated offender” from RAT denotes the physical accessibility and
physical visibility and the physical distance of the targeted victim to the offender (Ngo et al.,
2020). In the virtual environment, it has been noted that the potential victim cannot be
physically assessed or seen by the motivated offender (Ngo et al., 2020). Likewise,
researchers denoted that “cyberspace does not exhibit a spatio-temporal ontology to the
physical world” (Smith and Stamatakis, 2020, p. 444). This is because, in the virtual
environment, cybercrime can happen without a motivated offender or a suitable target
occupying a similar physical place or at the same time (Smith and Stamatakis, 2020).
Therefore, physical visibility and proximity may be irrelevant in predicting internet users’
cybercrime victimization behavior (Ngo et al., 2020; Vakhitova et al., 2016).
Similarly, recent RAT works have asserted that it is not easy to investigate and prosecute
cybercrime when it occurs on the internet (Choi, 2015; Choi and Lee, 2017; Hsieh and Kevin
Wang, 2018). This is because the nature of cyberspace allows offenders to victimize users
without face-to-face meetings (Choi, 2015). Recently, studies have demonstrated that the
RAT does not largely explain crime victimization, particularly phishing-related victimization
(Hutchings and Hayes, 2009; Ngo and Paternoster, 2011; Leukfeldt, 2014). For example,
target suitability (visibility and accessibility) and capable guardianship do not essentially
predict phishing victimization (Leukfeldt, 2014; Ngo and Paternoster, 2011), also target
suitability comprising value and inertia does not significantly predict phishing victimization
(Ngo and Paternoster, 2011; Hutchings and Hayes, 2009).
In the cyberspace context, it has been noted that internet users’ exposure to motivated
offenders significantly impacted their risk of being victimized by cybercrime (Ngo et al.,
2020; Kikerpill, 2020; Smith and Stamatakis, 2020). In the virtual environment, although the
offender and victim do not meet up at a similar physical location, they do converge within a
networked device or system (Smith and Stamatakis, 2020). Specifically, the more the
individuals engage in online activities, the higher the chances the individuals will be
exposed to the victimization risk (Choi and Lee, 2017; Choi et al., 2019; Ngo et al., 2020;
Pratt et al., 2010; Naci and Christopher, 2020; Smith and Stamatakis, 2020). As supported
by RAT, the theory denoted that the higher accessibility and visibility of the internet users to
offenders, the higher the possibility an individual will be victimized by the phishing attacks
(Leukfeldt, 2014; Ngo et al., 2020).
The visibility of the internet user, via different types of online activities that he or she
engages in, contributes to “the extent to which the victim is a suitable target from the
perspective of a would-be offender” (Leukfeldt and Yar, 2016; Ngo et al., 2020). Recent
empirical studies found that engaging in cyber risky activities significantly predicted
cybercrime victimization, increasing one’s chances to be victimized (Choi et al., 2019; Choi
and Lee, 2017). Specifically, participating in the cyber risky leisure activities significantly
impacted cybercrimes victimization, such as cyber interpersonal violence victimization

PAGE 186 j THE JOURNAL OF ADULT PROTECTION j VOL. 24 NO. 3/4 2022
(Choi and Lee, 2017) and cyberbullying victimization (Choi et al., 2019). A few studies
highlighted the significant relationship between cyber risky social media lifestyle/activities
(i.e. social networking sites) activities and cybercrime victimization risk. Findings posited
that engaging in social networking site activities would increase the chances of being
victimized. Choi and Lee (2017) found that participating in cyber social networking sites
activities, for example, sharing personal information on social media, increases the risk of
cyber interpersonal violence victimization. Likewise, recent empirical research indicated
that participating in cyber risky lifestyles or activities are having a higher likelihood of being
victimized and threatened by cyberbullying (Choi et al., 2019).
Researchers opined that individuals expected social position and social roles affect their
lifestyle patterns, contributing to the individual’s decision to participate in certain activities
(Choi et al., 2019). An individual is predisposed to cybercrime depending on his or her
activities, social structure and interactions that provide opportunities for victimization
(Cohen and Felson, 1979; Hindelang et al., 1978; Choi et al., 2019). Specifically, engaging
in vocational and leisure activities has direct and significant influences on explaining the risk
of victimization, that is, computer-crime victimization (Choi, 2008). Therefore, this study
posited that the influence of engaging in cyber vocational and leisure activities would be
able to explain the phishing victimization risk.
Ineffective online security management may have a likelihood to increase one’s
susceptibility to cybercrime victimization, such as cyber interpersonal violence victimization
and cyberbullying victimization (Choi et al., 2019; Choi and Lee, 2017). Online security
management refers to “how conscious one’s cybersecurity is managed” (Choi and Lee,
2017). Based on the justification and explanation of Choi and Lee (2017), lack of online
security management will lead to online victimization. The poor or ineffective online security
management, including one’s not participating in privacy protection on social media, can
then permit anyone to access and view their personal details (Choi et al., 2019; Choi and
Lee, 2017). In this situation, the motivated offenders may have the chance to gather the
potential victim’s information (Choi et al., 2019; Choi and Lee, 2017). Therefore, this study
posited that effective online security management would be able to explain the phishing
victimization risk.
Considering that previous and recent empirical studies have revealed that exposure to
motivated offenders could increase the chances of cybercrime phishing victimization
(Leukfeldt, 2014; Ngo et al., 2020; Graham and Triplett, 2016), this paper proposes that
routine online activities, as derived from the cyber-RAT (Choi, 2008; Choi and Lee, 2017),
can predict the risk of phishing victimization.

6. Recommendations for phishing prevention: the importance of attitudes toward

sharing personal information online
According to the protection motivation theory (PMT), protection motivation acts as a
mediator in predicting the intention toward security behavior (Floyd et al., 2000; Chenoweth
et al., 2009). The term “protection motivation” has been reframed as “attitude toward
protection behavior” against cybercrime in general (Anderson and Agarwal, 2010; Martens
et al., 2019; Herath and Rao, 2009). Supported by the PMT, attitude acts as a pivotal
mediator in investigating individual behavioral intention and security measures against
cybercrime (Jansen and van Schaik, 2019; Martens et al., 2019). When a person does not
see any cybercrime threat, and even in the nonexistence of cybercrime victimization risk, a
person will likely still have a firm attitude toward protection behavior (Ibrahim et al., 2020).
To promote security behavior, particularly against phishing attacks, a negative attitude
toward sharing personal information online was found to be a significant variable in
predicting phishing susceptibility in the western context (Jansen and van Schaik, 2019).

VOL. 24 NO. 3/4 2022 j THE JOURNAL OF ADULT PROTECTION j PAGE 187
 There is a limited study on victims’ attitudes and susceptibility to cybercrime victimization
(Arufe-Giraldez et al., 2019; Espelage et al., 2017). Arufe-Gira ldez et al. (2019) call
particular attention to the apprehensions between attitude toward behavior and
victimization. Recent research has found that individuals’ attitudes were significantly related
to nonphysical bullying victimization (Espelage et al., 2017) and susceptibility to phishing
victimization (Jansen and van Schaik, 2019). Therefore, inferences can be made relating to
the importance of an individual’s attitude in predicting phishing victimization risk.
Attitude toward protection behavior can be a pivotal factor to raise internet users’
awareness of threats (Jansen and van Schaik, 2019). One’s attitude could provide
behavioral advice on the ways or directions to process phishing messages and mitigate the
danger, particularly cybercrime phishing attacks (Jansen and van Schaik, 2019; Martens
et al., 2019). Because this study explores the risk of phishing victimization, raising individual
threat awareness is essential to decrease the risk. Besides having threat knowledge, one
should foster an attitude, that is, a positive attitude toward protective behavior (i.e. not
sharing personal information) is vital in the security behavior (Jansen and van Schaik, 2019).
When the individuals recognize their vulnerability as potential cybercrime phishing victims,
they will have a positive attitude toward protective behavior (Rogers, 1975; Martens et al.,
2019). Therefore, this paper underscores the critical role of attitude – specifically, one’s
attitude can decrease one’s chances of being victimized by phishing attackers.
A recent empirical study has studied the relationship between online risky leisure activity
and attitude change. In the offline context, participation in physical leisure activities may
lead to one’s attitude change. Specifically, engaging in leisure activities could increase
one’s satisfaction level with the activity, which subsequently shows a positive attitude
toward the activities (Eskiler et al., 2019). In the cybercrime context, it was confirmed that
when individuals are exposed frequently to the virtual environment, it will lead them to have
attitudes change toward cybercrime activities, such as online software piracy (Petrescu
et al., 2018).
Participation in the cyber risky vocational activity will also increase one’s accessibility and
visibility in cyberspace (Ngo et al., 2020; Hutchings and Hayes, 2009; Choi, 2008;
Leukfeldt, 2014; Leukfeldt and Yar, 2016). Similar to the cyber risky leisure and social media
activities, it also increases the individual’s proximity to the motivated offenders and thus,
more easily to be targeted by the offenders (Ngo et al., 2020; Choi, 2008). In the research
field of shoplifting context, researchers noted that higher target suitability leads to one’s
attitude change toward shoplifting (Korgaonkar et al., 2019). Thus, this study hypothesized
that engaging in the cyber risky vocational activity leads to one’s attitude change,
particularly attitude toward information sharing online.
In the cybercrime context, authors have noted that the higher accessibility of an individual in
the online platform will leave them vulnerable to cybercrime victimization (Ngo et al., 2020;
Reyns et al., 2011; Choi and Lee, 2017). This is because when individuals frequently shared
and posted their personal information online, they will be suitable targets for cybercrime
offenders because of higher accessibility and visibility (Ngo et al., 2020). As such,
researchers opined that higher target suitability will lead to one’s attitude change,
particularly in the online software piracy context (Petrescu et al., 2018). Therefore, this study
posited that participation in instant messaging activities will generate a positive attitude,
specifically, attitude toward sharing information online.
Online capable guardianship was found to have a significant relationship with attitude
(Korgaonkar et al., 2019; Petrescu et al., 2018). Online capable guardianship was
operationalized as online security management (Choi et al., 2019; Choi and Lee, 2017).
Studies indicated that digital guardianship works effectively in determining the offender’s
attitude, specifically, attitude toward shoplifting (Korgaonkar et al., 2019) and online
software piracy (Petrescu et al., 2018), respectively. Likewise, this study hypothesized that

PAGE 188 j THE JOURNAL OF ADULT PROTECTION j VOL. 24 NO. 3/4 2022
effective online security management leads to a negative attitude toward information
sharing online. In other words, individuals who effectively manage online security settings
on social media are less likely to share personal information online. As such, it will generate
a negative attitude toward sharing information online.
Figure 1 presents an example of a phishing message attack, positioning individuals’
attitudes toward information sharing as the key takeaway in understanding cyber phishing
victimization. First, the attacker designs a phishing message and then sends the phishing
message to the phishing victim. In a successful phishing attack, the victim assumes that the
content is legitimately sent from authorized parties and thus, supplies the phisher with their
personal information. Conversely, if the potential victim regards the message as not
legitimate, they will refuse to provide the confidential information requested by the phishers.
Therefore, this paper accentuates the importance of attitude in phishing prevention.
Congruent with some theoretical perspectives (Jansen and van Schaik, 2019; Martens
et al., 2019), this paper proposes that attitude is a significant predictor in mitigating the risk
of phishing victimization. More specifically, a positive attitude toward precautionary
behavior (not sharing information online) can mitigate the cybercrime susceptibility to
phishing (Jansen and van Schaik, 2019).

7. Conclusion
This conceptual paper proposes that the cyber-RAT can explain the risk of phishing
victimization. Many studies have ascertained that the more the individual is exposed to the
virtual environment (engaging in online social media activities, leisure activities and
vocational activities), the higher the chances the individual will be attacked by cybercrime
phishing (Ngo and Paternoster, 2011; Ngo et al., 2020; Leukfeldt, 2014). Moreover, effective
digital guardianship and online security management could lessen internet users’ visibility
from motivated offenders, thereby reducing the cybercrime victimization risk (Choi et al.,
2019; Choi and Lee, 2017). Furthermore, internet users’ exposure to potentially motivated
offenders would change their attitude (Petrescu et al., 2018; Korgaonkar et al., 2019), which
significantly influences the risk of crime victimization (Ellrich, 2016; Jansen and van Schaik,
2019). In particular, the MCMC’s report indicated that Malaysian young adults actively
participate in social media for sharing and disseminating information (MCMC, 2020).

Figure 1 Illustration of the overall proposed research framework with attitude as a key
takeaway in the phishing prevention

VOL. 24 NO. 3/4 2022 j THE JOURNAL OF ADULT PROTECTION j PAGE 189
 Collectively, this paper submits that the cyber-RAT could explain the risk of phishing
victimization and stresses the importance of attitude toward information sharing online for
phishing prevention among Malaysian young adults. Last but not least, this study proposes
that more delivery strategies at the young adult level may be required to mitigate the
phishing victimization risk. Nevertheless, there are conflicting studies denoting that elderly
people have a high likelihood or low likelihood to become victims of fraud compared to
younger people (Cross, 2021; Mohammed, 2020). Researchers opined that “while everyone
is vulnerable, some people may be more vulnerable to particular scams than others”
(Cross, 2021, p. 106). As such, the consideration of different types of cybercrime victim
behavior and its relationship to demographics seem worth uncovering (Cross, 2021).
Moreover, most daily services are nowadays closely intertwined with the internet and the
internet connects people of different ages around the globe (Mohammed, 2020). Therefore,
future research may consider discussing and examining the relationship between phishing
victimization amongst older adults.

References
Ab Rahman, N.H., Kessler, G.C. and Choo, K.K. (2017), “Implications of emerging technologies to
incident handling and digital forensic strategies”, Contemporary Digital Forensic Investigations of Cloud
and Mobile Applications, pp. 131-146.
Adam Kavon, G.T. and Henry, N.P. (2021), “Phishing evolves: analyzing the enduring cybercime”,
Victims & Offenders, Vol. 16 No. 3, pp. 316-342.
Ahmad, R. and Thurasamy, R. (2022), “A systematic literature review of routine activity theory’s
applicability in cybercrimes”, Journal of Cyber Security and Mobility, Vol. 11 No. 3, pp. 405-432.
Akers, R.L. and Sellers, C.S. (2013), Criminological Theories: Introduction, Evaluation, and Application,
6th ed., Oxford University, New York, NY.
Anderson, C. and Agarwal, R. (2010), “Practicing safe computing: a multimethod empirical examination
of home computer user security behavioral intentions”, MIS Quarterly, Vol. 34 No. 3, pp. 613-643.
ldez, V., Zurita-Ortega, F., Padial-Ruz, R. and Castro-Sa
Arufe-Gira  nchez, M. (2019), “Association between level
of empathy, attitude towards physical education and victimization in adolescents: a multi-group structural
equation analysis”, International Journal of Environmental Research and Public Health, Vol. 16 No. 13, pp. 1-13.
Cheng, C., Chan, L. and Chau, C. (2020), “Individual differences in susceptibility to cybercrime
victimization and its psychological aftermath”, Computers in Human Behavior, Vol. 108, pp. 1-10.
Chenoweth, T., Minch, R. and Gattiker, T. (2009), “Application of protection motivation theory to adoption
of protective technologies”, Proceedings of the 42nd Hawaii International, pp. 1-10.
Choi, K.S. (2008), “Computer crime victimization and integrated theory: an empirical assessment”,
International Journal of Cyber Criminology, Vol. 2 No. 1, pp. 308-333.
Choi, K. (2015), Cybercriminology and Digital Investigation, LFB Scholarly, El Paso.
Choi, K.S. and Lee, J.R. (2017), “Theoretical analysis of cyber-interpersonal violence victimization and
offending using cyber-routine activities theory”, Computers in Human Behavior, Vol. 73, pp. 394-402.
Choi, K.S., Cho, S.J. and Lee, J.R. (2019), “Impacts of online risky behaviors and cybersecurity
management on cyberbullying and traditional bullying victimization among Korean youth: application of
cyber-routine activities theory with latent class analysis”, Computers in Human Behavior, Vol. 100,
pp. 1-10.
Chua, A. (2015), “Student loses RM1,040 in internet scam”, available at: www.thestar.com.my/metro/
community/2015/10/07/student-loses-rm1040-in-internet-scam/ (accessed 2 February 2022).
Cohen, L.E. and Felson, M. (1979), “Social change and crime rate trends: a routine activities approach”,
American Sociological Review, Vol. 44 No. 4, pp. 588-608.
Cross, C. (2021), “Theorising the impact of COVID-19 on the fraud victimisation of older persons”, The
Journal of Adult Protection, Vol. 23 No. 2, pp. 98-109.
Dayak Daily, D.D. (2021), “Student loses RM14000 to RM350 iPad scam”, available at: www.dayakdaily.
com/student-loses-rm14000-to-rm350-ipad-scam/ (accessed 2 February 2022).

PAGE 190 j THE JOURNAL OF ADULT PROTECTION j VOL. 24 NO. 3/4 2022
De Kimpe, L., Walrave, M., Hardyns, W., Pauwels, L. and Ponnet, K. (2018), “You’ve got mail! Explaining
individual differences in becoming a phishing target”, Telematics and Informatics, Vol. 35 No. 5, pp. 1277-1287.
Ellrich, K. (2016), “Burnout and violent victimization in police officers: a dual process model”, Journal of
Police Strategies & Management, Vol. 39 No. 4, pp. 1-19.
Eskiler, E., Yildiz, Y. and Ayhan, C. (2019), “The effect of leisure benefits on leisure satisfaction: extreme
sports”, Turkish Journal of Sport and Exercise, Vol. 21 No. 1, pp. 16-20.
Espelage, D.L., Hong, J.S., Kim, D.H. and Nan, L. (2017), “Empathy, attitude towards bullying, theory-of-
mind, and non-physical forms of bully perpetration and victimization among US middle school students”,
Child & Youth Care Forum, Vol. 47 No. 1, pp. 1-16.
Fansher, A.K. and Randa, R. (2018), “Risky social media behaviors and the potential for victimization: a
descriptive look at college students victimized by someone met online”, Violence and Gender, pp. 1-9.
Floyd, D., Prentice-Dun, S. and Rogers, R. (2000), “A meta-analysis of research on protection motivation
theory”, Journal of Applied Social Psychology, Vol. 30 No. 2, pp. 407-429.
Frauenstein, E.D. and Flowerday, S. (2020), “Susceptibility to phishing on social network sites: a
personality information processing model”, Computers & Security, Vol. 94.
Ghani, N.M. and Ghazali, S. (2019), “The vulnerability of young women to cybercrime: a case study in
Penang”, ICH 2019 International Conference on Humanities. Vol. 89, pp. 443-455.
Goel, D. and Jain, A.K. (2018), “Mobile phishing attacks and defence mechanisms: state of art and open
research challenges”, Computers & Security, Vol. 73, pp. 519-544.
Graham, R. and Triplett, R. (2016), “Capable guardians in the digital environment: the role of digital”,
Deviant Behavior, Vol. 38 No. 12, pp. 1371-1382.
Gupta, B.B., Tewari, A., Jain, A.K. and Agrawal, D.P. (2017), “Fighting against phishing attacks: state of
the art and future challenges”, Neural Computing and Applications, Vol. 28 No. 12, pp. 3629-3654.
Hallam Baker, P. (2008), The DotCrime Manifesto: How to Stop Internet Crime, Pearson Education,
Boston, MA.

Hasan, M.S., Rahman, R.A., Abdillah, S.F. and Omar, N. (2020), “Perception and awareness of young
internet users towards cybercrime: evidence from Malaysia”, Journal of Social Sciences, Vol. 11 No. 4,
pp. 395-404.
Heartfield, R. and Loukas, G. (2015), “A taxonomy of attacks and a survey of defence mechanisms for
semantic social engineering attacks”, ACM Computing Surveys, Vol. 48 No. 3, pp. 1-39.
Herath, T. and Rao, H.R. (2009), “Protection motivation and deterrence: a framework for security policy
compliance in organisations”, European Journal of Information Systems, Vol. 18 No. 2, pp. 106-125.

Hindelang, M.J., Gottfredson, M.R. and Garofalo, J. (1978), Victims of Personal Crime: An Empirical
Foundation for a Theory of Personal Victimization, Cambridge, MA.

Holt, T.J. and Bossler, A.M. (2009), “Examining the applicability of lifestyle-routine activities theory for
cybercrime victimization”, Deviant Behavior, Vol. 30 No. 1, pp. 1-25.

House, D. and Raja, M.K. (2019), “Phishing: message appraisal and the exploration of fear and self-
confidence”, Behaviour & Information Technology, Vol. 39 No. 11, pp. 1-21.
Hsieh, M.L. and Kevin Wang, S.Y. (2018), “Routine activities in a virtual space: a Taiwanese case of an
ATM hacking spree”, International Journal of Cyber Criminology, Vol. 12 No. 1, pp. 333-352.
Hutchings, A. and Hayes, H. (2009), “Routine activity theory and phishing victimisation: who gets caught
in the ‘net’?”, Current Issues in Criminal Justice, Vol. 20 No. 3, pp. 433-452.
Ibrahim, M.A., Fiza, A.R., Nor, A.A. and Amando, P.S. (2020), “Dimensions of protection behaviors: a
systematic literature review”, Journal of Theoretical and Applied Information Technology, Vol. 98 No. 17,
pp. 3668-3697.
Jansen, J. and Leukfeldt, R. (2015), “How people help fraudsters steal their money: an analysis of 600
online banking fraud cases”, Proceedings of the 2015 Workshop on Socio-Technical Aspects in Security
and Trust, pp. 24-31.

Jansen, J. and Leukfeldt, R. (2016), “Phishing and malware attacks on online banking customers in The
Netherlands: a qualitative analysis of factors leading to victimization”, International Journal of Cyber
Criminology, Vol. 10 No. 1, pp. 79-91.

VOL. 24 NO. 3/4 2022 j THE JOURNAL OF ADULT PROTECTION j PAGE 191
 Jansen, J. and van Schaik, P. (2019), “The design and evaluation of a theory-based intervention to
promote security behaviour against phishing”, International Journal of Human-Computer Studies,
Vol. 123, pp. 40-55.
Kabiri, S., Choi, J.Y., Shadmanfaat, S.M. and Lee, J. (2020), “Cyberstalking victimization: an empirical
assessment of RAT among female Iranian college students”, Journal of Interpersonal Violence, pp. 1-27.
Kamruzzaman, M., Islam, M.A., Islam, M.S., Hossain, M.S. and Hakim, M.A. (2016), “Plight of youth
perception on cyber crime in South Asia”, American Journal of Information Science and Computer
Engineering, Vol. 2 No. 4, pp. 22-28.
Kikerpill, K. (2020), “The individual’s role in cybercrime prevention: internal spheres of protection and our
ability to safeguard them”, Kybernetes, Vol. 50 No. 4, pp. 1015-1026.

Kob, T.N., Abdul Rahim, F. and Azman, F. (2020), “Phishing attack simulation: measuring susceptibility
among undergraduate students”, 2020 8th International Conference on Information Technology and
Multimedia (ICIMU), Selangor, Malaysia.
Korgaonkar, P.K., Gironda, J.T., Petrescu, M., Krishen, A.S. and Mangleburg, T.F. (2019), “Preventing
shoplifting: exploring online comments to propose a model”, Psychology Marketing, pp. 1-13.
Lastdrager, E.E. (2014), “Achieving a consensual definition of phishing based on a systematic review of
the literature”, Crime Science, Vol. 3 No. 1, pp. 1-10.
Leanna, I. (2020), “Predicting online target hardening behaviors: an extension of routine activity theory for
privacy-enhancing technologies and techniques”, Deviant Behavior, pp. 1-18.
Leukfeldt, E.R. (2014), “Phishing for suitable targets in The Netherlands: routine activity theory and
phishing victimization”, Cyberpsychology, Behavior, and Social Networking, Vol. 17 No. 8, pp. 551-555.

Leukfeldt, E.R. and Yar, M. (2016), “Applying routine activity theory to cybercrime: a theoretical and
empirical analysis”, Deviant Behavior, Vol. 37 No. 3, pp. 263-280.

Li, K.Y., Zahiri, M.A. and Jumaa, N.F. (2021), “Eye on digital media literacy from the perspective of
‘generation Z”, 7th International Conference on Communication and Media, European Publisher,
pp. 248-253.
Lichtenberg, P.A., Sugarman, M.A., Paulson, D., Ficker, I.J. and Rahman-Filipiak, A.A. (2016),
“Psychological and functional vulnerability predicts fraud cases in older adults: results of a longitudinal
study”, Clinical Gerontologist, Vol. 39 No. 1, pp. 48-63.

Loh, I. (2021), “19-year-old student loses RM37,000 in Macau scam”, available at: www.thestar.com.my/
news/nation/2021/08/17/19-year-old-student-loses-rm37000-in-macau-scam (accessed 2 February 2022).
Martens, M., De Wolf, R. and De Marez, L. (2019), “Investigating and comparing the predictors of the
intention towards taking security measures against malware, scams and cybercrime in general”,
Computers in Human Behavior, Vol. 92, pp. 139-150.
MCMC (2020), “Internet users survey 2020”, Malaysian Communications and Multimedia Commission,
available at: www.mcmc.gov.my/skmmgovmy/media/General/pdf/IUS-2020-Report.pdf (accessed 5
May 2022).
MCMC (2021), “Waspada taktik penipuan ambil alih akaun WhatsApp – MCMC”, Malaysian
Communications and Multimedia Commision, available at: www.mcmc.gov.my/en/media/press-
clippings/waspada-taktik-penipuan-ambil-alih-akaun-whatsapp (accessed 2 January 2022).
Milani, R., Caneppele, S. and Burkhardt, C. (2020), “Exposure to cyber victimization: results from a Swiss
survey”, Deviant Behavior, pp. 1-14.
Mohamed, D. (2013), “Combating the threats of cybercrimes in Malaysia: the efforts, the cyberlaws and
the traditional laws”, Computer Law & Security Review, Vol. 29 No. 1, pp. 66-76.

Mohammed, I.A. (2020), “Phishing awareness and elderly users in social media”, International Journal of
Computer Science and Network Security, Vol. 20 No. 9, pp. 114-119.

Mohd Zaharon, N.F. and Mohd Ali, M. (2021), “Phishing as cyber fraud: the implications and
governance”, Hong Kong Journal of Social Sciences, Vol. 57, pp. 120-133.
Mohd, S. Senadjki, A. Rahim, S.R. Nathan, T.M. Lee, C.Y. and Wahab, M.A. (2016), “Cybercrime among
Malaysian youth”, Behind the Scenes: The Ugly and Bad Side of Modern Technology on Youth, available
at: www.researchgate.net/publication/334824052_Cybercrime_among_Malaysian_ (accessed 5 May
2022).

PAGE 192 j THE JOURNAL OF ADULT PROTECTION j VOL. 24 NO. 3/4 2022
MyCERT (2021), “Incident statistics”, available at: MyCERT,MalaysiaComputerEmergencyResponseTeam:
www.mycert.org.my/portal/statistics-content?menu=b75e037d-6ee3-4d11-8169-66677d694932&
id=477c37dd-ba64-4dd2-87ad-ff0bfc1d8bf2 (accessed 2 January 2022).

Naci, A. and Christopher, J.L. (2020), “Exploring the human factor in cyber-enabled and cyber-
dependent crime victimisation: a lifestyle routine activities approach”, Internet Research, Vol. 30 No. 6,
pp. 1665-1687.
Ngo, F.T. and Paternoster, R. (2011), “Cybercrime victimization: an examination of individual and
situational level factors”, International Journal of Cyber Criminology, Vol. 5 No. 1, pp. 773-793.
Ngo, F.T., Piquero, A.R., LaPrade, J. and Duong, B. (2020), “Victimization in cyberspace: is it how long we
spend online, what we do online, or what we post online?”, Criminal Justice Review, Vol. 45 No. 4, pp. 1-22.
Petrescu, M., Gironda, J.T. and Korgaonkar, P.K. (2018), “Online piracy in the context of routine activities
and subjective norms”, Journal of Marketing Management, Vol. 34 Nos 3/4, pp. 314-346.
Pratt, T.C., Holtfreter, K. and Reisig, M.D. (2010), “Routine online activity and internet fraud targeting:
extending the generality of routine activity theory”, Journal of Research in Crime and Delinquency, Vol. 47
No. 3, pp. 267-296.
Reyns, B.W. (2017), Routine Activity Theory and Cybercrime: A Theoretical Appraisal and Literature
Review: Technocrime and Criminological Theory, Routledge.
Reyns, B.W. and Henson, B. (2015), “The thief with a thousand faces and the victim with none: identifying
determinants for online identity theft victimization with routine activity theory”, International Journal of
Offender Therapy and Comparative Criminology, Vol. 60 No. 10, pp. 1-21.

Reyns, B., Henson, B. and Fisher, B.S. (2011), “Being pursued online. Applying cyberlifestyle-routine
activities theory to cyberstalking victimization”, Criminal Justice and Behavior, Vol. 38 No. 11,
pp. 1149-1169.
Rocha Flores, W., Holm, H., Svensson, G. and Ericsson, G. (2014), “Using phishing experiments and
scenario-based surveys to understand security behaviours in practice”, Information Management &
Computer Security, Vol. 22 No. 4, pp. 393-406.
Rogers, R.W. (1975), “A protection motivation theory of fear appeals and attitude change”, The Journal of
Psychology, Vol. 91 No. 1, pp. 93-114.

Romney, M.B. and Steinbart, P.J. (2018), Accounting Information Systems, 14th ed., Pearson Education,
London.
Ross, M., Grossmann, I. and Schryer, E. (2014), “Contrary to psychological and popular opinion, there is
no compelling evidence that older adults are disproportionately victimized by consumer fraud”,
Perspectives on Psychological Science, Vol. 9 No. 4, pp. 427-442.
Saad, M.E., Sheikh Abdullah, S.N. and Murah, M.Z. (2018), “Cyber romance scam victimization analysis
using routine activity theory versus apriori algorithm”, International Journal of Advanced Computer
Science and Applications, Vol. 9 No. 12, pp. 479-485.

Saudi, M.M., Ismail, S., Tamil, E.M. and Mohd, Y.I. (2007), “Phishing: challenges and issues in Malaysia”,
International Journal of Learning, Vol. 14 No. 8, pp. 79-88.
Shan, T.L., Samy, G.N., Shanmugam, B., Azam, S., Yeo, K.C. and Kannoorpatti, K. (2016), “Heuristic
systematic model based guidelines for phishing victims”, IEEE 2016 IEEE Annual India Conference
(INDICON), Bangalore, India, pp. 1-6.
Sharifah, R.M., Sahrom, M. and Amirah, M.O. (2019), “Measuring the effectiveness of phishing detection
tool: comparative study on pattern matching and user rating technique”, Journal of Computers, Vol. 14
No. 4, pp. 302-310.
Sheng, S., Holbrook, M., Kumaraguru, P., Cranor, L. and Downs, J. (2010), “Who falls for phish?: a
demographic analysis of phishing susceptibility and effectiveness of interventions”, Proceedings of the
28th international conference on Human factors in computing systems, Atlanta, GA.
Shillair, R., Cotten, S.R., Tsai, H.Y., Alhabash, S., LaRose, R. and Rifon, N.J. (2015), “Online safety begins
with you and me: convincing internet users to protect themselves”, Computers in Human Behavior,
Vol. 48, pp. 199-207.
Singh, S. (2021), “Fresh graduate conned of almost RM139,000 in online scam”, The Star, availabe at: www.
thestar.com.my/news/nation/2021/07/30/fresh-graduate-conned-of-almost-rm139000-in-online-scam (accessed
3 February 2022).

VOL. 24 NO. 3/4 2022 j THE JOURNAL OF ADULT PROTECTION j PAGE 193
 Smith, T.E. and Stamatakis, N. (2020), “Defining cybercrime in terms of routine activity and spatial
distribution: issues and concerns”, International Journal of Cyber Criminology, Vol. 14 No. 2, pp. 433-459.

Sugiura, L. (2013), “To deceive or not to deceive! Legal implications of phishing covert research”,
International Journal of Intellectual Property Management, Vol. 6 No. 4, pp. 285-293.
Tharshini, N.K., Mas’ud, F.H. and Hassan, Z. (2022), “Level of cybercrime threat during the outbreak of
COVID-19 pandemic: a study in Malaysia”, International Journal of Academic Research in Business and
Social Sciences, Vol. 12 No. 5, pp. 40-51.
The Sun Daily (2021), “Graduate loses RM138,990 in job scam”, The Sun Daily, available at: www.
thesundaily.my/home/graduate-loses-rm138990-in-job-scam-IC8141129 (accessed 6 January 2022).
Vakhitova, Z.I., Reynald, D.M. and Townsley, M. (2016), “Toward the adaptation of routine activity and
lifestyle exposure theories to account for cyber abuse victimization”, Journal of Contemporary Criminal
Justice, Vol. 32 No. 2, pp. 169-188.
Verizon (2019), “Data breach investigations report (DBIR)”, United States: Verizon, available at: www.
enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf (accessed 2 January
2022).
Verkijika, S.F. (2019), “‘If you know what to do, will you take action to avoid mobile phishing attacks’: self-
efficacy, anticipated regret, and gender”, Computers in Human Behavior, Vol. 101, pp. 286-296.
Vishwanath, A. (2015), “Examining the distinct antecedents of e-mail habits and its influence on the
outcomes of a phishing attack”, Journal of Computer-Mediated Communication, Vol. 20 No. 5,
pp. 570-584.
Williams, E.J., Beardmore, A. and Joinson, A.N. (2017), “Individual differences in susceptibility to online
influence: a theoretical review”, Computers in Human Behavior, Vol. 72, pp. 412-421.
Yar, M. (2005), “The novelty of cyber crime: an assessment in light of routine activity theory”, European
Journal of Criminology, Vol. 2 No. 4, pp. 407-427.

Further reading
Central Bank of Malaysia (2017), “Fraud and scam notice”, Retrieved from Central Bank of Negara
Malaysia, available at: www.bnm.gov.my/fraud-and-scam-notices (accessed 2 January 2022).

About the authors

Yi Yong Lee is a Graduate Research Assistant at Multimedia University, Melaka, Malaysia.
She is currently pursuing her PhD (management) at the Faculty of Business, Multimedia
University, Malaysia.

Chin Lay Gan is a Senior Lecturer at the Faculty of Business, Multimedia University
Malaysia. Her research interests and publications are in areas of technology-assisted
learning and consumer behavior in marketing. Chin Lay Gan is the corresponding author
and can be contacted at: gan.chin.lay@mmu.edu.my
Tze Wei Liew is a Senior Lecturer at the Faculty of Business, Multimedia University Malaysia.
He leads the Human-Centric Technology Interaction Special Interest Group in the faculty.
His research interests and contributions fall within cognitive psychology, human–computer
interaction and media psychology.

For instructions on how to order reprints of this article, please visit our website:
www.emeraldgrouppublishing.com/licensing/reprints.htm
Or contact us for further details: permissions@emeraldinsight.com

PAGE 194 j THE JOURNAL OF ADULT PROTECTION j VOL. 24 NO. 3/4 2022