1 Introduction
Technologies play a growing role in connecting people with their finances: by providing new ways to bank [
25,
47], earn [
55], pay [
21,
62], send gifts [
73], and track expenditure [
43,
49,
86]. However, many survivors of intimate partner violence (IPV) — who may also experience technology-facilitated abuse [
12,
22] — are especially vulnerable to financial services’ “turn to digital” [
27]. IPV is a severe societal problem which affects one in four women and one in six men in the United States across their lifetime[
13]. Financial abuse is a highly prevalent yet over looked component of IPV [
81], that includes harmful behaviors that target a survivors’ financial independence [
44,
68], making it hard for a survivor to leave [
75,
77], seek help [
74], or resist further harm [
24,
63]. While many works have explored how digital technologies exacerbate financially-motivated offenses (e.g., fraud, identity-related crime [
16,
39,
57], elder financial abuse [
7,
31,
47]), we have yet to identify such work in IPV contexts.
We provide an in-depth analysis into how abusers of IPV use, and may even motivated by, technology to financially harm survivors and their dependents. We do this by conducting a retrospective review of a technology clinic based in a major metropolitan area in the United States (U.S.) to analyze the clinical records of 158 IPV survivors who have experienced technological and financial abuse. These research efforts identified that abusers use various technical, non-technical and deceptive strategies to harm a survivor’s financial stability and well-being, which we organize into an attack taxonomy. We discuss how abusers specifically target a survivor’s password managers and activate a fraudulent password recovery process to gain access to a survivor’s financial information and accounts. Following this, abusers may compromise survivors’ accounts to make non-consensual purchases, alter existing orders or subscriptions, and sell a survivor’s digital assets (e.g., stocks and cryptocurrencies). In extreme cases, abusers leveraged their authority as owners or authorized users of a survivor’s accounts to rack up coerced debt or deplete a survivor’s service allowance. Abusers did not require compromised access to a survivor to harm them, such as maliciously targeting a survivor’s online business or making multiple credit card applications in a survivor’s name to damage their credit score.
To help us retain focus on those responsible for causing such harm [
8], we also conducted 16 interviews with financial advocates to illuminate abusers’ potential motivations for abuse, and the consequences for survivors. We characterize these attacks by discussing the four motivations that underpin each attack, which include how abusers use technology to
exploit,
monitor,
restrict and
sabotage a survivor’s ability to establish financial stability and freedom. We discuss how an abuser did not require physical access to a survivor’s devices, knowledge of confidential financial information, or even the need to interact directly with a survivor (online or offline) to cause financial harm. Perhaps most concernedly, most attacks identified either aimed to
restrict a survivor’s expenditure or directly
sabotage their finances, which do not require an abuser to benefit from such behavior financially. Such findings around financial restriction and sabotage differentiate such attacks from identity-related crimes (e.g., such as ‘identity theft’) due to their persistent, targeted nature on a target, and the complex social goals of the offender. As different methods and motivations for attack require tailored approaches to combat, we conclude with a discussion for how our discoveries have implications: for survivors at acute risk of being targeted; for designers of financial systems to respond to intimate threats who are
not primarily motivated financially; and for research around where technology and financial abuse research goes from here.
Our paper makes three contributions to the Human-Computer Interaction (HCI) and computer security community. First, we directly extend and refactor Freed et al.’s [
29] comprehensive
attack taxonomy to evidence how IPV abusers leverage financial technologies, non-financial technologies, and social engineering attacks to inflict financial harm on survivors and their dependents. Second, we identify
four motivations that underpin and characterize these abusive attacks and link these to protective strategies for how survivors attempt to defend their financial accounts and information. Finally, we contribute concrete design approaches by
adversarial thinking about intimate threats and
consentful interactions to guide how existing financial systems can be re-designed to address some of the challenges survivors report facing upon attempting to rebuild their financial stability. Broadly, our work calls on the financial sector to address the pressing concern of financial abuse in intimate contexts by adequate customer service training and taking on the challenge of detecting financially abusive interactions.
2 Background and Related Work
Intimate partner violence (IPV) — also known as domestic violence (United Kingdom) or family violence (Australia) — is a significant and devastating problem for individuals, communities, and society. IPV is characterized by a pattern of abusive behavior, or aggression in a current or former intimate relationship that gains or maintains power and control over someone through physical, sexual, emotional, economic or psychological means [
13,
72,
74].
Financial abuse, the primary focus of this work, addresses money, finances, and the use of finances which is a subcategory of economic abuse — the control of economic resources more broadly, such as education and housing [
60]. For this work, we refer to people who use patterns of abusive behaviour as
abusers, and people who are subject to them as
survivors.
Financial abuse has recently been recognised as a distinct form of abuse [
26,
60], rather than solely a consequence of IPV [
21], and is present in the majority of cases of IPV [
68]. Such abuse includes behaviors used to coerce and control a survivor’s ability to acquire, use and maintain financial resources, such as bank accounts, credit cards, and loans [
2,
78], directly damaging their financial security and independence from their abuser. Any behaviours that target a survivor’s financial freedom represent a significant barrier for a survivor to leave the relationship [
77], use protective strategies if leaving is unfeasible [
63], or refrain from returning to an abuser [
68]. However, the aftermath of financial abuse can be life-long and continue after a relationship has ended, such as exposing survivors to homelessness, job loss, poverty, and poor health outcomes [
41,
67]. Abusers, in a similar vein to identity thieves [
39], may saddle survivors with large debts through stealing their income, damage their financial reputation, and leave few savings or assets in their name to rebuild their financial lives [
3,
44,
67]. Survivors who occupy low socio-economic statuses (e.g., be on fixed income [
90]), be financially dependent on their abuser (e.g., be disabled [
4,
50,
64]), or be financially responsible for other individuals (e.g., children, elderly parents [
37,
44]) are acutely vulnerable to this devastating form of abuse.
Recent work in HCI has demonstrated that digital technologies play a significant role in IPV contexts by providing an abuser with the ability to surpass geographic and spatial boundaries to exacerbate their abuse [
14,
22,
33,
61,
91]. For instance, Freed et al. [
29] offer an invaluably comprehensive attack taxonomy that demonstrates how abusers may gain access to a survivor’s accounts through owning devices or services, compromising a survivor’s accounts, posting harmful messages about them, or disclosing private information. Recent work has also indicated that abusers may use surveillance and spyware to track a survivor’s location and control their behavior [
9,
82]. However, technology-enabled financial harms in intimate relationships – which scholars argue can be easily overlooked by service providers and researchers [
20,
34,
92] – have yet to be scrutinized in significant depth. Although several lessons can be drawn from identity-related crimes [
39,
46] and elder financial abuse [
47], evaluating their suitability for IPV contexts are still in their infancy. A small number of survivor-focused studies describe a few accounts of how abusers may have tampered with online bank accounts remotely [
92], withheld finances from joint accounts [
20], and sent harassing messages through payment transfers [
34]. Nevertheless, such findings do not illuminate
how abusers gain access, theorize
why they do so, and investigate how abusers may cause financial harm beyond online banking. Indeed, as many survivors of IPV lack a bank account entirely [
32] and with more financial services becoming digitized each year, it is essential to explore how
all areas of their financial activity may be affected. Arguably, in line with calls from fraud and identity theft scholars [
3,
59], an important way to prevent financial abuse is to mitigate its occurrence in the first place. As such, building a solid picture of when and how technology mediates financial abuse in IPV contexts is the first step in designing policy and practice that protects survivors’ financial stability and supports their attempts to regain financial independence.
Investigating the role that digital financial systems play in IPV contexts also responds to recent calls in HCI for more insight into financial household management [
86], family settings [
32], and personal financial tracking [
5,
43,
49]. Indeed, valuable work has already shown how inflexible financial infrastructure can lead to specific complications people who are unbanked or underbanked [
10,
32,
38], cash- or cheque-reliant [
85], people who face historical exclusion based on race [
21], and people who may be targeted due to lack of technical knowledge [
16,
47]. Such complications may directly threaten affirmative and informed consent [
40,
76,
96] — the gold standards for sensitive design that respect privacy, trust, and autonomy of the user — it is thereby vital to scrutinise how consent to financial services can, and is, being undermined by adversaries. Arguably, any lessons learned for consentful design in financial services for specific population groups, such as survivors of financial abuse, can not only work toward improved outcomes in IPV contexts, but for the broader population as well. Recent work on digitized financial banking [
19,
23], e-wallets [
42], and payment systems [
17], also call for greater transparency in how they could be used abusively in more intimate contexts. For instance, scholars have consistently shown that mobile money or branchless banking applications use weak authentication and fail to secure authentication data in transit [
65]. With terms and conditions that hold the customer responsible for fraudulent activity, consumers are left with no recourse to dispute fraudulent transactions, even if conducted abusively by a malicious insider [
65,
68] such as an abuser with direct access to a device.
4 Tech-enabled Financial Attacks
We identify that technology already plays a significant role in facilitating new paths to control access to a survivor’s financial resources, which we explicate in two complementary sections. Firstly, we demonstrate how abusers of IPV use a combination of non-financial and financial services to inflict financial harm on survivors, which we present through five categories. Second, with the help of financial advocates, we categorize these attacks according to four motivations that underpin financially abusive behaviors.
In our analysis, we discovered that abusers use a combination of social engineering techniques, non-financial technologies, and financial technologies to target a survivor’s resources, assets and data. We organize these attacks into five high-level
attack categories shown in Table
1 and directly extend the invaluable taxonomy as offered by [
29] to financial contexts. Abusers may be the
(1) owner or an authorized user of a survivor’s financial account or exploit a survivor’s authentication mechanisms to conduct an
(2) account compromise. Abusers could construct
(3) harmful posts or reports, or use
(4) deception and identity theft to manipulate a survivor psychologically. Finally, abusers
(5) bypass physical defences to destroy property such as financial records or work devices. In our study, we identified abusers who use technology to carry out abuse do so via categories previously identified by HCI communities (account/device compromise, harmful messages, and ownership-based attacks as identified in [
29]), however, we provide a novel, comprehensive analysis of how technology abuse
also directly leads to financial harms.
4.1 Ownership-/Authorized-user-Based
Survivors may often use devices or accounts that abusers have bought, allowing an abuser to have privileged access and perform actions that may be unable to standard users (e.g., viewing service usage statistics). However, we identified situations where survivors described being convinced by an abuser to add them as an authorized user on their online financial accounts and credit card plans, allowing an abuser to make purchases on a survivor’s credit account and card. Authorized users differ from being added to a family plan as the account holder (often a survivor in our dataset) is legally responsible for any expenditure accrued, while an authorized user is not. If an abuser deliberately abuses their authorized user privileges, this hurts the account holder’s credit score.
Ownership-based. Survivors shared that an abuser was often the primary (and sometimes the sole) owner of an online financial account in their relationship, which abusers used to digitally and physically restrict their access to banking infrastructure. A few survivors shared how survivors were not permitted to own a smartphone and so were physically unable able to access mobile banking or peer-to-peer payments:
“He made sure that I don’t get anywhere near finances... everything, every single thing, all accounts, all bank accounts, any accounts, everything is 100% under his name... I was invisible to the banks and utility providers.” (S21)
Survivors also disclosed that abusers could also digitally restrict access to a financial account, such as ensuring that a survivor was not registered or named on any online accounts. As transfers and changes often have to be done by the account holder or as an authorized user, survivors shared they had been unable to make savings or transfer money to their children. When an abuser did list a survivor on their bank or credit account, we found survivors described they would still receive verbal threats to remove them from using a financial account. For instance, a survivor (S51) shared that she was an authorized user on her ex-husband’s credit account, allowing her access to finances when she could not work. However, her ex-husband continuously threatened her with removal from his account should she do something that upset him. Abusers leveraged physical or digital control of the household financial accounts to their advantage, and a few survivors shared cases where the only income they received was through their abuser, which they referred to as “an allowance” (S128). Abusers could provide this ‘allowance’ through cash handouts, cheques, or even top-up cards where a partner would allocate a fixed amount each month to their survivor to spend yet refuse to provide more money when requested.
Some survivors also shared how they used devices that were purchased by — and therefore legally owned — by an abuser, which facilitated their everyday interactions with money, such as making mobile payments, tracking their expenditures, and cash cheques remotely. However, we saw descriptions of attacks where abusers leveraged third parties to remove or seize these devices from a survivor, often following the end of a relationship or moving out of a shared domestic environment:
“he brought the cops [police] around to where I lived, he showed them the receipts and since we were the legal owner... and he took all my devices... phones, tablet, laptop... everything... even the kids’ devices” (S157)
These attacks often required the use of law enforcement or the use of repossession agents to enforce the seizure. In all cases in our dataset, the abuser provided devices as financial gifts to a survivor, which had the added impact of causing psychological distress to a survivor and their dependents.
Authorized User-based. Many survivors described how they maintained a range of online subscriptions, including services for work (e.g., cloud storage) or entertainment (e.g., music, film streaming). As many of these services are now explicitly designed to serve families or couples, survivors shared stories of how they added partners and family members to their accounts, generally at their partner’s request. However, abusers were reported to abuse these privileges, such as refusing to pay “their fair share” (S45) by financial contributions, despite formerly agreeing to. Some survivors described how an abuser used this privilege to deplete their paid-for service allowance, such as the number of downloads or call minutes:
“he would spend all day online gaming... so we would always run out [of the Internet]... the kids would then have to use school’s WiFi.” (S55)
Many survivors also reported cases where abusers deliberately depleted their online services to build debts in their names. For instance, one survivor shared how their partner had continuously rang up charges to expensive numbers, which depleted their phone credit, ensuring they could not use their phone contract to call family members. In using their authorized user access, abusers also made several non-consensual purchases online or in-person using a survivor’s account and financial details. In online contexts, abusers made expensive purchases from popular online shopping sites, organize holidays, and also made decisions to participate in high-risk activities such as gambling or purchasing drugs. A few survivors acknowledged that most couples do not ultimately oversee the other’s spending; however, spending by an abuser was excessive and frequently drove the survivor into debt.
Survivors described how abusers would also leverage their physical access to take their financial card details and add them to their own digital wallet (‘e-wallet‘). Adding a survivor’s financial information to their phone ensured that abusers did not need to take or withhold a survivor’s physical credit or debit card, but still had the benefit of using the details:
“I knew he had been spending... I received an email from the store, it was a receipt from an area of the city I do not visit... and it was for hundreds of dollars that I definitely would not have agreed to spend.” (S11)
4.2 Account Compromise
In this category of attacks, abusers did not have legitimate or authorized access to a survivor’s financial assets or accounts. Many survivors shared descriptions of how abusers compromised their authorization information to do so, such as physically accessing their devices. Alternatively, abusers accessed their information while they were distracted, occupied, or by compelling them to disclose their details by the threat of violence (discussed in-depth in Section
4.4). Prior studies have identified these compromises in IPV [
29,
82,
91] and identity theft [
3,
39], however, survivors revealed two new approaches: compromising a
password manager and exploiting a
password recovery process.
Preventing Survivor Re-Access. A few survivors described how they used standalone password managers to store their financial information, including card numbers, security card codes, bank customer numbers, and even personal identification numbers (PINs) for debit and credit cards. However, as many modern browsers or operating systems have built-in password managers (e.g., KeyChain, Google Password Manager), some survivors had not realized that they had inadvertently agreed for the browser to save these authentication details for a later session. One survivor (S92) expressed embarrassment at using a password manager in an insecure manner, including using a weak master password, a guessable PIN, or turning the automatic locking system off due to frustration at being asked to re-enter the password consciously when needed. If an abuser compromised access to this password manager — through physical access, they could gain access to all their financial information, including emergency password reset codes. Abusers who were unable to guess a password could then use request a password recovery or reset link to intercept to gain access to the system.
We identified that peer-to-peer payment applications (P2PPs) and branchless banking applications proved especially vulnerable to this form of intimate attack as some prominent brands do not require passwords or secret answers for authentication (in line with [
65]). A few survivors shared how abusers only needed to know a their phone number and were able to receive a two-factor authentication notification to access their financial account. Once authorized as a survivor, abusers could lock them out of their bank, credit, peer-to-peer payment applications, or investment accounts to prevent re-access. Some survivors were then forced by an abuser to try to continuously restore access to a financial account, being unable to abandon the services (without taking a significant financial loss [
3]) with service agents who were unaware of the dynamics of a financially abusive relationship:
“I am either on the phone to the fraud team or customer service... I was bounced around, and no one wanted to take ownership of this problem” (S115)
In extreme cases, preventing re-access to financial accounts included using compromised access to submit a cancellation request of a survivor’s credit card or online financial account. Survivors shared that if this cancellation is successful, a credit issuer shared that they were under no legal obligation to reinstate the account, leaving a permanent mark on a survivor’s credit report:
“he closed out my credit card, and the company refused to reinstate it... it screwed up my credit [score] as it was my oldest account” (S5)
Making Changes to Purchases or Transfers. Many survivors also described how abusers would use their compromised access to purchase new items or services directly, frequently using their account or card to do so. Survivors described how abusers felt a sense of entitlement following this non-consensual authorized access to transfer any of a survivor’s income into their own accounts on a regular basis. For instance, when one survivor challenged an abuser about why they had authorized a transfer from their account, they had responded that they did not “feel like spending their own money” (S85). As abusers had made purchases or transfers through a survivor’s account, sometimes using their devices, customer service representatives struggled to recommend the next steps as the fraudulent charges appeared to be ‘authorized’:
“Then it showed that on my shopping account I bought a piece of furniture, I did not buy that!... when I called to complain the company said it looked ‘fine’, but it was not as I did had not made that purchase. He had with my card information...” (S131)
A few survivors shared cases where abusers had used compromised access to their accounts to make alterations to existing orders or purchases, predominantly on online shopping websites. These included “cancelling grocery shopping orders” (S62), changing delivery slots when such purchases would arrive, and a survivor’s delivery information. One survivor (S131) shared these actions which they perceived as annoying had undermined their ability to purchase items for themselves, their children and their friends. A small number of survivors identified cases where an abuser, posing as a survivor, would make non-consensual upgrades to subscription tiers to luxury or premium versions that cost more money. As subscription services charges are subtle, with auto-renew on by default, survivors who were subject to this attack were unaware of these changes until months afterwards.
Some abusers also used their ability to compromise survivor accounts to delete digital assets that survivors purchased through subscription sites or shopping services. These included deleting “entire libraries” (S73) of music, digital photo albums, games, and digital art, all of which had been purchased or commissioned by the survivor. One survivor shared that they cultivated these digital collections for years; this also represented a feeling of loss at having to start from scratch:
“he sold that artwork that I had commissioned for my family members, it meant so much for me to pass that on to them when the time was right... and he sold it to some nobody online...” (S16)
In some cases, these changes included removing the assets by selling them through online investment accounts such as stocks and shares and brand-new digital assets, such as cryptocurrencies or non-fungible tokens (NFTs). Sales of stocks or shares were incredibly challenging for survivors as such sales are heavily regulated via federal and national regulations, making them difficult, if not impossible, to revoke. Likewise, as cryptocurrencies are built on digital currency protocols of immutable hash codes, transactions cannot be altered or cancelled once initiated.
4.3 Harmful Messages or Reports
Abusers did not require access to conduct harmful attacks on a survivor’s finances and well-being or even choose to directly interact with a survivor to control their behavior financially. Digital technologies made many of these financial attacks possible due to their ability to provide an abuser with anonymity, such as creating a fake profile online, or submitting an anonymous tip-off to a financial agency over the phone. Some survivors described how an abuser knew confidential financial information about them to tailor their attacks. However, survivors shared accounts where abusers used this information in attacks that were motivated to harm or damage their finances, indicating abusers may be also motivated by complex social goals that go beyond financial exploitation as often found in cases of identity theft.
False Reviews and Fraudulent Reports. To recuperate finances lost during their time with an abuser, many survivors shared that they had started their own online business, frequently hosted on social media sites. However, a small number of survivors shared that abusers had crafted multiple fake profiles to leave significant amounts of negative feedback known as ‘review bombing’ on survivor’s public storefronts:
“I run a niche business; there are not many online providers who do what I do in my area. When he continuously leaves negative reviews to bring my rating down... it makes my business look bad and existing customers bring it up.” (S40)
As many online businesses rely on good ratings and reviews to invite new customers or show on new search results, a few survivors described how any unwarranted negative feedback could directly affect their financial earnings. One survivor (S68) disclosed they had attempted to report the abuser, only for an abuser to make more accounts, many of which the platform never removed. Disputing fake negative reviews and building an online business proved costly, where another survivor shared that it would take them away from being able to “engage with their real customers” (S10) and set up new images of stock and services.
In many cases, survivors described how their abuser had fraudulently reported their businesses, and public fundraising attempts to the platform hosters for fraudulently “misleading donors” (S83) or customers. As several survivors often used fake names online to help them keep a low profile from their abuser, this could result in the temporary takedown of the page by the website host or platform before re-established due to a mismatch between stated identities. We also saw reports of abusers who made several anonymous fraudulent reports on survivors who received financial support through state institutions, including the social security administration, a financial benefit provider in the U.S. for low-income households:
“He made a report about how I was spending my benefits as if it is not restrictive enough as it is... it stopped money coming into the house, I had to ask friends for cash... it was humiliating”. (S117)
These actions inevitably deprived the survivor of the cash benefits that they could use for groceries and rent and impacted any children under the survivor’s care.
Outsourcing Financial Attacks. Survivors shared how abusers would disclose and distribute known financial data, such as authentication details, social security numbers, bank passwords or full card numbers, with others, such as on public forums. While the breach of personal information can occur at a business-wide level (e.g., the Experian leak of 2015), some cases described abusers posting financial information on online forums and would also pair these posts with personal messages that contained links to the forum posts to the survivor:
“whatever I do with my bank accounts, they [abuser and new partner] still find ways around the changes I make to protect myself... one time they posted my new bank account and password on a classified ads site” (S11).
These actions indicated to survivors that their abusers were directly behind the attacks; however, as survivors were not the original content posters, they could not easily take the information down. As an abuser had outsourced these attacks, one survivor (S108) described that it was hard to know if an abuser was behind an attack that directly used their information or if another user online used it as an opportunity to take advantage.
Unfortunately, we also saw banks begin to be exploited as third parties in an abuser’s attempt to harass and intimate their survivor. For instance, some accounts described how abusers would bombard a survivor with security alerts (e.g., “someone has tried accessing your account”, “log in an attempt”) that survivors had in place on their accounts as a way around contacting them directly. The frequency and wording of many alerts proved alarming to many survivors who experienced this and had a cumulative impact on their mental well-being.
4.4 Deception and Identity Theft
As per Eriksson and Ulmestig [
26], we identified that survivors’ experiences of financial abuse came with other forms of abuse, notably psychological and emotional abuse. Survivors described abusers as using deception to convince them to disclose information, limit their knowledge of existing financial accounts, or use strategies that would make survivors question their sanity [
71] or ‘gaslighting’. Controlling access to a survivor’s financial information is a core part of financial abuse [
2], and we saw a disturbing manifestation of this where many survivors could not control access to their
privacy of this financial information. Survivors were acutely aware of the level of authority an abuser had with new knowledge about them (e.g., attacks in Section
4.3).
Deceiving Survivors. Some survivors stated that abusers regularly used psychological manipulation and gaslighting to control the oversight survivors had over their personal and household finances. Deceptive behavior included deliberately hiding, destroying or deleting digital evidence of an abuser’s financial products, such as debts, bank statements or receipts, that kept the survivor in the dark about their finances. We saw examples where an abuser had reassured a survivor that they had “paid a utility bill online” (S31) only for the survivor to discover that this had gone unpaid through a reminder email. One survivor explained that their ex-partner even went through the process of printing false receipts of a plane ticket she was unable to afford on her own:
“He would print out something that said he had a plane ticket on hold for me to go back home, but it never really happened, there was no plane ticket... It was just a game to him”. (S13)
Many survivors shared instances where their abusers would attempt to socially manipulate them into sharing private financial details across a range of different contexts, such as posing as “genuine customers interested in making a purchase” (S39) through their online business. In one case, a survivor shared that their abuser had created a new, fraudulent business to elicit financial information:
“I noticed a business profile on social media, so I was interested in following them as they looked cool... then questions about my outgoing costs started... then he replied from his account by mistake and then I realised it was him”’. (S6)
In a similar case (S111), one survivor felt isolated as they could not determine legitimate customers from their abuser and took protective privacy measures that directly damaged their earnings.
Deceiving Others Connected to Survivors. In our data set, we read descriptions of how financial institutions and banks rarely had additional levels of verification that necessitated properly authenticating new applicants for a credit or debit card. Many survivors disclosed how abusers exploited this lack of online security by using a their personal financial information to apply for multiple credit cards online in their name fraudulently. Applications for credit cards and loans necessitated a creditor looking at a survivor’s credit file to determine how much risk they posed as a borrower, known often as a hard pull or hard credit inquiry:
“She set up various credit cards from a variety of different banks without my permission, using my social security, prepaid cards, you name it, my score tanked”. (S32)
These requests acted as permanent marks on a survivor’s credit history, and nearly all accounts disclosed that this directly negatively impacted their credit scores for at least two years following the application. These documents contained further confidential information about a survivor that they did not want to be made public, including public records (e.g., files for bankruptcy), and account information (e.g., missed payments). Although credit bureaus can prevent requests for new credit reports and accounts through credit freezes, consumer uptake of these tools is low due to a lack of awareness, a conflation with tools on other financial products, and usability concerns [
95]. In two cases survivors described considering freezes, but hesitated to disclose their status as a survivor of IPV out of concern of being stigmatized and thereby receiving negative financial marks on their accounts. These concerns illustrate a common misconception on freezes—that customers need to disclose a reason for a freeze request (as found by Zou et. al. [
95]).
Survivors described situations where abusers would also interfere with their ability to earn through socially manipulating financial coordinators at their workplace to redirect salary and benefits. If successful, this attack was challenging for survivors to manage as employers were resistant to re-compensating the survivor of lost income, and due to short time restrictions for withdrawals of transfers for online transfers:
“My husband called up my work to share the ‘correct’ details for an account he described as ‘our’ joint account... My work didn’t confirm it with me... when I returned I discovered he had stolen two weeks’ worth of my salary”. (S133)
4.5 Bypass Physical Security
Finally, survivors described how abusers pursued their physical possessions and property. Abusers used tactics to repeatedly invade a survivor’s sense of privacy around finances through destroying, damaging, or withholding their digital devices and bypassing home security systems to steal financial documents and authentication information. These attacks were motivated to destroy and steal physical representations of information and devices to control their interactions with finances and their financial institutions. While some of these strategies mirror dumpster diving and mail interception found in cases of targeted identity theft [
39], the post-attack taunt that abusers used against survivors appeared to be a distinctively psychologically harmful variant of these attacks.
Targeting Devices. Abusers may destroy devices that they legally own [
29]; however, our accounts show how abusers also destroy other people’s devices to control them. These devices included phones, cameras, speakers, laptops, tablets, external hard drives and physical cryptocurrency wallets that survivors had to insure repeatedly to protect them from damage. A few survivors shared how they were subject to
“lengthy claims processes” (C69) through customer service to report a device damaged or stolen, only to discover that they needed to pay off the amount in full before getting a new device. However, some abusers withheld their devices for a particular period to control their ability to coordinate work arrangements. When abusers did this, it had a uniquely harmful impact on survivors who conducted business online or needed digital devices for their jobs in the creative industry:
“... he would take my phone away and keep it for a day or two. I would panic because this is where my money comes through. That is the number my customers call me on, and I need this phone.” (S12)
During this time, a few survivors described how abusers prevented from receiving emergency money from friends and family, including money sent via text messages such as Apple Cash or through peer-to-peer payment applications (e.g., Venmo and Cash App). Withholding rather than stealing a device meant survivors faced barriers to submitting an official report to try and legally reclaim the item. One survivor (S20) shared that law enforcement would eventually dispute the phone as stolen if it was physically back in their possession. As personal devices play a significant role in authentication approaches, such as through the use of authenticator apps and two-factor authentication (2FA), we saw a significant overlap of this attack with locking a survivor out of their financial accounts (discussed in Section
4.2).
Targeting Physical Copies of Financial Data. Abusers also demonstrated significant dedication to the gathering, collecting and stealing financial information related to a survivor’s online accounts, typically targeting from their home and places of work (akin to intimate partner surveillance [
9,
82,
88] and social engineering [
46]). Several shared how their abusers had targeted physical copies of bank statements, medical or utility bills, account details, card details and mail containing cards or PIN codes:
“I failed to receive papers from the bank... important ones with card details and PINs. On another occasion, some letters had been opened and placed back in the mailbox... to send a message” (S9).
A few survivors shared that these attacks also targeted the addresses of the survivors’ trusted family members, who were used as a “safe place to visit” (S58) following the relationship. These physical violations of a survivor’s privacy also extended to abusers accessing their trash, such as dumpster diving for information. Several survivors shared that they had considered that someone else other than an abuser could have also performed this attack. However, in each case, their abusers had paired these attacks with conversations with survivors that contained references to accounts that would have otherwise been unknown:
“I do not even throw out a scrap of paper without shredding it because I am just constantly frightened that he will have insight into what is happening in my life.” (S6).