The UK Fraud Epidemic is Now a National Security Threat
In late January, a BBC article proclaimed that the “fraud epidemic is now a national security threat” in the U.K. The article was based on a think-tank report that discussed the escalating impact of fraud on society and was highly critical of the policy response from the U.K. government and law enforcement agencies. The report concluded that fraud was “everyone’s problem but no-one’s priority” and that the U.K. was now a low-risk and high-reward jurisdiction for organised crime gangs undertaking fraud.
So, is this just attention-grabbing commentary or a serious suggestion that fraud should be treated the same as terrorism, espionage, and cyber threats to national infrastructure?
Is this a fair assessment?
It is certainly true that fraud is a significant and growing problem. U.K. crime statistics for 2020 show that 3.7 million incidents of fraud were reported by individuals and businesses, making it the most prevalent crime type, affecting approximately 1 in 14 adults in the U.K. per year.
It also seems inevitable that next year’s figures will be even worse following the explosion in payment fraud scams throughout the Covid-19 pandemic. The U.K. Citizens Advice Bureau estimated that 1 in 3 people in the U.K. were targeted by pandemic-related scams in just a 6-month period in 2020.
The growth and scale of the fraud threat reflects the increased involvement of organised crime groups (OCGs) in fraud schemes that are using more sophisticated technology and scalable attack methods. As more and more aspects of life (particularly management of our finances and assets) move to digital and online platforms, they stand to be exploited by OCGs who have invested in the technology and possess the skills to do so.
Shouldn’t the banks or police be stopping this?
Of course they should, and they do. The issue is the extent to which they are successful and the extent to which they prioritise this versus a range of other activity.
Banks & FIs
Each bank will have fraud controls, systems, and processes in place to protect customers from fraud – some of which are explicit regulatory requirements, such as the PSD2 requirements for security of online payments. And most banks invest significant amounts in security, strong customer authentication, and transaction monitoring.
Nearly all U.K. banks prevent the majority of fraud attempts – UK Finance (the banking industry body) reported that U.K. banks prevented £6.88 of every £10 of unauthorised fraud transactions attempted in 2019.
That’s a lot of fraud being stopped, and a lot of time and effort being invested by banks in not only preventing fraud, but also resolving issues for victims by refunding financial losses and offering support in how to protect themselves.
Banks are doing a great deal to stop fraud. However, the reality is that investing in next-gen fraud prevention technology is an economic decision. From a business perspective, the cost of the fraud system or control should achieve at least an equivalent saving in reduced fraud, which unfortunately means that spending £2 to save £1 in fraud isn’t a practical decision.
Ultimately, what this means is that the symptoms are getting treated, but the patient isn’t getting cured. Banks stop a lot of the fraud and limit the return on investment for the fraudsters, but they don’t stop the fraudsters from trying again, and again, and again…
It is difficult to assess the effectiveness of law enforcement in tackling fraud and the limited data that exists does not indicate a high level of success. According to The Telegraph, 7,725 fraud offences resulted in a prosecution in the 12 months to March 2019, which is the equivalent of 1 in 500 reported frauds being prosecuted by police.
Why is this? Lots of reasons, but some of the key ones are funding, priorities, and structure.
Funding drives the level of resource law enforcement have at their disposal, and priorities are how they deploy these resources. Unfortunately, fraud can sometimes be seen as a ‘victimless crime’ that is ‘the banks’ problem’.
In addition, the U.K. law enforcement response is structured with regional forces (addressing local crime) and national level units (addressing organised and cross-region, and cross-border crime). Most fraud is undertaken by organised crime gangs operating nationally and internationally. Consequently, it’s beyond the scope and priority for most regional forces.
Anyone in the U.K. who watches TV will recognise (content warning: stereotypical media references follow!) the image of the dedicated, but overworked CID detective dealing with a bulging in-tray of violent crime cases in the real-world… who doesn’t have the resources, knowledge, or the skills to target predominantly online financial crime in the cyber-world.
In the U.K., the National Crime Agency (NCA) are tasked with tackling organised crime, but they are massively out-resourced by organised crime gangs. The BBC article and think-tank paper reported that fraud generates £190bn per year in revenues for organised crime, compared to c. £450m in funding for the NCA (to tackle all forms of organised crime – not just fraud!).
What are the Government doing?
According to the think tank report: not enough, which could lead one to believe that despite the growing scale of the problem, there is no national strategy for tackling the issue, all while the police response is underfunded.
In recent years, the fraud and security focus has been driven by and aligned to European regulation and the SEPA – with the 2nd Payment Services Directive mandating requirements for additional security for online payments and account access (which should help reduce fraud over the next few years).
The U.K. government has also supported public-private partnerships for data-sharing and law enforcement collaboration. Collaboration between banks and police can only help, though they are often worlds apart – with the law enforcement community’s use of ‘intelligence’ at odds with banks’ reliance and focus on ‘data and analytics’, meaning there can be a lack of transferability, understanding, and reliance on the other party’s methods. Much of the progress in this area has been driven by private industry – with both banking and insurance industries funding dedicated law enforcement units to help tackle their specific challenges (to secure support that would likely be lacking if they didn’t fund it).
The U.K. Government and regulators have also supported a Consumer Association-led effort to progress a solution for payment fraud scams (which has so far yielded limited success). In the ever-increasing drive to digital and online, unsophisticated and vulnerable consumers have been left exposed to increased fraud. And as banks have improved their security, fraudsters now actively target victims directly by phone, SMS, and increasingly via social media platforms, duping them into transferring their money.
Much of the drive from the payment scam reduction effort seems to be to shift liability onto the banks to refund customers. While this is a worthy aim to protect vulnerable customers from potentially catastrophic financial losses, it doesn’t solve the problem and would not result in less fraud (it would just shift the cost from consumers to banks).
The way forward?
The BBC article and the think-tank report concluded that core to the “UK fraud epidemic” is a lack of intelligence and understanding, which limits law enforcement operational response. Effectively, law enforcement don’t understand the problem, so can’t deal with it.
The report talks about this as both a ‘symptom and a cause’, with the lack of priority and response from law enforcement being the symptom and lack of intelligence and understanding the cause.
The report concludes that raising the profile and priority of fraud (to make it a National Security Threat) and devoting additional resources via the Intelligence Services & GCHQ (in addition to the NCA) would help fill this intelligence gap. Better intelligence would then enable regional forces to take targeted action at local level.
It will be interesting to see if the report prompts debate and action from government – certainly something needs to change to address the fraud epidemic facing the UK.