Security

Computer Based Fraud

Computer systems have opened new avenues for financial fraud but many instances are a case of traditional 'cons' undertaken by means of computer communications. How is the UK financial sector reacting to this?

Financial Fraud Action UK represents the UK banking and credit industry's campaign to combat financial losses from fraud. It is difficult to say to what extent fraud is a computer-based crime. The information needed to impersonate someone for personal gain could be gathered through social media searches, emails and spoof websites, or just as easily by redirecting mail, sifting through discarded receipts and making spoof phone calls. The computer provides a means to an end, but the crime itself is not new. The story of Frank Abagnale, dramatised as 'Catch Me If You Can', illustrates what fraud can achieve with technology little more sophisticated than a telephone. Some new offences have come about that would not be possible without access to a computer, ransomware (strictly extortion rather than fraud) being the current bogeyman.

In most serious fraud someone is going to lose money, and the financial services industry wants to make sure that it is not them. With electronic transfer of funds it may be possible to get the money back where it belongs if the institutions react quickly enough. They do not have an easy job. Consider this scenario: you make a significant payment and soon afterwards get a phone call from the bank. They will not process the payment without verifying certain security details. How would you know that it really is the bank calling? And even if it is, giving out the answers to security questions over the phone undermines the value of those same questions for any future check. The safe response is to end the call and ring the bank back on the number printed on your card or statement. No matter what precautions are in place, if a customer is absolutely, if wrongly, convinced that a payment is genuine they will endeavour to get it processed; this is the pattern behind so-called authorised push payment fraud.

Financial security procedures and the ability to follow where money goes are forcing criminals to move away from direct bank account fraud towards demanding payment in Bitcoin. Bitcoin is pseudonymous rather than untraceable (every transaction is recorded on a public ledger), but unlike a bank transfer a payment cannot be reversed or frozen by an institution once it has been made. Any demand for payment in Bitcoin or through an unfamiliar payment gateway should automatically be regarded as suspicious.

Financial Fraud Action UK state that in 2016 they secured 78 convictions for fraud and that £6.10 out of every £10 of attempted fraud was prevented. Stolen card details can be used for 'card not present' fraud; losses from this increased from £220.9m in 2011 to £432.3m in 2016. 'Only' £62.8m of card losses in 2016 were due to face-to-face fraud at retailers, an indication of how important remote purchasing is to the card fraudster. Internet purchases account for part of this, although paying by card over the Internet is arguably more secure than paying by phone, as an independent electronic record of the transaction exists. Total e-commerce sales in the UK in 2016 were £199 billion, and for every £100 spent online at UK merchants only 9.5 pence was fraudulent; for online merchants based overseas the figure was 24.3 pence per £100. Fraud losses on UK-issued cards totalled £618 million in 2016, a 9% increase from £567.5 million in 2015. The stolen card details behind these losses could have been harvested through phone and paper-based deception scams or through malware and data breaches.

Online banking fraud dropped 24% from 2015 to 2016, to £101.8m. This could be due to improved bank security and vigilance. It reinforces the view that card details are of more use to the fraudster than bank account details alone. The GDPR applies from 25th May 2018 and imposes far greater penalties for non-compliance than the current legislation. If financial data is not properly secured the organisation holding it could suffer the 'double whammy' of losing the data and the associated customer confidence, together with a substantial fine for failing to protect it. Businesses should consider whether they really need to hold financial information at all, and whether what they do hold could be anonymised or reduced to the minimum needed. Any 'convenience' to the customer of not having to provide payment details for each transaction is easily outweighed by the penalties for not adequately securing that data.

Financial Fraud Action UK have not released specific figures for losses from phishing, but the number of phishing websites specifically targeting UK banks and building societies in 2016 was 14,673. There has been a general downward trend since a peak of 111,286 in 2011.

Fraud often relies on the willingness of the 'mark' to freely provide information to what they believe is a trusted source. Sophisticated encryption and restricted access levels for employees can do little to prevent this: data is of limited use unless, at some stage, someone or something is able to access it, and it is that legitimate access the fraudster borrows. Good practice and general awareness are the keys to stopping fraud. Kindus are able to provide company audits, advice and staff training to optimise fraud protection.

To conclude here are the ‘Take Five’ steps to avoiding fraud:

(1) Never disclose security details.
(2) Don’t assume that an email, text or phone call is genuine.
(3) Don’t be rushed.
(4) Listen to your instincts.
(5) Stay in control.
