The UK government Office for National Statistics publicises yearly crime statistics for England and Wales, the most recent being those to March 2017. The data runs from April of one year to March of the next. This fits in nicely with the tax year and the old English New Year, which was unfortunately changed by the Calendar (New Style) Act of 1750.
This was the second occasion on which computer misuse was treated separately from fraud as a reported statistic, although a Computer Misuse Act (now superseded) was published in 1990. Any data will come from reported incidents; a victim of fraud may not want to admit to it, as doing so could make them susceptible to further attacks, so any figures are likely to be lower than the true numbers. There are 2 sources of numbers. The first is fraud related crime reported to the police, based on a survey of 17,171 adults. Significant scaling up of this data sample is required to produce the published statistics of rate per 1,000 population (taken as 57,885,400 in 2016). This data was gathered by asking fixed questions of the respondents; it does not include exact details of each crime. The other source is incidents reported to the government agency Action Fraud, for which we have the 2015/6 (220,691) and 2016/7 (264,056) numbers.
The size of the Action Fraud dataset makes it considerably more statistically significant, although it does include cases that were never prosecuted. Both sources could include events that are reported as more than 1 incident even if only a single victim was involved. This data is just too old to include the recent WanaCrypt0r and other ransomware attacks. Would such an event be a single incident, one fraud per organisation or one per affected computer? The scale of the personal or financial loss to each victim is also omitted. To be of more use the data will need some measure of severity or impact. Malware that slows down a computer, redirects web pages or throws up pop-ups is a crime. It could however be a script kiddie ‘trying it on’, a test for a future variant with a dangerous payload, or one link in a chain of compromised sites and software that will lead to significant data loss.
Action Fraud’s data does rely on the public knowing of the organisation’s existence and knowing that making a report can lead to a police investigation. The website user has the option to report a fraud and receive a police crime reference number, or to report a scam on which they have lost no money and where they do not wish to directly involve the police. The police themselves can pass case information on to Action Fraud, but there is no indication of how common this practice is. The pitiful number of police cases compared to reports received by Action Fraud gives some indication of the proportion of incidents regarded as ‘serious crime’ rather than a nuisance.
The data is most useful when considering proportions of offences rather than the actual numbers. It is hidden as an appendix (table A5) to the national crime statistics. Here are the computer misuse numbers for the last (and only) 2 years.
| April-March figures | 15/16 | 16/17 | % of 2016/17 total |
|---|---|---|---|
| Computer misuse crime (total) | 13 210 | 19 537 | 100% |
| Computer viruses/malware | 3 531 | 7 259 | 37% |
| Denial of service attack | 491 | 364 | 2% |
| Denial of service attack (extortion) | 179 | 417 | 2% |
| Hacking – server | 507 | 691 | 4% |
| Hacking – personal | 2 481 | 3 637 | 19% |
| Hacking – social media and email | 4 507 | 5 541 | 28% |
| Hacking – PBX/dial through | 559 | 510 | 3% |
| Hacking (extortion) | 955 | 1 118 | 6% |
There is no great surprise here, except: what, if anything, could still be classified as hacking PBX/dial through? With the dial-up modem relegated to history, could some of this be VOIP loss of service? Hacking and virus attacks are the big numbers. Many of the categories bleed into each other. A hacking attack could be the result of malware that has not been noticed until it is too late. The relatively low numbers for denial of service and extortion could be explained by fewer cases that generate higher publicity. Extortion is more likely to attract news media attention than poor computer performance caused by a virus infection.
Only 7.4% (19,537/264,056) of the 2016/7 fraud cases are directly attributable to computer misuse, but many of the cases categorised elsewhere might have been initiated or carried out through a computer. For example the notorious “Nigerian Princess” or 419 scam (804 cases) is classed as an advance fee fraud, not as computer misuse. We still receive this type of email, but they are often filtered out by email clients and only true victims or dedicated crusaders are likely to report them.
The Office for National Statistics data (table E8) does provide another breakdown on what proportion of fraud crime incidents are regarded as cyber crime.
| | Cyber crime (%) | Non cyber crime (%) | Number of incidents |
|---|---|---|---|
| Fraud and computer misuse | 71 | 29 | 1 625 |
| Bank and credit account fraud | 50 | 50 | 787 |
| Advance fee fraud | – | – | 24 |
Note the relatively small number of incidents in each category, and that the total (4,356) is roughly 25% of the 17,171 people in the full survey. Exactly what constitutes a cyber crime is not defined. If a credit card is skimmed a computer based device is involved, but not in the same manner as in on-line identity theft. The nature of the 3% (15 total) computer misuse incidents that are not classed as cyber crime would be interesting to know.
There is clearly a lot of work to do before really useful data is made available. Hopefully the base data is good enough that in time it can be more thoroughly analysed and useful trends presented. The Action Fraud data capture provides something for the computer security industry to work on. The number of incidents involved makes it a much more useful data set than the ‘surveys’ published throughout the web, which are based at best on a few hundred responses. An opportunity has been missed in not providing more information on the cases, their severity and ultimate resolution. This would provide a much more useful tool for analysis.
To summarise: if you suspect you are, or know you are, a victim of cyber crime, report it. The current analysis of the data is poor, but as the data volume increases it will become more significant. The data as presented by the UK government suggests that incidents are most likely to be malware or hacks rather than full blown ransomware or denial of service attacks.
Even a minor incident could be the first stage of a more serious attack. Document as much of the incident as possible and call in expert help. Kindus are experienced security professionals, ready and willing to offer advice and support on dealing with and preventing cyber security incidents.