Case Studies

RUSI on fraud

by Mark Rowe

The near endemic nature of cyber fraud cannot be left unchecked, says a report by the defence and security think-tank, the Royal United Services Institute (RUSI).

Despite its serious impact on the UK, cyber fraud has not received the appropriate coordinated response, according to the report. It says: “Responsibilities for tackling the issue are unclear, creating a sizeable leadership vacuum at the policy level. Financial institutions are usually the first line of defence in any instance of cyber fraud, and are often required to reimburse the victim. But to reduce the harm cyber fraud is having on society, there must be a reduction in the number of victims.”

The paper points to ‘a worrying lack of clarity regarding the definition, understanding and measurement of cyber fraud (and of fraud more generally)’. As for who does what to tackle fraud, the report says that some financial institutions see cyber fraud as a high priority due to the risk of reputational damage, ‘while others are more likely to think of it as just another cost of doing business’. As for information sharing between law enforcement agencies and financial institutions, despite forums and partnerships, it’s ‘inefficient and lacks buy-in’. The overarching challenge for UK law enforcement is ‘to consistently prioritise those crimes that merit the most attention and ensure that the skills of the investigator match the profile of the crime – a task made more difficult due to the cyclical nature of priority setting in many law enforcement agencies’, the report says.

As cyber fraud is an international crime, the document proposes that alternative models of pursuing criminals should be considered, such as ‘technical take-downs’ and asset recovery. As the National Cyber Security Centre (NCSC) has done for cyber security, the National Economic Crime Centre should act as the central agency for ‘protect’ activities and publish clear advice for potential victims, the report argues among its recommendations.

In a foreword, Sir John Hayes MP pointed to the paper’s recommendations including ‘the call for a whole-of-society approach to tackle cyber fraud, including a stronger relationship between law enforcement agencies and the financial services. In particular, I want to champion better information sharing among partners, and see victims prioritised through the allocation of further funding to the National Economic Crime Victim Care Unit.’

In another foreword, Stephen Head, the retired policeman who was the national coordinator for policing economic crime, said that criminals and, in some instances, state actors have used the power of the internet to industrialise fraud. He said: “The current coronavirus pandemic has caused many businesses to accelerate their digital strategies and move online more quickly than anticipated, and it has been alarming to see how quickly cyber fraudsters have responded to these changes and sought to take advantage of the global emergency for their own ends.”

For the full, 76-page document, visit the RUSI website.

Comments

Tim Helming, security evangelist at cyber threat intelligence firm DomainTools, said: “The ubiquity of databases of stolen credentials available to purchase for a few dollars on the dark web means that this type of scam has become easier to pull off. This uptick in smaller value fraud that leverages compromised account credentials is an unfortunate example of the reasons why users should be extremely careful not to open unsolicited emails or click on suspicious, unsolicited links. When not aimed at stealing funds directly, phishing email campaigns are often the vector through which criminals harvest account details in order to feed the pipeline of further cybercrime.

“While users can trust banks and retailers to be fighting fraudsters from their end, there still needs to be awareness on the part of customers that what they do to protect their digital identity matters a great deal. Reusing passwords across different websites and not enabling stronger controls wherever possible can increase the risk of becoming a victim.”

Brett Beranek, Vice-President & General Manager, Security & Biometrics Line of Business at product firm Nuance Communications, said the report should come as no surprise. “Fraudsters don’t stop their crimes because of a pandemic. In fact, they often seize the immense change that comes with an event like this to ramp up their activity – changing tactics and targeting individuals and businesses whilst they are at their most vulnerable and least protected to manipulate their data and steal their personal information.

“This is why biometrics such as voice and behavioural recognition, fingerprints, and eye scans are critical to a secure online presence. Thanks to years of interacting with smart devices, customers often already feel comfortable with fingerprint ID and facial recognition. Unfortunately, most of these device-side biometric authentication methods don’t have any real impact on stopping fraudsters. This is because, firstly, it is challenging to determine who has created the biometric print, and secondly, the prints are limited to a specific device, making them difficult to leverage across multiple channels and impossible to port from one device to the next. It is therefore server-side biometrics, such as voice biometrics, that will result in both significant fraud prevention and frictionless, secure, convenient customer experiences.”

“When it comes to fraud, prevention is always better than a cure. In today’s landscape consumers are more aware than ever of the importance to protect their own information, and they will hold accountable the organisations that don’t do enough to protect the information they share with them. Without question, we need to be one step ahead and education around the most effective security solutions – like biometrics – is key.”

And at the cyber firm BlackBerry, Adam Bangle, VP EMEA said: “Cybercriminals exploit confusion and uncertainty. The pandemic has been a case in point with a huge rise in scams and new approaches to exploiting the general public. ‘Silent stealing’ tactics, including unauthorised access to accounts and low level anomalous activity in pay-streams are on the rise. But the success of these scams needn’t be inevitable.

“We know the scams and hacks are coming, so we must all understand what is at stake. Personal data is worth more than ever – bank details, passwords, even shopping basket history, and it can be used in many ways to steal money from bank accounts.

“We must prevent cybercriminals getting hold of the data which allows them to carry out silent fraud. On an individual level, weak passwords and human error – including trusting emails about your order or calls from your bank – will let the hackers in. Organisations that hold customer data also have the responsibility to deploy fully up-to-date cybersecurity that tracks and defends against new threats created by those looking to steal this data. Together, we must all make the job of cyber attackers as difficult as possible. How? By improving cyber hygiene through constant vigilance and exercising zero trust.”
