Action Fraud should be renamed the ‘National Fraud and Cybercrime Reporting Centre’, to reflect that cyber crime is not only about fraud, but voyeurism, harassment and domestic disputes, according to a new report.
For many victims of computer crime, security behaviours were ‘not strong’ and only a minority became more cautious in their online behaviour afterwards, according to an academic study of victims of computer misuse for the Home Office.
As a sign of how ‘security behaviours’ or lack of them might be behind falling victim to a cyber crime, some victims had no idea how they had fallen victim. Several described ‘weak point’ moments: they considered their resilience generally strong, but at a particular time they had fallen victim. They may have been in a rush, focusing on a task or wider personal issues. These could be exploited by good social engineering by the criminals.
Some victims reported poor security habits such as poor passwords, using the same passwords and easily guessable passwords, such as family names. Several victims reported using either no anti-virus, free versions or not updating it. Risky behaviours were admitted by some victims as a probable cause of their incident, such as visiting unlawful websites to watch pirated movies.
All that said, the researchers found that ‘many victims did not know what had happened and wanted to know’. Most victims regard CMC (computer misuse crime) as an equivalent crime to traditional crimes like burglary, as stressed by Prof Mark Button, Director of the Centre for Counter Fraud Studies at the Institute of Criminal Justice Studies, University of Portsmouth. He led the interviews of victims. He said: “There has been a perception that cyber-crimes don’t have as bad an impact as some physical crimes, but this report shows that computer misuse crime has similar, and in some cases a worse impact, than comparable traditional crimes such as burglary. We found victims who compared the cyber attacks to physical assaults, some rape and some contemplating suicide as a consequence.”
The survey victims felt net financial losses ranging from £2 to £10,000, with a mean of £657 and median of £250. Many victims experience no financial loss at all. Some do not experience a direct financial loss from the crime, but experience costs in dealing with the consequences of the crime, such as time on the phone to banks and the official reporting line for England and Wales, Action Fraud; and purchasing antivirus software.
Other losses ranged from loss of computer files and never being able to recover them all; damage to reputation (one victim interviewed had details of a past rape exposed); and health and psychological impacts such as anger, anxiety, fear, isolation and embarrassment.
The researchers found frustration among some victims at the perceived or actual lack of action, whether they reported to their bank or internet service provider or Facebook, or to police (some via 999) or Action Fraud. According to the report: “Some victims struggled to secure police acceptance of their case when there was clear evidence of a crime.”
Other than letters, few victims recalled any substantive support to better equip them to prevent incidents.
Prof Mark Button said: “Despite nearly a million computer misuse crimes being reported in the 2018 England and Wales crime survey, just 23,683 were recorded by Action Fraud. This illustrates significant under-reporting and highlights a subsequent lack of support for those who have often been left deeply affected by the crimes.”
The report calls on the UK’s official National Cyber Security Centre (NCSC) to work with key bodies such as Action Fraud and Getsafeonline, and with relevant service providers who receive cybercrime reports, such as banks, social networking sites, email providers etc, to provide a common set of words and website links.
The Portsmouth researchers defined computer misuse crime (CMC) as the cyber-dependent crimes largely grouped under the 1990 Computer Misuse Act of hacking related offences, computer virus/malware/spyware related infections, denial of service attacks and ransomware. As plentiful other evidence has shown, cyber crimes are under-reported to the authorities and there is much ‘attrition’ – in other words, even if police take a report of a cyber crime, very few reports come to anything.
As the report points out, ‘the central challenge of the name Action Fraud is for many victims this does not sound like a body cybercrime should be reported to, particularly when it does not involve fraud’.
Some of the victims for this research were supplied via the National Fraud Intelligence Bureau, and the categories under which victims were recorded were not always accurate. For example, there was one victim of spam mail classed as a hacking victim, a victim of hacking classified as ransomware and a victim of a phishing attempt listed as a hacking victim.
To read the full 16-page report, visit the Portsmouth University website.