UK Finance Economic Crime Office reports 1.2 billion pounds stolen through cyber fraud
March 25, 2019
UK Finance has released its annual report, Fraud the Facts 2019: the definitive overview of payment industry fraud. As if any more information was required, it highlights the impact of data breaches on the commission of acts of fraud.
The brief overview to this 53-page report makes for grim reading:
Unauthorised financial fraud losses across payment cards, remote banking and cheques totalled £844.8 million in 2018, an increase of 16 per cent compared to 2017.
Banks and card companies prevented £1.66 billion in unauthorised fraud in 2018. This represents incidents that were detected and prevented by firms and is equivalent to £2 in every £3 of attempted fraud being stopped.
In addition to this, in 2018 UK Finance members reported 84,624 incidents of authorised push payment scams with gross losses of £354.3 million.
In summary, the report noted:
- Data breaches are a “major contributor” to fraud experienced in the UK.
- The number of phishing websites targeting UK banks and building societies fell, with the focus switching to impersonating other organisations such as online retailers, travel and leisure firms, HMRC and telecommunication companies instead.
- Criminals are using more low-tech methods, such as distraction thefts and card entrapments, to steal physical debit and credit cards, which are then used to commit fraud.
- £1.2 billion was successfully stolen “through fraud and scams” in 2018, with personal data stolen from businesses used to perpetrate much of that fraud.
- “Information stolen through a data breach can be used for months or even years after the event.”
- Unauthorised financial fraud losses across payment cards, remote banking and cheques rose 16% in 2018 to total £844.8 million.
- Authorised push payment fraud accounted for a further £354.3m of losses.
- On a more optimistic note, banks and payment card providers helped prevent further fraud totalling £1.66bn in 2018 through “advanced security systems and innovations”.
The industry responses have been:
- investing in advanced security systems to protect customers, including real-time transaction analysis, behavioural biometrics on devices and technology to identify the different sound tones that every phone has and the environment that they are in.
- delivering the Banking Protocol – a rapid response scheme through which branch staff can alert police and Trading Standards to suspected frauds taking place.
- sponsoring a specialist police unit, the Dedicated Card and Payment Crime Unit (DCPCU), which tackles the organised criminal groups responsible for financial fraud and scams.
- working with consumer groups to develop a voluntary code to better protect customers and reduce the occurrence of APP fraud.
- working with Pay.UK to implement Mule Insights Tactical Solution (MITS), a new technology that will help track suspicious payments and identify money mule accounts, and Confirmation of Payee, an account name checking service for when a payment is made, that will help to prevent authorised push payment scams.
- hosting and part-funding the government-led programme to reform the system of economic crime information sharing, known in the industry as Suspicious Activity Reports (SARs), so that it meets the needs of crime agencies, regulators, consumers and businesses.
- working closely with mobile network operators and the messaging industry to trial a new anti-spoofing system to help root out scam text messages.
- helping customers stay safe from fraud and spot the signs of a scam through the Take Five to Stop Fraud campaign, in collaboration with the Home Office.
Some of those responses are present in one form or another in Australia, but generally the response has been less sophisticated.
While data breaches are a constant threat, there are established and generally quite simple steps businesses can take to avoid falling victim to scams, such as using multi-factor authentication and having internal processes for verifying changes of bank details. In addition, proper and ongoing training to avoid social engineering, phishing and ransomware attacks should be part of any organisation's operations. Unfortunately, that is commonly not the case.