The UK’s Response to Cyber Fraud: A Strategic Vision

Abstract

THE UK PUBLIC is more likely to experience fraud than any other crime. Its widespread nature is partly because it is amplified by the internet, making it a cyber-enabled crime type. The scale of cyber fraud continues to increase at such a pace that it has become difficult to manage, let alone eradicate. It affects the UK public and businesses (both large and small) and undermines the functioning of a modern, digital society. Despite its serious impact on the UK, cyber fraud has not received the appropriate level of coordinated response. Responsibilities for tackling the issue are unclear, creating a sizable leadership vacuum at the policy level. Financial institutions are usually the first line of defence in any instance of cyber fraud, and are often required to reimburse the victim. But to reduce the harm cyber fraud is having on society, there must be a reduction in the number of victims in the first instance. In the current model, this puts enormous pressure on UK law enforcement agencies and financial institutions to work together effectively. Pursuing criminals, reducing the crime rate and preventing re victimisation remain key law enforcement responsibilities that require a functioning relationship between them. Cyber fraud occurs over three main stages, prompting a multi-pronged response involving a range of stakeholders. First, data is unlawfully obtained from victims via various means including social engineering or phishing emails, leading to the theft of data from individuals or businesses. Next, stolen data is used to fraudulently transfer or divert funds into accounts controlled by criminals. Finally, the illicitly obtained funds must then be moved and laundered to conceal their origin. Despite wide variation in the type of victims and perpetrators involved (from individual opportunist criminals to sophisticated international organised crime groups), all stages of cyber fraud present pinch points for financial institutions and law enforcement agencies to detect and prevent the successful commission of the crime. The aim of this paper is to provide targeted, long-term recommendations for stakeholders across government, law enforcement and the private sector by delineating roles and responsibilities for tackling cyber fraud. In doing so, the authors recommend that the existing components for tackling cyber fraud require an ambitious strategic approach to use current stakeholders and mechanisms effectively. The findings and conclusions are based on in-depth qualitative and quantitative research comprising a literature review, interviews, workshops and a survey, engaging with stakeholders from across these sectors. The paper outlines several significant issues hampering the current model. Research has highlighted a worrying lack of clarity regarding the definition, understanding and measurement of cyber fraud (and of fraud more generally). There are differences in the way incidents are defined and recorded between financial institutions and law enforcement agencies, suggesting a need to standardise terminology and reporting practices. The current model suffers from contrasting levels of prioritisation of cyber fraud across different stakeholders. Some financial institutions see cyber fraud as a high priority due to the risk of reputational damage, while others are more likely to think of it as just another cost of doing business. Meanwhile, for most law enforcement agencies, it is not always considered a high priority compared to violent or drug-related crimes due to its less visible and less physically harmful nature. The lack of sufficient funds for police to respond to cyber fraud cases effectively is another by-product of its seemingly victimless nature. Moreover, when operations are conducted successfully, their impact does not always receive sufficient visibility and recognition. This can make prioritising cyber fraud for law enforcement a thankless pursuit and therefore undesirable. Information sharing between law enforcement agencies and financial institutions is inefficient and lacks buy-in. Despite numerous information-sharing partnerships and industry forums, significant limitations remain in the processes used to share information and in the quality of data that is provided. An effective system, proposed in this paper, would require sustainability, scalability, reciprocity and multi-functionality. None of the existing partnerships are assessed as fulfilling these four criteria. Successfully prosecuting the perpetrators of cyber fraud remains a significant barrier due to the international nature of the crime and a reliance on cross-border alignment. The cost and time of investigations often compound this issue. Alternative models of pursuing criminals should be considered to help tackle cyber fraud. Law enforcement efforts should be built around a ‘pursue’ response that uses disruption activities like technical takedowns, while exploring practical avenues for arrests and asset recovery where possible. Underlying this should be a focus on protecting vulnerable people from becoming victims of cyber fraud, ensuring that they receive a service befitting of the harm caused by the crime. As technology continues to develop, the cybercrime landscape is rapidly evolving, requiring an agile, coordinated and strategic approach across law enforcement, government and the private sector. To build an effective response to the threat, this paper calls on the Home Office to lay out the UK government’s vision for tackling cyber fraud in a dedicated strategy underpinned with investment. This strategy should be designed and implemented with the support of UK business. The authors outline a series of recommendations which should form the basis of this approach moving forward. Show more