Credit service agency Experian has reported that the UK loses over £190 billion per year to fraud. That staggering number comes from its Annual Fraud Indicator 2017 report. £190 billion is equivalent to £10,000 per family. It is more than 9% of the UK’s projected GDP for 2017 ($2,496 (£2,080) billion according to Statistics Times). That figure is also more than the GDP of countries such as Romania, Qatar and Hungary.
Private sector fraud accounts for the bulk of this figure: £140 billion. The rest is made up of £40.3 billion in the public sector, £6.8 billion aimed at individuals and £2.3 billion from charities.
In June, the National Audit Office report on online crime said: “For too long, as a low value but high volume crime, online fraud has been overlooked by government, law enforcement and industry. It is now the most commonly experienced crime in England and Wales and demands an urgent response.”
The September minutes of the Joint Fraud Taskforce Oversight Board show that progress is being made on reducing Cardholder Not Present fraud. The Board also looked at how fraud reporting should be made easier. One of the downsides of the latter is that it will inevitably show an increase in reported cases, leading to a short-term blip as the scale of fraud becomes better understood.
Technology driving greater levels of fraud
Technology is blamed for opening up new avenues for fraud. Online banking fraud was up 226% in the last year and telephone banking fraud by 178%. Both of these currently rely on systems that can be circumvented by keyloggers and other tools. They are also open to user credentials being accessed when people do their banking in public spaces.
Commuters will call their bank on the way home or do online shopping where they are asked security questions and other data. Most systems rely on voice response and that means anyone nearby can grab details. It is not unusual to hear someone providing their full credit card details, including the security code. It is not just train stations. Airline lounges and coffee shops are also major hotspots for listening in for this data. Once criminals have credit card data they can use it for Cardholder Not Present scams.
CEO fraud, or Business Email Compromise (BEC), is also on the rise despite some high-profile public cases. This is where fraudsters send emails pretending to be from a CEO. Those emails insist on monies being transferred or invoices being paid. This level of fraud is as much organisational as it is technological.
Experian also sees technology as part of the solution
Fixing this fraud problem also relies on technology. Many large financial institutions run complex fraud detection systems. These look at transactions and apply a complex series of validations to detect fraud. This requires large amounts of computing power and data. Insurance companies and some banks also share data to improve fraud detection.
For many mid-sized and smaller companies this is not a solution. There is a need for better solutions to be available to them through cloud computing. Fraud Prevention as a Service solutions have been talked about but there are limits. The majority of the solutions currently available are focused on online banking. Given the rise in fraud in that sector they do not appear to be doing well.
The solution may lie with machine learning systems. This is fine for regular payments and B2B transactions. It will require a lot more validation and data in order to work for B2C transactions.
Another route is new regulation measures. One of these is mentioned in the report, Payment Services Directive 2. Another is the EU Payment Services Directive. The latter was discussed at the September Joint Fraud Taskforce Oversight Board and is due to be implemented by December 2018. As with GDPR, it will be implemented by the UK prior to it leaving the EU.
What does this mean?
Although the risk of fraud has increased, there is no need for people to panic. Most personal fraud can be prevented through better personal security. Not giving out password data to financial institutions in public places is one solution. Not making purchases over the phone when sitting on a train or tube, or in a coffee shop or airline lounge, is another.
Companies need to pay more attention to invoices coming in and also to their cybersecurity. With so much banking being carried out online, keyloggers are able to grab all the access details required to get into bank accounts. Better staff training is also required to spot phishing attacks and BEC attempts.
Banks also need to do more to protect their customers. This includes the use of multi-factor authentication as a default. Some banks now send out fingerprint readers so that customers can authenticate payments. They replace the old card machines that relied on the PIN, which was often easy to steal.
Fraud has always been and will always be with us. While technology makes it easier for the fraudster in some ways, it also makes fraud easier to defeat. Should technology companies do more to protect customers? It is easy to say yes but it also assumes that people will use the solutions available to them. As with cybersecurity, the gap between availability of solutions and their take-up is large. Technology can only protect those that choose to use it.