The ONS has published its overview of fraud and computer misuse statistics for England and Wales. It has also published the dataset on which this is based. Taken together, the two make for some interesting reading and how a very different view to that of the cybersecurity industry.
The Crime Statistics for England and Wales cover the period ending September 2017. They show 272,980 offences reported to Action Fraud, a new record. This is just the tip of the iceberg. The report goes on to say: “Analysis of the CSEW revealed that only 14% of incidents of fraud and computer misuse either come to the attention of the police or are reported by the victim to Action Fraud.”
For consumers there is some good and bad news in these numbers. Overall fraud and computer misuse against individuals is down. However, the chance of being a victim of fraud and computer crime is still much higher than many other crimes. The report claims that fraud and computer misuse is 10 times higher than theft from the person and 35 times higher than robbery.
If the news is good for consumers, it is bad for businesses. Analysis of the statistics show that criminals are turning their attention away from individuals and towards businesses. Action Fraud data shows a 60% increase in businesses reporting computer misuse.
The numbers from the ONS
The numbers from the ONS, when it comes to individuals, are interesting. It not only looks at what has been reported but also the age of the victim, their job title and their net worth. It makes for very interesting reading and gives some indication on the impact on businesses.
Last year there were 4.7 million incidents of fraud and computer misuse experienced by those aged 16 or over. That number is 15% down on the previous year. Looking further into the details, fraud has fallen 10% to 3.2 million offences. One area where there has been a significant fall is advanced fee fraud. This is often where people pay for tickets and other goods that are not delivered. There has been a significant crackdown in this area by trading standards.
Those aged 35-44 were more likely to be victims (7.4%) These are also likely to be in managerial and professional occupations which is the most likely group by profession (8%). Students and those age 16-24 make up 4.9% and are much more likely to suffer violence than they are fraud or computer misuse.
Computer misuse also showed a big decline. It was down 24% to just 1.5 million offences with virus attacks down 26% to 1 million offences. Unfortunately, unauthorised access to personal information, including hacking, has shown no significant change. These numbers do not include large data breaches from companies. These are just about attacks against individuals.
The most likely people to be victims of computer misuse are households with an income of more than 50k (4.4%). Poorer households have just a 2.5% risk.
One-off attacks or repeated attacks
Taking into account the number of breaches by retailers, telco’s and websites, it is easy to think that most people are subjected to multiple attacks. The ONS data disagrees. Its numbers show that: “the large majority of victims of fraud and computer misuse had been a victim only once (81%), with the remaining 19% having experienced more than one offence (within the same 12-month crime reference period).”
What about those that suffered repeated attacks? It seems that victims of bank and credit account fraud were more than 3 time as likely (15%) to suffer repeated attacks than any other types of fraud (for example, consumer and retail fraud, 5%).
The data also shows that 2.4 million offences involved initial loss of money or goods to the victim. This accounts for 73% of recorded cases with 63% losing less than £250. Interestingly 84% received a full refund from their financial services provider.
What does this mean?
For individuals the news here is more positive than it is negative. The system to refund card owners when they are defrauded seems to work in the majority of cases. However, the underreporting of cases is a major challenge. This is something that needs to be addressed. Reporting small scale fraud on a credit or debit card to the police is not a good experience. This may be one of the reasons for a lack of reports.
For businesses the situation is more serious. The focus of computer misuse on 35-44 year olds who hold managerial positions will almost certainly lead to credential loss. This allows the hackers to go after a target with deeper pockets. The ONS numbers do not provide enough data to analyse how many of these victims work for companies who later suffered an attack. The likelihood is that given the known attacks out there, many of them were targeted for those credentials.
According to Tim Ayling, Director, Fraud & Risk Intelligence at RSA Security: “Despite a marginal drop in recorded cases, it’s clear from the CSEW results that cyber criminals are still having an online fraud frenzy, as criminals continue to profit from posing as major retailers, banks and brands online to trick you into giving up valuable personal and financial data.
“In general, users should avoid clicking on links to websites from emails, if it is from an unknown source. Instead, search for the website using an engine. Secondly, always be sure to check the URL of a site you’re visiting to make sure that it is correct before entering any details – often with spoofed sites there will be a few letters in the wrong place that will give clues that it is not official, the devil really is in the detail. Thirdly, check the address bar to ensure you are visiting a secure site, and that no warnings appear in your browser. Lastly, if you have any doubts, check official company websites for a phone number, and call to get validation before sharing any personal information.”