Justice Committee 

Oral evidence: Fraud and the Justice System, HC 961

Tuesday 22 March 2022

Ordered by the House of Commons to be published on 22 March 2022.

Members present: Maria Eagle (Chair); Rob Butler; Angela Crawley; Laura Farris; Paul Maynard; Dr Kieran Mullan.

Questions 163 - 211

Witnesses

I: Katy Worobec, Managing Director, Economic Fraud, UK Finance; Luke Taylor, Representative of Telecommunications UK Fraud Forum; and Lulu Freemont, Head of Digital Regulation, techUK.

II: Damian Hinds MP, Minister for Security and Borders, Home Office; and Duncan Tessier, Director for Economic Crime, Home Office.

In the absence of the Chair, Maria Eagle took the Chair.

Written evidence from witnesses:

Home Office


Examination of witnesses

Witnesses: Katy Worobec, Luke Taylor and Lulu Freemont.

Q163       Chair: This is the third session of the Justice Committee investigation into fraud and the justice system. Our witnesses today are virtual and I shall ask them to introduce themselves to the Committee before we ask the questions that we have for them. Would you like to tell us who you are and what you do?

Katy Worobec: Good afternoon, everybody. My name is Katy Worobec. I am managing director for economic crime at UK Finance, the trade association for financial services. Economic crime in this context covers fraud and financial crime: money laundering, anti-money laundering, bribery and corruption, and sanctions, to name but a few.

Luke Taylor: Good afternoon. My name is Luke Taylor. I work in the telecommunications industry. Today, I represent TUFF, which is the Telecommunications UK Fraud Forum, a membership body for telecoms industry members to tackle fraud and take fraud to prosecution.

Lulu Freemont: Hi, everybody. I am Lulu Freemont, head of digital regulation at techUK. For those of you who do not know, techUK has a broad membership of about 850 tech companies, the majority of which are SMEs, stretching through to cyber companies, defence companies and telecommunications companies. We work across all facets of cyber-enabled crime from fraud to more technical threats, including ransomware and phishing. My expertise is in working on regulation and thinking about how important collaboration is between our members and other private and public sectors. That will be the focus of my answers today. Thank you for having me.

Chair: Thank you for joining us. I am going to ask my colleagues to make their declarations of interest and then we will go straight into questions. I am a non-practising solicitor.

Rob Butler: Prior to my election, I was non-executive director of HMPPS and a magistrate member of the Sentencing Council.

Laura Farris: I am a non-practising barrister.

Q164       Chair: There are none from Mr Maynard and Dr Mullan.

There is an extremely high level of fraud at present in this country. It is going on at a quite shocking level. According to the inspectorate, there are 3.7 million offences a year. Action Fraud records almost 414,000 instances of fraud reported to it in 2020-21, and 400,000 were reported through alternative channels. Only 6,500 defendants were prosecuted in that year, so a lot of this crime is happening and not as much as we might wish is being prosecuted or dealt with. That is just the background.

This is a very high-volume offence. Could you tell us the most common fraud you see? What is driving the tremendous increase we have seen in fraud crimes in recent years? Could we turn first to Katy Worobec?

Katy Worobec: From the perspective of the type of crimes reported to us in UK Finance from our members, the main issue in recent years is a huge growth in what we call push payment fraud, or banking transfer fraud as it is sometimes called. This tends to be the type of fraud where the victim is the focus of the fraudster. That might sound self-evident, but what I mean by that is that in the past we have had a lot of issues with things like card fraud, where the fraudster has to overcome defences put in place by the bank. In push payment fraud, the victim is seen as the weakest link by the fraudster and they are duped into making payments from their account to another account, primarily. That causes all sorts of issues, in the sense that it is more difficult to detect and prevent. It does not matter what security measures are in place in the banking system if the customers themselves are making the payment to the fraudster. That is the first key point.

Building on that, all the time fraudsters tend to hang off world events or things that are happening in the news in order to make some credibility around the types of approaches they make to customers. Typically, they approach a customer to get information from them in the first instance and then play that back in order to sound credible. They talk about things that are going on in the world, such as the pandemic or the war in Ukraine, and use that as a hook to pull people in. It manifests itself in a number of ways, through things like simple impersonation fraud, where somebody is pretending to be from the police, the bank or some other trusted authority, to things like romance fraud, where people are duped into making payments to people who have fake profiles online, or investment fraud, where people are duped into making investments either in stocks and shares that do not exist or in Ponzi scheme-type frauds. The main driver behind them is that the fraudster is focused all the time on the victim as the weakest link.

Q165       Chair: What do you think are the main drivers behind the increase in these kinds of frauds?

Katy Worobec: I think it is because the fraudsters see the victim as the weakest link and it is very difficult to detect that. I am sure that Lulu will be able to comment on this, because we are working together trying to tackle the issues upstream, if you like, where people’s personal and financial details are harvested by the fraudster by advertising or appearing on things like social media platforms. People give away their information and that manifests itself as fraud further down the line.

What we are trying to tackle together is the upstream manifestation of the fraud in social engineering. It is trying to tackle the issue that is driving this type of fraud, which is what we call a kill chain, the piece up front outside the control of the banking industry in its purest sense and which needs the collaboration of telecom industries, online platforms and others to tackle it.

Q166       Chair: Mr Taylor, what do you think are the main drivers behind the increase in fraud crimes that we have seen?

Luke Taylor: It is interesting. For the telecommunications industry, fraud is not just impacting consumers; it impacts their industry as well, regarding their networks and infrastructure. Telcos have seen quite a significant change in the last couple of years. Individual consumers are being scammed and abused through the telecommunications medium. They receive an SMS or a call on their phone and a confidence trickster persuades them to move money or provide information, which the confidence trickster can then change, or to open bank accounts. In theory, there is very broad potential for fraud.

Telcos have historically tackled frauds that impacted them financially. Now they are seeing a lot more consumers contacting them to say, “I’ve been duped or scammed; my phone has been SIM-swapped.” They get a lot more consumer pressure to look at frauds that may not be their direct responsibility, but impact them because their consumers are suffering. They need collaboration with financial institutions, online platforms and so on, to see how they can resolve some of those issues.

As Katy mentioned, Covid is one impact. It is anything topical that people can call about and abuse: for instance, Ukraine or the time of year for submitting personal taxes. All of those things are topical and fraudsters look for the easiest route to try to open a door, gain confidence and extract information or gain financial benefit immediately.

Q167       Chair: Why do you think there is so much more of it now than there used to be?

Luke Taylor: It is a model where, if you fire lots of arrows, a few will hit. There is now the ability to send multiple SMSs; you can make multiple phone calls; you can robocall; you can do a lot of activities. This week, I have probably had several automated calls to say that I am being inquired about as a drug trafficker so, “Please call this number.” If I call the number I will get hooked into a cycle where information is taken from me. They will go off and open my identity.

Telcos suffer from things like subscription fraud where individuals go in, open services and take high-value phones, such as iPhones. That is a huge cost to a telco. Some of it is undertaken by scamming and taking the identities of others. It is volume based. You can do multiple SMSs; you can open up and make lots of robocalls to multiple people. Unfortunately, people who might not be educated about the frauds that are available may take those calls.

Q168       Chair: Ms Freemont, do you have a perspective on this from your professional work?

Lulu Freemont: It is interesting that both of the other witnesses have raised this. It is very similar to what we see. The tech sector is vast. Segments of the tech sector include telecommunications, visual identity providers, cyber companies and defence companies. My response is to look at the full picture. One thing we see is that fraud is not fragmented. There is a value chain and there are responses at each step of the way in that value chain through the tech sector, including telecommunications, all the way through the financial sector and obviously law enforcement.

A lot of work is going on to disrupt different types of fraud, but ultimately the nature of the crime is changing. From techUK’s perspective, we see this as the result of how much our global economy is digitising, and how much the pandemic has caused us to rely a lot more on tech and increase our digital footprint for the wonderful opportunities that we have enjoyed, but, as ever, the fraudsters have learned to adapt and manipulate the system. At each step of the value chain in the tech sector the fraudsters manipulate different systems and processes. I am sure we will get on to this, but that is why we believe we need to work not just within the sector but across sectors, to match the journey of the fraudster, see the journey that the fraudster is taking the victim on and think about how we can streamline our processes, whether that is information sharing or whatever it might be, to have more meaningful interventions.

Our members see different types of fraud across the whole diversity of the sector: identity fraud, purchase scams and investment scams, to name a few. We do not collect research on that in the same way UK Finance does, but we need to think about our response collaboratively.

Q169       Chair: Can you tell us what the industries that you represent are doing to help prevent people falling victim to the burgeoning type and amount of fraud that is going on? I assume you agree with me that fraud undermines public confidence in your industries and in doing things digitally online or whatever. Whichever way somebody has been caught by fraudsters, it is going to undermine their confidence in continuing to use that platform or method of doing things. What are you all doing to help prevent people falling victim to this level of fraud, and what more can be done? There seems to be an increasing amount of fraud and losses.

Lulu Freemont: More can always be done in this space. The fraudsters are beating the system at the moment and manipulating victims, and we are very keen to continue and enhance our work in collaboration on that.

At techUK, we have about 250 to 300 members working across the cyber domain. Many of them are looking at the technological capability that underpins it and that is at the lower cyber-security and defence level that enables us to live and work securely. We have telecoms and ISPs in our membership. I am sure Luke will pick up on this, as they have been working very closely with the Home Office on charters and have developed 159, which is an emergency hotline to report scams.

For some of our larger platforms, we have been collaborating with UK Finance in the Online Fraud Steering Group, which is an important initiative and collaboration set up about nine months ago. Out of that, we are not only trying to tackle the difficult questions around data metrics and information sharing; we have also seen some action from techUK members. Twitter, Meta and Microsoft have all committed to introduce a new advertising onboarding process that requires UK-regulated financial services advertisers to be authorised by the FCA prior to selling financial services adverts. This is in addition to Google, TikTok and Amazon, which already have that in place. It is about investment scams and enhancing co-ordination with the Financial Conduct Authority to make sure that adverts are authorised by the FCA prior to being served on the site.

That is a little snippet of what our members are doing. I cannot speak on behalf of individual ones as such, but at each step of the way, and across the broad membership, members are working on this. What is missing is collaboration. That is why we are so pleased to be working with UK Finance and the National Economic Crime Centre on the fraud steering group.

Q170       Chair: Katy Worobec, can you tell us what you are doing in your industry to try to prevent this huge increase in fraud?

Katy Worobec: Building on what Lulu was talking about, the first aspect is what individual members are doing themselves. Each and every financial services firm will have invested in advanced security systems like real-time transaction analysis and things like behavioural biometrics to try to detect fraud and prevent it as the customer starts using the system.

Taking it back a step, we are responsible for Take Five, which is an educational awareness campaign supported by 30 or more of our members. We use that campaign to try to help victims, or potential victims, of fraud. Some of the techUK members we have been working with are also now supporting the campaign by adding credits on their platform. That is aimed at trying to stop people falling foul of fraud or being a victim in the first place.

At industry level, we have something called the banking protocol. It was put in place a number of years ago and has saved over £174 million in fraud since it was launched in 2016. Staff in branches have the authority to call 999 and get people to attend the branch if they think somebody is being manipulated by a fraudster in real time. It is also being extended to call centres. We have our own police unit, the dedicated card and payments crime unit, which is funded by the industry. That is working to tackle organised criminal gangs involved in these types of fraud, with some great success. It prevented an estimated £85 million of fraud in the first half of last year. There is a whole range of different initiatives, both within individual members and at industry level, which we are putting in place to tackle this type of crime.

Q171       Chair: Thank you. Finally, Mr Taylor?

Luke Taylor: TUFF members are predominantly telecom operators in the UK. All the telecom operators have been looking at and managing fraud for many years, but obviously the frauds have changed over the past few years in that they have migrated to being more consumer-centric. Consumers are impacted through different scams that may be perpetrated through phones. A lot of operators are upgrading technology and expanding their own capabilities to manage and identify fraud. There is also a direct impact on customer care departments. They need to liaise with customer care departments, which usually receive some of the complaints or concerns.

Ofcom, the UK regulator, is introducing new policies, and there are some consultative aspects going on there at the moment on how they can potentially look at improving areas that might assist. A number of frauds are perpetrated by using things like CLI spoofing, where the fraudster mimics a legitimate phone number or SMS. It may look like it is coming from HMRC, Amazon and so on. They are looking to see how they can close down that technology weakness going forward.

Chair: Thank you.

Q172       Paul Maynard: Back in October last year, the Government set up the Joint Fraud Taskforce to encourage both public and private sectors to coordinate more. I know it has been only seven months, but have the witnesses seen any improvements since that time? Has the taskforce made a difference?

Katy Worobec: The Joint Fraud Taskforce was relaunched in October last year, as you noted. It had been going for a number of years under several guises. The latest appearance, chaired by the Security Minister, Damian Hinds, feels much more invigorated, in the sense that there seems to be a real sense of purpose, bringing people to the table perhaps to do things a bit more proactively than we have seen in the past.

The jury is still out on how much difference it will make, but it is important that the Government use their convening power to bring people to the table. We are very much firm believers in the fact that we all need to work together to tackle this type of fraud. It is not something that can be tackled by any one sector on its own; everybody has to come together, by which I mean all parts of Government, ourselves, our sector, the tech sector, the telecoms industry and legal accountancy. Everyone has a part to play, and it is only by bringing people together to focus on the problem that you will make a real difference.

Q173       Paul Maynard: Can Mr Taylor or Ms Freemont identify any steps forward since October?

Luke Taylor: I am afraid I cannot comment on seeing anything visibly different since then. A lot of activity is happening in parallel to that, but, as Katy says, it has to be a collaborative approach. It is a good step, but it needs a lot more collaboration and communication to ensure that we can move forward. People working in silos will not achieve what is needed. There needs to be collaboration across all the industries, consumer groups, individuals and so on. There has to be a whole raft of education and collaboration to allow this to resolve some of the consumer frauds that people see in the press.

Q174       Paul Maynard: I have yet to meet anyone during this inquiry who thinks there does not need to be more co-ordination and co-operation, so we are all agreeing violently that this needs to be done.

Ms Worobec, in your oral evidence to the House of Lords you mentioned the importance of better co-ordination with law enforcement agencies, particularly around information sharing. Can you say a little bit more about the specifics of what you think needs to be done in that particular area?

Katy Worobec: The whole issue of information and intelligence sharing is extremely important in this space. As for information that we share with law enforcement on fraud as the financial services industry, we have a long history. We provide information to the National Fraud Intelligence Bureau and we work in concert with the National Crime Agency in a number of areas.

Where we get stuck sometimes is being able to share information and intelligence across the sector and with other sectors. Feeding information to law enforcement is okay and there are gateways for doing that, but we believe more could be done if we were able to share information more readily between people in the sector and with other sectors. It is easier with fraud. When you begin to stray into money laundering, you get into all sorts of issues around contravening money laundering regulations, and fraud quickly becomes money laundering once funds start moving from one account to another.

I think more can be done to help. We would like to see more legislation to help slow down and freeze payments to allow industry investigation. That is not really possible at the moment given the speed at which transactions move. To summarise, it is less about how we share with law enforcement and more about how we can more readily share between ourselves and across other sectors.

Q175       Paul Maynard: Do you know whether potential new regulation has been discussed at the Joint Fraud Taskforce yet? Does one of you sit on it?

Katy Worobec: The Home Office is certainly well aware of our thoughts on legislation. We are talking to them about how we can get approaches put into the next stage of the economic crime Bill in the third session, around information and intelligence sharing, so we are hopeful that we will make some inroads into that.

Q176       Paul Maynard: Is there anything on that from the other two witnesses? No? Excellent.

My third question is this. Government seem very good at setting up new bodies with new names and new acronyms, but it is probably the same people in the same room with the same biscuits. Do you think Government are properly using their convening power to drive co-ordination and co-operation across the different sectors, or is there more they could be doing? Ms Freemont, take your chance.

Lulu Freemont: You are right that there are lots of different groups and it is definitely something our members feed back to us. There are lots of different demands from different segments of Government to discuss very similar topics, such as fraud, scams or whatever it might be. Having said that, techUK has been very encouraged by our engagement with the Home Office over the past nine months. Prior to that, we were not working with them perhaps as closely as we should have been on some of the key issues.

Nine months ago we were summoned to a ministerial roundtable along with UK Finance and various law enforcement bodies to think about what we could do to collaborate across the tech sector, law enforcement and the financial services sector. That was our first introduction to being part of a group that reports to the Joint Fraud Taskforce: the Online Fraud Steering Group. Because the group follows Home Office structures it feels like it is having a greater impact. Some of the challenge arises when we think about law enforcement agencies and the various groups that stem from those which might have overlapping interests or priorities. How are those groups coordinating or sharing information with one another?

We are relatively new to working with the Home Office on this topic, but from our experience it still feels quite fresh after nine months. We have been encouraged by the group we set up, and we have formed strong working relationships. We are not working with the National Economic Crime Centre under its structures in the same way as other sectors may be, but I have heard that that is where there are sometimes overlapping groups or priorities.

Q177       Paul Maynard: Does either of the other witnesses want to comment?

Katy Worobec: I echo what Lulu said about the Online Fraud Steering Group. It is a force for good in the work we are doing and, as Lulu reminded us, it also sits as part of the Joint Fraud Taskforce structure, lest we forget that.

As to what more Government could do, we have talked about perhaps having some kind of Minister with overall responsibility for fraud. We have Damian Hinds as Security Minister, but he has other responsibilities. Fraud is such a huge problem that it would seem helpful to have a Minister for fraud who would draw together not only other sectors but all the different parts of Government that have skin in the game in dealing with fraud issues.

Paul Maynard: Thank you.

Q178       Angela Crawley: Ms Worobec, how do financial institutions engage with law enforcement specifically to aid the disruption and investigation of crimes? Could you outline some of the measures that have been taken and any further measures that could be taken?

Katy Worobec: I have mentioned our own police unit, the dedicated card and payment crime unit. That is funded by industry, and it is doing a lot of good work in tackling organised criminal gangs. We are supportive of that. Not only is it a mix of Met and City police officers working together, but it has secondees from industry as well, through UK Finance, who are assisting in that fight. It has done some good work in the last year, working with some of the online platforms and telecoms, to tackle some of the crimes we have been discussing.

We are also working with law enforcement in giving intelligence to the National Fraud Intelligence Bureau, which is collated with other intelligence sources and used to pull together cases that are then passed to local forces in the UK. As an industry, we tend not to work directly with many forces in the UK, but we work through bodies like the National Fraud Intelligence Bureau. We also work with the National Economic Crime Centre, being involved in its intelligence cells and bringing together themes and intelligence to help tackle and understand the problems seen in the worst types of crime. It is at several different levels, mainly through pooling (collating) intelligence and passing that to law enforcement, as well as working directly with our own police unit, which is tackling the problem of crime.

Q179       Angela Crawley: Is there more that the finance industry could do? Are there any other measures you have not mentioned that it could take to solve the problem? You mentioned legislation, but what could the finance industry do without legislation?

Katy Worobec: We are exploring how we can make the most of what we have. We are not just waiting for legislation to change; we are trying to push the boundaries of what we are able to do: for example, freezing payments. Where money has gone from one bank to another, we are looking at systems that can detect the money arriving in that account and try to freeze it before it gets moved on and split up into other accounts.

There are financial institutions that have been able to freeze that money. It is done slightly at risk because strictly the legal framework does not allow you to do that, but where there is certainty that the funds are the proceeds of crime, it is possible. We could perhaps be a bit bolder, but it would be helpful, even where legislation perhaps does not need changing, or it is more difficult to make changes to legislation, to get some comfort from regulators about when funds can be frozen and we can slow down payment, so that we do the best we can to stop fraud within the limits of the legislation that we have at the moment.

Angela Crawley: Thank you.

Q180       Laura Farris: I want to ask a few questions about the duties on banks and telecoms companies. Some of the consumer fraud seems to be a developing area of the law. Ms Worobec, you talked about the banking protocol, where bank staff are trained to spot a consumer who might be being manipulated to make transfers. Could I ask you about an area of the law in which there is not really clarity, and that is the duty of a bank where a push payment scam involves asking the customer to transfer funds from their own account to another account hosted by the bank? The customer is lured into a false sense of security because they recognise that they are transferring money to what they think is a legitimate account, and they think they are talking to a member of staff employed by the bank.

There are two questions. First, is there some difference between what are called challenger banks and the more established banks in the amount of due diligence they conduct on new customers? Secondly, do you think enough is required of banks to stop fraudsters hosting fraudulent accounts?

Katy Worobec: One thing I would say up front is that what we see primarily is not that accounts are opened by fraudsters. It is not so much the Know your customer piece up front that is failing. What we see is that people with perfectly legitimate accounts are duped into letting them be used by fraudsters as money mules. As an example, often we see on social media fraudsters advertising a quick way to earn money. They do not use these words, but essentially what it amounts to is, “If you let some money go through your account, we will give you a cut of it and you will make money without any effort.” That is the burden of the song. That is the problem we are trying to tackle. It is not so much whether challenger banks have better KYC procedures than some of the more traditional banks; it is about trying to tackle the problem of mule herders.

Q181       Laura Farris: What is that expression?

Katy Worobec: Mule herders. A money mule account is an account where the customer allows money to be laundered through their account. That could be done unwittingly. Often, students and young people are targeted. They do not know that they are committing a crime by allowing their account to be used for money laundering. More pertinently, we really want to try to target what we call mule herders. These people are perhaps advertising on social media and getting young people or people who own accounts to become mules and let their accounts be used. If we can tackle the mule herders and stop them being able to advertise, or stop them using social media to get people on board, that would make a real difference. It is that that we are focusing on.

Q182       Laura Farris: Is it a myth to say that the challenger banks have more robust procedures or are better at offsetting and avoiding these types of approach? Is that not true?

Katy Worobec: It is difficult to say. I do not have evidence to say whether a particular bank has better procedures than another, but we see evidence that existing accounts are being used as money mules, and the herders that cause that are what we really need to tackle. It is probably one of the most difficult issues we face.

Q183       Laura Farris: The other, related question is about when the fraud is perpetrated from a telephone number which the victim recognises as belonging to the bank or whatever—it is typically the bank. There seems to be a loophole in the law where a number can be stolen or misappropriated by a fraudster. Is there anything more the Government could be doing on that, or is it just impossible? Mr Taylor, would that be one for you?

Luke Taylor: There are things in place. Ofcom has just started an initiative to look at where, for instance, number ranges have originally been allocated. Historically, CLI spoofing, as it is called, was used for many years. Marketing companies would call up, pretend to be HSBC and say, “We're selling services on HSBC.” The phone number would come through as a legitimate number that you recognised. Unfortunately, fraudsters also gain the intelligence so that they can do the same.

There is a technological issue as well as a management aspect. Many telcos are looking to implement detection methods to look at SMSs and calls coming in that have been spoofed. Many UK telcos have been quite successful in closing them down. They are closing millions of calls and SMSs per month that have come through in bulk and have been spoofed. There are technological advances, but Ofcom is looking more at the administrative aspect and where some of the number ranges were originally sold, to see if it can manage and control those too.

There are activities going forward, but there probably needs to be oversight to make sure that all telcos are managing them correctly, to see if they can fight it legitimately. It is not just a UK issue; it is global. Many other countries are facing the same issues. Other countries have used regulation, for example STIR/SHAKEN, which is an initiative used by the US; Australia has initiatives that look at CLI checking and validating originating numbers. Ofcom is doing that. It is slow in getting there. It will take time, but telco operators need to be involved in those discussions to ensure that they can bring their own experiences and practices so that the regulations which go forward are practical and usable.

Q184       Laura Farris: Ms Worobec, at the beginning you talked about upstream interception. Banking fraud, which seems to happen so frequently with push payment and the various forms it takes, usually has the same features. The victim of fraud has been duped into believing they are talking to somebody who is trustworthy. They believe the narrative and think that the person is protecting their money rather than taking it from them. What would be your one or two principal upstream solutions to stop that happening in the first place?

Katy Worobec: That is probably the 64 million dollar question. It is exactly the sort of thing we are trying to work on collaboratively with techUK companies. Where can we best intervene in the kill chain or the customer journey? If we could crack the issue of mule herders and stop them touting their wares on social media, that would make a difference.

Q185       Laura Farris: There is stuff coming through in the Online Safety Bill.

Katy Worobec: Yes. That will certainly help. We have been very much advocating that the Online Safety Bill should include aspects of paid-for and non-paid-for advertising. The difficult nut to crack is unpaid advertising, by which I mean the organic stuff I have been talking about, people using social media to try to get others to do what they want. That is more difficult than dealing with paid-for advertising, where there is at least a process to go through and you can intervene and make checks. The issue with organic advertising is that it does not have those checks and balances in place. If we can find a way to try to deal with that, we will cut down the opportunities for fraudsters to get people involved in their processes.

Q186       Laura Farris: Does either of the other witnesses have any alternative to that, or any other solution that they think is important upstream?

Luke Taylor: It is a tough one. It is a lot about education and making some of this more visible. I think it is the responsibility of all industry sectors as well as organisations like ours to try to communicate and educate. It is about making more people aware of how these things can occur, being more vigilant as individuals and constantly pushing warnings and awareness.

Lulu Freemont: To provide some colour, there is sometimes a lack of shared understanding between different sectors of what we are speaking about when referring to online fraud of certain types. Gaining a unified definition and shared understanding of the issues we are trying to solve is fundamental to our success. What a tech company or a platform sees is very different from the cashing-out of money. In identifying the context in which something is happening there is a lot more nuance, which makes it a lot more complicated, as Katy said about the organic content question. The risk of getting that wrong could potentially violate other rights.

It is all at the heart of the Online Safety Bill, which will be coming before Parliament soon. There will not be a quick-fix solution. The regulation will not necessarily stop the problem, and we need to think about understanding the issue, working across sectors to see what each silo is working on and what it is seeing, and thinking about how we can share information across sectors to enable meaningful interventions. As ever, it is not a simple solution, given the complexity of the crime.

Q187       Dr Mullan: I want to carry on with some questions about telecoms and pick up on email fraud. Mr Taylor, just to give some context in terms of the scale of the issue, you mentioned that on a weekly basis you were subject to some kind of tech scam. I think nearly everybody is. I receive scam text messages, scam phone calls and scam emails every single week. The Ofcom study last year suggested that over a three-month period 45 million people were subject to some kind of scam. Do you really think that the multibillion-dollar telecommunications industry is doing enough, if we are subjected to that level of people attempting to steal from us?

Luke Taylor: They obviously could do more, but to put these large telecom organisations in context, they are fighting fraud at many different levels. They are looking at consumer-based frauds but also internal frauds, large frauds that impact their bottom-line revenue. They have teams in place, but naturally a fraud department is usually a cost centre and is reactive. If frauds are increasing or a new fraud occurs, they will react and look to expand resources or technologies. They are probably always slightly lagging behind, but it is a question of firing lots and lots of arrows at lots and lots of calls and SMSs and filtering them out. They are coming across in multiple thousands and millions, so it is about using technology to try to reduce them. The organisations are succeeding at certain levels, but it is constantly changing. Fraudsters and organised criminals are doing this en masse, so organisations have to identify a constant stream of traffic.

Maybe with regulation or more collaboration it could be tackled and fought. Telcos could share information about spoof numbers and so on. They could start to share that quickly and transfer it; if one telco is faced with it, each one will get the same spoofed number range. If they can start sharing and react quicker, it should reduce some of the volumes.

Q188       Dr Mullan: I appreciate that in theory it might affect their bottom line, but in reality is it affecting their bottom line?

Luke Taylor: Some frauds do not, but the larger fraud departments will be fighting international revenue share frauds or PBX hacks. They will also be looking at consumer frauds where there has been a spoofed call and the individual has been scammed out of their savings. The call comes through to the telco and they say, “What’s happened? Okay; you’ve had a phone call and it may look like an SMS from your bank. Let’s start investigating.” Then they start pooling. Who else has been impacted? Where did the number range originate? They start to build a case to close it down in volume. They try to achieve that, but it is a volume-based game and it needs resource. It is a constant battle.

Q189       Dr Mullan: Do you have any figures to show what percentage of their turnover or profits they dedicate to fighting this stuff?

Luke Taylor: I couldn’t tell you that, but they lose a good few per cent. a year on frauds. I do not think they mimic them in regard to spending on it. They are changing their policy. Historically, fraud has impacted them and now there is a lot more volume of consumer-based fraud. They have a duty of care to look at how they can resolve those frauds. They look at how they are perpetrated, and it is usually through a spoof number, where a number looks like it is from somewhere else. That is what they are looking to investigate and close down.

Q190       Dr Mullan: Do you represent email providers as well? Would you consider them to be telecoms? Are they members of your organisation?

Luke Taylor: The ISPs are the same thing; it is the same aspect. There is a huge volume of them and they are trying to tackle the same thing, but both telcos and ISPs need to start working much more closely together and share some of the intelligence when it occurs. Fraudsters are naturally lazy. They plug a geographic area, perhaps one with fixed lines. They throw out lots and lots of SMSs and phone calls, see how many people bite and then they move on. If they hit one large telco, they go to the next one, but if the telcos can share information more quickly maybe they can be more prepared to tackle some of that.

Q191       Dr Mullan: Take Gmail as an example. It is part of one of the biggest, most profitable and richest companies on the planet. Do you really think they are putting everything they possibly can into stopping it?

Luke Taylor: No, and that is where there should be education and awareness not just for us as consumers but for the corporations, all the way from the CEO down to their customer care department. There is an educational aspect for all sides, not only for us as individuals who have this every day but for large corporations that use telecommunication technology, as well as telecommunications providers. They all need to be aware and educated from CEO level downwards on how fraud can be perpetrated and what they need to do. It is a matter of education and collaboration and we need to push it constantly.

Dr Mullan: I imagine that the people who run these companies have a pretty good idea of what goes on. I tell you why I think it is important. Some of the evidence we have heard is that a majority of this originates in, or is in part related to, foreign jurisdictions, so the prospects of convicting these people are extremely low. While it is their responsibility and they are to blame because they are the criminals, realistically we will not get at them, so the duty of care on the companies is even higher. I think they are some of the cleverest and richest companies in the world and they are failing abjectly. If the test of success is that we as customers are not receiving scam emails, they are completely failing because we receive them all week every week. They could probably do more.

Chair: Thank you.

Q192       Rob Butler: There are just a few minutes left, you will be pleased to hear. I want to ask some questions to wrap up and see whether there are any final points you want to make. We have heard quite a lot of suggestions from you about how things can change and develop. Do you have specific policy recommendations in relation to fraud that you would like the Government to consider? Perhaps I could start with Ms Freemont.

Lulu Freemont: From our perspective, we want a whole-system change response to be encouraged as part of the solution. What we need to get out from the work—it is good work and we should not discredit the work that is going on across the value chain, including the public sector—is that we need to think about how we can co-ordinate a whole-system change response that stretches through each of the private sectors to criminal justice, the police and law enforcement agencies, and provides additional resourcing. That is our big ask.

To take it a step further, we think that that response might need to be digitised. We might need to think about reforming some of our processes and how we can have real-time, actionable responses to the issues, because that is how the fraudsters are manipulating various sectors. That would be our first ask.

The second thing is thinking about incentives for collaboration. Quite often, there is a tendency to blame different sectors, but how can we incentivise trust and transparency? That is something we have been working on closely with UK Finance, thinking about how the Government can prioritise and incentivise collaboration as a long-term solution.

The final thing is about remaining very outcomes-focused with regulation, and thinking about defining the issues and forming a unified definition of fraud that is well understood across different sectors. Those would be our three things, if that is all clear. I would be happy to pick up on anything.

Q193       Rob Butler: Can I pick up exactly what you mean by its being the responsibility of the Government to incentivise this to happen? Could it not be argued that, for a lot of what you have just said, your various industries should all be getting together and doing it themselves? You should not need the Government to act. The point my colleague Dr Mullan made is that many of your industries are hugely rich. Why should you need Government to act in some of these areas? Which of them require legislation and which do not?

Lulu Freemont: To clarify that, it is more about how we talk about the issue. Quite often, there is a bit of a blame game going on when thinking about this, but we want to get to a position where everybody is thinking about what they need to do, what they are responsible for and how we can collaborate. It is not so much about financial incentives or anything of that sort; it is more about the narrative we use in talking about this and how some of the conversations go towards different sectors.

Q194       Rob Butler: Mr Taylor, are there specific policy recommendations that you think the Government should consider?

Luke Taylor: Following on from Lulu, it is the aspect of collaboration and the requirement that telcos, finance and so on collaborate much more. Having Government input to ensure that happens will probably move it forward quicker. The telcos industry in its own right will collaborate with itself, but will it go outside, of its own accord, without fighting its own problems? Having an umbrella aspect to look at this to say that we need all these industries to start working together and sharing information and collaborating would definitely be a nice thing for the Government to push.

Q195       Rob Butler: It is a bit of an indictment of a lot of these companies to say they will not do it unless they are forced to do so by the Government.

Luke Taylor: It is not that. They are working in their own industry. Telcos will be working in their own industry to try to tackle this, but it will not happen on its own. They need to work with finance and move outside their sphere of operation to make it happen. Finance, telcos and e-commerce all need to start working together.

Q196       Rob Butler: Ms Worobec?

Katy Worobec: I support the need for continued collaboration, as you would expect. If I were to have one policy recommendation for Government, I would go back to the point I alluded to earlier about a vehicle that allows firms to take a risk-based approach when processing payment transactions, so that they can hold or slow down a payment where they believe the customer is at risk from fraud, and create a legal framework to follow stolen money at pace through the system and freeze it before criminals can cash it out. The technology exists to do all of that, but the legal framework does not help. If we could get a way of addressing those points, it would really help the industry from our perspective.

Q197       Rob Butler: In terms of the financial institutions, the consumer organisation Which? found that 42% of money lost by customers was reimbursed by the banks. Which? says that the Government should make reimbursement mandatory. Would you agree with that as a policy suggestion?

Katy Worobec: I would not agree with it in the sense that it would address the problem of tackling fraud. What we need to do is address the issue at source. We need to address the problem of tackling the fraud, not the reimbursement. If you think about the problem, we could reimburse 100% of customers, but the fraudsters would still be getting the money. For me, that is the crux of the matter. We want to stop the fraudsters getting the money and getting away with it, so the focus of effort needs to be on how we can work at the front end and stop the fraudsters getting to the victim and getting away with the money.

Chair: Thank you all very much for your time today. We will be moving to our second panel now. I thank Ms Freemont, Mr Taylor and Ms Worobec for their evidence to us this afternoon.

Examination of witnesses

Witnesses: Damian Hinds and Duncan Tessier.

Q198       Chair: Mr Hinds, welcome. This is the third evidence session the Committee has held in respect of our inquiry into fraud and the justice system. We are very grateful that you are here. I think you will have to come back, given what is happening later today, but we are very grateful to begin taking some of your evidence today.

Fraud is a huge and growing crime and a problem that costs billions. Action Fraud estimated that £2.4 billion was lost to fraud in 2020-21. We know that the CPS prosecuted 6,500 defendants in that year, but Action Fraud recorded 413,945 instances of fraud, with approximately another 400,000 reported through alternative channels. The ONS has estimated that only 15% of fraud incidents are reported, which suggests that there may be 5.5 million frauds. The inspectorate has referred to 3.7 million frauds. These are huge numbers. Mark Fenhalls QC, chair of the Bar Council, told us that in his view fraud has not been a priority for anyone. Do you think he is correct about that?

Damian Hinds: Chair, it is a priority for me and I know it is a priority for your Committee, and that is why we are meeting today. I very much welcome that. I am not trying to dodge your question; I will come back to answer it directly. You are right to identify the huge numbers involved. Probably the best source we have is the crime survey for England and Wales, which tells us that one in 11 adults is a victim of fraud in a year. It has become huge, and the growth in computer technology and interconnectedness has made it grow further. In the immediate past, the coronavirus and lockdowns have given further acceleration to those trends.

It must be a high priority. If you add together frauds and wider economic crime and cyber-crime, it is now the majority of crimes. It is not something that comes to people’s minds when they think about crime, but by sheer volume that is what it adds up to. It must be a high priority for us. It is not only about the criminal justice system or tracking down fraudsters and holding them to account; it is about what we do further upstream to protect consumers and try to make sure that fewer of these things happen in the first place. In fact, we have to attack this at every stage in the chain.

I want to introduce Duncan Tessier who is with me today. He is a senior official from the Home Office. Coincidentally, earlier today we had our latest Joint Fraud Taskforce meetings with representatives from the banking sector, accountancy and the technology sector as well as the Serious Fraud Office, Victim Support and Citizens Advice. All of these different groups have to work together to bear down on this crime.

Q199       Chair: Sorry, Mr Tessier, I should have asked you to introduce yourself before we got started. Perhaps you would like to do it now.

Duncan Tessier: Thanks, Chair. I am Duncan Tessier, director for economic crime in the Home Office.

Q200       Chair: Apologies for leaving you out at the beginning of our session.

Which Minister in the Government has responsibility for tackling fraud? I notice that you have economic fraud in your portfolio, Minister, but it is not listed as one of your responsibilities. This may just be a problem in the Government’s list of responsibilities, but it creates a bit of confusion.

Damian Hinds: It is definitely me.

Q201       Chair: It is definitely you.

Damian Hinds: It is not only me, but what you might call general consumer fraud, the volume fraud that you are talking about and that is listed in the crime survey of England and Wales, is absolutely my responsibility in the Home Office. There are other types of fraud too. There is corporate fraud; there is fraud against the public sector, which is the responsibility of Ministers in DWP and HMRC, as you will of course appreciate and will recall from your time there, but when it comes to fraud as a crime, along with economic crime, money laundering, cyber-crime and so on, that sits with me.

Q202       Chair: The majority of it is you, is it?

Damian Hinds: I do not say that with pride, Chair, but, yes, indeed.

Q203       Chair: That is helpful to know. Can you tell us when the fraud action plan will be published and what will be in it?

Damian Hinds: We have a fraud action plan now, and we are working on a new fraud action plan, which will be out later this year. We always have to think about three different time horizons. One is the absolute here and now: the operational effectiveness of what we do to intervene and disrupt as effectively as possible and pursue the criminals. Then we have a three-year horizon. You will recognise that from spending review-type periods. We also want to look further out to more like a 10-year horizon to see how these types of crime are changing. They change more than what we might call traditional crime. That changes as well, but it does not change as much or as quickly as fraudsters and computer criminals can change what they do.

Q204       Chair: As I said at the beginning, Action Fraud said that in 2021, the last year we have figures for, £2.4 billion was lost to fraud. They had over 400,000 reports, and 28,000 were sent to police to investigate. They themselves got through further investigations of 58,000, and 6,500 defendants were prosecuted by the CPS.

Those numbers are an absolute drop in the ocean when we consider the number of people who are being subjected to fraud. Aren’t you simply being overwhelmed? I know that you have given £25 million of funding to support Action Fraud. What is that money supposed to be doing? Is it sufficient to deliver meaningful change? It seems to me that Action Fraud simply are not getting through the work that is being sent to them; it just sits there and ends up being ignored.

Damian Hinds: We are totally redesigning and recreating Action Fraud. That is a big project, which will come to fruition in 2024. That was why I referred to the three different time horizons. In the meantime, we are working on the operation right now, increasing the number of people in the call centre, for example.

On your wider point about the numbers, the volumes are very large. The National Fraud Investigation Bureau is the fulcrum point, which takes Action Fraud cases and works out which of them has enough to go on to make a good investigation and then disseminates them to police forces. They have to make that judgment.

It is worth saying that, within the huge number, it makes sense to subdivide. You have a mixture of quite high-value crimes and crimes that are very hurtful to victims. They are things like investment fraud, which can involve big sums of money, or romance fraud, which to my mind is a particularly horrible type of crime, where the effect on victims can be enormous. Then there are also the higher-volume and lower-value online shopping scams and so on. I am not belittling those, but by way of value and impact they are just not in the same bracket. They are still very bad, but generally there is not as much criminal intel you can put together to make a good investigation.

We have all seen the big volume online crimes. We have all had emails and attempts of varying degrees of seriousness to defraud us online. For those in particular we have to design it out; we have to make it harder for criminals to put that material out there. We have to make it easier for consumers to spot and easier for them to report, and then for the system to be able to disrupt that operation and shut it down.

Q205       Chair: My experience of Action Fraud as a constituency MP of some 25 years’ standing is that, whenever reports are sent to it, that is the last you hear of them; you never hear anything back. When I write to Action Fraud as an MP, I do not get replies for my constituents. It is like a void into which things are dispatched and never do you hear anything ever again. Do you think that is fair?

Damian Hinds: Let me apologise for the experience that you and your constituents have had because that is not how things should be. I know we need to get better and we are getting better. I think the system has already got better, but it still has some way to go.

It is important that people feel agency. For example, there is an existing system for reporting fraudulent emails at report@phishing.gov.uk. It is important that people know that that system has resulted in 76,000 scams being taken down. It is a good statistic. We still have plenty more to get rid of, but I need people to know that, rather than just deleting it, they need to take the time to report it. We have the 7726 number that you can use for forwarding text messages as well. People need to know that that does something, and it does. Because of those actions, it is possible to protect other people from being victims of the same scam.

Q206       Chair: What is the £25 million of funding that is being given to Action Fraud meant to be doing?

Damian Hinds: I might hand over to Duncan for some of this. By way of intro, there are two sides to it. First, there is the ongoing operation of Action Fraud today. City of London police are the sponsoring police force for this type of activity, but there is also a full-scale redesign and re-procurement of the service. Let me hand over to Duncan.

Duncan Tessier: Thanks, Minister. Broadly speaking, what it is doing is, first, replacing the IT system that underpins Action Fraud. That is both the call centre technology and, more importantly, the analytical software which is being used to gather all of the reports and understand what the totality of that means, to find leads and so forth: for example, connecting IP addresses or phone numbers so that you can track down organised crime gangs. The IT reform is one big part of it.

The other bit is uplift in people. The Minister mentioned having more people in the call centre so that they can give a better customer service. Finally, there is more staffing going into Victim Support.

Q207       Chair: How many more people?

Duncan Tessier: I will have to come back to you on that.

Q208       Chair: That’s fine. Please do. It seems to me that the scale of fraud that they are supposed to deal with is enormous. You can see from the figures, some of which I quoted, what they get around to. I am not particularly criticising them about that. It seems to me that they are overwhelmed. I want us to have an understanding of whether or not the extra resource will make a real difference, because at the moment fraud equals impunity in our system.

Damian Hinds: It must not. Yes, we will make a difference, but alone they will not solve our problem. We have to attack this at every stage. Some of the intelligence-led staff are trying to go after particularly the most prevalent, prolific and high-harm gangs. That is part of it. Disrupting the technology that is used is part of it. The money laundering on the back end is a really important part of it. Almost all fraud crimes have some degree of high or low-level money laundering offence attached to them. We have to do all of that. It will not only be about crime reporting and the pursuit of perpetrators, but clearly that is a really important part.

Q209       Chair: I need to be able to tell my constituents when they come to me with an example of fraud that somebody has been caught and punished for what has been done to them. Often, people lose their life savings.

Damian Hinds: I agree.

Q210       Chair: I have never had a constituent come to me with a fraud that has had a conviction at the end of it.

Damian Hinds: People do get caught. I would not want any potential fraudster to think they will get away with it, because they can and do get caught. I do not want to make excuses, but there are extra challenges in this area. Historically, we are used to dealing with proximity crime where a perpetrator and a victim are either in the same place or at least near each other, if your car is broken into or your house is burgled.

This is distance crime. If it is fraud, money laundering or cyber, the perpetrator can be hundreds or thousands of miles away; they can be in a different jurisdiction altogether. Although these are estimates, we know that only a minority of fraud incidents are entirely a British phenomenon. Most fraud, at least partly, involves an overseas element, which makes the pursuit aspect harder and puts an even greater premium on designing out fraud, on disruption, and on making it a difficult environment for fraudsters to operate in.

There are some great things about this country, but unfortunately some of them also make us attractive to fraudsters. One of them is the English language. It means there is potentially a bigger market of consumers here to try to defraud. We have to work harder to make sure that it becomes an inhospitable market.

Chair: I am going to pass over to Mr Maynard, but you may not have much time.

Rob Butler: About 30 seconds.

Q211       Paul Maynard: Is it worth it? We have heard from the Bar Council and the CPS that they want greater expertise and resources going into the prosecution of fraud. They have called for specific, dedicated fraud courts. Is that something the Government are willing to consider and look at?

Damian Hinds: It is an interesting area. There is the fraud court aspect in the Nightingale system. I am not a lawyer and I defer to people inside the justice system and to the great expertise of this Committee on the operation of the court system and how best to optimise it. From our point of view, we are very keen to look at everything and anything that can improve performance in this area. [Interruption.]

Chair: Minister, I fear that at this point we have to close for today, but we will reconvene.

Damian Hinds: We will meet again.

Chair: Thank you and Mr Tessier very much for your time. We will see you on the next occasion.