Stop Scams UK – Written evidence (FDF0057)

Stop Scams UK’s Submission to the 2006 Fraud Act and Digital Fraud Committee

Stop Scams UK welcomes the opportunity to contribute to the work of the Fraud Act 2006 and Digital Fraud Committee. Our submission is made up of an introduction to Stop Scams UK, some background information on the impact of scams, an overview of our work to date and our planned delivery for 2022. We have also included our thinking on the 2006 Fraud Act as it relates to digital fraud.

This response complements those submitted by our members and should be read in conjunction with those responses. Also submitted is a copy of Stop Scams UK’s annual report, which sets out the work undertaken by the organisation in 2021. Stop Scams UK would welcome the opportunity to meet with Committee members to discuss our submission as well as our wider work.

About Stop Scams UK

Stop Scams UK is an industry led collaboration made up of responsible businesses from across the banking, technology and telecoms sectors who have come together to help stop scams at source. Stop Scams UK currently has 17 members. These are: Barclays, BT, the Co-operative Bank, Gamma, Google, HSBC, KCOM, Lloyds Banking Group, Meta, Microsoft, Nationwide, NatWest, Santander, Starling, TalkTalk, Three, and TSB.

Stop Scams UK exists to facilitate cross-sector collaboration. We know that for scams to be successful, they will touch on at least two, if not each of the banking, technology and telecoms sectors. We believe that it will only be through enabling, leading and delivering collaboration across these sectors that systemic solutions to scams will be realised. We provide the resource, leadership and trusted space for our members to share problems, identity opportunities, overcome blockers and drive projects forward to the benefit of consumers and business.

In September last year, Stop Scams UK launched 159 an easily memorable short code phone service that connects the customers of many of the UK’s retail banks directly, safely and securely with their bank, should they receive an unexpected or suspicious call on a financial matter. Over 80,000 calls have now been made to 159 and the service was recently expanded to accommodate an even larger number of banks, including the Co-operative Bank, the Nationwide Building Society, and TSB.

In addition to 159, Stop Scams UK is delivering a programme of work to enable and pilot improved data sharing between our members. Both policy makers and industry stakeholders have recognised that better data sharing will be critical to helping stop scams. Our data sharing work is one of a number of R&D projects, which include work on information gathering accounts and spam call tracing, that are currently being taken forward by Stop Scams UK and its members. More detail on 159 and other Stop Scams UK initiatives is provided below.

We note that as Stop Scams UK is not a trade body, we do not have to take whole sectors or industries with us. Instead, our work programme is shaped, informed and driven by our members - businesses who want to do more and to move fast. This means that we are able to deliver at pace, realising projects quickly, effectively, at scale and on a cross-sector basis.

Scams in Context

As the Committee has rightly recognised, scams and fraud are a significant and systemic problem. Not only do they cause real harm and distress to consumers, but they undermine trust in businesses and economic activity.

The true size of the fraud problem is hard to quantify. However, the evidence suggests that fraud and scams are growing at exponential rates. The Crime Survey for England and Wales (TCSEW) records that 5.1 million fraud offences were committed in the year ending in September 2021, a 36% increase on the comparable figure for 2019. Fraud offences reported to the police also rose by 27% (to 413,417 offences) and ONS figures show that as many 109 people per 1000 have been scammed, in comparison to 21 per 1000 falling victim to burglary.[1]

According to figures published by UK Finance, in the first six months of 2021 reported Authorised Push Payment Fraud – a type of scam where victims are manipulated by criminals, often through social engineering, into making payments to scammers – was 60% above the equivalent level for 2020, with the losses incurred by consumers and businesses 71% higher.[2] To put this in cash terms, criminal gangs stole over £355m from individuals and small businesses in that same period by pretending to be a bank or other service provider and encouraging them to make a payment or transfer money.[3] Although these numbers are alarming, they do not tell the complete story: we know that the distress caused to scam victims can be enormous.

Collectively we have a mountain to climb. Scammers are making use of increasingly sophisticated means to try and defraud people, combining websites, text messages and phone calls, as also complex and nefarious ‘social engineering’ scripts. The only way to effectively tackle this harm is for businesses across each of these platforms and sectors to work together on the development of technical solutions to scams and for that action to be backed by appropriate and proportionate regulation. This is why collaboration of the sort fostered by Stop Scams UK is so essential.

The 2006 Fraud Act

Stop Scams UK does not believe there is anything inherently wrong with the 2006 Fraud Act. It defines fraud appropriately and clearly has a value to prosecutors as has been demonstrated in evidence provided to the Committee by the Crown Prosecution Service.

It is our view that that difficulties in tackling fraud sit not with the Act and how fraud is defined within it but with the inherent complexity of prosecuting fraud and the historically low levels of resource that have been made available to enforcement agencies for the prevention, investigation and prosecution of fraud and scams. These issues are compounded by the difficulties in tackling fraud and scams committed using digital technologies, particularly from abroad.

It will only be through enabling, leading and delivering collaboration across the banking, technology and telecoms sectors that systemic solutions to scams will be realised. However, many businesses find such collaboration difficult. Regulation and legal considerations have rightly incentivised competition within sectors. The financial costs of fraud and scams also do not affect industry sectors equally. Privacy and data security considerations can also raise challenges for collaboration.

To overcome these challenges, greater coordination of anti-scam and anti-fraud activity is needed as is more incentive for businesses to cooperate with one another, including where appropriate, new guidance from Government and regulators. Where it is needed, this should seek to enable collaboration for the purposes of preventing fraud and scams. Industry members have been clear that concerns around privacy regulation can have an inhibiting impact on efforts to collaborate; new guidance could help remedy this.

Stop Scams UK initiatives

159

In September 2021 Stop Scams UK launched 159, our first major public-facing initiative. 159 is an easily memorable short code number that connects the users of many of the UK’s retail bank current accounts directly, safely and securely with their bank. We believe that more scam victims will be protected if they are provided with a simple, memorable service that enables them to contact their bank, each and every time they receive unexpected communication about a financial matter.

In this way, we can break the scam journey at that critical moment when the consumer is at most risk of being socially engineered and making a payment. So even if scammers are able to make contact with potential victims, that link will be broken before any information is shared or any payment is made.

Stop Scams UK has launched 159 as a pilot. Over 80,000 calls have now been made to the service. It is estimated that the average bank impersonation scam costs the consumer in excess of £4,500 [4] which means 159 has potentially already saved UK consumers a considerable sum of money and prevented untold distress. This has been achieved without any consumer facing advertising, a decision made to enable the value and the mechanics of the service to be tested without putting existing customer service systems under additional pressure.

The early use of 159 suggests that the service has the potential to become a powerful consumer facing tool; a reflex response to suspicious or unexpected calls about financial matters. We plan to develop the product further using insight from the pilot to demonstrate the overwhelming public interest necessary to ask Ofcom to consult on making 159 a mandatory “Type A” number like 999, 101, or 111.

Stop Scams UK collaborative pilots and learning:

Alliance Partners URL Blocking Proof of Concept

Through Stop Scams UK, BT and TalkTalk have implemented a proof of concept to test an additional layer of protection to prevent customers from inadvertently accessing phishing domains, particularly fake banking websites. Alliance partners, led by BT and working with Stop Scams UK, share malicious domain data feeds which are then blocked by network operators at the DNS domain level, protecting customers across both mobile networks and fixed broadband lines.

The Proof of Concept is unique, enabling partners to block harmful domains in a matter of minutes, and offering a speed and agility that is not matched by other blocking initiatives. As of February 2022, over 33,000 phishing domains had been blocked by BT’s Trust and Safety Centre as a consequence of this work.

Intelligence Gathering Accounts

Stop Scams UK members working with TalkTalk have set up intelligence gathering accounts - 1000 calling lines - linked to banking accounts managed by trained analysts. These accounts are used to obtain scam intelligence. Where possible they are used to block live scam connections, as well as to investigate and respond to changing scammer behaviours.

The pilot has delivered valuable insight, including that many scam attempts were more about enabling opportunities for social engineering rather than technical in nature (ie malware scams). The pilot has now been expanded to include Microsoft and other Stop Scams UK members.

Scam Call Tracing Pilot

This pilot has been led by Stop Scams UK members Gamma and Microsoft who jointly developed an approach for identifying scam calls on the Gamma network and then identified the details necessary for calls to be traced back. Using anonymised datasets, Gamma was able to run scripts to identify suspicious calls to the scammer’s area code.

The results of the pilot have led to the development of a methodology that has enabled both the identification of scam calls, and also an ability to trace their origin using repeatable scripts. The next stage for the project is the launch of a further phase with a new, improved dataset to establish a repeatable, scalable, and automated methodology for tracing scam calls. This could help limit the ability of scammers to use voice calls to contact victims.

Ambitions for 2022

Our strategy for 2022 focuses on the delivery of a number of products and services to help stop scams at source, and how these can be scaled up and delivered at pace.

Development of 159

Our first priority for 159 is the upgrade of the technology to enable the service to grow and the number of participating banks to be increased further. A key element of this development work will be to provide the evidence base to enable the communications regulator, Ofcom, to consult on whether 159 should be made a mandatory number similar to 999 or 111. Placing the service on a sustainable commercial and legal footing will also include delivering robust governance as the service grows beyond the initial pilot.

We hope that the development of 159 will also open up new opportunities for data capture and data sharing, and also an enhanced ability to route and triage calls to offer a better service to. consumers. An enhanced capability to capture data could deliver new insight on emerging threats and scam journeys. Stop Scams UK will explore how any data generated through 159 could be shared with regulators and others, such as the NCSC, so it contributes to wider work to combat scams and keep UK consumers and citizens safe.

URL Blocking

Stop Scams UK will also broaden and accelerate its work on URL blocking with the Alliance Partnership led by BT. We recognise the high-quality blocking and takedown services which already exist, but they can involve multiple partners and can sometimes take up to 5 days for a malicious domain to be blocked once identified. Alliance partners have established a process that can reduce this to as little as 15 minutes.

Stop Scams UK will work to formalise and expand the governance around this process and extend it to other members, enabling much larger numbers of malicious domains to be taken down at pace. This work is being complemented by the production and publication of legal advice and guidance on how parties can work together to block malicious domains in a way that is consistent with the legislative and regulatory framework.

Data Sharing Work

Our members, regulators and government have all identified that improved data sharing will be critical to combatting all forms of scams. They have also recognised that sharing data is not straightforward, and that more needs to be done to identify practical, lawful and effective solutions.

Stop Scams UK has launched a programme of work, which includes a research component to be undertaken jointly with RUSI, that will help our members share data with one another for the purpose of stopping scams. This will include sharing insight, intelligence and scam signals. This work will focus on establishing:

1) What forms of data sharing will be most useful in stopping scams;

2) Whether that data exists in usable, shareable forms;

3) How that data could be shared, looking at both immediate quick wins as well as long-term solutions; and

4) Regulatory and legal considerations.

We envisage that this work will lead not just to the development of data sharing pilots but also the production of guidance, advice, governance and process design, emphasising practical real-world solutions.

22 April 2022