BT Group – Written evidence (FDF0067)
Summary
Legal and law enforcement aspects
What BT does to protect its customers from fraud
Further details on each of these activities can be found in the Annex.
BT response to Call for evidence questions
Fraud Landscape
BT response
1.0 The Telecommunications Fraud Sector Charter outlines the specific fraud risks / reasons for vulnerability in the telecommunications sector which are outlined below:
1.1 Fraud risks directly affecting telecommunications customers
1.2 Fraud risks resulting in wider customer financial fraud
1.2 Online fraud risks for businesses
The most common types of cybercrime facing businesses, according to the Federation of Small Businesses (FSB) are:
1.3 Further information / research on the most prevalent phone and online scams targeted at individuals was published by Ofcom in October 2021.
1.4 Online scammers have become very sophisticated in the social engineering of victims to hand over key information / personal details and are using multiple communication channels and spoofing well-known companies and organisations. The FCA’s Perimeter Report 2020/21 stated that “fraudsters have unprecedentedly cheap access to an online population of consumers who find it difficult to differentiate legitimate offers from fraudulent ones.” For businesses, particularly SMEs, insufficient staff training along with poorly implemented IT policies make it easy for scammers to commit fraud. For example, small businesses who are using dated versions of Internet Explorer present security holes for cybercriminals to exploit. Upgrading to the latest version of a browser will block most web phishing attempts and a wide range of other web-based attacks.
BT response
2.1 With regard to economic developments, the global economy is seeing an increase in energy/fuel costs, and supply chain delays are increasing the cost of food/some consumer goods. These increases are putting financial pressure on individuals which may create a need for additional income, at any cost, including fraudulent behaviour. Furthermore, people are increasingly investing in cryptocurrencies which will provide criminals with an opportunity to commit fraud.
2.2 It is likely that fraudsters will seek to increasingly use social media or search engines to commit fraud particularly investment fraud as reported by Action Fraud. Therefore, it is welcome that the Government is making changes to the Online Safety Bill to protect people from scam adverts online and consulting on a wider overhaul of how online advertising is regulated in the UK, including proposals to improve transparency and accountability and tackle harmful, fraudulent and misleading adverts. UK Finance[1] has stated that “the current legal and regulatory framework needs to be updated to keep pace with the rapid growth in these online scams. Currently, the tech giants are not properly held accountable for fraudulent content promoted on their platforms. In some cases, these firms are even being paid by the criminals to place scam adverts on their platforms. It cannot be right that online platforms are profiting from these scams, while the rest of society is left to pay the price”
2.3 techUK have established that organisations are under increased consumer pressure to provide a seamless and frictionless user experience, with consumers saying they’ll abandon an online transaction if security checks take longer than 30 seconds. That provides fraudsters with opportunities to exploit. To help mitigate the risk of faster/fewer security checks organisations will invest in new identity verification processes such as facial and age recognition technology, and also deploy behavioural biometrics/artificial intelligence to monitor human behavioural patterns and consumer transactions to detect suspect payments.
2.4 The rise of encrypted services creates new opportunities for fraudsters, about which telecoms companies can do nothing. Encrypted services are marketed as better protecting the user’s data from hacking, and this is true for technical attacks seeking to capture valuable information such as bank details. However, if a user is deceived into contact with a fraudster on an encrypted platform such as WhatsApp or Apple’s iMessage (the way many Apple phone users message each other) then telcos have no visibility of any aspect of these communications, and the measures discussed in this response are not relevant.
BT response:
3.0 Yes, fraud is a priority for BT. We have a BT Group-wide team working on it, which meets regularly with Marc Allera, CEO of BT’s Consumer business, and other members of BT’s Executive Committee.
3.1 We have made significant investment and will continue to do so to protect our customers. Our approach / key activities to protect our customers is as follows:
3.2 BT is part of the Communication Crime Strategy Group (CCSG) which is made up of a number of CPs whose aim is to tackle fraud across our sector. The CCSG judge that more needs to be done by law enforcement to respond effectively to the changing nature of fraud and how its resources should be best applied to combat it. In particular, police effort in dealing with fraud should reflect fraud’s impact when considered as equivalent to other forms of crime against individuals and property. Graeme Biggar, Director General of the National Crime Agency, commented to the Treasury Committee in January 2021 “In the UK, we do not place the highest priority on fraud across law enforcement and policing. […] in the CSEW, it accounted for about a third of the crime that is reported. It is a lot less in actual reports that actually get to the police—about 12%—which I can explain in a bit. [However] Only about 1% or less of police resources and personnel are devoted to fraud”.
3.3 We recognise that the scale of the problem from telecommunications fraud such as phone and SMS scams is still very significant. We believe more progress can be made through greater coordination within the sector, across other sectors, with law enforcement and various Government agencies. The Treasury Committee Economic Crime Report also highlights that there are a large number of agencies responsible for tackling fraud who have different priorities for types of fraud. This can be confusing not only for victims but also for businesses because it can lead to differing advice and guidance. It is also a barrier to effective counter fraud cooperation. We would agree with the Treasury Committee Economic Crime Report that there should be “a single law enforcement agency with clear responsibilities and objectives.”
3.4 We agree with the Treasury Committee Economic Crime Report[2] that the low prioritisation of economic crime from many stakeholders, including parts of Government and law enforcement may be because it “does not happen in the street, but often in people’s homes. Consumers often, apart from inconvenience, do not suffer directly, since they may be repaid by banks”.
4.0 A great majority of landline scam calls originate outside the UK so the role of international actors is vital to tackling this type of fraud. We have an investigation specialist based in India who works with industry particularly Microsoft and law enforcement agencies. Securing Indian Police action has recently improved with raids, arrests and confiscation of equipment but more needs to be done. The number of voice scams reported into Action Fraud (and BT) drops significantly when law enforcement activity does take place in India.
4.1 A barrier to increased and effective cooperation between UK law enforcement agencies and their international counterparts is having insufficient resource with priority likely to be given to domestic criminal activities which are easier to prosecute. Another barrier is that traditional mutual legal assistance regimes are not designed for the digital age, with processes being slow and too lengthy to facilitate effective cross-border collection of electronic evidence.
Action to Tackle Fraud
BT response
5.0 See paragraph 3.3. The City of London Police play an effective role in tackling fraud but it only has limited resources to deal with the very large problem of fraud. Furthermore, local Police Forces do not have dedicated time and expertise to properly investigate and tackle fraud. In our sector we are also seeing a delay in cases reaching the Courts particularly when suspect(s) plead not guilty. We welcome the Police Uplift Programme which is increasing policing resources across regional organised crime units and also within the City of London Police. We also understand that the City of London Police – Action Fraud - are looking at procuring new IT systems which should improve their ability to tackle fraud.
BT response
6.0 As above.
BT response
7.0 The private sector has a key responsibility to detect, prevent and help their customers when they become victims. As digital fraud is a complex crime perpetrated across multiple industries the private sector should work with each other, financial institutions, regulatory bodies such as Ofcom, Government and law enforcement to reduce the incidence and impact of digital fraud.
7.1 However, addressing fraud will always be an arms race between those of us seeking to prevent it and the perpetrators. As fraud has become difficult to achieve, fraudsters have shifted to social engineering that relies on human fallibility. As industry manages down the risks e.g. preventing large sums of money from easily being transferred online – fraudsters will likely shift back to data hacking to steal money digitally. Likewise, new and unregulated sectors like cryptocurrencies create new opportunities to defraud individuals. Sadly, it will never be possible to completely protect the public from fraud, though it is possible to greatly reduce the volume of fraud that is initiated, or if initiated goes on to succeed.
7.2 A balance needs to be found between on-going efforts and innovations to prevent and disrupt fraud and other industry investment that is proportionate. The telecommunications sector is a low return industry compared to big tech[3], or banking so we weigh these choices carefully. However, we are also motivated to ensure our customers can be confident using our products and services, so our interests are aligned with our customers in continuing to invest and innovate to combat fraud that originates via our services.
The Telecommunications Sector Fraud Charter and the telecommunications sector involvement with the National Economic Crime Centre has only been in place for around six months so its success in tackling fraud is still being evaluated but early indication is that it is seeing improved coordination.
BT Response
8.0 In our view legislative and regulatory requirements do not present a significant obstacle to data sharing in this area, given the extent of the threat to the public posed by online fraud. The General Data Protection Regulation provides several lawful bases for processing which may be applicable depending upon the circumstances, most commonly:
Where there are issues in this area, they tend to involve the question of whether in the specific circumstances of the case, the sharing of personal data is proportionate i.e. adequate and relevant for the purposes of processing.
8.1 Such sharing may also involve processing special category data. Article 9 of the UK GDPR provides the basis on which special category data may be processed, including that:
8.2 The basis for the processing under UK law is provided in the DPA 2018. Section 10(3) of the DPA provides that the requirement above is met if a condition set out in Part 2 of Schedule 1 to the Act applies.
8.3 Part 2 of Schedule 1 requires a data controller processing special category data on the basis of substantial public interest to have in place an appropriate policy document setting out the basis for compliance with data protection requirements. Additionally, paragraph 10 of Schedule 1 provides:
8.4 The obtaining of network information relating to online fraud risk will also usually involve an interception of communications. This can generally be carried out on the basis that the provider has contractual basis for monitoring and blocking, and in some cases passing information to the relevant public authorities. However, sections 45 and 46 of the Investigatory Powers Act, and the Investigatory Powers (Interception by Businesses etc.) Regulations also provide a lawful basis for such monitoring. Section 45 relates to interception by telecommunications providers of communications on the service which they provide, and section 46 interception by businesses more generally, of communications sent via networks which they control.
8.5 Regulation 3(2) of the Regulations provides that lawful interception of communications by a telecommunications system controller may take place for the prevention or detection of crime. We are required to make reasonable efforts to inform our customers that we may undertake such interception, which we do via our public Privacy Policies. Other provisions under Parts 2 and 3 of the Act may also enable warrants or authorisations to be given to CPs to provide intercepted content or retained communications data to various public authorities, and there are other powers such as a Production Order under Schedule 1 of the Police and Criminal Evidence Act 1984.
8.6 In general, therefore, we consider that we have an adequate legal and regulatory basis for data sharing in this area.
BT response
9.0 A key element in tackling fraud is to ensure that individuals/customers are provided with the necessary advice and tools to guard against fraud. We believe that our customers are generally well informed about the risks of fraud and how to prevent them but recognise that more can be done, for example promoting the 7726 service for scam text/mobile calls. Furthermore, certain groups of older people may not be well informed because of their personal circumstances such as social isolation, and cognitive impairment. We promote and provide all of our customers with advice and information which covers types of scams, how customers can protect themselves, how to report a scam, the latest scams, and popular links for more advice e.g. Action Fraud. Also, via our BT Skills for Tomorrow and Tech Tips campaigns we provide online videos on how to stay safe online e.g. how to avoid online phishing. Customers without internet access can also call our Nuisance Calls Advice Line (NCAL) on 0800 661 441 for advice and to report nuisance calls. We’ve also worked with the National Cyber Security Centre on all our security education and advice for customers. Customers can also call our call centre colleagues who are trained to provide advice.
Legislative Remedies
BT response
10.0 BT’s main experience is in the area of scam calls, online and online-enabled fraud. To the extent that we are in a position to comment, we note that successful fraud prosecutions are complex and difficult even in the offline world, given the difficulty of proving elements such as dishonesty and knowledge/intent particularly where a defendant may be remote from any loss caused to the victim. These issues are only amplified in the case of international scam calls and online fraud, where the difficulty of tracing perpetrators and the ease and volume of production of fraudulent communications through various different channels tends to make the risk/return analysis more attractive for online criminals.
10.1 We have not seen any specific unintended consequences of the Fraud Act 2006.
BT response
11.0 We do not consider that amendment to the existing Fraud Act offences is required to address online fraud. In our view the main obstacle to tackling modern forms of fraud is resource and international co-operation, particularly for “lower level” consumer and SME fraud, which may be of relatively low value in individual cases but has a significant impact and cost across the population as a whole.
11.1 However, additional domestic legislation could assist the reduction of online fraud by criminalising collateral conduct which is closely associated with fraud, but would not necessarily require proof of dishonesty – for example being involved in the distribution of “scam” communications or the hosting or promulgation of “scam” advertising (some of which we understand may be considered in context of the Online Safety Bill). Such legislation could additionally involve an extra-territorial element similar to the “significant link with domestic jurisdiction” required in legislation such as the Computer Misuse Act, to assist prosecution of suspected perpetrators who are not based in the UK.
BT response
12.0 To the extent that we are able to comment, we would consider the resources and co-operation required to trace perpetrators, particularly given the international nature of most scam call and online fraud operations, the proliferation of mass market anonymisation and encryption tools, and the ease of conducting online fraud at scale to be the key barriers to successful prosecution.
BT response
13.0 We are not in a position to respond.
Best Practice
BT response
14.0 We would agree with the conclusion in the Treasury Committee Economic Crime Report[4] that there is no “silver bullet” solution … it can only work if there is extensive co-ordination at all levels, from Ministers to those on the ground who are enforcing the law”. So relentless coordinated efforts from all stakeholders are required to bring about multiple incremental gains which keep pace with and push back against fraudsters. Effective policy intervention also occurs when regulatory/industry proposals are adopted by the whole of industry and not just by the main industry players.
BT response
15.0 A great majority of scam calls originate outside the UK so the role of international actors is vital to tackling this type of fraud. We would welcome increased and effective cooperation between UK law enforcement agencies and their international counterparts to tackle this type of fraud and prosecute criminals.
ANNEX
What BT does to protect its customers from fraud
Securing our fixed and mobile networks against network security/cyber attacks
Providing customers with free security and privacy tools
Implementing & developing new blocking solutions for our networks to stop unwanted calls and SMSs
Providing customers with advice and guidance
Working in partnership with others
We are a signatory to and helped develop the Telecommunications Sector Fraud Charter with other mobile operators in conjunction with the Home Office, DCMS, Ofcom and other stakeholders. The Charter represents an opportunity for an intensification of coordinated sector and cross-sector action to fight back against fraud.
4 May 2022
[1] UK Finance, Fraud - The Facts 2021: The Definitive Overview of Payment Industry Fraud
[2] Treasury Committee Economic Crime Report Feb 2022
[3] https://www.mckinsey.com/industries/technology-media-and-telecommunications/our-insights/how-telcos-can-succeed-in-launching-new-businesses-beyond-connectivity