Written evidence submitted by UK Finance (COR0149)
Online-harms regulatory framework: ensuring economic crime is in scope
UK Finance strongly recommends economic crime be brought into the scope of the online-harms regulatory framework.
A holistic approach is most effective at keeping customers safe
Tackling online harms requires a holistic approach by which every sector contributing to the problem of economic crime is held to account. Furthermore, it should be recognised that issues already in scope, such as terrorism, are in part enabled by funds derived from economic crime.
The banking and finance sector invests significantly to protect customers from fraud
In 2019, more than £1.8 billion of unauthorised fraud was stopped by advanced security systems and innovations in which the banking and finance sector invested to protect customers. Despite this, criminals still managed to steal £1.2 billion from customers using fraud and scams.
Social-media platforms are exploited by criminals for the purposes of economic crime
The increasing growth of social media and their use as a vehicle for economic crime underscore the importance of introducing an online-harms regulatory framework that protects consumers to the best extent possible. In 2019, worldwide social-media users grew to almost 3.5 billion, with 288 million new users in the past 12 months. In the UK, there are now 45 million social-media users—two thirds of the population. The fight against economic crime must keep pace with technological change.
Economic crime is not an either/or issue as proceeds fund harmful and illegal activities
Economic crime can have a devastating impact on victims, and even if the customer is compensated in full by their finance provider, the criminals that perpetrate these frauds still profit. The criminal proceeds are reinvested to fund harmful and illegal activity such as terrorism, modern slavery, drug trafficking and human trafficking.
Moral, social and financial responsibility for cross-sector efforts to combat crime
The banking and finance sector is not solely responsible for the fight against economic crime, and there is a moral imperative for social-media firms to do more. When an economic crime is committed, there are social and financial costs for both the victims and society. Given increasing economic crime and rising social-media use, the need for cross-sector efforts to combat crime is growing; otherwise there will need to be a significant uplift in law-enforcement resources—as well as in other sectors—to respond to the growing number of frauds.
The banking and finance sector stands ready to play its part and work with online-platform providers, but bringing economic crime into the scope of the regulatory framework would ensure all sectors undertake efforts to remove vulnerabilities in their systems and organisations, ultimately giving criminals fewer opportunities to target and exploit vulnerable people and the UK economy.
Economic crime and the abuse of social media
The abuse of social-media platforms by organised criminals for the purposes of financial crime has increased significantly, and there is little doubt that this trend will continue to grow. Intelligence from law enforcement and other sources indicates there are thousands of social-media accounts in operation by criminals at any one time, the majority being openly advertised and visible to users. These accounts facilitate advertising for “money mules” (for the purposes of money laundering), selling stolen identity and credit-card data, phishing, bogus investment scams and impersonating legitimate companies such as banks to enable fraud.
The potential for real benefits by bringing economic crime in scope
The inclusion of economic crime would ensure all online platforms join cross-industry efforts to tackle fraud and money laundering. The benefits are significant. First, economic crimes are intrinsically linked to crimes already identified as within the scope of the online-harms regulatory framework, so taking such a holistic approach would enable all illegal and harmful-but-legal activity to be tackled more effectively. Second, including economic crime would require all online platforms to play their part in cross-sector efforts to protect consumers. Third, the cost of economic crime to the financial sector is substantial, even when the vulnerability originated in another sector. All efforts that contribute to the reduction of economic crime benefit society and reduce online harms.
The UK banking sector, Facebook and Instagram working together to combat crime
These case studies demonstrate the positive outcomes that can be achieved as a result of cross-sector collaboration and how providing holistic consumer protection is the key to combating online harms. However, this approach is currently the exception rather than the norm, something that must be addressed if the fight to combat online harms is to be successful.
Case study 1
Industry-funded police unit the Dedicated Card and Payment Crime Unit (DCPCU) has been working with Facebook and Instagram to tackle economic crime. Since January 2019, more than 1,600 social-media accounts have been successfully taken down. Broken down by type of economic crime, these were:
These accounts had over 645,000 followers, and taking them down prevented £3.8 million of financial loss.
Case study 2
In June 2019, a UK Finance member raised the issue of fraudulent social-media profiles offering half-price goods (known as ghost brokering) to Facebook and Instagram. This notification was based on UK Finance intelligence alerts about ghost brokering.
This public/private engagement between the banking sector and Facebook led to strategic mitigation solutions being developed and is helping to prevent ghost brokering on the social media platform.
Economic crime and other illegal activities: you cannot tackle one without the other
Unquestionably, there is a clear link between economic crime and the funding of illegal activity, with online platforms being increasingly exploited by criminals.
The UK government’s Serious Organised Crime Strategy 2018 recognised that the “increasingly pervasive nature of technologies will allow less skilled and resourced criminals to gain access to markets and tools that were previously out of their reach,”[xiv] and the National Crime Agency assessed that “the threat from serious and organised crime is increasing and serious and organised criminals are continually looking for ways to sexually or otherwise exploit new victims and novel methods to make money, particularly online.”[xv]
The UK banking sector and the DCPCU combating organised crime during covid-19
During April 2020, 10 DCPCU warrants were executed in relation to covid-19. These successfully targeted and disrupted several criminal gangs involved in sending scam texts and emails to unsuspecting members of the public. Three search warrants in Leicestershire, Dorset and southeast London identified several suspects and saw mobile phones and other devices seized. DCPCU officers then searched an address in Leicester on 15 April as part of an investigation into fake HMRC text messages. A number of mobile phones and over 20 SIM cards were seized that were being used to send out texts that included links to bogus HMRC sites offering financial support and refunds to assist recipients during the outbreak.
Further examples of covid-19 harm
Money-muling. Attackers have begun using covid-19 as a lure. Victims are asked to send money abroad for soldiers affected by the virus or to citizens trapped due to quarantine measures, among other scenarios. Often, victims of money-mule scams are driven to action by a desire to help others. Those who fall for these scams may never realise that what they are doing is illegal and that they are assisting in a scam.
Scams. The majority of scam reports are related to online shopping where people have ordered protective face masks, hand sanitiser, covid-19 testing kits and other products that have never arrived.[2] If they have arrived, in many cases they have been substandard. Other frequently reported scams include:
Phishing/smishing. Such attacks have been prevalent, with fake or cloned websites supporting the spread of misinformation and duping consumers into falling victim to fraudsters. The National Cyber Security Centre has taken down thousands of scam sites.[4]
HMRC phishing emails. Emails are often sent from different Hotmail accounts, but the sender name is spoofed to read “Helping you during this covid from government” or “HMRevenue & Customs(HMRC).” They offer a grant of between £2,500 and £7,500 to taxpayers out of work or working less because of the pandemic, or the message informs the recipient they are eligible for a £698.99 tax refund that they need to claim within 24 hours by clicking on a link. The links have been identified as malicious.
Contact-tracing app. Fraudsters have developed a scam based on the rollout of the government's covid-19 contact-tracing app. Consumers across Britain received scam texts purportedly generated by the app, with a message link leading to a fake website that asked for personal details.[5]
Bitcoin investment. Emails advertise investments in Bitcoin platforms that claim to “take advantage of the financial downturn” and help with recovery from bankruptcy. A link is provided in the email that claims to take recipients to a website that explains how Bitcoin trading platforms work. This link exposes victims to phishing and malware threats, with the suspect trying to steal credentials and/or get the recipient to download a virus.[6]
TV Licensing. A range of fake TV Licensing emails with minor changes to the messaging and links appeared with covid-19–related lures. The emails claim the recipient’s direct debit failed and they need to pay to avoid prosecution. These emails display the subject header “We couldn't process the latest payment from your Debit Card - COVID19 Personalized Offer: You are be eligible for a 1 x 6 months of free TVLicence.” They include a link to set up a new direct debit on a website controlled by the criminals. At the end of the email, to lure recipients in, the fraudsters also offer six months of free TV licence. Recipients are asked to click on a link to apply for the offer. The link takes them to a sign-in page where they are asked to complete an online application form, providing the criminals with an opportunity to steal email logins, passwords, and personal details.[7]
GOV.UK council-tax reduction. Fake government emails are circulating that claim to help individuals on benefits or a low income to pay their council tax. The subject line of the email reads “Online application – (COVID-19) – You are getting a Council Tax Reduction (Total amount of benefits: GBP 385.55) Stay at home this weekend.” The recipients are told they are eligible for a council-tax reduction and are asked to click on a link to claim the benefit, which will be automatically transferred to their debit/credit card. The sender name has been spoofed to read “Council Tax – GOV.UK.”[8]
[1] ZeroFOX Inc, Phishing and Fraud in Financial Services, 2020.
[i] ZeroFOX, Phishing and Fraud in Financial Services, 2020.
[ii] ZeroFOX, Phishing and Fraud in Financial Services, 2020.
[iii] UK high-street bank, UK Finance anonymised data, 2018.
[iv] Arkose Labs, Fraud and Abuse report, 3Q2019.
[v] ZeroFOX, Financial Services Digital Threat Report, 2019. Removal figure includes takedowns May 2018–May 2019.
[vi] ZeroFOX, Financial Services Digital Threat Report, 2019.
[vii] CIFAS, annual figures from 2016-18.
[viii] Leicestershire Police, Don’t be Fooled campaign: letters sent to parents, 2019.
[ix] CIFAS, Research reveals sharp rise in middle-aged money mules, 2019.
[x] UK Finance, Half-year fraud update, 2019.
[xi] NCA, Money laundering and illicit finance, 2015.
[xii] Office for National Statistics, Crime in England and Wales: year ending June 2018, 2018.
[xiii] Home Office, Understanding organised crime 2015/16, Second Edition, p. 38, February 2019. Figures exclude money laundering and corruption.
[xiv] UK government, Serious Organised Crime Strategy, p.14, November 2018.
[xv] UK government, Serious Organised Crime Strategy, p. 5, November 2018.