Action to combat online fraud must be tipped in favour of customers, says PAC
REPORT SUMMARY
Online fraud is now the most prevalent crime in England and Wales, impacting victims not only financially but also causing untold distress to those affected.
The cost of the crime is estimated at £10 billion, with around 2 million cyber-related fraud incidents last year; however, the true extent of the problem remains unknown. Only around 20% of fraud is actually reported to police, with the emotional impact of the crime leaving many victims reluctant to come forward.
The crime is indiscriminate, is growing rapidly and shows no signs of slowing down. Urgent action from government is needed, yet the Home Office’s response has been too slow and the banks are unwilling to share information about the extent of fraud with customers. The balance needs to be tipped in favour of the customer.
Online fraud is now too vast a problem for the Home Office to solve on its own, and it must work with a long list of other organisations including banks and retailers; however, it remains the only body that can provide strategic national leadership.
Setting up the Joint Fraud Taskforce in 2016 was a positive step, but there is much still to do. The Department and its partners on the Joint Fraud Taskforce need to set clear objectives for what they plan to do, and by when, and need to be more transparent about their activities including putting information on the Home Office’s website.
The response from local police to fraud is inconsistent across England and Wales. The police must prioritise online fraud alongside efforts to tackle other sorts of crime. But it is vital that local forces get all the support they need to do this, including on identifying, developing and sharing good practice.
Banks are not doing enough to tackle online fraud and their response has not been proportionate to the scale of the problem. Banks need to take more responsibility and work together to tackle this problem head on. Banks now need to work on information sharing so that customers are offered more protection from scams.
Campaigns to educate people and keep them safe online have so far been ineffective, supported by insufficient funds and resources.
The Department must also ensure that banks are committed to developing more effective ways of tackling card-not-present fraud and that they are held to account for this and for returning money to customers who have been the victims of scams.
COMMENT FROM PAC CHAIR MEG HILLIER MP
“Online fraud is a virulent and unprecedented threat that has taken hold rapidly, causes untold misery and costs individuals and businesses billions of pounds each year.
“The Government accepts there is an enormous amount of work needed to tackle the problem – work that in our view must put people first. Banks in particular need to step up, take responsibility and focus sharply on protecting and informing their customers.
“Technology is clearly critical to combating cyber-crime, and developing effective common defences should be a priority. Policing must also be more consistent. Government has a vital role in ensuring this happens.
“Meanwhile, the public cannot be left in the dark. Online fraud affects people of all ages and backgrounds. Young people are increasingly likely to fall victim to a crime which is perceived primarily as affecting the elderly and vulnerable.
“The Government must get better at explaining the tricks employed by fraudsters to target different groups, and set out clearly the action it is taking to tackle them.”
CONCLUSIONS AND RECOMMENDATIONS
Banks do not accept enough responsibility for preventing and reducing online fraud and there is no data available to assess how well individual banks are performing. Banks have an important role to play in protecting customers but the protection they provide is variable and some are keener to invest in educating customers and anti-fraud technology than others. Banks can refuse to reimburse customers who have been scammed and ‘voluntarily’ transferred money, and shifting more responsibility onto banks for scams is likely to make them better at protecting customers. Banks are not required to provide complete data on their individual performances to the government or police, and no-one knows which banks are best at protecting them from fraud. The banks argued that data on individual banks’ performance would help fraudsters target the weakest banks. We can see that full detail in the public domain about which banks are more susceptible to what kinds of fraud could prove counter-productive, but there is clearly scope for more transparency over individual banks’ performance at a more aggregated level. Customers have the right to know at least something about individual banks’ record on protecting customers from fraud. Besides more transparency from the banks, there is also scope for more help from banks for vulnerable people, such as putting restrictions on their bank accounts so they are not at risk of losing huge amounts of money.
Recommendation: The Department should set out minimum standards for banks to follow on preventing online fraud and on protecting bank customers and require banks to report to government on their performance. The Department should press the banking industry to make relative online fraud vulnerability performance data publicly available. We expect the Department to provide us with a plan for publication of this data by Spring 2018. We encourage banks to develop a voluntary scheme in the meantime to be more open with customers about the extent of fraud and how they are tackling it.
Unless all banks start working together, including making better use of technology, there will be little progress on tackling card fraud and returning money to customers. Card not present fraud, where criminals use stolen card details, has been rising dramatically in recent years. The 1.4 million known incidents in 2016 was double the number from 5 years earlier. Technical innovations to tackle card not present fraud will only be successful if every bank participates, as they did for Chip and PIN, but solutions are still some way off. The Department wants to see a ‘significant reduction’ in card not present fraud but says it is not yet in a position to quantify what that means. People also transfer funds themselves to fraudsters, unaware until later that they are the victims of scams. Somewhere between 40% and 70% never get their money back, and banks have different policies for under what circumstances to refund money. Banks are also reported to be holding at least £130 million that has been frozen because it is fraud related, but which cannot be accurately traced and returned to victims, often because it has been passed through numerous ‘mule’ accounts. The Department is taking forward an initiative with the banks to make the best use of technology to spot mule accounts and repatriate money quickly, but says it will be a couple of years before it is likely to have a fully fledged system.
Recommendation: Working with Joint Fraud Taskforce partners, the Department should make sure all banks make better use of technology and information to reduce card fraud and return money to customers. This should include establishing minimum technical standards for strong customer authentication for electronic payments.
We are not convinced that current awareness campaigns such as Take Five are proving effective. Many people are still not aware of how to keep safe online, and the government and others run numerous ongoing campaigns to improve citizens’ and businesses’ cyber security. While there is a perception that online fraud primarily affects the elderly and vulnerable, young people are increasingly likely to fall victim. Social media plays a significant role in online scams and further education is needed to make young people aware of the dangers of sharing personal information online. The City of London Police told us that young people are probably more vulnerable to fraud than older generations as they have a very different approach to personal information. The City of London Police cited examples of young people sharing pictures of their passports and driving licences on social media. The government should consider this in its running and targeting of campaigns to maximise impact. The Take Five Campaign backed by the government was re-launched in October 2017 with total funding of £3.8 million, £500,000 of which is from the government. A lack of co-ordination and consistency in education campaigns can confuse the public and reduce campaigns’ impact. There is often low awareness of campaigns, which are often not tailored for specific groups, and which can also confuse the public and reduce impact. Age UK highlighted huge scope to do more on education to support victims and help prevent them becoming victims again. The Department is evaluating Take Five but the evaluation is not due to be completed until March 2018.
Recommendation: The Department, working with others on the Joint Fraud Taskforce, needs to develop a more informed approach to its education campaigns – being specific about what it is trying to achieve, evaluating what works best, and looking at opportunities for campaigns more targeted at specific groups.
The Department has not yet put in place effective arrangements for its oversight of a coordinated and effective response to online fraud and for reporting on its progress. The Department is not solely responsible for reducing and preventing online fraud, but is in overall charge and is the only body that can provide the necessary strategic leadership. Many other bodies also play a role, including the police, banks, and Action Fraud, the national reporting centre for fraud. The Department is only now making fraud a priority, most notably launching the Joint Fraud Taskforce in February 2016, although fraud is not a new problem and the government’s work in this area for over 10 years appears not to have led anywhere. The Department itself considers there is an “enormous amount to be done”, but relies on voluntary participation from industry and law enforcement in the Taskforce. While reassuring us about its ‘scale of ambition’, the Department has no sense yet of how to quantify what success would look like, not even a range for what might be plausible to achieve. On the day before our evidence session the Department finally made some information about the Taskforce’s work publicly available on its website for the first time.
Recommendation: The Department should develop specific plans for how it will measure progress in tackling online fraud and judge the success of the Joint Fraud Taskforce, and it should regularly publish information on progress and performance. It should update us on progress by the end of March 2018.
The Department lacks data to judge whether its response to tackling online fraud is working. Effective action can only be underpinned properly if the Department understands the nature and scale of the threat. Yet the Department only first started to attempt to measure fraud in 2016 and when it did found that fraud accounted for a third of all crime - 3.6 million fraud incidents, of which the majority was online fraud. In the same period around 623,000 incidents were actually recorded, just 20% of estimated online fraud. The main reasons fraud is not reported to the police are because people are too embarrassed, report their loss to the bank and do not take it further, have difficulties in making a report, or simply do not report it because they think nothing will happen. The day after our evidence session plans to launch a new hotline for victims of fraud were reported in the press, but no such plans had been mentioned to us. The City of London Police highlighted how important it is to share information to prevent crime, but there is no formal requirement for banks to report fraud or share reports with government or the police. The City of London Police is introducing a new Action Fraud system to make it easier for people to report fraud and to collect information to help government and others understand the threat better. The police would also like to have a “harm index” for online fraud so it could measure whether the action being taken is actually reducing harm against the public.
Recommendation: The Department must prioritise efforts to improve the collection and reporting of data on fraud. It should update us on progress by the end of March 2018, when we also expect to hear how it is improving information sharing between government, industry and law enforcement, and working with Action Fraud to reduce the gap between reported and actual fraud.
The response to tackling online fraud is variable across different police forces, and for some it is not a priority. Online fraud now features in a number of national strategies, and there is an expectation for local police forces to respond to national priorities, but only 27 out of 41 Police and Crime Commissioners referred to online fraud in their police and crime plans. Age UK told us that the police response to online fraud was extremely patchy and elderly people can suffer real harm and stop using their computers, unplug their phones and, in the worst cases, end up in care homes because they have been victims. Age UK said that there was a problem of local good practice being shared nationally. The Commissioner of City of London Police cannot mandate what other police forces should do, but to improve the local police response his force shares information on the level of fraud in each area; carries out peer reviews; and provides advice, best practice guidance and training. Online fraud is a high-volume crime and must fit alongside everything else the police are dealing with, but this makes sharing good practice all the more important.
Recommendation: The Department should, with the City of London Police, establish what more they can do to help all police forces tackle online fraud, including opportunities to identify, develop and share good practice in a more systematic way.