Team: Digital, Culture, Media and Sport Date: January 09, 2023
To: Rt Hon Michelle Donelan
POLICY AND REGULATORY MIX REGARDING PERVASIVE ONLINE PHISHING FRAUD
Issue: Assessment of current online phishing fraud prevention and response measures with focus on older generation victims, and whether the policy and regulatory mix requires adjustment.
Timing: The Online Safety Bill is still at Report stage in the House of Commons and has yet to be read in the House of Lords (1). There is still time for the second (House of Lords) Public Bill Committee reading, as well as final-stage consideration of amendments. No date has been set for subsequent review and amendment, but this recommendation suggests that a decision is required promptly if it is to have a significant impact in the Lords.
Decision: Do you agree with the recommendation to create a comprehensive Reimbursement Code (Option 1), whereby phishing fraud is compensated in full by both the banks and the organisations that host such scams, with the latter also incurring fines for hosting them?
Handling instructions: This document must be exclusively shared with DCMS senior management and Ministers involved with digital policy.
Context / Consideration
Background/context
1.Phishing is a form of social engineering in which a perpetrator sends a fraudulent message intended to dupe the recipient into giving the perpetrator access to sensitive data or into installing malicious software on the victim’s infrastructure (2). The 2022 Crime Survey for England and Wales (CSEW) showed a 25% increase in fraud from 2020 to 2022. Technology has hugely expanded the capacity for successful fraud, and phishing is frequently cited as ‘one of the main methods used to commit fraud’. Half of CSEW 2022 respondents had received a phishing message in the month before the survey (3). The issue is also pervasive in businesses, where 83% of identified fraud attacks in 2022 were phishing (4).
2.Internet technology use amongst older people is high: 88% of 50-64 year olds and 76% of 65-74 year olds use the internet every day (5). Sending or receiving emails and online shopping (both regular channels for phishing scammers) are the most common forms of use (6). Text-based phishing, or ‘smishing’, is ‘as common as email phishing’ (7). The City of London Police’s National Fraud Intelligence Bureau (NFIB) saw 1,235 reports of WhatsApp-based phishing scams by fraudsters posing as endangered family members from 3 February to 21 June 2022. Losses incurred exceeded £1.5 million (7).
3.Fraud victimhood amongst older people is high. A 2019 study by Age UK showed that a person aged 65+ becomes a victim of fraud every 40 seconds - 8% of over 65s surveyed that year, or 800,000 older people in England and Wales (8). Older people are also more prone to illness than younger people, which can make them more susceptible to fraud. For example, the Alzheimer’s Society states that dementia, which affects one in 14 people over the age of 65 in the UK, puts people ‘at greater risk of financial abuse for many reasons’ (9). At the same time, phishing and ‘smishing’ may pose an enhanced threat since 39% of over 65s are not confident using smartphone technology (10), and hence may be victimised more easily by such scams.
4.Phishing fraud can have profound effects on mental wellbeing and financial security. According to a recently published research paper (11), elderly victims (those aged 65 and above) in the UK were likely to suffer financial losses nearly twice as high as those suffered by younger age groups. Additionally, it can be anticipated that, compared to those of working age, many older people on fixed incomes, who lack quick access to additional resources, will find it harder to replace money lost to fraud. Meanwhile, nearly half (49%) of all people aged 75 and over live alone. People who are more socially isolated may be more vulnerable to fraud and find it harder to process their negative emotions. Accordingly, the same study indicated that over one third of people aged over 65 in the UK developed ‘severe’ mental health issues after being defrauded, including becoming depressed and suicidal, and more than 20% of them faced bankruptcy.
5.The adverse effects mentioned above also place pressure on key public services, including councils and the NHS, the latter of which has been at the centre of its own phishing scam in the form of fake Covid-related messages (12). The cost of living crisis exacerbates these issues, leaving elderly victims struggling to cover their living expenses and to access the support they need.
Relevant political context/decisions made previously
6.Currently, victims may recover phishing losses through the Contingent Reimbursement Model (CRM) Code (13), which covers ‘Authorised Push Payment’ (APP) fraud, a form of phishing in which a fraudster poses as a payee (14) and which has increased ninefold since 2020 (7). However, not all banks/firms follow the Code, it is not government-imposed or binding, and not all firms implement it to the same level. The average reimbursement is under 50% (15).
7.In September 2022 the Payment Systems Regulator (PSR) set out regulatory proposals for full bank reimbursement of APP scam victims in ‘all but exceptional cases’ (16). This remains a proposal and again is not government policy. Regulation hence remains vague and decentralised.
8.The Banking Protocol, a UK-wide scheme, was launched in 2016 and developed by UK Finance, National Trading Standards and local police forces. Branch staff are trained to spot the warning signs and question customers who might be falling victim to a scam, before alerting their local police force to intervene and investigate (17). However, a survey conducted by Which? in 2021 (18) showed that nearly 70% of phishing victims said bank staff did not fulfil their responsibility to stop them from revealing personal information or transferring money to the criminals. At the same time, National Crime Agency statistics from 2022 (19) showed that 74% of police officers felt they did not have the time, or lacked the skills, to deal with phishing scam cases. From 1 April 2021 to 31 March 2022 only a quarter of phishing cases reported to Action Fraud were passed on by the NFIB to local police forces for action. Of those, fewer than 4% of cases resulted in charges being brought.
9.Points 6, 7 and 8 show that phishing fraud has no core accountable party: responsibility remains spread amongst victims, government, charities, police and firms. Consequently, Office for National Statistics data from 2022 (20) found that around 50% of phishing victims in the UK are dissatisfied with the current measures in place to protect them from phishing fraud, and over 80% of victims did not report their cases, mainly due to societal/cultural pressure and mistrust of the relevant agencies, with older people being the least likely of any age group to report.
10.The Fraud Act 2006 and Digital Fraud Committee Report of Session 2022-23 stated that ‘the telecom sector has no real incentive to prevent fraud…it must do more to tackle phishing emails and smishing texts…and must prevent fraudsters…using easily accessible technology to manipulate vulnerable victims’ (21). Considering both the prevention and response sides of phishing fraud, parliamentary officials already publicly recognise the failure to address phishing and similar forms of scam. In November 2022, the Lords Committee stated that ‘The UK has retreated from the fight against fraud’ (22). In October, the Justice Committee called Action Fraud, the UK’s national fraud reporting centre, ‘unfit for purpose’ in the face of the ‘fraud epidemic’ (23). Regulatory and policy adjustment is clearly required and demanded, especially for older people, who are predominantly affected by this fraud.
Strategic considerations
11.Under the current iteration of the progressing Online Safety Bill, a ‘duty to prevent’ fraudulent pages, adverts and content will be introduced for large websites (including search engines and social media) (24). Ofcom will be made responsible for all online safety matters, including phishing fraud (25), and will have powers to fine companies (such as social media platforms) up to 10% of their global revenue for non-compliance with safety codes (26). Whereas this would centralise responsibility, it risks overstretching Ofcom, which had a cash outturn 3.9% lower than its budget in 2020-21, even before the imminent recession and the associated anticipated cuts to public bodies (27). At the same time, it should be highlighted that phishing is very hard to control and consequently cannot be expected to be eradicated solely by the introduced ‘duty to prevent’. It adapts to restrictions, and any point of technological interaction might pose a phishing risk, particularly where users are less technologically confident.
12.Compared to the UK, the US has adopted more flexible and realistic approaches to fraud prevention and reimbursement, with better deliverability. The Justice Department is expanding its Transnational Elder Fraud Strike Force to combat fraud schemes that target older people, including phishing fraud. The Department and its law enforcement partners continue to return money to older victims of phishing fraud in various forms, such as forfeiture, remission and direct payments. Their efforts over the past 12 months enabled the recovery and restoration of $21 million (28).
Options
13.Option 1: Response side: The Contingent Reimbursement Model Code could be altered to a full Reimbursement Code and extended to cover all kinds of phishing fraud, not just APP scams. The Code should make full reimbursement of tech-originating phishing mandatory, in line with the PSR proposals (see point 7). Organisations hosting phishing scams, e.g. social media companies, should pay towards reimbursement, and both organisations and banks should pay a flat recurring fine if compensation is not timely.
14.Positive: A full Reimbursement Code has the following benefits: it gives phishing victims better financial protection; it creates better cooperation between banks and technology companies; through the compulsory reimbursement requirement, it incentivises both banks and technology companies to prevent the crimes from happening; and it shifts the focus of responsibility from the user to the banks and technology companies, since every bank user, including older users, wants safe and efficient banking but may not be interested in participating in policy-making procedures or training programmes on more advanced technological topics such as phishing. A full Reimbursement Code is the practically favoured option in terms of the administrative capacity and knowledge needed to end phishing: it relies on actors that can change technological infrastructure far more decisively than individuals can increase their own technological knowledge. By relying on internal bank and company policies, it also guarantees a systematic and stable process for change.
15.Negative: Phishing crime prevention itself is not directly addressed; on the response side, it does not cover improvements to police action; it does not put a focus on elderly groups, who should have certain privileges on reimbursement; financial institutions may face losses at the initial stages of implementation and become resistant to the policy. They may also implement rigid security systems at the expense of user-friendly online banking environments.
16.Common risks: Mandatory full reimbursement for all phishing fraud is financially challenging for both banks and technology companies; it might limit the development of the ‘source’ websites or platforms, for example their content diversity; and it is vague on how banks and technology companies are to share responsibility, which may cause conflicts at later stages.
17.Option 2: Prevention side: Improved public information campaigns should be deployed, specifically aimed at older people who may have reduced or less confident technological use, in places where such groups are more likely to see or access the information, such as newspapers, age-targeted leaflets, or time- and channel-targeted television adverts. Adverts should be Government-funded, though the Code adjustment above also incentivises banks to raise awareness.
18.Positive: The public, especially older people, are better educated and supported in understanding fraud; inclusivity of older people is increased. Older users feel that they have agency in dealing with their financial matters and are capable of defending themselves against malevolent actions.
19.Negative: On the prevention side, it does not address stopping fraudsters from using technology to manipulate victims, so the problem will not be eradicated; it does not cover how the main actors - banks and police - should be better trained to prevent and respond to fraud.
20.Common risks: Advertising communications risk large expenses whilst not always reaching the intended audiences; if users are not willing to participate in training on fraud or in policy-making, they may oppose the initiative altogether, and ignorance and indifference may increase.
21.Option 3: Both prevention and response sides: High-quality training should be made mandatory for both bank staff and police officers, including training in the professional skills needed to assist elderly victims. For banks, the focus should be on identifying suspicious phishing activity and freezing victims’ assets promptly for easier reimbursement later. For police officers, it should be on cracking down on fraud schemes and criminal gangs in coordination with the banks. Police and bank intelligence teams should be built up and expanded to specifically tackle phishing fraud.
22.Positive: It puts the focus on older people; by relying on internal bank and company policies, it guarantees a systematic and stable process for change that can account for changes in phishing methods and follow them accordingly.
23.Negative: The definition of ‘high-quality training’ is vague, which makes it hard for banks and police to follow; the timeline to develop the policy is long, whilst the need to address phishing crime is urgent, especially for elderly victims; a fair amount of human and monetary resources would be invested in long-term strategy development, which may cause a shortage of resources in other areas; and the training materials must follow changes in phishing methods, so bank staff and police officers must be retrained frequently on new methods.
24.Common risks: Both stakeholders - the police and the banks - may lack the motivation to follow the training, and the level at which they execute their duties will vary for personal reasons, which may prevent the successful delivery of the policy.
25.Recommendation: Option 1. Making it mandatory for both banks and the technology companies hosting phishing scams to reimburse their victims in full not only protects the victims’ interests well, it also puts tougher regulation on banks and organisations, using financial pressure to make them stop the crimes technologically. Even though this option will not eliminate criminal intent, it will not allow the crime to take place. Therefore both the prevention and response sides are addressed under Option 1, with profound effects on tackling online phishing fraud. The option is also effective for users who do not wish to participate in policy-making to stop fraud but still expect access to safe banking, which is nowadays perceived as the baseline for a fundamental service. In this way, Option 1 is practical and can provide quick results on this pressing issue. Gradually, as crime decreases, the online environment would be effectively cleaned up, and banks and other organisations would face less financial pressure, entering a virtuous cycle.
Clearance
None
Accounting Officer Issues
None
Handling / Presentation and Next Steps
26.This document must be shared exclusively with DCMS senior management and Ministers involved with digital policy, for use in future meetings on amendments to the Online Safety Bill.
(2502 words, excluding the headlines)
(see the reference list below)
Reference List
(1) UK Parliament. Online Safety Bill - Parliamentary Bills. Available at: https://bills.parliament.uk/bills/3137 (Accessed: November 21, 2022).
(2) Action Fraud. Phishing. Available at: https://www.actionfraud.police.uk/a-z-of-fraud/phishing (Accessed: November 21, 2022).
(3) Jones, P. (2022) Nature of fraud and computer misuse in England and Wales: year ending March 2022. Office for National Statistics. Available at: https://www.ons.gov.uk/peoplepopulationandcommunity/crimeandjustice/articles/natureoffraudandcomputermisuseinenglandandwales/yearendingmarch2022 (Accessed: November 21, 2022).
(4) Department for Digital, Culture, Media and Sport (2022) Cyber security breaches survey 2022. GOV.UK. Available at: https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2022 (Accessed: November 21, 2022).
(5) Age UK (2021) Digital inclusion in the pandemic: briefing paper. Available at: https://www.ageuk.org.uk/globalassets/age-uk/documents/reports-and-publications/reports-and-briefings/active-communities/digital-inclusion-in-the-pandemic-final-march-2021.pdf (Accessed: November 21, 2022).
(6) Metropolitan Police. Advice about fraud. Available at: https://www.met.police.uk/advice/advice-and-information/fa/fraud/ (Accessed: November 21, 2022).
(7) Office for National Statistics (2022) Phishing attacks – who is most at risk? Available at: https://www.ons.gov.uk/peoplepopulationandcommunity/crimeandjustice/articles/phishingattackswhoismostatrisk/2022-09-26 (Accessed: November 21, 2022).
(8) Age UK (2019) Older person becomes victim of fraud every 40 seconds. Available at: https://www.ageuk.org.uk/latest-press/articles/2019/july/older-person-becomes-fraud-victim-every-40-seconds/ (Accessed: November 21, 2022).
(9) Alzheimer’s Society. Available at: https://www.alzheimers.org.uk/ (Accessed: November 21, 2022).
(10) Age UK. Helping older people gain digital confidence. Available at: https://www.ageuk.org.uk/information-advice/work-learning/technology-internet/helping-older-people-gain-digital-confidence/ (Accessed: November 21, 2022).
(11) Shang, Y. et al. (2022) ‘The psychology of the internet fraud victimization of older adults: a systematic review’, Frontiers in Psychology, 13. Available at: https://doi.org/10.3389/fpsyg.2022.912242.
(12) NHS Counter Fraud Authority. What we do. Available at: https://cfa.nhs.uk/about-nhscfa/what-we-do (Accessed: November 21, 2022).
(13) Lending Standards Board (2021) Contingent Reimbursement Model Code for Authorised Push Payment Scams. Available at: https://www.lendingstandardsboard.org.uk/wp-content/uploads/2021/04/CRM-Code-LSB-Final-April-2021.pdf (Accessed: November 21, 2022).
(14) Payment Systems Regulator. APP scams. Available at: https://www.psr.org.uk/our-work/app-scams/ (Accessed: November 21, 2022).
(15) House of Lords Library. Financial fraud and vulnerable people. Available at: https://lordslibrary.parliament.uk/financial-fraud-and-vulnerable-people/ (Accessed: November 21, 2022).
(16) Payment Systems Regulator. News & updates. Available at: https://www.psr.org.uk/news-updates/ (Accessed: November 21, 2022).
(17) Consumer Council (2021) The Banking Protocol. Available at: https://www.consumercouncil.org.uk/scams/bankingprotocol (Accessed: November 21, 2022).
(18) ConsumerAffairs. Make big purchases no big deal. Available at: https://www.consumeraffairs.com/ (Accessed: November 21, 2022).
(19) National Crime Agency. Annual plan 2022-23. Available at: https://nationalcrimeagency.gov.uk/news/annualplan-2022-23 (Accessed: November 21, 2022).
(20) Jones, P. (2022) Crime in England and Wales: year ending June 2022. Office for National Statistics. Available at: https://www.ons.gov.uk/peoplepopulationandcommunity/crimeandjustice/bulletins/crimeinenglandandwales/latest (Accessed: November 21, 2022).
(21) UK Parliament Committees. Available at: https://committees.parliament.uk/publications/31584/documents/177260/default/ (Accessed: November 21, 2022).
(22) Fraud Act 2006 and Digital Fraud Committee. The UK has retreated from the fight against fraud, says Lords Committee .... UK Parliament. Available at: https://committees.parliament.uk/committee/582/fraud-act-2006-and-digital-fraud-committee/news/174303/ (Accessed: November 21, 2022).
(23) UK Parliament. Justice Committee - Summary. Available at: https://committees.parliament.uk/committee/102/justice-committee (Accessed: November 21, 2022).
(24) House of Commons Library. Analysis of the Online Safety Bill (CBP-9506). Available at: https://researchbriefings.files.parliament.uk/documents/CBP-9506/CBP-9506.pdf (Accessed: November 21, 2022).
(25) Ofcom. Online safety roadmap. Available at: https://www.ofcom.org.uk/__data/assets/pdf_file/0016/240442/online-safety-roadmap.pdf (Accessed: November 21, 2022).
(26) House of Commons Library. Analysis of the Online Safety Bill (CBP-9506). Available at: https://researchbriefings.files.parliament.uk/documents/CBP-9506/CBP-9506.pdf (Accessed: November 21, 2022).
(27) Ofcom. The Office of Communications Annual Report and Accounts 2020-21. Available at: https://www.ofcom.org.uk/__data/assets/pdf_file/0025/221686/annual-report-2020-21.pdf (Accessed: November 21, 2022).
(28) Office of Public Affairs (2022) Justice Department expands Transnational Elder Fraud Strike Force to protect older Americans from fraud. The United States Department of Justice. Available at: https://www.justice.gov/opa/pr/justice-department-expands-transnational-elder-fraud-strike-force-protect-older-americans (Accessed: January 8, 2023).