Victims lost £1.2 billion in 2023 as fraudsters pivoted from voice to romance and purchase scams

At the end of May, UK Finance released their Annual Fraud Report 2024 (focusing on data for 2023). There are some interesting insights in there, as well as confirmation of some trends we also highlighted in our 2024 Digital Banking Fraud Trends in EMEA report, released in March.

Key takeaways:

• Fraud accounted for more than £1.2 billion in losses in 2023

• Fraud represents 40% of all reported crime in the UK

• Mobile apps are the platform of choice for fraudsters

• Overall, APP fraud losses declined, but fraud as a category continued to increase

• Impersonation scams, aka AKA voice scams, continue their downward trend.

During 2023, the UK government announced plans to reclassify fraud as a threat to national security, given its status as the most common crime in England and Wales, accounting for more than 40% of all crimes reported. We know fraud is often underreported, suggesting these numbers are likely even worse.

While recategorisation grabs headlines, we must ask: Is it enough?

According to the government’s own statistics, despite its ubiquity in the lives of UK citizens, fraud receives a mere 1% of police resources. More needs to be done, and it’s a waiting game to see what measures are put in place and how effective these might be.

What’s changed in the UK fraud landscape?

Looking at the data, we see two significant changes, both of which BioCatch has been observing closely for some time:

1.) Internet banking fraud (via a bank’s homepage on a web browser) has seen a drastic decrease, with just 13,000 cases in 2023, compared to more than 32,000 the year before – a change of 57%.

2.) Mobile banking fraud (and this is exclusively on banking apps) has increased by 62%, totaling 20,000 cases last year – the first time UK Finance has reported more mobile banking fraud cases than internet banking ones.

That said, losses are still significantly higher on web than on mobile (£88 million vs £45 million), which we can attribute to payment limits and restricted functionality on the mobile channel. Still, this represents a step in the right direction. This is the first time annual internet-banking losses have fallen below £100 million since 2014.

Looking at volume of cases, we reported in March that 75% of all reported fraud across the EMEA region originated from a mobile device. This isn’t far from the implied 60% reported by UK Finance (which excludes web-based browsers on mobile devices).

Our other headline two months ago was the drop in voice scams in the UK, with a 25% decrease in reports of voice scam cases in 2023. Analyzing UK Finance’s data, we see the exact same result, and a 23% drop in losses. This comes as no surprise. We’ve observed UK banks continue to deploy BioCatch solutions over the last couple of years, adding a behavioral layer to their fraud stacks to – among other things – help to identify when a user is being coerced into making a payment.

High volume, low value scams

With this in mind, we see fraudsters starting to pivot. Purchase scams (up 34% in volume and 28% in value) and romance scams (up 14% in volume and 17% in value) now seem the scams du jour in the UK. These are also notoriously the hardest for financial institutions to identify, and it’s unsurprising that banks are pleading for more controls on external platforms (i.e. social media) to help them fight back.

It's also interesting to note how fraudsters, once again, are going for the “high volume, low value” attacks. While the average impersonation scam has a case value of almost £4,000, the average purchase scam stands at relatively meager £562.

Over time, we’ve seen the average value of fraud cases drop slightly as fraudsters adjust how they act to bypass fraud controls. However, we're now seeing cybercriminals change tactics altogether, employing modus operandi notoriously associated with lower payment amounts which they execute in larger volumes.

In fact, when it comes to purchase scams, we see that the distribution of individual payment values is almost identical to that of the general population. For example, taking one UK High Street bank, we see the following:

When we compare this to impersonation scams, we see that, for this particular bank, approximately 75% of their impersonation scam payments had a value of less than £1,000, which in itself is an outlier from the UK average (50% of all impersonation scam cases have a value of less than £1,000).

A graphical comparison is shown below:

The report shows that – with technology, cooperation, and regulation – detecting and preventing fraud and scams is possible. Impersonation and online banking scams have declined in the UK thanks to a lot of hard work by a community of fraud fighters. Banks, law enforcement, and government now need to apply that same hard work to combating purchase and romance scams.

On the surface this may seem a complicated (if not impossible) task, but at BioCatch, we believe all scams lead to mules, and if we can detect and shut down these sprawling networks of mule accounts, we can also stop these hard-to-detect romance and purchase scams.