There are a multitude of reasons why certain crimes flourish, and at some point while discussing this — no matter the crime — you're almost guaranteed to hear the words: "We can't arrest our way out of this problem."

Fraud (or scams) is an example of a crime that has surged of late; in England and Wales, it now makes up 38% of all crime, with a total economic and social cost to individuals estimated at £6.8 billion.
 
In parallel to that surge, we’ve also seen conviction rates worldwide tumble. England and Wales have seen arrests drop from 14,000 in 2015/16 to just shy of 5,000 in 2022/23. The trend of falling arrest and conviction rates is repeated worldwide, in Australia, the United States of America, Canada and New Zealand.
 
The latest iteration of the UK's Fraud Strategy divides its approach into three pillars:

- Pillar 1: Pursue fraudsters.
- Pillar 2: Block fraud.
- Pillar 3: Empower people.

The three pillars balance the opportunities for prevention and enforcement with the objective of reducing the incidence of fraud and its impact on society.

"As the sophistication and complexity of fraud has increased, prosecuting fraud has become correspondingly much more challenging. Multiple external reviews of the police response to fraud have emphasised the difficulties that the police face"

   Home Office Fraud Strategy – June 2023

Returning to whether enforcement has a deterrent effect on offenders, the best evidence I can find on this topic is a piece of research conducted in Finland. In Finland, around 11% of defendants who committed financial crimes are imprisoned, which is half the rate for non-violent drug offences and a third of the rate for crimes against property.

So, does prison work?

Well, according to the Finns, the simple answer is yes: reoffending fell by close to 50% in the three years following a prison sentence. The study also suggests that the deterrence effect extends to the offender's associates.

In fairness, we should also note that the Finnish prison system, like much of the Nordic region, places significant emphasis on rehabilitation. The degree to which this outcome is repeatable in other jurisdictions depends on how efficacious their prison regime is.

The rise of criminal software-as-a-service (SaaS)

Software as a service (SaaS) is a software licensing and delivery model in which software is licensed on a subscription basis and is centrally hosted. Most SaaS services are horizontal, targeting a wide range of customers with similar requirements. 

Other SaaS services are vertical, targeting customers with specific narrow requirements. Criminals have entered the vertical SaaS space, providing solutions that enable criminals to build, deliver and scale their fraud schemes for a relatively low monthly fee. We may consider calling these vertical services Crime-as-a-Service (CaaS).

Such CaaS services are not on the so-called "dark web"; they operate openly and have commercial relationships with legitimate third parties. CaaS services effectively amplify the capacity and capabilities of individual and organised criminal groups.

Law enforcement typically speaks of upstream and downstream approaches to tackling such criminality. Upstream operational efforts seek to disrupt those at the top of the criminal chain. Recent operations to counter CaaS services have also engaged in downstream enforcement, with users of the CaaS service arrested and, where possible, prosecuted.
 
iSpoof – Spoofing-as-a-service (SpaaS)

iSpoof was a CaaS service that enabled criminals to make spoofed telephone calls, send recorded messages and intercept one-time passwords. The service supported criminals in executing a wide range of impersonation frauds, with bank impersonation likely being the most lucrative.

Operation Elaborate, led by the United Kingdom, was a coordinated international law enforcement action that resulted in 142 arrests and the seizure of the servers used to operate the CaaS service. iSpoof was a lucrative CaaS business, and the investigation determined that it earned EUR 3.7 million in 16 months.

The investigation determined that victim losses stood at GBP 43 million (EUR 49 million) in the UK alone, with estimated worldwide losses of over GBP 100 million (EUR 115 million).

The CaaS service was delivered via servers based in the Netherlands and Ukraine, enabling authorities in the Netherlands to forensically image (copy) and wiretap the service. The wiretap provided authorities with an understanding of how criminals were using the CaaS service, and the data enabled coordinated downstream enforcement with arrests made in multiple jurisdictions.

In a great example of upstream enforcement, Tejay Fletcher, 35, was jailed for 13 years and four months after pleading guilty to several fraud-related charges. Fletcher was a leading administrator of the iSpoof CaaS service, using the proceeds to purchase a £230,000 Lamborghini, two Range Rovers worth £110,000 and an £11,000 Rolex watch.

Ironically, Fletcher's defence counsel told the judge that his client had no idea of the scale of the eventual fraud when he set up the website. The judge observed, "As is the case with any successful business, you probably didn't realise how successful and profitable your enterprise would be."

LabHost – Phishing-as-a-Service (PhaaS)

Like iSpoof, LabHost sought to serve the needs of criminals who target victims by impersonating trusted organisations. Set up in 2021, the service enabled subscribers to build a phishing campaign from a library of branded phishing templates.

If the library didn’t meet their needs, it was even possible for them to request bespoke templates that replicated trusted brands, including banks, healthcare agencies and postal services.

The platform's popularity meant that at the time of the takedown, it boasted over 2,000 criminal users who had used it to deploy over 40,000 fraudulent sites, leading to hundreds of thousands of victims worldwide.

LabHost enabled users to obtain two-factor authentication (2FA) codes using a "LabRat" tool. The PhaaS platform had a tiered membership structure starting at $179 per month for "Standard Membership," rising to $300 per month for "World Membership." The latter enabled the "customer" to access 70 phishing pages targeting international organisations and added ten hosted phishing pages (separate from Premium or Standard licenses).

These include organisations in Andorra, Argentina, Australia, Austria, Bolivia, Brazil, Colombia, France, Germany, Guatemala, Hong Kong, Ireland, Italy, Luxembourg, Malaysia, Mexico, Netherlands, Poland, Portugal, Russia, Saudi Arabia, South Korea, Spain, Sweden, Turkey, UAE, and Venezuela.

Since its creation, LabHost has received just under £1 million ($1,173,000) in payments from criminal users, many of whom law enforcement was able to identify. Between Sunday, 14 April and Wednesday, 17 April 2024, UK and international law enforcement agencies arrested 37 suspects.

In another demonstration of a downstream tactic, law enforcement contacted 800 users of LabHost with a targeted video to let them know that law enforcement was aware of them. Analysis of the platform suggests that it collected 480,000 PANs (card numbers) and more than one million passwords.
 
Conclusion
Criminals, like all humans, make decisions based on available information, with many focusing on the scope for gain versus the likely cost of punishment. Solely relying on enforcement is unlikely to reduce fraud risk, but it remains a potent and vital part of the mix.

Without the cost of punishment, many criminals will conclude that the gains likely outweigh the cost. With that simple equation in mind, we must conclude that enforcement efforts must match industry efforts to prevent fraud.
