In May 2023, the UK government, led by the UK Home Secretary Suella Braverman, initiated a three-pillar strategy for attacking and defeating financial scams in the UK.  The three pillars are: 1) Pursue Fraudsters, 2) Block Fraud and 3) Empower People.  The new fraud strategy was outlined in a 66-page report describing the initiatives and goals and is impressive in that it broadens the reach of who should help in this fight. Specifically, it calls out mobile network operators, large internet players, social media companies and, of course, financial institutions.

The new strategy also requests involvement from the UK Intelligence Community to help identify and arrest fraudsters, many of whom reside outside the UK.  The UK government has appointed Anthony Brown as the Prime Minister’s Anti-Fraud Champion.

Scope of the Scam Problem


Before we cover the fraud strategy itself, let’s briefly review the problem. The scope of the scam problem has gained so much attention because authorized fraud losses now exceed unauthorized fraud losses (54%-46% in 2022). According to the fraud strategy document:

  • Over 40% of all (criminal) offences in England and Wales involve online fraud and scams.
  • Victims reported losing £2.35 billion in 2021.
  • For authorized frauds (where the victim unwittingly executes the transactions), the average loss was £3,000, although some victims lose hundreds of thousands of pounds.
  • Losses above £10,000 make up 0.5% of the loss incidents, but 29% of the financial losses.
  • 70% of the fraud either originates abroad or has an international element.


Then there is the human side of fraud – the psychological toll that scams take on actual victims.   The document noted at least three-quarters of the victims also suffer emotional hardship because of these losses.

There is also a concern that generative AI will allow fraudsters to more effectively craft the ‘attack’ message (phishing, smishing or vishing).  Separately, in a recent Frank-On-Fraud article, TSB Bank said, “Meta is responsible for (the initiation) for most of the fraud and scams perpetrated against their customers”.  Meta owns Facebook, Instagram and WhatsApp.

Dissecting the Pillars of the UK Fraud Strategy


Now that we’ve examined the problem, let’s dig into each pillar of the fraud strategy.

Pillar 1: Pursue Fraudsters

The first goal of the strategy document is focused on pursuing criminals. Today, few defendants are ever taken to court for financial fraud and scams. It is estimated that for every 1,000 frauds, there is only one successful prosecution. And given that a majority of fraud attacks originate abroad, the government wants to bring in the UK Intelligence Community and add over 400 new investigators in a new National Fraud Squad to start to aggressively identify and arrest fraudsters.  They had a recent success in November 2022, working with the US and Ukraine, to bring down the iSpoof website (used to spoof banks on phone calls to customers). Nearly 200,000 UK victims were impacted, losing £43 million. The takedown operation led to the arrest of more than 100 people.


The UK government wants to drive global action on fraud by making it an internationally focused priority. The UK government will also add police presence in key countries to help disrupt fraudsters.

The government will address legal challenges to information sharing to help mitigate fraud/scams.  The new Economic Crime and Corporate Transparency (ECCT) Bill will “introduce provisions to disapply civil liability for AML regulated firms who share customer data with each other for the purposes of preventing, detecting and investigating economic crimes.”


The government will also publish a new cross-sector money mule action plan to freeze funds and disrupt mule recruiters and mule controllers.


This pillar will also replace Action Fraud to make it easier for victims to report losses.


Pillar 2: Block Fraud

The second goal of the strategy document is centered on blocking fraud and recognizes that many of the scams begin with text messages, phone calls, email, social media, search engines and false advertising.  So, telecommunication companies and technology firms need to be involved in the solutions to block scams.  But first, there will be more tracking and reporting on the patterns of fraud, and the Payment Systems Regulator (PSR) will require banks to provide reporting on authorized payment fraud rates.


Next, the “Anti-Fraud Champion will work with industry, including social media and telecommunications firms to ensure companies are properly incentivized to combat fraud and explore all avenues to do so”.  This is a new approach, and it will be interesting to see how these companies respond.  Recently, the telcos have added firewalls to help reduce the number of spam messages; these have been credited with stopping 600 million scam text messages since January 2022.


The Office of Communications (Ofcom) will be responsible for implementing the regulations associated with the proposed Online Safety Bill, which imposes duties of care on providers of online user-to-user services and search services and requires Ofcom to issue codes of practice about those duties. Failure to comply with the Online Safety Bill will result in significant fines.


The government is already working with tech companies on a new Online Fraud Charter (to be delivered in summer 2023) that will improve data sharing between the government and the private sector, ensure that all advertisers of online financial promotions are registered with the Financial Conduct Authority (FCA) and put in place systems to prevent fraudulent content from appearing on platforms.  There is also a telecommunications charter which sets out how to prevent telecommunications-enabled fraud, including blocking scam texts.  There will be a ban on financial cold calls, a stop to spoofed calls, a ban on SIM farms and a review of mass text aggregators that could require registration.


For financial firms, the strategy will allow for faster payments, based on a risk-based approach, to be held/slowed down to allow for proper investigation of suspicious transactions.  This risk-based approach should be extended to involve both inbound and outbound transactions.  The FCA will also assess financial firms’ fraud systems and controls.  The PSR is also calling for data sharing standards, for compatibility of data, to help flag risky transactions.  This data sharing should be done in real-time to prevent fraudulent transactions from executing.


Banks have already added stronger customer authentication (part of PSD2), Confirmation of Payee and The Banking Protocol (which can involve the police actually visiting a branch in the case of a questionable/scam cash withdrawal and helping to convince the customer not to withdraw the funds).

Under another new control, the National Cyber Security Centre (NCSC) will be charged with working with financial institutions and tech companies to search the Internet for malicious/fraudulent websites and have them removed or blocked from public access.


Pillar 3: Empower People

The final goal will address ways to empower people by improving anti-fraud communication and ensuring young people have key anti-fraud and cyber security skills.

The government also wants to streamline how victims report scams and provide consistent support for victims in the UK.  Sadly, today 18% of the fraud victims are repeat victims, accounting for 35% of all fraud.

The strategy plans to establish a trusted and secure digital identity market in the UK and restrict creating and selling identities.

The most important point of this goal is to “make sure more victims of authorized fraud get their money back by legislating to enable the PSR to require reimbursement by all PSR regulated payment service providers.”  The focus for authorized payment reimbursement will be on transactions in the UK’s Faster Payment System where it is noted that 97% of authorized push payment (APP) fraud currently occurs. 

Summary


The delivery of this strategy is phased over three years.  The first goal is to cut fraud by 10% from 2019 levels by the end of the current Parliament.

This is a very ambitious plan, as it should be.  Every country around the world should look at this plan and create a similar one.  Whether it includes the aggressive reimbursement component for authorized payment fraud or not is open for discussion.  But the other parts of the three pillars are independently sound.  It will take hard work involving not only government, but telecommunications, the tech industry and financial services to execute this strategy, and it is necessary to prevent consumers from losing billions of pounds every year.

 

 
