Terms explained:
National Fraud Database (NFD) - is used to share fraud risk information about actual or attempted fraudulent conduct against organisations.
Internal Fraud Database (IFD) - is used to share fraud risk information that specifically relates to individual staff members who tried to commit or committed fraudulent or other relevant conduct against or within an organisation.
Identity Fraud - when a subject abuses personal data to impersonate an innocent party, or creates a fictitious identity (synthetic identity), to open a new account or obtain a product.
Facility Takeover - when a subject abuses personal data to hijack an existing account or product - for example, a bank account or phone contract.
Misuse of Facility - the misuse of an account, policy or product, for example, allowing criminal funds to pass through an account or paying in an altered cheque.
Internal Fraud - fraudulent conduct or theft committed by an employee of the company or an individual applying to work for a company.
Vishing, Phishing, Smishing – an attempt to gain personal information (or persuade someone to do something) through the use of email, telephone and SMS communications.
Social Engineering - a method of manipulating people to reveal personal information about themselves or to persuade them to do something they would not otherwise do.
Money Mule - a person who (intentionally or unintentionally) transfers money acquired illegally, usually through their own bank account, on behalf of others.
BOT - a software application that runs automated tasks across the internet.Malware - software which is specifically designed to disrupt or damage a computer system.
Remote Access Software – allows a third party to access another computer remotely.
Welcome to this year’s edition of Fraudscape, which is key to understanding the challenges and threats we face as a community, and which areas we need to focus on to fight fraud together.
This report combines data from our National Fraud Database (NFD) and Internal Fraud Database (IFD), along with intelligence provided by Cifas members, partners and law enforcement. In 2021, Cifas members saved over £1.3bn through prevented fraud losses, but we know we can prevent and detect even more fraud by developing a better understanding of key fraud threats and enablers – which is the main purpose of this report.
Despite the obstacles brought about by last year, we recognise that 2022 brings its own unique challenges and threats. New ways of working as well as ongoing uncertainty around the UK economy and the rise in the cost of living will almost certainly provide a rich seam of opportunity for fraudsters.
In addition, those struggling financially may be tempted to commit fraud in order to generate additional income during these difficult times.
As the UK’s leading fraud prevention service, our role in protecting Cifas members, stakeholders and the public from fraud has never been more important. Now is the time for the fraud prevention community and the wider UK public to collaborate and deliver a targeted and proactive approach to stop fraud. Let’s take the fight to fraud.
What do the overall findings tell us?
The volumes of cases recorded to the NFD are close to pre-pandemic levels, with over 360,000 cases recorded in 2021.
Levels of identity fraud reached over 226,000 cases and account for 63% of all cases recorded to the NFD – a 22% increase (nearly a quarter) on 2020. Identity fraud continues to impact the plastic card and banking sectors but rises in the online retail and loans sector have also been identified.
The sophistication of cyber enabled attacks such as phishing and smishing continues to grow, as does the quality of false documentation provided to support the subsequent fraudulent applications. There is concern that the rise in living costs will encourage criminals to target loan products and deferred credit services and exploit organisations that have more relaxed lending criteria than others.
Misuse of facility accounts for just over a fifth of cases, with over 79,000 cases recorded, and is up 17% from 2020. The majority of cases relate to bank accounts, with 72% of cases (nearly three-quarters) holding intelligence indicative of mule activity. The significance of this can be seen in conjunction with the continued rise in scam activity and the requirement for an account to transfer funds obtained from those scams.
Of note, there has also been a rise in misuse of plastic cards, with the main filing reason being payment fraud. The sector may be increasingly targeted as a direct result of economic stresses due to rising living costs.
Levels of facility takeover declined slightly by 3%, but over 37,000 cases were still recorded. Although the majority of cases impact the telecoms and online retail sectors, 2021 saw a growth in cases in the plastic card sector. Advances in technology and an increased use of digital channels will continue to be exploited by criminals to target not only victims, but also organisations, in an attempt to gain access to accounts. With more people using online banking and mobile payments, criminals will seek to gain access to these existing accounts, particularly if credit providers tighten their lending criteria.
The insider threat remains a key concern. Although the number of individuals recorded for dishonest conduct has reduced by 7%, this is likely as a result of organisations not being able to conduct as many interviews and investigations into staff conduct through various lockdown measures. Of note is the growth in false employment application (unsuccessful), particularly in relation to concealing adverse credit or previous employment history.
As remote and hybrid working become the norm it is important that organisations conduct regular screening of staff and ensure offboarding processes are fit for purpose within these new working environments. Cases of theft of IT equipment have grown and intelligence has indicated increased numbers of employees forwarding sensitive information to either personal email addresses or email addresses associated with their role.
2022 Half Year Figures
Nearly 200,000 cases of fraudulent conduct recorded – up 11% on the first 6 months of 2021*.
Over 136,600 cases of identity fraud – up a third (33%) on 2021 making up 69% of cases recorded to the National Fraud Database (NFD).
Over 12,000 cases of false application - up 55% on 2021. Mainly impacting the banking sector though increases have been identified for mortgages and asset finance.
63% (17,967 cases) of misuse of bank account cases have intelligence indicative of mule activity.
There were 175 individuals recorded to the Internal Fraud Database – a 51% increase on the same period in 2021.
63% (34 cases) increase in false employment application (unsuccessful), mainly due to concealment of information such as adverse credit history or employment history.
Over 136,600 cases recorded (up 33%)
Accounting for 69% of cases filed to the NFD. 1 in 9 occur via online channels - though there is a 39% increase via broker channels.
Plastic cards and bank accounts continue to be targeted and a rise in telecom products has been identified.
Nearly a quarter of victims of impersonation are over 61. Of note:
Those aged between 51 and 60 years are more likely to be impersonated for insurance products.
Those under 21 are more likely to be impersonated for telecoms products.
Over 33,000 cases of misuse of facility, so far lower than the same period in 2021 – though still accounting for nearly a fifth of cases recorded to the NFD.
Misuse of loan products has increased, mainly across personal loans unsecured and personal loans deferred credit.
Of the bank accounts recorded for misuse of facility, 63% of cases have intelligence that indicate mule activity.
Personal current accounts remain a target, but there are increases in personal savings accounts being targeted.
A quarter of accounts that have intelligence indicating mule activity are recorded within a month of application.
Over 15,000 cases of facility takeover recorded to the NFD, so far lower than the same period in 2021.
Online retail and telecoms products continue to be targeted, however there is an increase in the targeting of plastic cards. Victims of facility takeover are generally over 31 years. Of note:
Those under 21 are more likely to be targeted for bank account products.
31 to 40 years are more likely to be targeted for online retail products.
51 and 60 years are more likely to be targeted for telecoms products.
Those over 61 are more likely to be targeted for plastic cards.
175 individuals recorded – up 51% on the same period in 2021.
63% increase in false employment application (unsuccessful) - (88 cases).
47% increase in dishonest actions by staff - (72 cases).
Most individuals recorded for dishonest conduct worked in a contact centre - up 50% on 2021. This is followed by those working in branch- up 12%.
Most individuals were between 21 and 30 years (48%), however there has been a 76% increase in 31-40 years.
Overall, most individuals had been in employment for 2 to 5 years (43%).
2022 Half Year Figures - Analysis
Criminals are taking advantage of rising living costs by targeting consumers with various phishing campaigns using social media and emails to harvest personal information to use for fraudulent conduct.
There are campaigns claiming to be from utility providers offering deals to save on their energy bills and some have taken advantage of collapsed utility firms to pose as debt collectors and contact consumers using the details of their former supplier.
Investment scams targeting individuals looking to supplement their income and pensions in light of economic strain.
Criminals have been posing as network providers and/or phone dealers to offer deals, such as rewards for loyalty or opportunities to get a better deal on their contract.
Social media adverts and emails offering the chance to win fuel vouchers by working with well-known brands.
As more households feel economic strain, they may need to find ways to supplement their income. Criminals are exploiting social media platforms to offer work from home and ‘make money quick’ schemes which are, in fact, money muling.
More companies are looking for ways to expand their portfolio into the Buy Now Pay Later space. For businesses new to this arena, criminals will look to exploit any vulnerabilities within their processes.
As the e-commerce market grows, criminals will look to exploit marketplaces and apps that allow peer to peer selling. They will ’sell’ an item to a consumer, often asking for payments requested outside the app, such as through PayPal, Cash App or bank transfer. The item often does not exist or is not then sent to the customer.
Criminals are targeting contact centres to try and understand what processes are used to gain access to accounts. They often try to socially engineer the contact centre agent to gain access to a customer account or use the information they get from the agent to target consumers.
Malware is an increasing method deployed by criminals to target devices and gather information to access accounts. Criminals often use kits sold on the dark web to install the malware on victim’s devices through apps or email links.
Social engineering is still a key method to harvest personal and financial information. Often posing as a bank, criminals will persuade victims to move their money into a safe account or allow access to accounts.
False documents still a remain a key issue for organisations as they continue to be easily available through novelty document sites. The effects of rising living costs will mean that individuals may use false documents to claim affordability for products and services.
The use of unregulated brokers to make applications is a real concern, as they may charge high fees to consumers and then supply false documentation with inflated income to apply for products and services.
As individuals struggle with rising living costs, they may be tempted to supplement their income by exploiting their knowledge of processes, such as over-claiming overtime or expenses. There may also be an increase in staff approaches, where an individual is given the opportunity to make money for making changes to accounts or selling data.
Due to economic constraints since the pandemic, many individuals are not disclosing adverse credit or employment history as they feel it will hinder their employment opportunities.
Remote working continues to be a concern around monitoring staff from a wellbeing as well as performance perspective.
2021 saw over 360,000 cases of fraudulent conduct recorded to the NFD, which is close to pre-pandemic levels.
Identity fraud remains a key threat and the number of cases recorded has grown by 22% (226,000) in 2021.
Cases of misuse of facility accounted for over a fifth of cases (79,000) recorded in 2021.
A rise in the misuse of plastic cards has also been identified with the most common reason for filing being payment fraud. As living costs increase there is concern that volumes will increase.
Facility takeover accounted for 11% of cases on the NFD with a particular impact on the telecoms and online retail sectors.
Of concern is the growing rise in facility takeover cases involving plastic cards and bank account products.
The insider threat remains a significant concern. In 2021 there was growth in the number of false applications where individuals concealed adverse credit or previous employment. Organisations also face real challenges as remote and hybrid working become embedded with instances of employees abusing personal and sensitive information and the theft of IT equipment being identified.
What do the findings tell us? 2022 Half Year Figures 2022 Half Year Figures - AnalysisIdentity fraud analysis:
2021 saw an increase in the use of synthetic identities to apply for products and services.
Smishing, phishing and vishing campaigns remain very effective in harvesting personal information.
False documentation and identity packages are becoming increasingly sophisticated.
Identity Fraud Case Study
Cifas Commentary
Digital engagement is a key concern for organisations ensuring identities are verified correctly online. This is due to a marked increase in the sophistication of cyber enabled attacks such as phishing and smishing and the quality of false documentation available.
Social engineering remains one of the preferred tactics to gain access to accounts and personal information. This includes the impersonation of financial institutions and criminals impersonating customers to an organisation in order to gain access to and information from accounts.
As technology makes it easier to use voice spoofing and deepfake technology, both consumers and businesses need to be cautious before releasing any financial or personal information and verify that they are really talking to who they believe they are.
As living costs continue to rise, consumers must be wary of offers that appear to be too good to be true where a criminal is looking to harvest personal and financial information. Businesses also need to bolster their defences, particularly those offering any deferred credit products such as loans or buy now, pay later as criminals will look to target them.
It is really important for both consumers and businesses to carry out thorough checks on who they are dealing with. Genuine businesses can be impersonated to dupe customers and service users to part with their life savings and their personal information. As we embark on this more digital world, it is vital businesses have good policies, systems and processes in place to safeguard themselves against threat actors in a world where online ID verification is becoming more challenging.
Identity fraud remains a key threat and the number of cases recorded has grown by 22% (to 226,000 cases) in 2021, accounting for 63% of all cases recorded to the NFD.
91% of identity fraud cases occurred via an online channel.
Although identity fraud mainly impacts the plastic card and banking sectors, the online retail and loans sectors have also been particularly targeted.
Attempts to access loan products saw a 39% increase, with unsecured personal loans heavily targeted. Although two thirds of attempts were not granted, loans will continue to be a target in light of rising living costs.
Overall, 24% of victims are aged over 61 and this age group is disproportionately targeted for plastic cards and bank accounts.
There has been a 53% rise in those aged between 31 and 40 years targeted for asset finance products and those aged between 51 and 60 years are more likely to be targeted for insurance products.
There has been a 7% rise in companies being impersonated, predominantly for telecoms or loans products.
Analysis Cifas Commentary identity fraud case studyMisuse of facility analysis:
Social media continues to be an enabler for recruiting mules.
Increasing access to online tools such as receipt/refund generators to support fraudulent conduct is of concern.
There are considerable links between mule activity and APP scams.
Mule accounts are being used to receive fraudulently obtained grants, loans and benefit funds.
Cashing out fraudulently obtained funds via cryptocurrency is increasingly concerning organisations.
Cashing out fraudulently obtained funds via cryptocurrency is increasingly concerning organisations.
Cifas Commentary
A real challenge facing organisations is the social perception of what constitutes fraud. In recent research carried out by Cifas, one in 13 people admitted to conducting fraudulent activity in the last 12 months.
17% of respondents to the survey believed money muling to be acceptable and 6% viewed making a false claim of non-delivery of a retail item acceptable. This perception, combined with the accessibility and availability of online services and guides on how to conduct fraudulent conduct, means challenging these perceptions will be essential in influencing the decisions individuals make in the face of financial adversity and rising living costs.
Social media remains a key enabler in the recruitment of mules due to its vast reach. There is however more work to be done to understand the source of illegitimate funds, the role of the account in transferring those funds and the ultimate destination and cash out.
Rising levels of money mule activity over the past year are a significant cause for concern. As ongoing uncertainty around the economy and cost of living increases bite, there is a need for the fraud prevention community to come together and coordinate fraud prevention messaging. We must deter consumers from being tempted by fraudsters offering easy money schemes and ensure they understand the consequences of engaging in fraudulent activity.
What anti-money laundering can learn from fraud prevention:
In the world of financial crime, money laundering and fraud often go hand in hand, but from a prevention perspective the two crimes, though related, are often dealt with in isolation – with fraud frequently allocated more resources and attention as financial institutions seek to protect themselves from losses.
Money laundering is often associated with serious criminal activities like drug trafficking and terrorism financing, but it’s estimated that more than fifty per cent of the world’s laundered funds actually originate from fraud, which begs the question – why are these interconnected crimes tackled in isolation?
These are two serious crimes, so what’s behind the vastly differing approach?
With fraud, there is a tangible risk of financial loss for individuals and organisations across all industries, with the burden of financial reimbursement often falling heavily on banks. Because of this, there’s a clear incentive to prevent financial losses associated with fraud across sectors, and the realisation of this has enabled private entities to put aside competition and work together to combat the challenges of fraud with joint initiatives that rely on intelligence sharing and transparency.
This open, collaborative environment does not yet exist for those tackling anti-money laundering (AML), whether in the financial sector or elsewhere where large sums of money are being used to buy real estate or high value goods.
Unlike fraud which negatively impacts a business's bottom line, laundered funds bring in an estimated $1.86 trillion into the global economy annually, and so the clear opportunity for profits can often overshadow the more opaque threat of regulatory fines and sanctions.
In other words, the lack of regulatory and legal enforcement means there’s not as much incentive for organisations to continue allocating resources to investigate suspicious transactions once compliance checks have been satisfied. Coupled with this, there is currently a lack of legal clarity around the permitted sharing of money laundering data between regulated entities, which limits those organisations that wish to share and do more to combat money laundering.
However, it doesn’t mean that criminal activity isn’t occurring, and that innocent people aren’t having their lives ruined as a result of such crimes. For example, instances of money muling increased by 38% during the pandemic. Fraudsters essentially took an opportunity to exploit the vulnerabilities of those impacted by job losses during the pandemic, luring them into sharing their bank account information with false job advertisements.
A shift in perception and incentives
However, should greater emphasis be placed on investigating suspicious activity beyond current compliance requirements, more can be done to prevent further crimes and financial losses; as laundered funds are distributed throughout the financial system in a series of transactions that appear to be legitimate, it’s often the case that those funds go on to facilitate further instances of mass fraud, and more serious crimes such as people smuggling, drug trafficking and terrorism.
Due to the serious nature of these crimes, greater incentives are needed to ensure that preventing money laundering isn’t solely regarded as a compliance goal, but essential to business success and continuity.
How this is done is the challenge facing governments and law enforcement – the industry needs stronger means of deterrence, which could be tougher penalties and enforcement of laws and regulations, the removal of board and executive staff, the revocation of practising licences, and increasing public awareness to the atrocities that negligence facilitates.
But the financial sector can’t rely on governments and law enforcement to solve this problem – to be successful in combatting money laundering and preventing criminal activity, the industry must come together to tackle the challenge itself – as it’s proven can be done with fraud.
Cross-sector collaboration, facilitated by smart technology.
Unlike fraud, the anatomy of anti-money laundering compliance failures over the past two decades has been identical. If teams from different industries come together to collectively share wisdom, new intelligence and develop joint prevention strategies – then it’s possible to have a significant impact in preventing the financing of criminal activity.
In order to do this, there needs to be a way to quickly share data and intelligence between organisations – as laundered money moves quickly through the financial system, and delays in decisive action can have serious consequences.
Organisations can look to fraud prevention tactics as a model for how this could be best achieved. Secure sharing of transactional data for the purposes of crime prevention, as is done in the United Kingdom with fraud prevention organisations like Cifas, is a positive step forward to preventing the high harm crimes that money laundering enables.
It’s also important that industries move away from manual processes and adopt new technologies that pool existing data to provide real-time risk analysis on both new and existing accounts. This level of transparency, combined with competent people and risk-based processes, will ultimately be key in helping tackle financial crime across the board, enabling industries to more confidently avoid risk and ensure continued profitability and success.
Stephen Platt, Founder and CEO, Riskscreen
Misuse of facility accounts for just over a fifth of cases, with over 79,000 cases recorded and up 17% on 2020.
Most misuse cases are in relation to bank accounts (88%) and these have increased by a third.
72% of misuse on bank accounts has intelligence that indicates mule activity and these cases have risen by 24% in 2021 compared to 2020. Although the majority of cases are in relation to personal accounts, there has been a 24% increase in the abuse of company accounts for this type of activity.
A large proportion of subjects recorded for this type of activity are aged between 21 and 30 years. However, there has also been a 19% rise in those aged under 21 years.
The rise in cases indicating mule activity may be aligned to ongoing problems with authorised push payment fraud (APP). Mule accounts are often needed to transfer funds gained from illegal activities such as scams and then transferred on to facilitate serious and organised crime.
Analysis Cifas CommentaryCifas Commentary
2021 saw an emergence in the use of malware to attack devices to harvest personal and financial information. Popular tactics included smishing texts themed around NHS COVID testing as well as delivery rescheduling.
Malware is also deployed through malicious links received through smishing attacks or through downloadable apps. It is essential that both businesses and consumers regularly run antivirus and antimalware on all devices to check for such malicious software.
More people than ever are using digital channels for online and mobile banking and this presents considerable opportunities for phishing attacks. As well as socially engineering victims to reveal passcodes, criminals are employing call redirection tactics to allow them to impersonate customers and respond to organisations to verify fraudulent activity as genuine.
Advances in technology and an increased use of digital channels will continue to be abused by criminals to target not only individuals, but also organisations, in an attempt to gain access to accounts. A high proportion of account takeovers still come via telephony channels, which are often perceived as the weaker link and may be targeted by the growth in voice spoofing technology.
False upgrade scams, run by increasingly sophisticated fraudsters, have a real impact on our customers. These are designed to both steal the personal and financial details of victims, as well as provide the scammers with a handset which could be sold for a profit or used to commit further criminal activities. It is vital that customers and businesses stay vigilant when receiving unsolicited calls, be cautious if you receive a call that says the wrong device has been sent and Take Five before parting with their personal and banking details. Scam texts can be forwarded to 7726, and phone numbers operating scam calls can be reported by texting ‘CALL’ to 7726 and following the prompts.
Mobile UK
Leaving the Back Door Open - How phone channel fraud works
There are fundamentally three channels’ criminals exploit to attack banks - as Pindrop CEO Vijay Balasubramaniyan has been narrating over the years. The first and most “traditional” being physical robbery that is (largely) prevented using security systems and trained personnel; the success rates in this scenario are very low and are progressively de-incentivising armed robbers and other forms of physical attacks. The second and most “common” attack is the digital breach. Fraudsters armed with valuable information and strategies will penetrate various infrastructure components starting from the perimeter all the way into the networks’ core systems. The success rate in this scenario is statistically higher but what makes this even more attractive is the ability to hide identity. To counteract, Banks have been conducting significant investments in this space using advanced cybersecurity technologies that have put them in an advantageous position against cyberattacks. As a result, this has pushed criminals to target the least discussed and often overlooked side of the business: the telephony space. With higher success rates and even lower identity risks, this has become a greenfield for fraudsters across the banking world. Without a physical threat or advanced capabilities in cybersecurity, someone with the right pieces of information can steal money right over the phone.
The phone channel is often favoured by fraudsters to either gain information or access customer accounts through social engineering, which simply means tricking contact centre agents into revealing something they shouldn’t or coaxing the agent into verifying a fraudster as a customer. Phone channel security is often reduced to asking secret questions, also known as knowledge-based authentication questions (KBA). Organised crime rings attempting to social engineer their way to account takeover, are often more prepared to answer these questions than their customers. Pindrop’s data shows that fraudsters tend to pass such questions with success more than half of the time whereas the true customer forgets the correct answers 20-40% of the time. Additionally, contact centre agents are often measured on the quality of customer interactions, so being overly suspicious or asking lengthy security questions only counts against their job performance ratings. Agents aren’t typically trained in identifying deception, and the techniques used by fraudsters are designed to not arouse suspicion.
Fraudsters are very well prepared. Through data breaches, personal information is available on the dark web in droves. Crime syndicates will buy this data that contains account numbers and other personal info readily available across social media networks. They compile this information on their target victims and collate enough information to bypass ineffective security like KBA’s, OTP’s (one-time passcodes) that can be easily obtained through social engineering techniques, or other subversion tools like spoofing and voice altering. Once a bad actor gains access to an account once, they can not only move money, but also change other information like email addresses, approve authorised users or change policies.
Even if you have the best online security, nothing protects the phone channel beyond easily discoverable information or easily socially engineered one time codes. The fraudster will use the phone channel as an entry point and even enable easier access to the more heavily guarded online or mobile channel. The phrase has become a bit cliche, but ‘locking the front door, but leaving the window open’ is an appropriate summon of poor phone channel security. Cringe at the cliche, but make sure the security isn’t equally cringe inducing. With most things in life the proper remedy takes a bit of effort. Updating policies and information sharing are of the utmost importance, but technology developed and deployed by experts represents the key for effective consistent protection against organised crime syndicates.
Pindrop
Facility takeover analysis
Social engineering coupled with sophisticated number spoofing and vishing attacks remains a significant threat.
Criminals are deploying impersonation attacks not just on consumers by posing as financial institutions or service providers, but also as the customer to the legitimate business.
There has been a rise in the sophistication of the cyber-attacks. By using bots, criminals are targeting organisations in an attempt to infiltrate and harvest accounts or to respond to consumer enquiries on social media.
Over 37,000 cases of facility takeover were recorded in 2021, similar to 2020 levels. Although the majority of cases impact the telecoms and online retail sectors, 2021 saw 19% growth in cases in the plastic card sector.
Overall, a large proportion of cases have occurred online (47%) or through telephony channels (43%).
A large number of the cases recorded are in relation to unauthorised security or personal detail changes to the account. There has been a rise in unauthorised facility upgrade particularly targeting the telecoms sector. Victims have been duped into believing they are talking to their provider and are coerced into agreeing to false upgrades so criminals can fraudulently obtain handsets.
Overall, a large proportion of victims of takeover tend to be aged over 41 years. Those aged between 31 and 40 years are more likely to be targeted for online retail products, whereas those aged between 41 and 50 years are more likely to be targeted for telecoms products.
Analysis Cifas CommentaryThe benefits of ongoing monitoring
Have you ever considered that the results of most pre-employment checks are only valid in that split second that the results are returned? By the time you have read to the end of the returned results they are already out of date. In 2021 there were over 360,000 cases of fraudulent conduct recorded to the Cifas Databases. In the year to June 2021 there were 909,000 convictions in courts in England and Wales - and average of just under 2,500 per day. These figures show how much information is being updated on a daily basis and why the belief that because a check was once undertaken, an organisation has protected themselves against the insider threat.
Many organisations believe that they have robust checks in place as they screen at pre-employment stage, and that any additional checks are costly and time consuming. That is not the case when it comes to checking employees against the Cifas Internal and National Fraud Databases. Cifas members pay their annual subscription fee and can undertake unlimited checks* against these databases for no additional cost, and with checks being able to be carried out directly via an API, manually or as a CSV excel document upload, a check can be completed in seconds. Any matches that are returned can then be reviewed to determine if the integrity of the individual is in question or whether the organisation is happy for the employee to continue their employment. A match does not equal a ‘do not employ’ marker. So that clears up the concerns that it is costly or time consuming!
I recently spoke to a member of Cifas who had a perfect example of the importance of ongoing monitoring…
In February 2022, we became aware that an employee of ours had three recent Cifas cases against them.
Employee A worked in a customer facing role and it was identified that they were using three known names and a number of known addresses based over 100 miles apart. All were for false applications. Our team called the organisations who recorded the cases for more information . For one of the cases, Employee A had altered the salary credit on their bank statement in order to inflate their income. They were intending to use the inflated income figure to evidence a higher annual salary in order to get car finance. However, the document went through verification checks and Employee A was filed to the Cifas National Fraud Database.
One of the other cases was as a result of Employee A submitting a false fraud claim. A payment had been made from their account and Employee A disputed it and advised they didn’t authorise the payment. The organisation looked into it, did not uphold it and closed the account. The final case was made as adverse credit was identified that had not been declared.
We also identified that Employee A had been abusing their position by transacting on their own account, which is against employee policy.
Employee A was suspended pending investigation. The investigation conclusion noted that there were concerns around the employee due to the Cifas cases and there was a concern that due to the adverse credit, they could be in financial distress. Upon interviewing Employee A, they advised that they knew some details about the cases. They also advised that they allowed a family member to use personal details such as name address etc and didn’t see the problem with it – Employee A had taken photos of their ID and given the family member payslips and bank statements. Employee A handed in their notice before the disciplinary meeting.
I cannot stress the importance of using the tools that are available through Cifas to protect your organisation against the Insider Threat - especially where there is no additional cost. Dishonest employees can cost an organisation tens - if not hundreds of thousands of pounds, and that’s before reputational damage is taken into account. Cifas works with our members to support them with implementing ongoing monitoring and can help you understand how this can work best for your organisation. Make an enquiry on our website to talk about how we can support your organisation against the insider threat.
*subject to fair usage policy
Tracey Carpenter - Insider Threat Proposition Lead, Cifas
Cifas Commentary
Remote and hybrid working have provided real challenges for organisations over the past two years. Instances of work avoidance and inflated overtime have been identified following the introduction of home working and flexible working arrangements.
An unexpected side effect of remote and hybrid working is that it has enabled offboarding employees to steal both commercial and personal data and IT equipment.
A significant concern is the rise in insider threat as a service, where individuals are actively recruited to work in particular roles to carry out dishonest activity and exploit policies and procedures. There are also individuals advertising their insider knowledge on forums in a bid to earn additional money at their employer’s expense.
Organisations must ensure that as agile working agreements develop and increase in popularity, their policies and procedures are fit for purpose. Increases in the cost of living may further tempt staff members into committing dishonest conduct or becoming more vulnerable to staff approaches. It is therefore essential to have appropriate monitoring in place to audit employee behaviour and ensure wellbeing checks are carried out regularly, so that organisations are equipped to assess the true risk the insider threat poses to them.
With high levels of scrutiny for every penny spent at Councils, it’s vital that Local Authorities take the threat of internal fraud seriously. At Lambeth Council during 2021-22 we’ve used Cifas’ data to identify eighteen job candidates who posed an internal fraud risk to us, having previously been identified by other Cifas members as being involved in fraudulent conduct. By managing this risk, we’ve helped to protect public funds from ending up in the pockets of criminals, enabling us to continue to provide the vital services our community depends upon.
Insider threat analysis:
The main concerns for organisations are the challenges around remote and hybrid working and ensuring that appropriate policies and procedures are in place.
Staff approaches (including online approaches) are a continued risk to organisations.
There is growing concern around offboarding employees as individuals may be working their notice period in a remote environment. This has given some staff the opportunity to take advantage by stealing equipment and/or accessing information that they should not have access to.
Insider threat as a service is also an emerging threat where individuals either offer their services to support fraudulent transactions or are recruited to do so.
Why do people commit insider fraud?
The COVID-19 pandemic has seen employees switch to home working, and this has subsequently exposed businesses to an increased risk of ‘insider fraud’.
A knock-on effect of COVID-19 will see fraud committed for a variety of reasons. Employees may have a partner who has lost their job or been furloughed and only receiving 80% of their salary and so out of desperation will have the motivation to commit fraud as a way of keeping a roof over their head and food on the table. Working from home has provided the perfect opportunity for employees to collaborate with organised crime gangs to divulge confidential data to be sold on the dark web. Companies who have a ‘no mobile phone’ policy in the office have no way of controlling that when it comes to an employee working at their dining table. Disgruntled employees will have the motivation and rationalisation to commit fraud because they do not believe it is fair that they need to return to the office to work whilst a shielding colleague can continue to work from home with no commuting expenses or time. We have heard of many companies supporting employees throughout the pandemic and keeping them happy by sending them well-earned treats in the post. Whilst employees like to receive these goodies, employers know that they need to ensure that they have a happy workforce as this can minimise the likelihood of an employee ‘going rogue’.
Of course there has to be a degree of trust or a business cannot operate, and so it is crucial that organisations have a robust counter-fraud culture and internal controls to deal with internal fraud. For this to become established within any organisation, all staff must buy into the reasons why combating fraud is important. They need to understand where the boundaries are between what is and is not acceptable, and see that preventing and dealing with fraud is an integral part of everyone’s role within the organisation.
Having a Learning Strategy in place is the bedrock of creating a counter fraud culture, and demonstrates the tone from the top - from fraud awareness and identifying red flags, to career progression for those undertaking investigations as well as those responsible for gatekeeping functions like Internal Audit, Compliance and Human Resources.
The Cifas Fraud & Cyber Academy has courses looking at why people commit insider fraud, the psychology of fraudsters and how to spot the signs of internal fraud. You can find more details about these as well as our full range of courses here:
Cifas Insider Fraud Specialist Programme | Cifas Academy
Rachael Tiffen, Director of Public Sector and Training, Cifas
Nearly 270 individuals were recorded to the Enhanced Internal Fraud Database in 2021. 41% of cases were in relation to dishonest actions, with the majority of filings in relation to theft of cash from the employer.
There has been a rise in theft of IT equipment. This may be due to reduced controls to monitor staff who are working in a remote or hybrid environment. There have also been examples of staff exiting a business and not returning items provided to them. Most individuals worked within branch or within the contact centre.
False employment application (unsuccessful) accounts for 39% of cases and has increased by 10% since 2020. A large number of filings were in relation to hiding information on applications, such as adverse credit history, concealed address with adverse and concealed employment history.
Overall, a large proportion of those recorded are aged between 21 and 30 years. However, there has been a noted increase in those aged between 41 and 50 years being recorded. There was a 27% increase in those aged between 41 and 50 for dishonest actions. 87% of these people had been in employment 10 years or more.
There was a 33% increase in those aged 31 to 40 for unlawful obtaining or disclosure of commercial data. 57% had been in employment for over 10 years.
Analysis Cifas Commentary The benefits of ongoing monitoringVolumes of cases recorded to the NFD are close to pre-pandemic levels, with over 360,000 cases.
Identity fraud volumes reached over 226,000 cases and account for 63% of all NFD cases – up 22% from 2020.
The sophistication of cyber enabled attacks such as phishing and smishing continues to grow, as does the quality of false documentation provided to support subsequent fraudulent applications.
There is a real concern that due to the rise in living costs, criminals will look to target loan products and deferred credit services and exploit those who have more relaxed criteria than others.
Misuse of facility accounts for just over a fifth of cases, with over 79,000 cases recorded, and is up 17% on last year. The majority of cases are in relation to bank accounts, with 72% of cases holding intelligence indicative of mule activity.
There has also been a rise in misuse on plastic cards, with the main filing reason of payment fraud. The sector may be targeted in light of economic stresses experienced in the UK due to rising living costs.
Facility takeover has declined slightly by 3%, but 37,000 cases were still recorded.
2021 saw a growth in facility takeover cases in the plastic card sector.
Insider threat still remains a key concern. 2021 saw a growth in false employment application (unsuccessful), particularly in relation to concealing details of adverse credit and/or employment history.
Organisations must ensure that as remote/hybrid working agreements develop and increase in popularity, their policies and procedures are fit for purpose.
The increase in the cost of living may tempt staff members into committing dishonest conduct or becoming more vulnerable to staff approaches. It is therefore essential to have appropriate monitoring in place to audit employee behaviour and ensure wellbeing checks are carried out regularly.
A significant concern is the rise in insider threat as a service, where individuals are actively recruited to work in particular roles to carry our dishonest activity and exploit policies and procedures.
Recommendations
It is important that we all report fraud. Only through reporting can we fully understand the nature and scale of the threat the UK faces and adjust our response accordingly. Find out how to report below.
Report scam emails here
Report scam texts here
Report a scam website here
Report Fraud at www.actionfraud.police.uk
Report tax scams here
It is important that we all report fraud. Only through reporting can we fully understand the nature and scale of the threat the UK faces and adjust our response accordingly. Find out how to report below.
In uncertain times and with rising living costs many people may be tempted to commit fraud. It is important that we coordinate our messaging to deter people and ensure they understand the consequences of engaging in fraudulent activity.
Members of the public are at more risk than ever of falling victim to fraud and scams. It is important that we encourage the public to take proactive steps to protect themselves as outlined in the Take 5 campaign.
Businesses should ensure that they have robust cyber risk management protocols in place to protect themselves and their customers. There is a variety of information and tools that can support business and a selection are listed below.
Press
For any press enquiries please contact press@cifas.org.uk
About Cifas
Cifas is the UK’s fraud prevention community. For over 30 years we have worked with hundreds of organisations to stop fraud and our community is made up of hundreds of organisations from across the sectors, including most banks, credit providers and telecommunication companies. We lead the fight against fraud by sharing data and intelligence, and provide a secure and established home for:
Trusted data of unparalleled depth and diversity – hosting the largest databases of fraud risk in the UK.
Dynamic intelligence to understand the fraud threat landscape now and in the future.
A vast network of organisations and people with a stake in fraud prevention.
Accredited education and trusted training for organisations and individuals.
If you are interested in joining Cifas click here
For more information about our Fraud and Cyber Academy click here
This year will be the first time we regularly update information to Fraudscape over the course of the next 12 months. If you would like to receive notifications when new content is added to Fraudscape let us know here
Join us on the 5th July and the 19th July for two exclusive webinars. Register to attend here