Terms explained:
National Fraud Database (NFD) - is used to share fraud risk information about actual or attempted fraudulent conduct against organisations.
Internal Fraud Database (IFD) - is used to share fraud risk information that specifically relates to individual staff members who tried to commit or committed fraudulent or other relevant conduct against or within an organisation.
Identity Fraud - when a subject abuses personal data to impersonate an innocent party, or creates a fictitious identity (synthetic identity), to open a new account or obtain a product.
Facility Takeover - when a subject abuses personal data to hijack an existing account or product - for example, a bank account or phone contract.
Misuse of Facility - the misuse of an account, policy or product, for example, allowing criminal funds to pass through an account or paying in an altered cheque.
Internal Fraud - fraudulent conduct or theft committed by an employee of the company or an individual applying to work for a company.
Vishing, Phishing, Smishing – an attempt to gain personal information (or persuade someone to do something) through the use of email, telephone and SMS communications.
Social Engineering - a method of manipulating people to reveal personal information about themselves or to persuade them to do something they would not otherwise do.
Money Mule - a person who (intentionally or unintentionally) transfers money acquired illegally, usually through their own bank account, on behalf of others.
BOT - a software application that runs automated tasks across the internet.Malware - software which is specifically designed to disrupt or damage a computer system.
Remote Access Software – allows a third party to access another computer remotely.
We are delighted to bring you this year’s edition of Fraudscape, which is key to understanding the challenges and threats we face as a community, and which areas we need to focus on to fight fraud together.
This report combines data from our National Fraud Database (NFD) and Internal Fraud Database (IFD), alongside intelligence provided by Cifas members, partners and law enforcement. In 2019, Cifas members saved over £1.5bn through prevented fraud losses, but we can prevent and detect even more fraud through better understanding of the key fraud threats and enablers, which is the purpose of this report.
What do the overall findings tell us?
This report highlights concerns around the growing levels of identity fraud, fuelled not only by more advanced technological techniques such as vishing, phishing and smishing, but also from the way we store personal information and the risk of data breaches. Nearly a quarter of the cases recorded to the NFD were misuse of facility cases, with the banking sector being heavily targeted. One of the key issues faced by this sector is the problem with money mules. Our data shows an increase in the number of cases which intelligence suggests may relate to money muling. This has been exacerbated by recruiters using social media channels to target the public – many of whom don’t perceive their involvement as being a crime.
Facility takeover saw a 34% increase in 2019 compared to 2018, with a large number of cases affecting the telecoms and online retail sectors. These two sectors have been particularly affected by smishing campaigns, as well as spoofing attacks, where the brand webpage has been copied to facilitate harvesting of personal information. Social engineering also plays a role in obtaining account information, be it through posing as the company or a third party. Technology has played a key role in these frauds, not only by providing ‘fraud as a service’ such as phishing kits, but also in terms of BOT attacks to obtain access to accounts.
Overall, these three case types are tied together by technology and the internet. Whether it is attacks deployed to harvest and steal personal and financial information or to persuade individuals to undertake certain criminal behaviours, it is a fact that the world is becoming more digital and the cyber threat has never been higher.
With regard to the insider threat, there was a 13% increase in individuals recorded on our Internal Fraud Database in 2019. External drivers such as addiction have been highlighted as a reason for this and in most instances, the internal fraud was potentially enabled by a lack of monitoring or processes. With a large number of internal frauds being committed within branches and call centres, there is an opportunity for regular screening of those staff, to prevent and deter, as part of a wider anti-fraud culture.
2019 saw the highest volume of cases ever recorded to the National Fraud Database (NFD).
364,643 cases, up 13% on last year, a rise of 43,001.
Identity fraud cases made up 61% of total cases recorded to the NFD, and additionally nearly a quarter of cases were in relation to misuse of facility.
2019 also saw a significant increase in facility takeover and the insider threat cases.
What do the findings tell us?The key enablers of identity fraud are:
Phishing, vishing, smishing campaigns used to harvest personal information.
Increasing numbers of data breaches containing personal or financial information.
Malware and BOT attacks assisted by services freely available on the dark web to deploy attacks on a large scale.
The theft of enhanced biometric data, such as voice data which can be used for frauds such as payment diversions and CEO impersonations.
The digital footprint left behind by individuals on social networking sites which can be pieced together to impersonate an individual.
Social engineering aided by technology to trick customers into thinking they are dealing with a legitimate company or individual.
The use of remote access software to access victim’s computers and steal information.
Cifas Commentary
Identity fraud continues to grow and remains a considerable challenge for organisations and the public. Key to tackling identity fraud will be deepening our understanding of how fraudsters evade knowledge-based authentication checks in order to ensure processes can be tightened. It is also important to understand how many times, as well as how, a victim is targeted, if they are targeted by the same or multiple perpetrators, and how long the gap is between an identity being compromised and the identity being used. An interesting point to also consider is whether a victim is targeted differently depending on where their identity details have been sold in online marketplaces.
Our analysis of identity fraud cases has shown that a large proportion of victims will have a social media presence which increases the risk of their personal information being obtained. Conversely as detection methods continue to improve and make it harder to impersonate victims, we can expect to see a rise in ‘synthetic’ identities created to carry out fraud. Finally, the growth in identity fraud can be driven simply by human error, as research in 2019 showed that nine out of ten data breaches were as a result of this. With an increasing amount of personal and financial information being stored online, it is critical that information is protected.
‘The findings in Fraudscape this year illustrate the importance of considering the fraud ecosystem holistically, and the role that each part plays in the increasing number of people falling victim to identity fraud.
‘The dramatic rate of technological advancement is a double-edged sword; for example, even as voice biometrics are becoming mainstream, fraudsters are already using stolen or legally obtained voice prints, often from social media, to defeat even sophisticated detection systems.
‘The fraud crisis facing this country will only be solved by collaboration, and Cifas is a long-standing facilitator of essential data and best practice sharing.”
Cases of identity fraud rose by 18% in 2019 (223,163) compared to 2018 (189,108) and accounted for 61% of the cases recorded to the NFD.
Over the past five years, identity fraud cases have risen by 32%, with plastic cards and bank accounts particularly targeted.
87% of identity fraud cases in 2019 occurred via online channels and over half are granted before the fraud is identified. This is a prominent issue for identity frauds involving plastic cards or bank accounts.
A large proportion of victims of impersonation are aged over 31, with a 22% rise in victims aged 61+.
Key Enablers Cifas Commentary Victims of Impersonation MapThe key enablers of facility takeover are:
The interception of One Time Passcodes (OTP) to gain access to accounts.
Phishing, vishing and smishing campaigns.
Spoofed websites that closely mimic real brands.
Criminal franchises operating on the dark web which allow you to ‘buy’ services to push out phishing attacks and socially engineer victims for one time passcodes.
Online quizzes which harvest personal and financial information.
Criminals sitting on Twitter handle feeds to approach and target victims’ offline to get them to share their banking screen via platforms such as TeamViewer.
Social engineering aided by technology to trick customers into thinking they are dealing with a legitimate company or individual.
The use of remote access software to access victim’s computers and steal information.
Cifas Commentary
Facility takeover fraud is an increasing issue but as organisations act to secure online accounts, there is a concern that criminals are turning to telephone methods rather than online channels. Reports to Cifas show that criminals are targeting Porting Authentication Codes (PAC) which allow customers to take their phone number with them when they change provider. It is still not clear whether criminals obtain the PAC code via interception or social engineering victims, and more worryingly it is still not clear who is behind the increase in unauthorised PAC code requests.
Analysis has also shown that 41-50 year olds are being targeted more than other age groups for facility takeover fraud, possibly as a result of a perception among criminals that this age group is more susceptible.
“The findings in this year’s Fraudscape show a concerning rise in facility takeover. Particularly concerning is the level of fraudulent conduct affecting the telecoms and the online retail sector driven by social engineering techniques and spoofing attacks to harvest personal information. It is critical that we continue to collaborate and innovate to keep the fraudsters at bay and protect customers identities and accounts. It is heartening to see the industry work together to share best practice and technological solutions to protect customers, but we must also remember to educate customers so that they are empowered to protect themselves and their personal information.”
There were nearly 32,000 cases of facility takeover recorded in 2019, a 34% increase compared to 2018 (23,791).
Frauds against telecommunications products such as mobile phones, account for over half of cases recorded.
Frauds against online retail products such as online shopping accounts, saw a 100% increase between the two periods.
Overall, the majority of filing reasons are in relation to unauthorised security/personal details being changed followed by unauthorised facility upgrade.
A large number of victims are aged between 41-50 years old, a 43% increase for this age group.
Key Enablers Cifas Commentary Victims of Takeover MapCifas Commentary
Misuse of facility remains an area of concern and there are still gaps in our knowledge around this. We still do not understand why certain geographic areas have a higher rate of misuse cases than others, but we can surmise that this may be due to a correlation between geography and organised crime groups operating in that area. We are also not sighted on where the money being laundered has come from and where it is going.
Analysis and engagement with partners has shown that bank accounts are not the only preferred method for money laundering, as other products such as loans are also being exploited. We have also identified that personal savings accounts are more likely to be used quickly for muling purposes rather than other types of accounts.
An increasing trend involving a large proportion of online retail accounts recorded for evasion of payment is due to individuals taking out credit and not fulfilling the payment. This is of great prominence around the likes of Black Friday, Cyber Monday and over the Christmas period.
“As criminals increasingly try to evade banks’ strict identity checks by recruiting people as money mules to launder stolen funds, the banking industry is working closely with law enforcement to identify, arrest and charge those responsible. Banks also have sophisticated systems in place to detect suspicious transactions, and when they identify a money mule account it will be closed and reported to the authorities.”
The key enablers of misuse of facility are:
Recruitment of individuals for the use of bank accounts in exchange to make money quickly.
Research carried out last year looking at public perception towards money muling shows that most people believe it is an acceptable activity.
Direct Debit Guarantee abuse – there is a perception that it is easy and acceptable to claim back Direct Debit payments.
Some accounts are preferred over others due to ease of opening, such as fintech accounts.
There were nearly 84,000 cases of misuse of facility recorded in 2019 – up 2%, from the previous year. Bank accounts are the most targeted product, followed by online retail accounts where nearly all the frauds are in relation to evasion of payment.
The fact that 74% of bank accounts recorded this type of fraud may indicate behaviours that could be associated to money muling as these types of cases saw a 6% increase between 2018 and 2019.
Overall, 62% of subjects in these cases were males aged under 30 years old, with an increase in females recorded for this type of activity.
Most products are recorded for misuse within a year of being applied for.
The most affected region was London, which saw a 45% increase, with the West Midlands region also showing an increase.
Key Enablers Cifas CommentaryCifas Commentary
Novelty documents remain an issue but we are still unaware of who is behind the websites offering these. Are they individuals or is it linked to organised crime groups?
Is the lack of whistleblowing due to the difficulty in establishing effective whistleblowing programmes? Is whistleblowing seen as an extreme measure in which employees do not have confidence that the problem will be addressed?
How are individuals approached or recruited to commit fraud against their employer? If we are able to identify the most common routes, we can develop mitigation strategies to prevent it happening.
The main drivers of internal fraud seem to be personal issues such as funding gambling habits, but also opportunity such as access to tills, and potential perception of not being caught. In a competitive market, individuals seem to be tempted to lie on their CV to get a job and are likely to not only embellish qualifications, but also seemingly go to great lengths to ensure their achievements and skills are backed up by fraudulent references.
“Fraudscape demonstrates the increasing risk of internal fraud to employers and their customers, including the most vulnerable. The continued rise in fake qualifications and fake references poses a wider threat to society which business, working with organisations such as Cifas, have a role in helping to eradicate.”
The key enablers of internal fraud are:
In some instances staff have exploited a lack of process or controls around staff behaviour to commit internal fraud. This, potentially coupled with a lack of an anti-fraud culture, means some staff have felt safe to commit internal fraud.
Some employers screen candidates after they have started the job, meaning they potentially have access to data/assets before appropriate checks have taken place.
Staff approached by third parties to conduct internal fraud continues to be an issue.
‘Novelty’ documents such as fake degrees to enable those without the appropriate skills or experience to fraudulently gain employment.
432 individuals were recorded for internal fraud in 2019 - up 13% compared to 2018, with the main cases involving dishonest actions by staff and employment application fraud.
The most prevalent form of dishonest action was theft of cash from an employer, followed by theft of cash from a customer.
Most of the staff involved were likely to have been employed between one and five years, male and aged between 21-30 years old. Most are from branches or call centres.
In unsuccessful employment applications, the most prevalent form of deceit was concealed adverse credit history.
False qualifications and false references have seen an increase between the two periods.
Most applicants were likely to be male and aged between 21-30 years old, however females aged between 41-50 have risen by a third.
Key Enablers Cifas CommentaryIdentity fraud continues to grow, fuelled by advanced technological techniques to exploit members of the public and the way we store personal information and the risk of data breaches.
One of the key issues faced by the banking sector is the problem of money mules, and this has been exacerbated by recruiters using social media channels to target the public – many of whom don’t perceive their involvement as being a crime.
Facility takeover is affecting the telecoms and the online retail sector driven by social engineering techniques and campaigns, as well as spoofing attacks to facilitate harvesting of personal information.
Technology has played a key role in all these frauds, not only by providing ‘fraud as a service’ such as phishing kits, but also in terms of BOT attacks to obtain access to accounts.
The increase in internal fraud is driven by external drivers such as addiction and in many instances, by a lack of internal monitoring or processes and a wider anti-fraud culture.
Overall, many of the key issues that face the UK’s fraud prevention community are tied together by technology and the internet.
Together we must:
Pursue measures to increase our resilience to false or synthetic identities and associated documents.
Empower consumers and businesses to protect their personal information.
Evidence the harm caused and links to organised crime, to increase government and law enforcement action.
Raise consumer awareness that first party fraud is a crime.
Collaborate with each other on new ways to tackle financial crime information sharing.
Collaborate with social media companies and wider partners to tackle abuse facilitated within these platforms.
Raise awareness across industries around the importance of strong internal fraud controls within their businesses.
Press
For any press enquiries please contact press@cifas.org.uk
About Cifas
Cifas is the UK’s fraud prevention community. For over 30 years we have worked with hundreds of organisations to stop fraud and our community is made up of hundreds of organisations from across the sectors, including most banks, credit providers and telecommunication companies. We lead in the fight against fraud by sharing data and intelligence, and provide a secure and established home for:
Trusted data of unparalleled depth and diversity - hosting the largest databases of fraud risk in the UK.
Dynamic intelligence to understand the fraud threat landscape now and in the future.
A vast network of organisations and people with a stake in fraud prevention.
Accredited education and trusted training for organisations and individuals.
For more information about Cifas visit www.cifas.org.uk
