The growing threat of online fraud Contents

2The role of banks and awareness campaigns

19.Banks have an important role to play in protecting customers against fraud. However, the protection banks provide varies, with some investing more than others in customer education and anti-fraud technology. The Payment Systems Regulator has found that banks needed to improve the way they work together in responding to scams, that some banks needed to do more to combat scams, and that data available on the scale of scams were poor. Which? has argued that shifting liability for scams onto banks would encourage them to protect their customers better.33

20.UK Finance told us that online fraud is a problem that the industry takes incredibly seriously.34 The Chief Executive commented “I would say we are succeeding” based on his figure that total fraud had gone down 8% while transactions have been increasing, but also acknowledged that there is more that the industry can do.35 Age UK told us it would like to see banks doing more to help vulnerable people, for example on putting restrictions on their bank accounts which maintain financial independence for them, but make them less vulnerable to the risk of losing huge amounts of money. UK Finance said it was identifying practices across the industry, in particular on withdrawing some online functionality for customers where it was not needed.36

Data on banks’ performance

21.We asked representatives of the finance industry why the only data made available of incidents of fraud was at aggregate level, rather than by individual banks. Customers at the moment do not have any information on which banks are performing better on this than others. UK Finance said that seeing where patterns are emerging at the aggregate level was helpful for the industry. Lloyds told us that individual banks know how they compare with others, but told us that banks did not publish individual numbers because then the fraudsters would target the ‘weakest’ of the banks.37 We suggested that it might be in the banks’ own interest not to be transparent and publish individual data, as it could deter customers. Both UK Finance and Lloyds maintained that the negative effect, of potentially revealing to fraudsters where they should go, was the more dominant argument for them.38 We do not find this a compelling argument. The experience of the car industry in relation to car theft was referred to by our witnesses—the publication of a car-theft index not only informed consumers, but also prompted the car industry to deliver improvements.39 Rather than signposting weaknesses to fraudsters, we consider that greater transparency from the banks would ensure that those potential vulnerabilities in the system would be addressed as a priority, thereby improving, not reducing, security.

22.We understand that Age UK has suggested a league table of banks’ performance and Age UK confirmed that, in its view “there is a strong case for greater transparency.”40 The Department told us that at present the data available to it is not good enough to support publishing a table that ranked the banks. It said that, while it was not Government policy now to have such a table, that did not mean it was ruled out for the future.41 In fact the Department confirmed that it did not currently see data on the relative performance of banks at all.42 Even the City of London Police does not see data showing it which particular banks have got more or less of particular kinds of fraud—it told us that such data would be intelligence from which it could look at what action to take, would be used for tackling crime and not for any other purpose, and that confidentiality would be respected.43 There is no formal requirement for banks to report fraud or share reports with government.44 It is also not mandatory for a bank to notify cases to Action Fraud, although the Departments told us there is a “strong expectation” that they would do so.45 The City of London Police confirmed that, if it had access to individual banks’ figures, that would give it a pretty accurate view of how much was actually getting through to it.46

Card not present fraud

23.Criminals using stolen card details to make fraudulent transactions, including over the internet, is known as ‘card not present’ fraud. Known cases of this type of fraud increased by 103% between 2011 and 2016, from 709,000 to approximately 1.4 million incidents.47 The Department told us that card not present fraud, along with funds repatriation, were the two things it was prioritising with the banking sector and financial institutions.48 It said that, through chairing a recent oversight board meeting of the Joint Fraud Taskforce, the Home Secretary had vigorously held Mastercard and other representatives of the private sector to account for delivering as quickly as possible a technical solution to card not present fraud. The Department told us that it wanted to see “a very significant reduction” in card not present fraud by 2019, though could not quantify more precisely what reduction it expected to see “because it will depend on the solutions that are arrived at”.49

24.We asked whether banks could make better use of technology to tackle the problem, for example using changing CVV numbers on cards. Lloyds told us that very few banks are using changing numbers, and that if the sector were to move towards doing so then it would have to be an industry initiative that everybody did at the same time.50 Lloyds stressed the work that banks were doing ‘behind the scenes’, for example investing in tools to help them identify riskier transaction, that was not visible to the consumer. It told us that consumers want faster and faster banking services and that, while banks could intervene more and put stops on lots of transactions, that would interrupt the flow of transactions and of banking.51 The Department also stressed the need for industry-wide solutions, in general to fraud, but also specifically to deal with card not present fraud—“That is really only likely to be delivered effectively if we have industry-wide co-operation”.52 The Department told us that, through the Joint Fraud taskforce, it was discussing the scope for designing out crime opportunities and designing in protection at the very earliest stages of the development of new technology.53

Funds repatriation

25.Banks are reported to be holding at least £130 million of funds that cannot accurately be traced back and returned to fraud victims, an amount that UK Finance said was probably a conservative estimate. UK Finance also told us that the amount represented frozen funds, believed to be connected to fraud, where banks have identified a concern and started to investigate further, which had caused the National Crime Agency or the police to freeze the money within the accounts. It was therefore not for the banks to say what happens to that money, because it has been frozen by the judicial system.54

26.Lloyds said that the main emerging threat was ‘authorised push payments’ whereby the customer asks the bank to move money, but has been the victim of a scam convincing them to do so.55 Age UK drew our attention to a variety of scams where victims had been convinced to transfer money, and to the distress caused as well as the financial losses.56 It has been estimated that between 40% and 70% of people who are victims of scams do not get any money back.57 Lloyds told us that different banks would have their own appetite for judging whether to refund customers, but that Lloyds would look at whether an individual had taken “reasonable steps”, such as to verify who they had been talking to and not being reckless with their information, and would also take account of whether Lloyds had given them a warning. Lloyds said that someone is far more likely to obtain a refund if a vulnerability has contributed to them being scammed.58

27.The Department told us that it was taking forward a major initiative with the banks on funds repatriation, for a much better system which could potentially deal with quite a significant proportion of authorised payments. It said that a system making the best use of technology to spot ‘mule accounts’ (accounts which exist for the purposes of channelling monies obtained through fraud) and repatriate money quickly could provide a lot of consumer protection. The Department added that being able to track money back through multiple mule accounts, freeze it and return it to the victim could also improve intelligence about the mule network and better assist law enforcement. The Department highlighted that there may be legal challenges to such a system and it needed to work through the legal protection that the banks were asking for, and so it thought it would be “a couple of years” before it had a fully fledged programme. It did say it would press the banks to see whether there are some classically quick wins it could do well before that to “demonstrate the proof of concept”.59

Awareness campaigns

28.Many people are still not aware of best practice for keeping safe online and there is more to do to help citizens’ and businesses improve their cyber security.60 The City of London Police stressed the importance of investing time in prevention and the education of the public.61 Age UK told us there was huge scope to do much more to help prevent people from being victims, stressing also the importance of making sure people who have been victims in the past do not become victims again.62

29.While there is a perception that online fraud primarily affects the elderly and vulnerable, young people are increasingly likely to fall victim. Social media plays a significant role in online scams and further education is needed to make young people aware of the dangers of sharing personal information online. The City of London Police told us that young people are probably more vulnerable to fraud than older generations as they have a very different approach to personal information. The City of London Police cited examples of young people sharing pictures of their passports and driving licences on social media.63

30. The government and other bodies run various campaigns; in March 2017 there were more than 10 different ones running at the same time. There is a risk that different organisations running campaigns with slightly different messages not tailored for specific groups can confuse and reduce impact.64

31.UK Finance also highlighted the importance of education in helping people not to become victims, mentioning in particular the ‘Take Five’ campaign. Take Five has been going for a while, but was relaunched two weeks before our evidence session, with the slogan “My money? My info? I don’t think so”.65 Recently the Department provided £500,000 towards the campaign, out of total funding of £3.8 million.66 The Department said that success for the Take Five programme would be “measurable improvements in behaviour, with people being confident enough to say no and to challenge when fraudsters are after their money”.67 The Department is evaluating the success of the Take Five campaign, though results are not due until March 2018.68

33 C&AG’s Report, paras 11, 2.9, 2.10

34 Q 1

35 Q 45

36 Qq 18–19

37 Qq 2–4

38 Qq 21, 22

39 Qq 79, 129

40 Q 18

41 Qq 80, 81

42 Qq 86

43 Qq 87–92

44 C&AG’s Report, para 17

45 Qq 77–78

46 Q 105

48 Q 136.

49 Qq 94, 137

50 Q 56

51 Q 47

52 Q 81

53 Q 120

54 Q 53; C&AG’s Report, para 11

55 Qq 6, 7

56 Correspondence with Age UK, 26 October 2017

57 C&AG’s Report, para 11

58 Q 52

59 Qq 145, 146

60 C&AG’s Report, para 13

61 Q 100

62 Q 40

63 Q147

64 C&AG’s Report, para 13

65 Q 26–33

66 Qq 140–142; C&AG’s Report, para 3.7

67 Q 142

68 Q 142; C&AG’s Report, para 3.7

5 December 2017