Examination of Witnesses (Questions 793
WEDNESDAY 28 MARCH 2007
Q793 Chairman: We
are being broadcast and televised. Thank you very much, Ministers,
for coming to help us in this inquiry, and Mr Smith and your colleague.
We are fairly well into this inquiry into Personal Internet Security
now, as you might be aware, so we appreciate it very much that
you are coming to talk to us now and can answer some of our questions.
Would you like to proceed by first of all introducing yourselves
and then, if you wish, making an opening statement, or we can
go straight into questions? Perhaps we could start with Mr Smith
Mr Smith: Thank you, Chairman. I am Geoff Smith,
Deputy Director of Communications Policy in the Department of
Trade and Industry.
Margaret Hodge: I am Margaret Hodge and I have
ministerial responsibility in the DTI.
Mr Coaker: Good afternoon, Chairman. My name
is Vernon Coaker and I am the Home Office minister with responsibility
in this area.
Mr Webb: Good afternoon. Stephen Webb, Head
of the Organised and Financial Crime Unit in the Home Office.
Margaret Hodge: The position is that we have
not got an opening statement because we thought you would like
to use the time to quiz us.
Yes, we do have quite a long list of questions. I appreciate that.
Let me go straight into the questions then. What is your estimate
of the direct and indirect cost of Internet-related crime to the
Mr Coaker: Chairman, I thought I would start
with answering that question and I hope the Committee will bear
with me because I thought it would be helpful if I lay out the
statistics we have got. I thought it might be useful for the Committee's
information to look at the actual statistics we have got at the
present time. Could I just say that the police figures do not
actually record the medium used to perpetrate the crime, only
the offence committee, therefore online fraud will actually be
recorded as fraud. I think that is just a statement to make in
the first instance. In terms of direct losses, the most reliable
figures we have got at the present time are from the 2003/4 British
Crime Survey which we actually published in April 2006, which
showed 27% of households with Internet access reported that their
computers had been affected by a virus and a third of those reported
that the virus had damaged their computer. Two per cent of households
with Internet access reported that someone had accessed or hacked
into files on their home computer in the previous 12 months. According
to APACS, £154.5 million in card fraud losses took place
over the Internet during 2006, and that figure is actually an
increase of 32% from 2005, where the losses were £117 million.
With respect to online banking fraud, in 2006 the losses were
£33.5 million, which is an increase of 44% from 2005, where
the figure was £23.2 million. Much of the increase has been
driven by the increase in phishing incidents and if I tell you,
you can actually see the increase. In 2005 the figure was actually
1,713 and that had risen last year to 14,156. Online banking fraud
losses are smaller compared with plastic card fraud losses, which
are as a whole £428 million, but as I say that is a considerable
figure as well. I thought it would be of interest to the Committee
as well to lay the statistics on the Chairman. APACS pointed out
in the second half of the year enhancements to fraud prevention
systems used by the banks to detect fraud actually were reflected
in the figures, in that losses were greater in the first half
of the year, at £22.5 million, than they were in the second
half of the year, at £11 million, where the enhanced fraud
prevention measures were put in place. I think that again, to
be helpful to the Committee, shows the importance of the implementation
of these measures and the effect and impact that can actually
have when it comes to the prevention of crime. The latest research
shows in the first half of 2006 16.9 million people used the Internet
banking services in the UK. The last statistical point, again
trying to be helpful Chairman, is that the Office of Fair Trading
estimated Internet dialler scams and Internet matrix scams cost
the public a total of £70 million each year, but if we actually
looked at scams where using the Internet plays only a part, for
example an African advance fee fraud victim who may have been
targeted using the Internet, if we included that the figure would
be much higher. I apologise to the Committee for a bombardment
of statistics, but I thought it would be helpful to share that
statistical information with the Committee as far as we had got,
That is very useful. So in general you would say that the situation
is getting worse rather than better, however there are some means
being applied which are improving things?
Mr Coaker: I think it is fair to say that this
is an increasing problem which we need to be aware of and also
that the criminals who are using the Internet in order to perpetrate
crime are also becoming increasingly sophisticated in the ways
in which they are trying to attack the system. In a sense, Chairman,
I think the best way of describing it is to say that what we essentially
have are virtual criminal gangs. They are real people but they
are acting in the virtual environment and there are online gangs,
if you see what I mean, as well as individuals, and I think we
are all becoming increasingly aware of the sophistication of the
tactics they use. We have had some success, but increasingly we
are going to need to develop the tools that we use against them
in a more coordinated way in order to be as effective as possible.
Margaret Hodge: Could I just add a word of caution
to all the statistics, which is that we have not got robust figures,
so I do not think any of us have real confidence in the figures,
and the sorts of issues which cause us to question them are that
firstly, usage is going up, so if the figures go up are they going
up proportionate to usage, and the other is that for some people
in the industry there is a reputation issue, so we simply have
to watch whether or not that gives us a true indication of whether
people are reporting the crime. On the other hand, there may be
more consumers, more end-users, who do have the confidence and
therefore report crime. The only other bit of statistics I wanted
to add is that Vernon does all the sorts of surveys around individuals
and victims, and we do one with businesses where we talk to 1,000
businesses every two years and it is an information security breaches
survey. That captures everything. It does not just look at crime,
it can look at operational error and things like that as well,
but the interesting things coming out of that survey, which we
believe is quite comprehensive, are the indirect costs where you
are trying to cost things like disruption and reputation. For
a small business it is somewhere between 6,000 and 12,000 if there
are one or two days of disruption. For a large business it is
between 50,000 and 100,000. Then if you go to the direct costs
what the companies tell us, 85% of them, is that there is no direct
loss to them from crime, but those who have lost are the other
15%, the small companies. It is not a large amount, it is between
500 and 1,000, they report, and for large companies it is over
Presumably these are difficult to estimate? We have heard from
people like eBay that they do suffer from this because every individual
who has suffered fraud and who has been ripped off never comes
back again. So it is a critical issue.
Mr Coaker: That is right.
Q797 Lord Young of Graffham:
Unless I misheard, your first statistic was 27% of homeowners
with computers on the Internet were infected by viruses. Is that
the correct figure?
Mr Coaker: Yes.
Q798 Lord Young of Graffham:
That is a remarkably high figure when you think of the proportion
of people who have protection anywhere in their machine. Do you
have confidence in the figure, that people are not just confusing
that with a crashed hard drive or some other software fault and
are saying, "We've been affected"?
Mr Coaker: I think that is an important point
to make. As my fellow Minister was saying, it is very difficult.
I just wanted to say that these are the ballpark statistical figures
which we have. It is very difficult to know quite how robust those
figures are because I think it is quite right to point out that
it may well be just people where something has happened and they
describe it as a virus affecting their computers. I think this
is part of the problem as well, trying to get robust statistics
together, but as I say I thought it was just necessary to say
that these are the statistics as far as we have them. But it is
an important point you make.
Margaret Hodge: It is very interesting, again,
on viruses that in preparing for the Committee today there was
one survey I came across which suggested that only 1% of those
who were affected by a virus ever get to talking to the police
about it, and a very small percentage, about 8%, even go to their
service provider. That is also, on the virus issue, how people
perceive and deal with breaches of the legislation.
Q799 Lord Howie of Troon:
Since we will have to pay some attention to these statistics at
some stage, can you tell me whether the robustness is an over-estimate
or an underestimate, or you just do not know?
Margaret Hodge: We do not know.
Mr Coaker: The most reliable figures we have
got, as I say, come from the British Crime Survey, which are the
figures I have just used, about 27%. As I say, those are the ones
who said they had been infected by any virus. If you actually
then go on, just 2% reported that someone had tried to access
or hack into files on their own computers. That is obviously a
much lower figure. I think the BCS figures are the most reliable
figures, but I think you can put a health warning on those, to
Mr Webb: The BCS figures are the best for total
victimisation. The APACS figures which the Minister quoted are
actually, we think, very robust. They are collected from the industry
as a whole and we have got a lot of confidence in those.