Executive summary
“People are being wronged on a massive scale.” Joe Lycett1
“The state has retreated from the investigation and prosecution of fraud over the last 15 years.” Mark Fenhalls KC2
Fraud is the most commonly experienced crime today
Fraud is the most commonly experienced crime in England and Wales today. It accounts for approximately 41% of all crime against individuals.3 A person aged 16 or over is more likely to become a victim of fraud than any other individual type of crime, including violence or burglary.4 It costs the economy billions every year.5
Even though fraud is a massive problem affecting every section of society and all age groups which, in evidence to us, the Bank of England admitted directly affects consumer confidence, successive Governments have failed to tackle fraud with the priority it deserves. The former Chancellor, Kwasi Kwarteng MP, commented earlier this year that fraud was not a crime that people experience in their “day-to-day lives”.6 While the data on fraud and its perpetrators is incomplete, we can identify an increase over recent years. In the year ending March 2022, fraud had increased by 25% since the pre-pandemic year to March 2020.7 While these figures have begun to stabilise, fraud remains higher than before the pandemic and latest data shows that losses over the past year total a staggering £4 billion.8 This may explain why the Government has excluded fraud statistics from public statements on crime rates and claimed that crime is falling.
If citizens were being routinely mugged and having millions of pounds stolen from their wallets in broad daylight, every organisation involved in allowing this to happen would have no choice but to deal with it swiftly, and the perpetrators would be brought to justice in court. Because most fraud is now happening online and often involves social engineering of the victim, the exponential growth in fraud and scams has been invisible and fraudsters face little risk of being caught. This has to stop.
The COVID-19 pandemic accelerated the shift towards digitalisation, with more people turning to online technologies to conduct their daily activities. Online banking and shopping have become mainstream, online dating has become widely adopted, and online messaging platforms and social media are used to communicate with friends, family and businesses. It is through these channels that the tendrils of domestic or overseas Organised Crime Groups are being extended to reach victims in the UK. The UK’s widespread use of the English language, its position as a digitalised, global financial hub, the enthusiastic adoption of the Faster Payments system, and the emergence of cryptoassets make for a fertile ground for fraudsters.
The result has been an increase in digital fraud. 80% of reported frauds are cyber-enabled; they could have taken place offline, but their scale, reach and impact have been expanded by the use of online services and digital technology.9 These conditions have contributed to a monumental increase in authorised push payment (APP) fraud, which happens when a person or business is tricked into sending money to a fraudster posing as a genuine payee. For this reason, we have chosen to focus our inquiry on APP fraud and the impact of digital fraud on individual consumers.
Fraud is rightly being taken seriously by both Houses of Parliament. The Justice Committee recently published its fourth report of session on Fraud and the Justice System. While the scope of our inquiry differs from that of the Justice Committee, we have considered their findings and are pleased to have drawn many similar conclusions, which are highlighted throughout this report.
Law enforcement is under-resourced for the fight against fraud
Law enforcement agencies are chronically underfunded for the fight; only a paltry 1% of law enforcement is focussed on tackling economic crime.10 Moreover, digital investigation remains outside the capacity of mainstream policing despite police forces operating in a highly digitalised society facing many digital forms of crime.11 The organisational structure for policing fraud is complex and confusing. Action Fraud (probably better re-named as ‘Report Fraud’) remains inactive and misunderstood, and local police forces are so preoccupied with competing priorities that they cannot effectively manage cross-border frauds that so often sit outside their local purview. The effect of such under-prioritisation has been to create a permissive culture across Government and law enforcement agencies towards fraud and the criminals who perpetrate it. This then permeates through to affect the attitudes of private sector players in the fraud chain, which describes the steps involved in a fraud, who have not stepped in to do what they can to prevent consumers being scammed.
The criminal justice system has also failed to keep pace with the threat, resulting in a significant decrease in the prosecution of fraudsters over the last decade.12 This is not a by-product of failing legislation. While there is scope for increasing maximum sentencing, the Fraud Act 2006 is, as we have heard, still a highly effective piece of legislation that has simplified the fraud landscape and it has the flexibility to adapt to future technological developments. It is true that the efficacy of the Act is hindered by backlogs in the courts as well as an outdated disclosure process that has not kept pace with the changing technological landscape, however these issues cannot be blamed for the failure to find and prosecute fraudsters.
Without fear of facing investigation or justice, organised criminals around the world turn to the UK as a lucrative market to commit fraud. They know that they can operate with limited fear of prosecution or redress for their crimes, the proceeds of which they use to fund further criminal activity including human trafficking and the drugs trade, and they do not have any regard for their victims.
The ‘alphabet soup’ of responsible bodies is ineffective
The decline in investigation and prosecution of fraud must be laid, at least in part, at the feet of Government inaction. Counter-fraud policy is spread across a “complicated map” made up of multiple departments, taskforces and Ministers.13 This results in a plethora of agencies and bodies, a vacuum of responsibility and a culture of blame-shifting.14 We recognise the mind-boggling variety of acronyms that make up this alphabet soup and have provided a glossary to accompany this report.
Fraud is far from a victimless crime. The financial impact can be significant, particularly in the context of the current cost-of-living crisis, which ruthless fraudsters are exploiting to manipulate vulnerable consumers. The emotional impact can be even more traumatising. Victims of fraud are socially engineered by malicious fraudsters, many will face a crisis of confidence and lose trust in the authorities and people that surround them, and some may suffer devastating mental health consequences. Unlike almost any other crime, fraud victims are often blamed for the crimes that have been committed against them, which reduces their incentive to report fraud to the authorities. Some will never recover the funds they have lost, and those that do may remain emotionally shattered by their experience. Many will never see the perpetrator face justice. However, given the scale, pace and ease with which fraud is developing, it is also clear that we cannot arrest our way out of this challenge.15
Organisations that make up the fraud chain are not uniformly incentivised to tackle fraud
Fraudsters use a variety of channels to reach their victims, and they follow a series of steps before they are able to ‘cash out’ their stolen funds. Within this fraud chain, there are multiple stakeholders across several sectors that enable fraud to take place and often fail to put adequate systems in place to prevent it. For too long, these businesses have been allowed to enable and facilitate fraud.
The telecoms sector has no real incentive to prevent fraud and has allowed blame to be placed elsewhere for too long. It must do more to tackle phishing emails and smishing texts before they reach victims, and must prevent fraudsters from making spoof phone calls using easily accessible technology to manipulate vulnerable victims into thinking they are a trusted organisation. Similarly, web-hosting providers must prevent fraudsters from registering fraudulent website domains. The tech sector must slam the brakes on fraudsters using online advertising and social media platforms to reel in consumers, and do more to verify the identity of those using online dating platforms before they commit romance fraud. Plans to hold platforms to account via the Online Safety Bill for online fraudulent advertising appearing on their services must not be allowed to slide and should be strengthened.
We recognise that many organisations are rightly signifying their ambitions to tackle such fraud, but they are not yet comprehensively incentivised to put practical measures into action at the pace required. While it could do more, the financial services sector has been bounced into action due to the burden of reimbursing customers who lose out to fraud. Processes including Confirmation of Payee are proving effective in heightening awareness of the risks of making online payments.
Until all fraud-enabling industries fear significant financial, legal and reputational risk for their failure to prevent fraud, they will not act. Companies continue to play their part in public-facing talking shops whilst at the same time relying on individually managed consumer awareness campaigns that shift the blame onto victims. At the same time, these organisations are failing to build in futureproofed counter-fraud mechanisms either at the point of design or retrospectively.
The private sector must be encouraged to combat fraud not only through facing the threat of corporate criminal liability or regulatory action, but also through the creation of a safe harbour for the sharing of data for the purposes of preventing fraud. It is only through a holistic approach involving every part of the fraud chain that fraud will be prevented upstream before money leaves a victim’s account. Industry solutions are clearly possible and effective; we only have to look at the success of chip-and-PIN in tackling face-to-face ‘analogue’ fraud to see that.
And when fraudulent payments do slip through the net, it should not be the sole responsibility of the financial services sector, in particular the victim’s bank, to pick up the bill. All stakeholders in the fraud chain, including the payee’s bank, must know they have a duty both to prevent fraud and to address their failings and the victims’ losses once it has occurred. They must lend their support to a united, centrally-led public awareness campaign that takes its lead from best practice exhibited in public health campaigns.
Six steps to break the fraud chain
Fraud costs the UK and its citizens billions of pounds a year. Security Minister Tom Tugendhat MP told us that “fraud is a scourge on UK people: it is a tax on businesses and people, and it not only damages the integrity of our financial and economic system but undermines trust in our economy and reduces our ability to trade freely.”16 Its financial and emotional cost to the millions of victims is immeasurable. The Government must take this opportunity to revisit its criminal justice priorities and begin by placing the UK’s biggest crime at the forefront of the national agenda. As priority steps to break the fraud chain, we recommend the following:
- The UK’s advanced payments infrastructure is one of the key reasons why it has become a global centre for fraud. The speed with which payments can be made must be delayed in certain circumstances to allow more time for banks to review risk signals and contact their customer about the proposed payment. The Payment Systems Regulator should consult on measures to achieve this (see paragraph 229).
- To move fraud to its rightful place as a top priority for law enforcement, fraud should be included within the Strategic Policing Requirement (see paragraph 327).
- To address the mind-boggling variety of acronyms and alphabet soup of departments, taskforces and Ministers with responsibility for fraud, a cabinet sub-committee with a clear mandate to tackle fraud should be established, chaired by and accountable to the Security Minister (see paragraph 286).
- Several sectors involved in the fraud chain have failed to prevent rampant fraud for too long. The Government must introduce a new corporate criminal offence of ‘failure to prevent fraud’ across all sectors to address this (see paragraphs 521).
- The Online Safety Bill contains several important measures to prevent fraudulent content and scam advertising from appearing on online platforms and to hold tech companies accountable when they fail. It must be brought forward urgently (see paragraph 559–562).
- To create clear advice for consumers to follow to help them to prevent fraud and report it if they become a victim, the Government should oversee the introduction of a single, centrally funded consumer awareness campaign in partnership with industry (see paragraph 418).
3 ONS, ‘Crime in England and Wales: Appendix tables’ (27 October 2022), Table 1: https://www.ons.gov.uk/peoplepopulationandcommunity/crimeandjustice/datasets/crimeinenglandandwalesappendixtables [accessed 1 November 2022]
4 ONS, ‘Crime in England and Wales: year ending June 2022’ (27 October 2022): https://www.ons.gov.uk/peoplepopulationandcommunity/crimeandjustice/bulletins/crimeinenglandandwales/yearendingjune2022#fraud [accessed 1 November 2022]
5 Estimates for the cost of fraud to the UK vary. For example, see UK Finance, ‘Cross-sector action needed as criminal gangs steal more than £1.3 billion’ (August 2022): https://www.ukfinance.org.uk/policy-and-guidance/reports-and-publications/annual-fraud-report-2022 [accessed 1 November 2022] and NCA, ‘The threat from fraud’: https://www.nationalcrimeagency.gov.uk/what-we-do/crime-threats/fraud-and-economic-crime [accessed 1 November 2022]
6 BBC, ‘Sunday Morning’ (6 February 2022): https://www.bbc.co.uk/iplayer/episode/m00149kt/sunday-morning-06022022 [accessed 1 November 2022]
7 ONS, ‘Crime in England and Wales: year ending March 2022’ (21 July 2022): https://www.ons.gov.uk/peoplepopulationandcommunity/crimeandjustice/bulletins/crimeinenglandandwales/yearendingmarch2022 [accessed 1 November 2022]
8 ONS, ‘Crime in England and Wales: year ending June 2022 (27 October 2022): https://www.ons.gov.uk/peoplepopulationandcommunity/crimeandjustice/bulletins/crimeinenglandandwales/yearendingjune2022#fraud [accessed 1 November 2022] and City of London Police, ‘NFIB Fraud and Cyber Crime Dashboard : 13 months of data’: https://colp.maps.arcgis.com/apps/dashboards/0334150e430449cf8ac917e347897d46 [accessed 1 November 2022]. The total lost to individual victims rather than organisations or those recorded as ‘unknown’ was £1.9 billion.
9 Action Fraud, Fraud Crime Trends 2020–21: https://data.actionfraud.police.uk/cms/wp-content/uploads/2021/07/2020–21-Annual-Assessment-Fraud-Crime-Trends.pdf [accessed 1 November 2022] and Cabinet Office, ‘National Cyber Strategy 2022’ (7 February 2022): https://www.gov.uk/government/publications/national-cyber-strategy-2022/national-cyber-security-strategy-2022 [accessed 1 November 2022]
10 Oral evidence taken before the Treasury Committee on 25 January 2021 (Session 2019–21), Q 2 (Graeme Biggar) and Q 222 (Andy Cooke)
12 Figures available at Written Answer UIN 120774, Session 2021–22.