Fighting Fraud: Breaking the Chain Contents

Chapter 2: The inbound route

63.During APP scams, criminals trick their victims into sending money directly from their account to an account that the criminal controls.134 The inbound route is the first step in the fraud chain and describes the process by which a fraudster makes initial contact with a chosen victim or victims. There are several common ways in which a criminal may do this. Historically, a scam may have started with a knock at the door or flyer on the street. These methodologies are still used, but now most fraudulent approaches use technology due to the ready availability and reach of systems of mass communication such as bulk texting and online advertising.

Figure 9: The Fraud Chain: The inbound route

Flow chart showing the process of "The Fraud Chain"

Source: Q 14 (Katy Worobec) and written evidence from CCSG (FDF0063)

Phishing and smishing

64.Phishing is the practice of sending fraudulent communication that appears to come from a reputable source. Smishing is the same practice but refers to the use of SMS text messages to defraud victims.135 The ONS recognises phishing as one of the main methods used to commit fraud, however it only began including questions on phishing into the TCSEW October 2021 and therefore data is limited.136 We attempted to source external statistics on the prevalence of phishing in the UK but as a result of our efforts believe that no comprehensive data on the scale of the problem exists.

“It’s a bit like the wild west at the moment, virtually on a daily basis we all get scamming texts and phone calls from scammers who are able to use the actual bank telephone numbers … such hijacking needs to be tackled and stopped at the engineering digital system level.” - Graham 137

65.ONS data from July 2022 shows that 50% (around 6,000) of respondents reported receiving an email, text, or social media message that may have been a phishing attempt in the previous month. Fraudsters were most likely to pretend to be from delivery companies (54%).

Figure 10: The prevalence of phishing attempts in England and Wales

Graphic highlighting the prevalence of phishing attempts in England and WalesSource: ONS, ‘Crime in England and Wales: year ending March 2022’ (21 July 2022): https://www.ons.gov.uk/peoplepopulationandcommunity/crimeandjustice/bulletins/crimeinenglandandwales/yearendingmarch2022 [accessed 1 November 2022]

66.The prevalence of smishing can be explained in part by the widespread availability of SIM cards and the limited checks placed on those who purchase them. Professor Feng Hao, Professor of Security Engineering at the University of Warwick, told us that the process of catching fraudsters using smishing is akin to a game of ‘cat and mouse’ because, even when detected and shut down, the loss for criminals is relatively small and they are able to buy new SIM cards quickly and cheaply. He added that the lack of identity checks exacerbates this issue.138 It is clear to us that more should be done to prevent such abuse. However, we recognise that greater identity checks at the point of purchase of a single SMS card for legitimate use may limit access to technology to some groups of people. Hamish MacLeod, Chief Executive of Mobile UK, told us:

“Some countries insist on ID before you buy SIM cards; some do not. There is no evidence that that makes a difference in reducing this type of crime, but we worry a lot that it might create barriers to the socially excluded in accessing telephony.”139

67.Additional checks on individual SIM card purchases may also have little beneficial effect because of the availability of bulk messaging services such as SIM farms (see paragraph 71) and SMS gateways in other countries.

Figure 11: A phishing/smishing fraud chain

Inforgraphic of a phishing/smishing fraud chain

Source: Adapted from a UK Finance model shared via email

68.Criminals use smishing to obtain personal information and socially engineer the victim. The sophistication of cyber-enabled attacks such as phishing or smishing are growing.140 Smishing messages may contain a URL and purport to be from a recognised authority such as a bank or the Government. This link will take victims to a fake website where the fraudsters will harvest data or seek to gain access to a person’s financial accounts. In a second step, the fraudster may engage in number spoofing in order to make the scam seem more realistic as it appears to come from a trusted number. This step will be explored in Chapter 3.141

Box 2: Dale’s story

In April 2022, Dale was a victim of digital fraud. Dale, who owned a building company, heard from his clients that they had received phishing emails from his BT email address requesting money transfers.

“Someone had broken into my email account, snooped around, looked to see who my current clients were, and sent out emails asking for payment. Fortunately, all recipients were suspicious, as I had never asked for any payments during face-to-face discussions.”

Dale’s email account had been hacked by a fraudster. The criminal had used social engineering tactics to convince a BT call operator that they were Dale and they had forgotten his password, in order to allow them into Dale’s account. The operator said they would send the scammer a four-digit code to Dale’s mobile number to allow the password to be updated. The scammer convinced the operator that they had changed their mobile number, and the operator updated all the details accordingly to the scammer’s phone number.

“That is all he needed to access my email account. I am still seethingOnce the scammer had access to the account the criminal constructed believable phishing emails that were sent to clients. As with many APP frauds, the messages contained external links intended to draw individuals into transacting data or finances in a separate location. One of their phishing messages read:

“Hi Adam, can you email my accounts team and get the 50% deposit paid so they can book in a provisional date as we are almost fully booked for the year the email for them is accounts2@[redacted].com. The deposit will need to be paid directly to them to the supplies manager for him to place the order. Cheers, Dale”

“The scammer even mimicked my signing off. When clients are new, I sign off with, ‘Kind Regards’. Once we have met a couple of times I change to, ‘Cheers’. The scammer had copied this to look genuine.”

Dale quickly got in touch with BT to find out what had happened and stop any further activity. In this case, the fraud was not successful because his customers recognised the warning signs and did not make payments to the fraudster.

In response to Dale’s experience, BT said:

“Our process involves asking a caller a number of security questions. In case of Dale, the scammer was able to provide an acceptable answer to a security question which we can only assume he guessed - that allowed the scammer to complete the verification process… We regret that our current customer verification process was not able to prevent a scammer from gaining access to Dale’s BT and email account. However, we are in the process of strengthening this process to help prevent this type of fraud.”142

Source: Written evidence from Dale (FDF0104)

69.The efficacy of smishing messages often relies on their connection to real-life situations and events. For example, Katy Worobec identified an uptick in fraudsters using the Ukraine crisis to manipulate victims, adding that “[fraudsters] use world events all the time to add credibility to the way in which they operate.”143

70.The pandemic provided ample opportunities for fraudsters. The CPS told us that cyber criminals exploited the COVID-19 pandemic through the use of phishing, smishing and fake websites. For example, in August 2021, a criminal was prosecuted and jailed for sending fake smishing messages that purported to be from HM Revenue and Customs (HMRC). The messages were designed to trick victims into providing personal banking details after claiming that the recipient was eligible for a COVID-19 grant.144

71.The proliferation of smishing texts is exacerbated using so-called SIM farms. SIM farms are technological devices that can send thousands of texts an hour by connecting to multiple pay-as-you-go sim cards that do not require proof of identity unlike mobile phone contracts.145 Hamish MacLeod explained that there are two ways of routeing text messages: person to person (P2P) or application to person (A2P). A2P involves messages being sent from organisations, such as the NHS, to individuals. SIM farms are used by fraudsters to send out mass text messages by P2P routing. Macleod said SIM farms “are extremely hard to detect.”146 Superintendent Gerard Pollock told us how SIM farms are used in practice:

“There are criminals … who are being allowed, on an ongoing basis, to buy hundreds of SIM cards, plug them into SIM farms and use them to pump out thousands of text messages every day to potential victims without any regulatory or compliance steps.”147

Figure 12: A SIM farm device

Photograph of a Sim farm device

Source: ‘Covid fraud: £34.5m stolen in pandemic scams’, BBC Click (24 March 2021): https://www.bbc.co.uk/news/technology-56499886. Image by Matt Quinton

72.The telecoms sector is vulnerable to manipulation by fraudsters located across the globe. The Fraud Advisory Panel, a counter-fraud charity, told us that “fraud often involves criminals (including organised crime groups) operating from overseas ‘hard-to-reach’ jurisdictions”.148 TrueCall Ltd, a telecoms technology company, added that this can compound the difficulties of catching fraudsters:

“A lot of mass marketing fraud either originates or has links to criminals abroad. Fraudulent telemarketing and mailshots often originate from international centres, some of which are in jurisdictions that are difficult to gain local enforcement cooperation, or to trace individuals.”149

Action to tackle phishing and smishing

73.We recognise that there is work being done, across both the public and private sectors, to mitigate the reach of smishing and phishing messages. However, the current approaches are uneven with counter-fraud policies being introduced inconsistently across the telecommunications sector. This is not a new problem and it has been allowed to continue for too long. We believe much swifter and firmer action needs to be taken. Prof Hao said: “The telecom companies have some solutions, but they should do a lot more. So far, what they have done is the minimum and driven entirely by revenue.”150

74.The main formal mechanism for coordinated telecommunications action on fraud is the Telecommunications Sector Charter created by the Government’s Joint Fraud Taskforce. The charter committed signatories to tackling the impact of scam calls on customers, coordinating to tackle smishing, and more technical pledges such as using real-time checking to tackle SIM swap and Mobile Number Porting fraud. Signatories were BT, EE, Sky, Three, Tesco Mobile, Virgin Media & O2 and Vodafone.151

75.The Telecommunications Sector Charter sets nine key actions to help the sector to tackle fraud. The full charters, including others relating to Retail Banking and Accountancy, are provided in Appendices 4, 5 and 6. The nine key actions are as follows:

(1)Identify and prevent scam calls

(2)A coordinated approach to tackle smishing

(3)Use of Dynamic Direct Debit (a pilot system to facilitate three-way authentication and authorisation at the point of sale between a customer, their bank and the telecommunications provider) in order to tackle identity theft and subscription fraud

(4)Use of real-time checking to tackle SIM swap and Mobile Number Porting fraud

(5)Sector information sharing

(6)Systematic sector analysis of shared fraud and other intelligence

(7)Engagement by law enforcement to investigate significant/repeated fraud against customers and providers

(8)Improve support to victims

(9)Increase fraud awareness

76.Under Action 2, signatories committed to block smishing by identifying and implementing new counter-smishing mechanisms. These included a review of the 7726–reporting service (see Box 16) and better information sharing with the National Cyber Security Centre (NCSC) and NFIB.152 The Communications Crime Strategy Group (CCSG), a telecommunications sector body focussing on crime, told us that three out of four UK mobile network providers have now implemented SMS filters while others have applied additional technical controls on bulk SMS and financial controls on SIM use.153

77.Hamish MacLeod told us that the telecommunications charter created five lines of defence within the industry. These include safety by design processes to encourage telecoms providers to make sure that they use reliable routes for buying text messaging and incorporate fraud defence technology into the mobile phones. As an example, MacLeod told us that Android phones now use text filtering and awareness functions to flag fraudulent text messages.154

78.To counter the threat of SIM farms, some firms are putting in place measures to prevent the ease with which SIM cards can be abused by such technology. Alex Towers, Director of Policy and Public Affairs at BT, told us that BT has introduced limits on the number of text messages any one SIM can send in a day (although the limit continues to remain high at around 2,000 per day) and BT have stopped selling low-cost bundles of mobile data that allow people to abuse SIMs for as low as £5.155

79.Given the global nature of the threat from phishing and smishing, private sector companies must work together. Will Semple said that eBay works with telecoms companies across the US, the UK and Europe to identify the senders of phishing/smishing texts operated from across the world and then take down the numbers.156

80.Alex Towers told us that BT had instituted a “Spam Shield” across the EE network to try to block out, at source, spam text messages.157 According to Towers, since the creation of the shield, 80% of spam texts are blocked from the system and the numbers of reported scams and spam messages fell by over 90%.158 In written evidence, BT said that since 2021, 120 million SMSs have been blocked and that collaboration between EE with other operators to collate data from the 7726 spam reporting mechanism allows the company to block numbers generating spam on their network.159 Hamish Macleod added:

“All service providers are doing something towards spam shields: All the operators are at some phase of implementing their spam text filters. We have three operational now and one in the phase of becoming operational.”160

81.These strategies do have weaknesses. Action to tackle phishing and smishing is hampered by the lack of a comprehensive assessment of the scale of telephony-fraud. The CCSG suggested that the NECC could not estimate the amount of telephony-enabled fraud and, as a result, “it seems hard to direct private sector or law enforcement resources effectively unless there is better understanding of inbound fraud routes.”161

82.The telecoms industry has not implemented existing counter-phishing measures with enough consistency. The Association of Chief Trading Standards Officers (ACTSO) told us that telecommunications providers can do more to prevent the spoofing of numbers and shut down numbers that are being used to commit fraud.162 This is particularly the case with the disjointed implementation of spam blocking technology. Adrian Gorham, Chair of the CCSG, told us that all the major operators now have the technology to roll out spam protections on their networks but that “it is just a question of going through the processes of tuning and so on.”163

83.In addition to informal engagement with communications providers, Ofcom has several enforcement powers to tackle nuisance calls, including fraudulent calls:

84.The increased use of online messaging platforms has created a new threat. Fraudsters are able to circumvent filters placed on SMS services by using new internet-based messaging services to contact victims. Services such as WhatsApp, Skype, Zoom and Microsoft Teams all use internet technology called Voice over the Internet Protocol (VoIP). This technology allows telephone calls to be made via the internet.168

85.BT told us that the incorporation of encrypted VoIP services, such as WhatsApp, into the telecommunications system limits the ability of telecoms providers to police fraudulent communication. They said:

“The rise of encrypted services creates new opportunities for fraudsters, about which telecoms companies can do nothing… if a user is deceived into contact with a fraudster on an encrypted platform such as WhatsApp or Apple’s iMessage (the way many Apple phone users message each other) then telcos have no visibility of any aspect of these communications …”169

86.WhatsApp is an encrypted instant messaging service owned by Meta. It offers VoIP services although it requires a cellular mobile number to operate. In February 2021, Lloyds Bank found that WhatsApp scams have surged by more than 2,000% in a year, with this type of crime being recognised as the fastest growing form of impersonation fraud. This type of fraud often involves criminals posing as family members or friends in difficulty, claiming that they have had to change their number due to a lost phone.170

Box 3: Graham’s story

Graham’s daughter was tricked into an APP fraud and sent money to a scammer’s bank account. The scammer convinced her that he was a trusted family member by ‘hijacking’ a telephone number in a WhatsApp group that she was a member of.171

“My daughter didn’t see any reason to question the source particularly because the fraudster had not initially asked her for money but had managed to continue a relevant conversation.”

When she realised the scam, Graham’s daughter quickly got in touch with her bank, which told her that she should have asked more questions of the person claiming to be her brother. The family also contacted the fraudster’s bank and Graham argues that it was a “major failure” that the bank did not freeze the account at that point.

Graham makes the case that more should be done to enable banks to use their powers to recover funds, freeze transactions and track payments more closely when they appear suspicious. He said that the inability or unwillingness of banks to act is leading to billions of pounds in losses for many people and suggests that more needs to be done to improve preventative technology.

Graham argues for a ‘guardian angel’ system, whereby a trusted third party can be appointed to watch over transactions if they appear suspicious.

“Many of us do realise that we may be vulnerable either because of age or simply not being tec savvy and would support a system whereby we could designate a trusted third party to our bank. This would enable the bank to check with the third party, a Guardian Angel, independently to check out any suspicious transactions before proceeding.”

Graham’s daughter has since received full reimbursement, however Graham expressed frustration at the hurdles it took to achieve this outcome.

Meta told us that they were “sorry to hear of the distressing situation [Graham] and his family have experienced” but said that the company was unable to comment on the specific case without more details. It noted Meta’s ambition for WhatsApp to be the “safest place for private, personal communication” and raised the importance of encrypted messaging, simple number blocking and reporting tools, and two-step verification. WhatsApp also operates machine learning systems, which are used to detect bulk and automated messaging. It said that more than 70% of bans for suspected spam or scam behaviour is made before a user reports to WhatsApp.172

Source: Written evidence from Anonymous (name has been changed) (FDF0102) and supplementary written evidence from Meta (FDF0099)

87.Given that WhatsApp and other online messenger services are encrypted, they are harder to police than other SMS based messaging services, even by the owners of the platform. Rob Jones, Director General of the NECC, said: “WhatsApp has been end-to-end encrypted since 2014. If WhatsApp wanted to go after content that is fraudulent on that platform, it could not do it, because it has locked itself out of its own content.”173 We recognise the abuse of end-to-end encrypted platforms such as WhatsApp as an issue that must be urgently addressed by tech companies, however we also appreciate that policing such messages would require significant intrusion of privacy.

88.Meta, the owner of WhatsApp, acknowledged that their ability to identify variations in IP address is undermined by the use of Virtual Private Networks (VPNs) which can falsify the locational appearance of a device.174 As variations in location and country code are a hallmark of fraudulent phishing messages, WhatsApp’s vulnerability to VPN manipulation is a concern in relation to counter-fraud policy. Meta has built-in protections that aim to mitigate fraudulent phishing activity including two-factor authentication and warnings displayed when a WhatsApp user receives a call or message for the first time from another user who is not in their contact list.175

89.Concerns have been raised about two other Meta owned online messaging platforms, Instagram and Facebook Messenger. Research by TSB found that between January and March 2022, 70% of cases of investment fraud reported to them (where a platform was recorded) started on Facebook or Instagram, either through adverts or direct messaging.176 Katie Martin, Markets Editor at the Financial Times, told the Committee that at the time of giving evidence a scammer was impersonating her on Instagram and direct messaging people to con them into APP crypto-frauds.177

90.The current regulatory system does not impose sufficient leverage or incentives on digital platforms to combat fraudulent online messaging, particularly in comparison with the liability placed on the banking sector. TSB concluded:

“Tech firms and social media companies have huge power and resources but are regulated as if they did not. The financial services industry is heavily regulated by bodies with enormous power to enforce and penalise banks and rightly so. However, the largest social media firms and tech companies (who are some of the largest companies in the world) are regulated as if they have no power or responsibility to their users.”178

91.In-app messaging services are in scope of the Online Safety Bill, and thus subject to the same duties in relation to user-generated fraud and to prevent fraudulent advertising as tech platforms. However, SMS and email are not.179 The Committee’s analysis of the Online Safety Bill is found in paragraph 528.

92.It is clear that Ofcom needs to do more to enforce the powers it has to bring the tech and telecoms companies it regulates in line. The regulator is due to receive expanded powers under the Online Safety Bill and should face greater scrutiny as a result. The National Audit Office (NAO) is described by the regulator as its external auditor and the NAO has reported on Ofcom in the past, most recently in 2019.180 We consider that an updated review may be in order given Ofcom’s expanded remit and powers however that is a decision for the NAO to make.

93.Phishing and smishing techniques are among the most prolific business models operated by fraudsters. Sending scam emails and texts is a simple and effective tactic, conductible speedily and in volume. While steps have been taken by telecoms companies to prevent such tactics, fraudsters continually evade these efforts and exploit new avenues to reach victims. The Committee believes much swifter and firmer action by telecoms companies needs to be taken to reduce the quantity of fraudulent communications slipping through the net. Ofcom has a broad remit and increasing powers. The level of accountability for Ofcom’s regulation of telecoms companies must therefore increase accordingly.

94.Ofcom must carry out a comprehensive assessment of telephony fraud in order to tackle the worrying information deficit on the scale of the problem. It must bolster its use of, and report on how often it uses, its enforcement powers to hold telecoms and tech companies to account for telephony-based scams. For example, it should report the frequency with which it has used its General Conditions to request that numbers are blocked due to fraudulent activity being detected. It should publish this information as part of an annual fraud report presented to Parliament.

95.The ever-increasing role and powers of Ofcom and wider digital regulation should be subject to enhanced parliamentary scrutiny. We add our voice to that of the Communications and Digital Committee in supporting the recommendation of the Joint Committee on the Online Safety Bill that digital regulation requires dedicated parliamentary oversight and therefore a Joint Committee of both Houses should be established to perform this role.

96.In addition, we suggest that Ofcom should face further oversight as part of wider scrutiny of the DRCF (see paragraph 563) and that Ofcom should be part of the NECC (see paragraph 284).

Romance fraud

97.Online dating is commonplace in the UK. Use of dedicated dating apps such as Bumble, Tinder, Hinge as well as social media platforms including Facebook and Instagram have joined websites including Match.com and eHarmony in providing opportunities to meet people online. Research shows that a third (32%) of relationships that began between 2015 and 2019 started online, compared to only 19% between 2005 and 2014.181

98.The pandemic encouraged many people to turn to internet services. In the year to April 2021, consumer group Which? found that romance fraud had increased by 40%, with over 7,500 reported scams.182 This trend has not changed in the time after the pandemic. At the time of writing, the previous 13 months have seen 8,848 reports of dating fraud, with reported losses totalling £99.7 million. 100% of these cases were cyber-enabled.183

99.While young people typically might be expected to use online dating services more frequently, as many people aged 50 to 59 fell victim to a dating scam in the last 13 months as those aged 20 to 29 (1,600).184

Figure 13: Romance fraud victims by age

Var chart showing numbers of reported romance fraud case by age group of victim

Source: City of London Police, ‘NFIB Fraud and Cyber Crime Dashboard: 13 months of data’ [accessed 1 November 2022]

100.Furthermore, while online dating platforms are often used for the purpose of forming relationships online, other online messaging and social media platforms may also be used to date online. Which? identified romance scammers operating on platforms such as LinkedIn or even online gaming platforms.185

101.The Online Dating Association, a dating app trade association, told us that those who are most vulnerable to fraud are “those that are lonely or isolated and looking for connection”.186 It typically involves a victim being duped into sending money to a criminal who has convinced them, sometimes over significant periods of time, that they are a genuine romantic partner. Criminals gain their victims’ trust using social engineering techniques (see paragraph 161).187

Box 4: Rachel’s story

In 2021, Rachel was the victim of a romance scam that originated on Facebook and led to the loss of £113,000. After experiencing a break-up, Rachel connected with the fraudster online. He told her that his wife had died of breast cancer and that his daughter was encouraging him to meet someone new. The two began to message via text, and it appeared the scammer was using a UK number.

During the fraud the two never met in person. He then told Rachel that he had secured an engineering contract in Ukraine. On allegedly arriving in Ukraine, the scammer asked her for £250 to cover a tax issue with his business. Rachel trusted the fraudster and conducted due diligence, confirming the details of the supposed company on Companies House (see Box 11).

Rachel believes that this small initial payment was intended to “suck her in” to a spiral of increasing payments. The fraudster used manipulative social engineering techniques to pressurise the victim into borrowing more money. This included claiming that his passport had been stolen and that he was being held hostage until he could pay to get it back.

“He sent me pictures of himself locked in a cellar with only a bucket to wash in.”

Over a period of three months, Rachel borrowed £90,000 and spent £20,000 in personal savings to send payments to Ukraine.

When the police were eventually alerted by the banks, Rachel misled the police about her spending because she believed the fraudster was going to be murdered if he could not raise the money to pay back the loan sharks. This demonstrates how effective social engineering can be.

Rachel realised that she had been defrauded when she visited the address that the fraudster had given her as his home. After Rachel disclosed the reality of the situation to the police, she felt that she had experienced victim shaming. She claimed that she was told by police that the fraud was her fault, and that officers could not be held responsible given the falsified information she had declared. This was compounded by letters from Santander and HSBC, which said that they could not refund her as she had willingly transferred the funds.

“The police told me it was my fault, but a person who is a victim of burglary is not asked by the police if they put up a fight, and a victim of theft is not asked why they don’t have CCTV. When you are a victim of fraud, you are made to feel as if you are the criminal.”

The impact on Rachel has been financially and emotionally devastating. Rachel experienced a mental breakdown and described the trauma of her experience. She told us that she felt stupid and had lost trust in the police and other people, including friends.

In response to Rachel’s experience, Santander called for greater incentivisation- and accountability for fraud enablers including social media and telecoms companies. The bank said:

“Unfortunately, despite repeatedly warning her of the dangers of transferring money to someone she hadn’t met and directly raising our concerns that this was a scam with Rachel and the police, she confirmed that she wanted to proceed with payments … Due to the strength of the social manipulation by the scammer, Rachel hadn’t accepted that she was being scammed when she decided to transfer funds to HSBC. Consequently, we did not have her required consent to raise a scam claim or to contact HSBC.”188

HSBC said it noted its commitments under the CRM Code and confirmed that it had “fulfilled our responsibilities under the CRM code” as the customer was provided with fraud warnings and still proceeded with the payments. It added that “we work hard to ensure fair and reasonable outcomes for all customers who fall victim to scams”.189

Source: Rachel spoke to the Committee at an engagement event on 7 July 2022.

Action to tackle romance fraud

102.There are several strategies that can be used to reduce the ability of fraudsters to commit digital fraud that relies on impersonation of others or concealing a true identity, such as in the case of romance fraud. These include the implementation of stringent user verification policies, referred to as know-your-customer (KYC) checks.

103.Identity verification has already been adopted by some online dating platforms. Fluttr was launched on Valentine’s Day 2022 emphasising the unique pledge to root out romance fraudsters. The app was launched in the wake of renewed interest in the issue of romance fraud thanks to documentaries including Netflix’s The Tinder Swindler. Graham Pullan, CEO of Fluttr, told us that the app relied on biometric identity verification:

“This means that all our customers are verified at the very start of the process. We do it by matching the image of the user’s face to their photo ID or their chosen photo ID, which in the UK is typically a passport or a driving licence. That is done using biometric face-matching technology.”190

104.Biometric testing involves matching a user of an online service, such as a dating platform, to a known characteristic. Examples include retina scans, fingerprints, facial and voice recognition. HSBC reports a reduction by 50% of telephone banking fraud since the introduction of biometric security using voice identification.191

105.While biometrics may have significant benefits in reducing fraud risks, we have also heard concerns that they are intrusive. Prof Hao told us that increased use of biometrics might require a central database of biometrics, raising further privacy concerns.192 Professor Victoria Nash, Director at the Oxford Internet Institute cautioned that, as a guiding principle, society should “only ever require the minimum amount of information needed to carry out whatever the activity is in a risk-reducing way.”193

106.In February 2021, DCMS published a draft UK Digital Identity and Trust Framework setting out plans to make it easier for people to verify their identity online.194 This follows the rollout of the Government’s previous Verify platform, which faced criticism due to its low success rate and high cost, and was terminated in 2021.195 The beta version of the new framework was published in June 2022 and will undergo additional testing in collaboration with industry, civil society and the public.196 The Data Protection and Digital Information Bill currently is on hold. However, it is expected to establish the regulatory framework for the provision of digital identity verification services in the UK.197 The Minister for Tech and the Digital Economy told us that creating a robust digital identity framework is an ongoing piece of work.198

107.The Online Safety Bill will also introduce new measures requiring Category 1 companies to ensure adult users are given the option to verify their identity.199 Identity theft is tackled in more detail in paragraph 453.

108.There are tools that individual consumers can use to minimise their fraud risk. For example, a ‘catfish’—someone who uses a false identity and fake images to lure victims towards their profile—can be tested for through use of reverse image search, however the onus is on the user to use and operate this technology to detect prospective romance fraudsters. Joe Lycett said:

“Then there are things such as reverse image search … It is a very simple thing you can do. If you get a message from somebody and it has an image—let us say on their WhatsApp—you can take that image and put it into Google image search and it will look to see if that image has been used anywhere else. Often that will reveal that it has been used millions of times … ”200

109.The Online Dating Association said that despite the availability of new technologies, background checks and ID verification, “dating services will continue to be vulnerable to romance and investment fraud, as it is a convenient way for fraudsters to attempt to meet victims.”201

110.Online dating is now a common means by which many seek to meet new people. Easy access to potentially vulnerable, isolated or lonely people makes these platforms prime targets for exploitation by fraudsters. Furthermore, as continued technological developments proliferate, fraudsters will find new ways to perpetuate false identities online. We are aware of the wider privacy issues surrounding debate on identity verification, particularly in light of the Data Protection and Digital Information Bill. However, in the context of online dating it is clear that identity verification is a crucial first step in stamping out romance fraudsters.

111.The Online Safety Bill must be amended to ensure that dating platforms are subject to mandatory identity verification processes in order to establish that their users are genuine.

112.As part of platforms’ efforts to design-out fraud (see paragraph 131), online dating platforms must be required to implement checks such as proactively deploying reverse image search, rather than placing the onus on users to do so.

Fraudulent advertising

113.Fraudulent advertising is another key method used by criminals to reach their victims. Using this business model, victims are scammed after clicking on fraudulent adverts that appear on online platforms and search engines.

114.The nature of advertising varies across platforms. Some major internet services such as Facebook. Instagram or Google use advertising as a central revenue stream. Other platforms including eBay and Amazon host and publish material for e-commerce purposes and integrate advertising within their websites.202 There is currently no legal duty imposed upon internet platforms and social media companies compelling them to run KYC checks on their advertising customers.203

Box 5: Crypto investment scams

As noted, the cryptoasset market has grown at rapid pace since its inception over a decade ago. Investment in cryptoassets has drawn a huge number of backers following the success of the first crypto coin known as Bitcoin. Katie Martin, explained why investing in crypto is so popular:

“There is the idea that the price of bitcoin, the earliest crypto coin, shot to the moon, so that if you get in at an early stage on a lot of other tiny little crypto coins, perhaps you could enjoy those sorts of riches too. It is rarely made clear enough in the advertising around that that you are taking a huge risk with your money and that you could lose all of it.”204

While many crypto investment advertisements may be legitimate, albeit risky, fraudsters have capitalised on this avenue in order to scam would-be investors. Crypto investment scams are on the rise. In 2021, crypto crime amounted to a $14 billion industry.205 Tom Mutton, Director for Central Bank Digital Currency at the Bank of England, broke this down, explaining that two thirds of crypto thefts related to decentralised finance (De-Fi) protocols, which is an umbrella term for cryptoasset projects that do not have a traditional, centralised intermediary (like a bank).206 He added that “the majority were crypto scams, including things like rug pulling and other fake investment scams. They were worth $7.8 billion, up 82%.”207

Many investment scams are advertised cheaply and easily online. The Advertising Standards Authority (ASA), the UK’s independent, voluntary and self-regulatory advertising body, told us that the majority of Scam Ad Alerts it sent over the last 12 months have been for scams relating to cryptocurrency. However, it also sent alerts for other scam types, including fake energy saving devices and diet pill subscription scams.208 The NCSC has reportedly removed over 74,000 online scams and 90,000 URLs specifically associated with cryptocurrency investment scams between April 2020 and March 2022.209

Katie Martin suggested that while regulating cryptoassets is a complex task, regulation could be introduced relatively quickly in order to control how these adverts reach the public because, at present, “anybody can launch a coin … anybody can advertise that coin.”210 She also suggested that the Government should work with industry and regulators to launch an awareness campaign around the dangers of investing in cryptocurrency.211

While cryptoasset scams are the most frequently reported scam to the FCA, the regulator may have limited power to tackle this threat as often these scams are not linked to genuine cryptoasset firms. To tackle this, the FCA runs campaigns to inform speculative investors about the risks of investing (see ‘InvestSmart’, Box 12). In August 2022, the FCA set out new rules for high-risk investments subject to financial promotion rules, however it noted that “cryptoasset promotions are currently outside our remit.” The FCA intends to publish rules for crypto promotions after legislation has been introduced to bring qualifying cryptoassets within the financial promotions regime under Chapter 2 of the Financial Services and Markets Bill.212

115.Given the pace of technological change, it is highly likely that new technologies will provide new opportunities for fraudsters to reach consumers. For example, there is a risk that an increased uptake in smart devices may lead to new avenues for fraudsters to contact and manipulate victims. Prof Nash said:

“For example, the role of smart speakers, non-screen-based technologies. What does it mean, for example, if I ask my smart speaker at home to give me information about a financial product? Are we sure that the sorts of cues and information we rely on platforms to provide will work in that context? Equally, with IoT—internet of things—devices, such as navigation systems, is there any way your navigation system can be hacked to push you towards particular garages? There could be new forms of mobile phone scams.”213

116.The Government has recognised the cyber-security threat posed by the rise in smart technology through the Product Security and Telecommunications Infrastructure Bill, which will provide for minimum security requirements in consumer connectible products, place compliance duties on the makers, importers and distributors of these products, and introduce powers to allow breaches to be punished.214

117.Without sufficient futureproofing, technology will most likely continue to create new opportunities for fraudsters to target victims. For example, the metaverse—a digital world in which experiences and interactions occur within a virtual space—may be open to abuse by fraudulent advertisers.215 Callsign Ltd, a digital identity company, told us that the metaverse “will create additional avenues for existing fraud methods to be applied.”216 The FCA warned that it is not clear whether KYC checks applicable in the real world will apply in the metaverse, nor is it clear who will have responsibility for the oversight of such spaces. It cautioned that “the jurisdictional issues regarding ‘where’ misconduct in the metaverse occurs, and how regulators and law enforcement can engage effectively, must be tackled now rather than when harm occurs”.217

Action to tackle fraudulent advertising

118.Online advertising is regulated by the ASA. Its Scam Ad Alert System was launched in June 2020 in partnership with online platforms and digital advertising companies. It resulted in 1,251 reports and 67 alerts from March 2021 to 2022. This information is then shared with platforms, which reported that 765 ads and/or accounts had been removed as a direct result of alerts.218 While we welcome efforts to tackle fraudulent advertising via collaboration, we consider the number of alerts to be considerably out of proportion to the scale of the issue.

119.In written evidence to the Committee, the ASA acknowledged that the current regulatory approach is not properly equipped to deal with online advertising fraud. They said:

“While we play an active role in seeking to disrupt scam ads, as a non-statutory body that was not established for and is not equipped to tackle fraud, we do not investigate them because criminals, who have little regard for the law, clearly have no incentive to comply with the UK advertising rules.”219

120.In addition to self-regulatory action, there are several additional activities either in train or being planned to tackle fraudulent advertising.

The Online Safety Bill

121.The Government is working to enhance digital safety through the Online Safety Bill. At the time of writing, its passage has been subject to further delays. The information in our report will reflect the Online Safety Bill that was published prior to the Parliamentary summer recess.

122.Fraud is designated as ‘priority illegal content’ under the Online Safety Bill. It includes a legal duty (in clauses 34, 35 and 36) for large online platforms (Category 1) and search engines (Category 2A) to take steps to prevent paid-for fraudulent adverts appearing on their services. Under clause 34(1), large social media platforms (Category 1) must put into place proportionate systems and processes to:

(a)Prevent individuals from encountering fraudulent advertising,

(b)Minimise the amount of time that fraudulent advertising is present, and

(c)Swiftly remove fraudulent advertising once they are made aware of it through any means.220

123.We have identified several issues with the Online Safety Bill. In brief, these include:

124.The Committee’s full assessment of the Online Safety Bill is found in paragraph  528, and some of these issues may soon be addressed in the Government’s forthcoming Online Advertising Programme.

Online Advertising Programme

125.The Government is in the process of finalising its review of the Online Advertising Programme (OAP). The Programme is being led by DCMS with the aim of reviewing the regulatory framework for paid-for online advertising and tackling “the evident lack of transparency and accountability across the whole supply chain.”221 While the Online Safety Bill only covers platforms and search engines, the OAP is likely to include advertisers, media agencies, intermediaries, and publishers (see Table 1).

Table 1: Inexhaustive list of actors in the advertising supply chain in scope of the Online Safety Bill (OSB) and Online Advertising Programme (OAP)

Actor

In scope of OSB

In scope of OAP

Advertisers (including agencies)

No

Yes

Ad servers (intermediary)

No

Yes

Demand-side platforms (intermediary)

No

Yes

Supply-side platforms (intermediary)

No

Yes

Platforms

Yes

Yes

Publishers (other hosts of online ads)

No

Yes

Source: DCMS, ‘Online Advertising Programme consultation’ (updated 30 September 2022): https://www.gov.uk/government/consultations/online-advertising-programme-consultation/online-advertising-programme-consultation [accessed 1 November 2022]

126.We have heard support for the programme, particularly for its potential to crack down on fraudulent advertising. TSB said that the Government should “Pursue a robust approach to online advertising through the Online Advertising Programme—which places significant and meaningful requirements on firms to limit fraudulent adverts and which imposes severe consequences on those who fail to comply.”222

127.Cifas suggested that the Programme may be used to tackle some of the intermediary platforms that the Online Safety Bill appears to ignore. Cifas said: “it is important that the Online Advertising Programme effectively tackles fraudulent abuse of adverts across other channels, such as job sites, which are so often exploited to advertise jobs that simply do not exist.”223

Private sector initiatives

128.In order to tackle fraudulent advertising, platforms can try to limit the ability of fraudsters to relocate consumers away from their service and onto a malicious website. The social media platform TikTok bans content that contains links to other websites. However, some fraudsters continue to manage to subvert the system, with Elizabeth Kanter, Director of Government Affairs and Public Policy Manager at TikTok, saying:

“What they do underneath is put a different landing page, so that when a user clicks through to the landing page there might be a QR code in the landing page that tries to take the user out of our app into another space that may contain fraudulent activity … That is fraudulent activity that is not allowed on the platform. We banned over 10 million ads in 2021 containing that and other types of ads that violate our policies.”224

Box 6: Google’s action on fraudulent ads

In July 2021, the FCA set out that it “believes that search and social media platforms may be breaching section 21 of the Financial Services and Markets Act 2000 (FSMA) if they provide optimised or value-added services in relation to a financial promotion that is not approved by an FCA authorised firm or that is not otherwise exempt”.225

Following this intervention in 2021, Google introduced a new verification policy to ensure that financial promotions hosted through Google Ads are only made by firms authorised by the FCA.226 Where categories of financial services advertisers are not FCA authorised, such as crypto, some SME lenders or gold, these adverts are now prohibited.227

Didi Denham, Government Affairs and Public Policy Manager at Google, said the move had “a very significant impact” with reports suggesting that the move had “almost all but eliminated scams on Google Search.”228

Google has since followed this action with several steps including integrating and automating the FCA Alert List which prevents ads linking to more than 5000 websites featured on the FCA’s Warning List. It is rolling out an advertiser identity verification process using both dual use of state-issued ID verification and business operation verification, in which business operations are checked to investigate unlawful activity.

Other social media sites have already or are in the process of taking the same steps. TikTok told us that it was the first platform to adopt the steps in 2020.229Meta said that the process of integrating this into their services is “ongoing”, with completion expected by the end of 2022.230 However, Mark Steward, outgoing Director of Enforcement and Market Oversight at the FCA, told us that Meta has made only “noises” and the FCA is at risk of ‘losing patience’ with the process.231 We echo these sentiments.

Former Minister for Tech and the Digital Economy Damian Collins told us that Google has seen positive results from its actions in driving down fraud, while “on Meta, in particular on Instagram, they seem to have increased quite dramatically”. He told us that it would be proper for Ofcom to consider this when developing its forthcoming codes of practice under the Online Safety Bill.232

The Financial Services and Markets Bill will introduce measures to allow for greater regulation of financial promotions. At present, most financial promotions have to be undertaken by authorised firms, but these firms are able to approve third party promotions. Clause 20 will strengthen oversight of such promotions.233

Source: QQ 119–120 (Didi Denham) and written evidence from Google (FDF0072)

129.In tandem with the OAP, the ASA has started a year-long pilot programme with online services such as Amazon, TikTok, Google and Meta.234 As part of the pilot, participating companies will introduce a set of principles covering how they will raise advertisers’ awareness of the rules that apply to their ads and they will also help the ASA to secure compliance in cases when an advertiser is unwilling to follow the rules.

130.Online advertising is a favoured tool in the fraudsters’ toolkit. Scam ads are prominent across a range of online platforms and services and have the potential to expand further as technologies develop. We welcome new legislation to try to tackle this issue via the Online Safety Bill and Online Advertising Programme, but regulations must go further to ensure that the full suite of tools are used to tackle fraudulent ads wherever they appear online. Recommendations relating to the Online Safety Bill are contained in Chapter 6.

131.The Government should ensure that the terms and conditions of all social media platforms expressly prohibit fraudulent user-generated content and advertising and that platforms should be held accountable for all fraudulent material that appears thereafter. We urge Meta and other large social media companies to take action more quickly and ensure that safety is considered at design level in all future product developments.

132.By Autumn 2023, all online platforms including Meta should be mandated to only allow online adverts for financial services from companies authorised by the FCA. Financial promotions should not carry the words ‘FCA authorised’ unless they are authorised for the specific activity or product advertised. The FCA should strive towards enforcing this principle of specificity more widely in future.

Analogue fraud

133.While the focus of our inquiry is the rise of digital fraud, physical or in-person approaches are still used by criminals and should not be ignored by policymakers. Methods of fraud constantly evolve and it is conceivable that as law enforcement improves its response to online scams, fraudsters may return to targeting individuals outside of the digital realm. This is why we are covering physical approaches by fraudsters in this report on digital fraud. ACTSO said:

“It is important not to overlook the traditional frauds (e.g. doorstep crime, rogue traders, counterfeiting, used cars, aggressive sales practices etc). These frauds continue to be carried out through traditional means, including face-to-face (often on the doorstep), by telephone, and by mail. These frauds are just as serious as online scams, and are often targeted at individuals who are made vulnerable by their circumstances.”235

134.Some victims are targeted specifically by these methods. The East of England Trading Standards Authority said that “doorstep crime related fraud is still the method of choice for a small percentage of the criminal community who often prefer to target elderly, vulnerable and infirm persons in their homes, using aggression and coercion to elicit monies for poor or non-existent work.”236

135.There is a correlation between physical isolation and a victim’s susceptibility to digital fraudsters. The Good Things Foundation, a charity working to reduce digital exclusion, said:

“the experience of digital fraud may reduce their [victims] motivation, trust and confidence in continuing to use the internet… Where this results in people making decisions to avoid online banking or the NHS App - wider risks arise for commercial and public sector service provision and inequalities.”237

136.The Committee has heard arguments for reorganising the counter-fraud policing model given that the majority of fraud is cyber-enabled and perpetrated by fraudsters who are often far from where the victim lives (see paragraph 302). Andy Cooke, HM Inspector of Constabulary, proposed a central tasking model sitting within the NCA that is fully linked into regional economic crime investigators and those involved in local economic crime.238 However, we are conscious that retaining a local approach to fraud investigation may have benefits in instances of traditional fraud, where fraudsters may rely on local knowledge to execute their crimes. Andy Cooke also told us that a move away from the localised approach could result in loss of ‘local touch’ to support investigations.239

137.While digital fraud is increasing, ‘analogue’ approaches continue to be used by some fraudsters to target victims, particularly those who are digitally excluded. The local policing model has some value in supporting these vulnerable individuals and should be kept in these cases.

138.The Government’s forthcoming Fraud Strategy should not ignore the threat of ‘analogue’ fraud as well as focussing on the increasing risk of digital fraud. Counter-fraud strategies should be varied to tackle analogue tactics including leafletting and door-stepping, and it must support those who are typically targeted by them.


134 House of Commons Library, Banking fraud, Briefing Paper CBP8545, 23 February 2021

135 Cisco, ‘What is Phishing?’: https://www.cisco.com/c/en_in/products/security/email-security/what-is-phishing.html [accessed 1 November 2022] and written evidence from BT Group (FDF0067)

136 ONS, ‘Nature of fraud and computer misuse in England and Wales: year ending March 2022’ (26 September 2022): https://www.ons.gov.uk/peoplepopulationandcommunity/crimeandjustice/articles/natureoffraudandcomputermisuseinenglandandwales/yearendingmarch2022 [accessed 1 November 2022]

137 Anonymous written evidence (FDF0102)

138 Q 233 (Prof Feng Hao)

139 Q 49 (Hamish MacLeod)

140 Cifas, ‘This is Fraudscape 2022’: https://www.fraudscape.co.uk/ [accessed 27 July 2022]

141 Home Office, ‘Fraud sector charter: telecommunications (accessible version)’ (updated 26 October 2021): https://www.gov.uk/government/publications/joint-fraud-taskforce-telecommunications-charter/fraud-sector-charter-telecommunications-accessible-version [accessed 1 November 2022]

142 Additional supplementary written evidence from BT Group (FDF0098)

143 Q 14 (Katy Worobec)

144 Written evidence from the CPS (FDF0004)

145 ‘Text that could cost you THOUSANDS: The fake Royal Mail message that’s snaring victims across the UK using cheap Chinese technology’, This is Money (30 March 2021): https://www.thisismoney.co.uk/money/beatthescammers/article-9418729/Text-cost-THOUSANDS-fake-Royal-Mail-message-snaring-victims-UK.html [accessed 1 November 2022]

146 Q 47 (Hamish Macleod)

147 Q 194 (Superintendent Gerard Pollock)

148 Written evidence from Fraud Advisory Panel (FDF0048)

149 Written evidence from trueCall Ltd (FDF0012)

150 Q 237 (Prof Feng Hao)

151 Home Office, ‘Fraud sector charter: telecommunications (accessible version)’ (updated 26 October 2021): https://www.gov.uk/government/publications/joint-fraud-taskforce-telecommunications-charter/fraud-sector-charter-telecommunications-accessible-version [accessed 1 November 2022]

152 Ibid.

153 Written evidence from the CCSG (FDF0063)

154 Q 45 (Hamish MacLeod)

155 47 (Alex Towers)

156 Q 125 (Will Semple)

157 44 (Alex Towers)

158 Ibid.

159 Written evidence from BT Group (FDF0067)

160 Q 45 (Hamish MacLeod)

161 Written evidence from the CCSG (FDF0063)

162 Written evidence from ACTSO (FDF0018)

163 Q 237 (Prof Feng Hao)

164 Ofcom, General Conditions of Entitlement: Unofficial consolidated version (17 June 2022): https://www.ofcom.org.uk/__data/assets/pdf_file/0030/238962/unofficial-consolidated-general-conditions-june-2022.pdf [accessed 1 November 2022] Nb. the GC was previously GC 20.3

165 Ofcom, Tackling nuisance calls and messages: update on the ICO and Ofcom Joint Action Plan (December 2016): https://www.ofcom.org.uk/__data/assets/pdf_file/0017/96110/ICO-Ofcom-joint-action-plan-2016.pdf [accessed 1 November 2022]

166 Ofcom, General Conditions of Entitlement: Unofficial consolidated version (17 June 2022): https://www.ofcom.org.uk/__data/assets/pdf_file/0030/238962/unofficial-consolidated-general-conditions-june-2022.pdf [accessed 1 November 2022] B1.18 (d), (e); Ofcom confirmed this in a private email dated 14 September 2022.

167 Ofcom, Tackling scam calls and texts: Ofcom’s role and approach (23 February 2022): https://www.ofcom.org.uk/__data/assets/pdf_file/0018/232074/statement-tackling-scam-calls-and-texts.pdf [accessed 1 November 2022]

168 See BBC News, ‘Internet revamp for the humble landline’ (16 August 2021): https://www.bbc.co.uk/news/technology-58233420 [accessed 1 November 2022]

169 Written evidence from BT Group (FDF0067)

170 Lloyds Bank, ‘Fraud Warning: number of WhatsApp scams has surged by more than 2000% in a year’ (31 January 2022): https://www.lloydsbankinggroup.com/assets/pdfs/media/press-releases/2022-press-releases/lloyds-bank/31.01.2022-whatsapp-scams-surge-over-200-per-cent-in-a-year.pdf [accessed 1 November 2022]

171 Anonymous written evidence (FDF0102)

172 Supplementary written evidence from Meta (FDF0099)

173 Q 218 (Rob Jones)

174 Written evidence from Meta (FDF0052)

175 Ibid.

176 Written evidence from TSB (FDF0066)

177 Q 70 (Katie Martin)

178 Written evidence from TSB (FDF0066)

179 Ofcom, Online Safety Bill: Ofcom’s Road to Regulation (6 July 2022): https://www.ofcom.org.uk/__data/assets/pdf_file/0016/240442/online-safety-roadmap.pdf [accessed 1 November 2022]

180 See Ofcom, Annual report and accounts 2021/22 (2022): https://www.ofcom.org.uk/__data/assets/pdf_file/0022/240727/annual-report-2021–22.pdf [accessed 1 November 2022] and NAO, Regulating to protect consumers in utilities, communications and financial services markets (20 March 2019) https://www.nao.org.uk/wp-content/uploads/2019/03/Regulating-to-protect-consumers-in-utilities-communications-and-financial-service-markets.pdf [accessed 1 November 2022]

181 Sky News, ‘Finding love online: more than half of couples set to meet via the internet’ (27 November 2019): https://news.sky.com/story/finding-love-online-more-than-half-of-couples-set-to-meet-via-the-internet-11871341 [accessed 1 November 2022]

182 Which?, ‘Romance fraud soared by 40% during the pandemic, Which? warns’ (11 June 2021): https://press.which.co.uk/whichpressreleases/romance-fraud-soared-by-40-during-the-pandemic-which-warns/ [accessed 1 November 2022]

183 City of London Police, ‘NFIB Fraud and Cyber Crime Dashboard: 13 months of data’: https://colp.maps.arcgis.com/apps/dashboards/0334150e430449cf8ac917e347897d46 [accessed 1 November 2022]

184 Ibid.

185 Which? ‘Online dating ‘romance’ scams up 40% through the pandemic’ (11 June 2021): https://www.which.co.uk/news/article/online-dating-fraud-up-40-through-pandemic-aKHlv5M09iYX [accessed 1 November 2022]

186 Written evidence from the Online Dating Association (FDF0028)

187 Action Fraud, ‘Romance fraud’: https://www.actionfraud.police.uk/a-z-of-fraud/dating-fraud [accessed 1 November 2022]

188 Written evidence from HSBC (FDF0106)

189 Ibid.

190 Q 135 (Graham Pullan)

191 Computer Weekly, ‘HSBC blocks £249m in UK fraud with voice biometrics’ (6 May 2021): https://www.computerweekly.com/news/252500302/HSBC-blocks-249m-in-UK-fraud-with-voice-biometrics [accessed 1 November 2022]

192 Q 235 (Prof Feng Hao)

193 Q 57 (Prof Victoria Nash)

194 DCMS, ‘The UK digital identity and attributes trust framework’ (11 February 2021): https://www.gov.uk/government/publications/the-uk-digital-identity-and-attributes-trust-framework/the-uk-digital-identity-and-attributes-trust-framework [accessed 1 November 2022]

195 Cabinet Office, Government Digital Service and Julia Lopez MP ‘Julia Lopez speech to The Investing and Savings Alliance’ (2021): https://www.gov.uk/government/speeches/julia-lopez-speech-to-the-investing-and-savings-alliance [accessed 1 November 2022]

196 DCMS, ‘UK digital identity and attributes trust framework: beta version’ (13 June 2022): https://www.gov.uk/government/publications/uk-digital-identity-and-attributes-trust-framework-beta-version [accessed 1 November 2022]

198 Q 271 (Damian Collins MP)

199 DCMS, ‘Online Safety Bill: Factsheet’ (updated 19 April 2022): https://www.gov.uk/government/publications/online-safety-bill-supporting-documents/online-safety-bill-factsheet [accessed 1 November 2022]

200 Q 100 (Joe Lycett)

201 Written evidence from the Online Dating Association (FDF0028)

202 Q 123 (Will Semple)

203 Treasury Committee, Economic Crime (Eleventh Report, Session 2021–22, HC 145)

204 Q 70 (Katie Martin)

205 Chainalysis, The 2022 Crypto Crime Report (February 2022): https://go.chainalysis.com/rs/503-FAP-074/images/Crypto-Crime-Report-2022.pdf [accessed 1 November 2022]

206 ‘The FT crypto glossary’, Financial Times (21 October 2021): https://www.ft.com/content/df9f5795-2aaf-4088-a76e-304056db61ef [accessed 1 November 2022]

207 Q 161 (Tom Mutton)

208 Written evidence from the ASA (FDF0022)

209 Money Saving Expert, ‘Over 74,000 scams axed after 10 million-plus reports to the Government: what to do if you’ve been scammed’ (18 March 2022): https://www.moneysavingexpert.com/news/2022/03/over-90-000-scams-involving-cryptocurrencies-and-more-have-been-/ [accessed 1 November 2022]

210 Q 71 (Katie Martin)

211 Q 79 (Katie Martin)

212 FCA, ‘PS22/10: Strengthening our financial promotion rules for high-risk investments and firms approving financial promotions’ (1 August 2022): https://www.fca.org.uk/publications/policy-statements/ps22-10-strengthening-our-financial-promotion-rules-high-risk-investments-firms-approving-financial-promotions [accessed 1 November 2022]

213 Q 59 (Prof Victoria Nash)

214 DCMS, ‘Product Security and Telecommunications Infrastructure (PSTI) Bill: Factsheets’ (24 November 2021): https://www.gov.uk/government/collections/the-product-security-and-telecommunications-infrastructure-psti-bill-factsheets [accessed 1 November 2022]

215 BBC News, ‘Apparently, it’s the next big thing. What is the metaverse?’ (18 October 2021): https://www.bbc.co.uk/news/technology-58749529 [accessed 1 November 2022]

216 Written evidence from Callsign Ltd (FDF0038)

217 Written evidence from the FCA (FDF0069)

218 Written evidence from the ASA (FDF0022) and DCMS, ‘Online Advertising Programme consultation’: https://www.gov.uk/government/consultations/online-advertising-programme-consultation/online-advertising-programme-consultation [accessed 1 November 2022]

219 Written evidence from the ASA (FDF0022)

220 House of Commons Library, Analysis of the Online Safety Bill, Research Briefing. CBP 9506, 8 April 2022

221 DCMS, ‘Online Advertising Programme consultation’ (updated 17 March 2022): https://www.gov.uk/government/consultations/online-advertising-programme-consultation/online-advertising-programme-consultation [accessed 1 November 2022]

222 Written evidence from TSB (FDF0066)

223 Written evidence from Cifas (FDF0015)

224 Q 135 (Elizabeth Kanter)

225 Letter from Mark Steward, FCA Executive Director of Enforcement and Market Oversight to Chair, ‘Assessment of Corporate Fraud Through Online Promotion’ (14 July 2021): https://committees.parliament.uk/publications/6817/documents/72272/default/

226 Oral evidence taken before the Treasury Committee on 21 September 2021 (Session 2021–22), QQ  267–278

227 Oral evidence taken before the Treasury Committee on 21 September 2021 (Session 2021–22), Q 343

228 Q 119 (Didi Denham)

229 Q 135 (Elizabeth Kanter)

230 Q 142 (Philip Milton)

231 Q 155 (Mark Steward)

232 Q 258 (Damian Collins MP)

233 Financial Services and Markets Bill, clause 20 [Bill 146 (2022–23)]

234 Written evidence from the ASA (FDF0022)

235 Written evidence from the ACTSO (FDF0018)

236 Written evidence from East of England Trading Standards Authority (FDF0024)

237 Written evidence from the Good Things Foundation (FDF0045)

238 Q 226 (Andy Cooke)

239 Q 226 (Andy Cooke)




© Parliamentary copyright 2022