139.The second step in the fraud chain is typically marked by interaction between fraudsters and their victims. Phone calls, texts, physical meetings or other means of communication may be used to convince a victim to hand over money or data. These interactions lean heavily on social engineering techniques and often manufacture pressure, anxiety and stress to force an individual into a “hot state” in which they are more likely to transfer money to a fraudster, who will rapidly ‘cash out’ their stolen funds.240
140.This chapter will provide an assessment of number spoofing, fraudulent websites and social engineering to analyse how digital fraudsters interact with their victims.
Figure 14: The Fraud Chain: Interaction
Source: Q 14 (Katy Worobec) and written evidence from CCSG (FDF0063)
141.Number spoofing is used by fraudsters to convince their victims that they are calling them from a legitimate organisation. Overseas fraudsters are able to use technology to convince victims that calls are coming from UK numbers. This increases the likelihood that victims will buy into the scams and commit to transferring funds or data to fraudulent depositories. It often takes place following a smishing or phishing attempt.241
142.Number spoofing is prolific in the UK. In 2021, Ofcom found that 8 in 10 (82%) people surveyed had been targeted with scam texts or phone calls, which were intended to convince them that they were from trusted organisations such as banks, the NHS or government departments.242
Paul is a pensioner in his mid-70s who suffers from a history of heart attacks. His income outside savings is a state pension of £817. In February 2022, Paul fell victim to a sophisticated malicious misdirection APP scam that cost him £65,000. The fraud was conducted through smishing and number spoofing with the bulk of the interaction being conducted by phone.

“He was very well spoken and with a soft Scottish accent. He identified himself as ‘Clive’ and then said he needed to take me through some security questions … I had no doubt that he was who he said he was, and so I co-operated.”

Initially, Paul received a smishing text claiming to be from Royal Mail. Because he was expecting a delivery, Paul did not consider the text unusual and paid a redirection fee of £2.99 using his debit card. Two days later, he received a spoofing call claiming to be ‘Clive’ from his bank’s fraud department. The fraudster then personalised the scam by confirming Paul’s local bank branch in his town’s shopping centre. Paul said that he took this as a subliminal confirmation that the scammer was who they said they were.

The scammer then went on to use sophisticated social engineering techniques. He isolated Paul by instructing him to drive home and collect his passport. He then convinced Paul that he needed Paul to assist him in catching other alleged fraudsters at the bank, cutting him off further from reaching out for assistance. The fraudster asked Paul to transfer money to ‘dummy accounts’ and for him to speak to the payment verification department via phone so that he could monitor the bank’s responses. The fraudster explained how to set up a shared call, and said he was recording the calls. By the end of this process, the scammer had moved £65,000 from Paul’s bank account into three ‘dummy’ accounts, controlled by the fraudster. The fraudster said that the police would be visiting Paul to receive a witness’s statement from him regarding fraud at Santander. When this didn’t happen and the criminal stopped communicating with him, Paul realised it was a scam.

“He also said there had been 14 attempts to fraudulently move money involving this bank branch in the past month and he was leading an internal investigation to discover who might be colluding at the bank, and he needed my help.”

Paul has now been fully reimbursed by Santander. However, the effects of the scam are longstanding.

“I feel that the scam of which I am a victim was extremely sophisticated—they played on my anxiety and this whole experience has left me feeling violated. It’s as if someone took control of my brain and manipulated me.”

In response to Paul’s experience, Santander said: “Our dedicated fraud contact centre contacted Paul, but despite specific conversations around potential scams Paul chose to provide inaccurate information to us regarding the reason for the payments, which resulted in them being released… Santander had initially agreed to reimburse Paul 50% of the first payment, but not the second and third payment based on the interaction and questions asked by the Bank prior to them being sent. Upon receiving more information regarding the customer’s individual circumstances during the Financial Ombudsmen review, we refunded the customer in full, alongside paying 8% interest on his loss from the date of the transactions until the date of the refund and a further £500 compensation.”243
Source: Written evidence from Paul (FDF0103)
143.When spoofing happens, scammers make it appear that a phone call or text is coming from a trusted telephone number, for example that of a delivery company. Scammers are able to do this because of the telephone identification protocol, SS7. This tells the network what ‘presentation number’ or ‘calling line identification’ (CLI) a user is calling from on both mobile and landline phones. Fraudsters can steal this presentation number. SS7 is a core part of 2G and 3G networks and is still used in telecoms networks globally.244
144.Prof Hao used the analogy of a letter to describe how number spoofing works:
“First, number spoofing is always possible. From the day the telephone system was designed you could modify the caller ID … You can think of it as posting a letter. You write the receiver’s address, and you can also write the sender’s address on the envelope. You can arbitrarily write a sender’s address. It is your choice. Sometimes, if you post a letter from home, for example, you may want to write a different sender’s address because you want the receiver to return the letter to a different address, maybe to your work address.”245
145.The UK is particularly vulnerable to the international trend of number spoofing. Brian Dilley, Group Director of Economic Crime Prevention at Lloyds Banking Group, said that the inability of telecoms companies to block international scam calls and fraudulent number spoofing was the largest fraud vulnerability for the bank.246 Part of the high degree of susceptibility seen in the UK may be a product of the historical pattern of communication between service providers and their customers. Transpact.com, an escrow service company, said:
“Individuals and businesses have been ‘groomed’ by UK banks and UK utilities to receive a phone call from the bank/utility and for the bank/utility to ask the call recipient to divulge confidential information … to prove the call receiver’s identity. This is disastrous practice, as neither an individual (nor a business) can know whether they are being called by the genuine bank/utility or by a fraudster impersonating them.”247
146.This process, conducted by many different types of companies from broadband operators to energy companies, has had the effect of ‘grooming’ customers into divulging information when asked by a person who claims to represent a trusted authority via telephone, despite the fact that they do not have to identify themselves in any meaningful capacity. While there are some legitimate uses of this practice, we believe that it should be phased out in favour of a more effective solution.
147.Spoofing technology is readily available to fraudsters. Police Scotland’s DCI Stevie Trim told us about the availability of number spoofing applications provided by multiple companies. DCI Trim said: “From my experience, a lot of these are independent companies. There are spoofing apps that people can download. They were originally used to play jokes: I could put in a phone number and pretend to my mum that I was from a particular organisation.”248
148.Action to tackle number spoofing is made much harder by VoIP technology. Prof Hao argues that the ability to falsify your CLI is getting easier because of “the deregulation of the market, more and more telecommunication companies use VoIP-based technology. With those kinds of companies, the service is in the cloud, so it is much easier to modify a number.”249
149.For example, as well as online messaging, WhatsApp (see Chapter 2 and 3) permits calls through the use of VoIP, although it blocks attempts to register an account on WhatsApp using a VoIP provider specifically. Meta recognises that WhatsApp only has a “limited ability to identify when a call or message is originating from a location that differs from the country code assigned to the registered phone number, using identifiers like a user’s IP address for example.” This leaves it open to abuse.250
150.All voice calls, regardless of the use of encryption, are undermined in their ability to mitigate number spoofing by the design of their service. Adrian Gorham told us: “voice calls which are, by policy and technical design, ‘any-to-any’ so can be originated by any customer in the UK/internationally to any customer in the UK and cannot be subject to prior filtering by content.”251
151.Action to tackle and prevent scam calls is listed in Action 1 of the Telecommunications Fraud Sector Charter. The Charter sets out measures including implementing enhanced call blocking solutions, working with Ofcom and the Information Commissioner’s Office (ICO), as well as data sharing on the sources of scam calls with law enforcement, banking and the industry.252 According to the CCSG, this work is “on track.”253
152.Ofcom has taken several steps to tackle number spoofing. In October 2021, Ofcom asked phone networks to block internet calls coming from overseas if they pretend to be from UK numbers. When TalkTalk implemented the measure it claimed to see a 65% reduction in complaints about scam calls.254 Different operators are now rolling out their own solutions to this issue.255 EE has launched new firewall technology to block international scam calls that use a UK CLI and claims to have blocked up to a million a day since its inception in July 2022, benefitting BT, Plusnet and EE customers.256
153.In February 2022, Ofcom published a consultation on improving the accuracy of CLI data. The consultation set out plans to strengthen its existing General Condition C6, which introduced CLI measures—to require providers, where technically feasible, to identify and block calls with CLI data that is either invalid, non-dialable or does not uniquely identify the caller. It will provide guidance on what it expects providers to do to meet the new obligations. We understand that Ofcom expects to publish a statement on these plans in Autumn 2022.257
154.The ‘Do Not Originate’ list is a key measure being used to tackle number spoofing. Created by Ofcom and UK Finance, the list details numbers that are allocated to financial institutions, but which are never used for outbound customer service calls. Huw Saunders, Director of Network Infrastructure and Resilience at Ofcom, told us that the list now comprises “over 12,500 numbers, which, if they are seen in the network, are known to be malicious or known to be a scammer and therefore should be blocked.” Saunders also added that from Ofcom’s perspective the list “has proven very effective”.258 When HMRC implemented the measure, it reduced the amount of phone scams spoofing genuine inbound HMRC numbers “to zero”.259
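The three network-side checks described in paragraphs 152 to 154 (blocking invalid or non-dialable CLI, blocking numbers on the Do Not Originate list, and blocking calls that arrive from overseas while presenting a UK number) can be sketched as a single screening function. This is an added illustration, not code from Ofcom or any operator: the `ingress` label, the reason strings, the simplified validity rule and the sample Do Not Originate entries are all assumptions.

```python
import re
from typing import NamedTuple, Optional

# Constructed stand-in for the Do Not Originate list, using numbers from the
# ranges Ofcom reserves for TV drama. The real list is not reproduced here.
SAMPLE_DNO = frozenset({"+442079460123", "+441134960456"})


class Verdict(NamedTuple):
    action: str  # "ALLOW" or "BLOCK"
    reason: str  # hypothetical reason code for logging and reporting


def normalise_cli(raw: str) -> Optional[str]:
    """Return the presented number in +E.164 form, or None if it is not dialable.

    Assumption: a single leading 0 means UK national format. The length rule
    is a simplification; a real check follows the national numbering plan.
    """
    s = re.sub(r"[\s\-()]", "", raw or "")
    if s.startswith("+"):
        digits = s[1:]
    elif s.startswith("00"):
        digits = s[2:]
    elif s.startswith("0"):
        digits = "44" + s[1:]
    else:
        return None
    if not re.fullmatch(r"[1-9][0-9]{7,14}", digits):
        return None
    if digits.startswith("44"):
        nsn = digits[2:]  # national significant number
        if len(nsn) not in (9, 10) or nsn[0] == "0":
            return None
    return "+" + digits


def screen_call(presented_cli: str, ingress: str,
                dno: frozenset = SAMPLE_DNO) -> Verdict:
    """Apply the three checks in order; `ingress` is 'domestic' or 'international'."""
    cli = normalise_cli(presented_cli)
    if cli is None:
        return Verdict("BLOCK", "invalid-or-non-dialable-cli")
    if cli in dno:
        # Numbers on the list are never used for outbound calls, so any call
        # presenting one is treated as spoofed regardless of where it entered.
        return Verdict("BLOCK", "do-not-originate")
    if ingress == "international" and cli.startswith("+44"):
        # Legitimate exceptions a real deployment would need are not modelled.
        return Verdict("BLOCK", "uk-cli-on-international-ingress")
    return Verdict("ALLOW", "passed-screening")


def screen_sample() -> list:
    """Run the screen over constructed call records (CLI, ingress)."""
    calls = [
        ("020 7946 0123", "domestic"),         # on the sample DNO list
        ("+44 7700 900123", "international"),  # UK CLI arriving from overseas
        ("+44 7700 900123", "domestic"),       # same CLI on a domestic trunk
        ("+44 12", "domestic"),                # too short to be dialable
        ("+1 202 555 0142", "international"),  # overseas CLI from overseas
    ]
    return [screen_call(cli, ingress) for cli, ingress in calls]


if __name__ == "__main__":
    for verdict in screen_sample():
        print(verdict.action, verdict.reason)
```

The third element of the proposed General Condition C6 change, CLI that does not uniquely identify the caller, needs subscriber data and is outside this sketch.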
155.Part 4 of the Data Protection and Digital Information Bill, which is currently on hold, is set to increase fines for nuisance calls and texts by extending the reach of the Privacy and Electronic Communications Regulations (PECR). Clause 80 will enable the ICO to investigate and act against organisations responsible for unwanted direct marketing.260 The PECR are not aimed at fraud and it appears that these measures will need to be directed towards fraudulent calls unless there is clear guidance that this should apply.
156.We have taken evidence that highlights how international best practice can be followed by UK regulators. For example, in 2022 the US Federal Trade Commission (FTC) took action against a VoIP service provider for facilitating the transmission of pre-recorded scam robocalls, many relating to the pandemic, several of which originated overseas and used spoofed numbers.261 The case was the FTC’s third action against a VoIP provider. The court action included an order permanently stopping the defendants from such illegal conduct, forcing them to introduce technology to block such calls and screen new customers, and included a suspended civil penalty of more than $3 million.262
157.Also in the US, protocols termed ‘Stir and Shaken’ have been created, which will enable networks to authenticate CLI numbers. At present, this cannot be implemented on EU phone networks and Ofcom says that UK providers cannot implement such technology until networks and the technology that supports voice services are upgraded. The Government is switching off the public switched telephone network (PSTN) in order to make all phone lines digital by December 2025. In practice, this means that landlines will be connected by broadband connections (like in VoIP) rather than copper phone lines. This means that CLI authentication likely will not be fully available in the UK until that point.263
158.Number spoofing is fundamental to convincing victims that they are being contacted by a genuine, trusted authority. We endorse the valuable work being undertaken by Ofcom and the industry to tackle number spoofing, however efforts to address CLI spoofing must not be watered down or delayed.
159.Ofcom must expedite its work on number spoofing. It must ensure that technologies that prevent CLI abuse are rolled out as soon as possible, and take all available steps to require the mandatory use of these technologies immediately when possible. Updates to the core network should be made urgently to stamp out fraud, ideally prior to 2025. Where such reasonable steps are not taken, companies must face penalties.
160.Companies should phase out the process of identifying consumers via telephone by confirming personal information with them. A more effective solution to this requirement must be sought.
161.Social engineering is the process by which criminals groom and manipulate people into divulging personal and financial details or transferring money.264 Fraudsters use social engineering to bring a victim into what Brian Dilley called a “hot state”.265 This is the point at which individuals stop thinking clearly and often feel rushed, anxious and mistrustful.
162.Highlighting the risks of romance fraud and the vulnerability characteristics of victims, the Online Dating Association said: “Fraudsters are extremely adept at emotional manipulation and recognising the signs of those who are vulnerable and easy targets.”266 For example, isolation, reduced digital literacy or mental health illness may contribute to higher levels of vulnerability.267
163.Social engineering is not only successful against victims who are predisposed to scammers by existing vulnerabilities. Dr Konstantinos Mersinas, Senior Lecturer at Royal Holloway, explained that anyone can fall for social engineering saying: “The fact that security professionals might fall for social engineering attacks, and phishing, indicates that it is not a matter of knowledge or of providing the information.”268
164.Social engineering reduces the efficacy of counter-fraud warning signs. Attempts to fight back against social engineering may be undermined by the lack of trust created by the criminal. Brian Dilley told us that this often leads to the victim believing that the person trying to contact them genuinely is trying to help them because they have created a compelling narrative.269 TSB acknowledged that social engineering helps criminals circumvent warnings and public information campaigns created by stakeholders within the fraud chain:
“Given the scale of fraud in the UK and the sophistication of many scams, the technologies that are used, and the complex social engineering tactics used it is not credible to suggest that educating people about fraud is particularly effective … Fraudsters will always find ways to explain away a customer’s concern.”270
165.Social engineering can prevent individuals from asking for help and it can leave victims with residual feelings of shame. Mike Haley explained this issue by its parallel with the experience of burglary and fraud:
“I could be burgled, and everyone would have sympathy for me. I would not feel shame or embarrassment about it, and other people would have some empathy. With a fraud, there is a degree to which people will feel ashamed and embarrassed to even speak about it. They feel, as do others, that they have brought it on themselves in some way, they were not very savvy, and they were taken in by social engineering.”271
166.See Box 7 for Paul’s experience of being socially engineered to transfer £65,000 into a fraudster’s account. The fraud was predominantly based on the high degree of trust Paul placed in the fraudster.272
167.In September 2021, Stop Scams UK, a cross-sector industry body, launched a pilot scheme called 159, a memorable short code phone service that connects retail banking customers directly with their bank, should they receive an unexpected or suspicious call on a financial matter. Stop Scams UK told us that the average bank impersonation scam costs consumers more than £4,500. By spring 2022, 80,000 calls had been made to 159 and the service has now been expanded to accommodate other banks including the Co-operative Bank, the Nationwide Building Society, and TSB.273
168.Initiatives like the 159 initiative are vitally important in shaking a victim out of the ‘hot state’. Stop Scams UK said that the initiative can help to “break the scam journey at that critical moment when the consumer is at most risk of being socially engineered and making a payment.”274
169.Education is a central component of helping people recognise and respond to social engineering. Brian Dilley said that whilst attaining reliable metrics for studying the success of awareness messaging is challenging, education is “the first line of defence” because it can help a victim to understand when to hang up the phone.275 More information regarding consumer education can be found at paragraph 402.
170.Social engineering is a cruel tactic used by fraudsters to manipulate their victims. It has longstanding impacts on victims, who may find it difficult to trust organisations in future because of the tactics used by fraudsters to manoeuvre them into the ‘hot state’ in which they make a payment.
171.Financial institutions, whether banks or building societies, must be encouraged to participate in the 159 initiative, and should be mandated to provide information on the service to their customers if the initiative is extended beyond pilot stage.
172.Fraudsters incorporate fraudulent websites or domains into phishing messages to draw victims into the interaction phase of a fraud. Domain registration to set up a website is cheap and easy, often only costing between $10 and $30 a year.276 This enables some fraud to be carried out with relative ease. The ease with which fraudsters create these domains means that identifying and closing them down becomes a game of “whack-a-mole”.277
173.Fake websites often link to real life scenarios or contemporary events that are exploited to help social engineering of victims. The COVID-19 pandemic provided a rich opportunity for phishing attacks. Texts often relocated victims to fake website pages about vaccinations or COVID-19 passes. Websites were designed to collect personal and financial information from victims. They offered vaccine booking appointments in return for a fee.
174.There are a number of ways in which fraudsters aim to spoof websites. For example:
175.Prof Hao’s research shows that fraudulent domain names often work best on mobile devices because users are less likely to notice that a website is different to the original on their phones because of the smaller screen size and user interface.279
176.The use of fraudulent websites presents a significant challenge to counter-fraud agencies because domains can be made quickly with very few identity checks. Prof Hao said: “Often, phishing websites are short-lived. They do not last long, because it takes time for the activities to be detected. After a day or two, they get the fraudulent transactions and make enough money, and if it is detected and blocked, they just open another domain.”280
177.New software makes finding and removing fraudulent websites even harder. Proxy servers can be used to guide users to websites that are blocked in other countries via domain hopping (the practice of relocating to new domains to prevent being penalised). An example of this kind of site is Unblockit. In addition, IP masking services disguise the IP address of the hosting server through software like Cloudfire. The Motion Picture Association told us that these pieces of software offer criminals the ability to evade shutdowns through ‘domain hopping’. It said:
“When enforcement activities are implemented—be it ISP blocking, search engine delisting or otherwise—Unblockit and sites like it simply move to a new domain.”281
178.Action to tackle fraudulent domains is spearheaded by the NCSC. In 2021, the NCSC took down 2.7 million campaigns amounting to 3.1 million URLs. This was an increase on the 700,595 campaigns and 1.4 million URLs taken down in 2020. Overall, since the takedown service began in June 2016 it has taken down 3.7 million campaign groups (5.8 million URLs covering more than 2 million IP addresses).282
179.The Motion Picture Association has argued that more should be done to tackle fraudulent domains by know your business customer (KYBC) checks. It suggested that a new KYBC obligation should be placed on online service providers such that checks “would require commercial entities to establish the true identity of their business customers as a precondition for selling, and receiving payment for, digital services.”283
180.Will Semple suggested that KYC checks could help to prevent criminals registering new domains and encrypting the traffic between a web server and the customer’s browser. He said:
“They have to register a domain. Often, they have to register what we call an SSL certificate, which encrypts the traffic between the web server and the customer’s browser … my view is that it is too easy to register, and some simple know your customer-type techniques would probably introduce a major speedbump into the entire process. They would not stop it, but they would definitely make it harder for bad actors to carry out these activities.”284
181.However, Prof Hao told us that this is more difficult than it sounds because domain hosts can only monitor traffic on a website and deduce whether it is likely to be fraudulent by the type of traffic it attracts. While it is possible to look up the owner of a domain, this is not common practice. In addition, Prof Hao said:
“Criminals never use their real identity; they always use a stolen identity to register the domain. They do not register it in the UK; they register it overseas. They use a stolen credit card to make payments, or bitcoin or an anonymous payment method.”285
182.The Association of British Insurers said that there must be more effort to deter fraudsters from registering fraudulent domains given that “the issue moves so quickly that simply listing domains will always be outpaced by new domains emerging.” They argue that prosecution is vital to deter future fraudulent activity.286 However, Michael Skidmore, Senior Researcher at the Police Foundation, cautioned that policing these domains would be challenging because we are “dealing in this regard with quite technical and cross-border offenders.”287
183.Will Semple argued that action against fraudulent domains must be cross-sectoral. Noting that “everyone has a role to play”, he identified eBay’s collaboration with PSPs, financial services institutions, software providers and domain name registrars as an example.288 The efficacy of this approach can be seen in the work of Stop Scams UK who said that through collaboration BT, TalkTalk and others had put online a URL Blocking Proof of Concept service that blocked 33,000 phishing domains as of February 2022.289 These partnerships must stretch to law enforcement.
Box 8: The role of the National Cyber Security Centre (NCSC)
The NCSC was launched in 2017 as part of the Government Communications Headquarters (GCHQ). Its role is to act as a bridge between industry and Government and it is the UK’s national authority on the cyber security environment.290 The National Cyber Strategy 2022 set out that the NCSC’s key priorities are to take direct action to reduce cyber harms, support the UK in protecting itself, provide technical input to government policy and regulation, provide UK sovereign capabilities, and to support growth in cyber skills and investment.291

The NCSC has a key role in preventing fraud. In April 2020, the NCSC launched the Suspicious Email Reporting Service, inviting people to share suspicious emails or websites with report@phishing.gov.uk or by reporting directly online. Since the launch, the NCSC have shut down over 76,000 scams across 139,000 websites.292 It works in partnership with the ASA on the Scam Ad Alert System; if a post is suspected of being fraudulent, an Alert is sent to the NCSC (and participating social media platforms), which scans the alert for URLs and removes the website if found to be malicious.293 The NCSC has a key role in taking down scams reported to the 7726 service (see Box 16). It also runs the Cyber Security Information Sharing Partnership, a public-private information sharing service that allows organisations to share cyber threat information securely and confidentially.294

In addition, under Action 2 of the Telecommunications Fraud Sector Charter, telecoms providers will share reported URLs and phone numbers linked to smishing with the NCSC. Under Action 7, the NCSC (along with the City of London Police and NECC) is required to appoint a telecommunications fraud point of contact.295 The Centre also provides guidance for individuals, SMEs, large organisations and public and private sector professionals as part of its Cyber Aware campaign.296

We have heard that the NCSC fosters positive collaboration with the private sector. BT Group told us that it has worked with the NCSC on the development of its security education and advice for customers.297 Stop Scams UK is currently working on how it can better share data from its 159 project with the NCSC.298 Will Semple told us that “we see very strong leadership in our ecosystem from agencies such as the NCSC and GCHQ”, noting regular collaboration with eBay.299 However, we are concerned that collaboration with ISPs is lacking, particularly given their role in domain hosting and the creation of fraudulent websites.

We recognise that more can be done, particularly at a local level. Fighting Fraud and Corruption Locally, a working group connected to Cifas, told us that there should be better communication between local authorities, the police and the NCSC to encourage joint working at a local level.300 The National Anti-Fraud Network (NAFN) told us that while content to support businesses’ awareness of fraud is valuable, it should be more widely publicised and supported with a focus on local implementation.301
184.Finally, we note the lack of current focus on the role that Internet Service Providers (ISPs) play in the fraud chain. ISPs supply individuals with access to the web and supply hosting facilities for websites.302 Dr Mersinas called for a collective effort that included getting “the technological giants, the ISPs and the platforms on board” and not relying on law enforcement efforts alone.303 At the moment, membership of the CCSG does not include ISPs despite their role in domain hosting and the Telecommunications Sector Charter does not explicitly mention cooperation or data sharing with ISPs.304
185.We understand that the Government is considering fraudulent domain names as part of its review of the Computer Misuse Act, including potential powers to seize internet domain names so that fraudsters cannot register a domain to “lure people down a fraudulent path”.305
186.We also understand that the issue of fraudulent domains is not considered to be within Ofcom’s regulatory perimeter. Furthermore, it is arguably inconceivable to bring it within its territorial perimeter due to the overseas nature of this activity. We recognise that any efforts to bring this issue within Ofcom’s regulatory perimeter might result in domain hosts using overseas services.
187.Fraudulent websites have become a common means by which fraudsters can convince their victims that they are interacting with a genuine organisation or authority. At present, it is too easy to set up a spoof website. Domain hosts and ISPs have been left out of the debate on how to tackle fraud. This oversight has left them without due scrutiny. These services must be subject to the same stringent counter-fraud controls that should apply across the board.
188.The Government must clarify within whose regulatory perimeter domain hosts and other ISPs sit and explore whether bringing this issue within Ofcom’s regulatory remit would materially benefit its counter-fraud function. The responsible regulator should consult on new regulations requiring domain name providers to enforce greater KYC checks on those registering domain names, and on codes of practice to establish protocols that prohibit domains from being used if it is believed that the intention is to deceive users.
189.The Government must expedite the forthcoming Tech Sector Charter and include ISPs within its scope.
242 Ofcom, ‘45 million people targeted by scam calls and texts this summer’ (20 October 2021): https://www.ofcom.org.uk/news-centre/2021/45-million-people-targeted-by-scams [accessed 1 November 2022]
244 BBC News, ‘Why phone scams are so difficult to tackle’ (23 August 2021): https://www.bbc.co.uk/news/business-58254354 [accessed 1 November 2022]
252 Home Office, ‘Fraud sector charter: telecommunications’ (updated 26 October 2021): https://www.gov.uk/government/publications/joint-fraud-taskforce-telecommunications-charter/fraud-sector-charter-telecommunications-accessible-version [accessed 1 November 2022]
254 ‘Ofcom plans crackdown on fake number fraud’, The Independent (23 February 2022): https://www.independent.co.uk/news/uk/ofcom-talktalk-government-consumers-companies-house-b2021235.html [accessed 1 November 2022]
256 EE, ‘EE takes a stand against scammers with latest international call-blocking technology’ (18 August 2022): https://newsroom.ee.co.uk/ee-takes-a-stand-against-scammers-with-latest-international-call-blocking-technology/ [accessed 1 November 2022]
257 Ofcom, Improving the accuracy of Calling Line Identification (CLI) data: Consultation on changes to our General Conditions and supporting guidance on the provision of CLI facilities (23 February 2022): https://www.ofcom.org.uk/__data/assets/pdf_file/0015/232071/consultation-improving-cli-data-accuracy.pdf [accessed 1 November 2022]
259 Take Five, ‘Criminals exploit Covid-19 as fraud moves increasingly online’: https://www.takefive-stopfraud.org.uk/news/criminals-exploit-covid-19-as-fraud-moves-increasingly-online/ [accessed 1 November 2022]
260 Data Protection and Digital Information Bill, Part 4, clause 80 [Bill 143 (2022–23)]
262 Federal Trade Commission, ‘FTC takes action to stop voice over internet provider from facilitating illegal telemarketing robocalls, including scams relating to the pandemic’ (26 April 2022): https://www.ftc.gov/news-events/news/press-releases/2022/04/ftc-takes-action-stop-voice-over-internet-provider-facilitating-illegal-telemarketing-robocalls [accessed 1 November 2022]
263 BBC News, ‘Ofcom asks phone networks to block foreign scam calls’ (25 October 2021): https://www.bbc.co.uk/news/business-59032795 [accessed 1 November 2022]; BBC News, ‘Why phone scams are so difficult to tackle’ (23 August 2021): https://www.bbc.co.uk/news/business-58254354 [accessed 1 November 2022] and Which?, ‘Digital Voice and the landline phone switch-off: what it means for you’ (7 October 2022): https://www.which.co.uk/reviews/broadband/article/digital-voice-and-the-landline-phone-switch-off-what-it-means-for-you-aPSOH8k1i6Vv [accessed 1 November 2022]
274 Ibid.
276 Allen & Overy, ‘Domain names, online fraud and UDRP proceedings’: https://www.allenovery.com/en-gb/global/blogs/digital-hub/domain-names-online-fraud-and-udrp-proceedings [accessed 1 November 2022]
278 Techradar, ‘Why criminals spoof your domain name’ (7 November 2019): https://www.techradar.com/news/why-criminals-spoof-your-domain-name [accessed 1 November 2022]
279 Mohammed Aamir Ali, Muhammad Ajmal Azad, Mario Parreno Centeno, Feng Hao, Aad van Moorsel, ‘Consumer-facing technology fraud: economic, attack methods and potential solutions’, Future Generation Computer Systems, vol 100 (2019), pp 408–427 (November 2019): https://www.dcs.warwick.ac.uk/~fenghao/files/Consumer_Facing_Technology_Fraud.pdf [accessed 1 November 2022]
282 National Cyber Security Centre, Active Cyber Defence: The fifth year: https://www.ncsc.gov.uk/files/ACD-The-Fifth-Year-full-report.pdf [accessed 1 November 2022]
290 HM Government, ‘National Cyber Security Centre’: https://www.gov.uk/government/organisations/national-cyber-security-centre [accessed 1 November 2022]
291 Cabinet Office, ‘National Cyber Strategy 2022’ (updated 7 February 2022): https://www.gov.uk/government/publications/national-cyber-strategy-2022/national-cyber-security-strategy-2022#the-national-cyber-security-centre [accessed 1 November 2022]
292 DCMS, ‘Major law changes to protect people from scam adverts online’ (8 March 2022): https://www.gov.uk/government/news/major-law-changes-to-protect-people-from-scam-adverts-online [accessed 1 November 2022]
294 National Cyber Security Centre, ‘CiSP’: https://www.ncsc.gov.uk/section/keep-up-to-date/cisp [accessed 1 November 2022]
295 Home Office, ‘Fraud sector charter: telecommunications’ (26 October 2021): https://www.gov.uk/government/publications/joint-fraud-taskforce-telecommunications-charter/fraud-sector-charter-telecommunications-accessible-version [accessed 1 November 2022]
296 See National Cyber Security Centre, ‘New web tool to test your cyber risk as survey exposes 80% of British people fear online attacks’ (March 2021): https://www.ncsc.gov.uk/news/consumer-cyber-action-plan [accessed 1 November 2022].
302 Carphone Warehouse, ‘What is an Internet Service Provider (ISP)?’: https://www.carphonewarehouse.com/broadband/guides/what-is-an-isp.html [accessed 1 November 2022]
304 Home Office, ‘Fraud sector charter: telecommunications’ (26 October 2021): https://www.gov.uk/government/publications/joint-fraud-taskforce-telecommunications-charter/fraud-sector-charter-telecommunications-accessible-version [accessed 1 November 2022]