Cybercrime figures 'tip of the iceberg'

A reported fall in 'computer misuse' disguises a link with the rise in fraud, it is claimed

New figures that report a fall in 'computer misuse' and a rise in fraud show the authorities are failing to grasp the true impact of cybercrime, according to a leading cybersecurity expert.

Tim Thurlings, of bluedog Security Monitoring, a former 'ethical hacker' who helped to develop the European TIBER threat intelligence framework, says that the current figures fail to show the full extent of the problem and demonstrate the need for more accurate ways to measure cybercrime.

The figures released by the Office for National Statistics show that, according to the National Fraud Intelligence Bureau (NFIB), 'computer misuse crime' fell by 11% in the year ending September 2019 to 21,471 offences, following rises in the previous two years. The NFIB figures include cases reported by businesses and other organisations. Meanwhile, the Crime Survey for England and Wales (CSEW) estimates that, amongst the population as a whole, there were just over a million offences - unchanged from last year.

However, both sets of figures also show significant rises in fraud over the same period. According to the NFIB, the number of reported cases rose by 19% in the year ending September 2019 to 743,413 offences. At the same time, fraud offences experienced by adults in England and Wales increased by 9% to 3.8 million, states the CSEW. The increase was driven mainly by a rise in 'bank and credit account fraud', which totalled 2.7 million offences.

"These figures demonstrate the difficulties the authorities face in defining cybercrime," says Thurlings. "At present, we are failing to capture the true extent of the problem. So-called 'computer misuse' is just the tip of the iceberg. I expect that cybercrime plays a role in many of the fraud cases, even though they may not be classed as such. For example, a lot of payment card fraud is now caused by attackers penetrating retailers' IT networks and putting malware on their point of sale systems to capture customers' card details.

"Meanwhile, 'authorised push payments' - where victims are tricked into paying money into a criminal's account - are often the result of phishing emails or phone calls and are a type of social engineering which is very much part of cybercrime. It is clear that the police and finance industry are lacking know-how on what computer misuse is, and how these attackers operate.

"However, as cybercrime has become complex and sophisticated, it is also very difficult to place offences in one category or another. In many cases, cybercrime is part of the mix: for example, criminals may also use phone calls to victims as part of the scam.

"Certainly, we need better ways to measure cybercrime, and understand its impact on business and society as a whole. Companies need to be aware of the growing threat and understand that security should not be left to the IT department. It is now everyone's responsibility," he concludes.

Fraud has many faces, of course, as Rob Otto, EMEA Field CTO, Ping Identity, points out, "It is a broad category of crime that includes fraud by false representation, fraud by failing to disclose information, and fraud by abuse of position. In all three classes of fraud, it requires that, for an offence to have occurred, the person must have acted dishonestly and that they had to have acted with the intent of making a gain for themselves or anyone else, or inflicting a loss [or a risk of loss] on another. One of the fastest growing areas is cyber-related fraud."

According to the City of London Police 'Action Fraud' unit, £34.6 million was reported to be stolen from victims between April and September 2018, while around a third of victims in that period fell prey to the hacking of social media and email accounts, he adds. "Cyber fraud can fall into two broad categories. The first is fraud that uses an electronic means, such as email, website or even telephone calls that attempt to trick a victim into paying for something fake. Overdue TV licence bills, software to 'fix' a hacked computer and forged company invoices are a common trio from a seemingly endless list of scams. Identity theft is another common fraud component that can lead to more complex fraudulent purchases or financial agreements," Otto continues.

In both instances, identity has a significant role to play, he states. "The telephone call, email or website claiming to be a 'Microsoft' [or equally well-known tech company] employee contacting you with a request for payment may seem legitimate - but being able to validate this identity can be difficult. On the other hand, e-commerce payment processors with a 'card not present' transaction need to validate a purchaser's identity beyond just a legitimate credit card number." Assuring identity is the challenge, he adds. "In the case of payment fraud, many checks are happening in the background that assess risk through analytics, such as spending habits, geo-location and merchant trustworthiness. Banks are also instigating MFA [Multi Factor Authentication] through one-time pass codes to card owners' smartphones - and, as a result, these types of 'card not present' frauds are either not rising as fast or on the decline in most markets."
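The background risk checks Otto describes for 'card not present' payments (spending habits, geo-location, merchant trustworthiness, with a one-time passcode as step-up) can be sketched as a small rules-based scorer. The following is an added illustration written for this article, not code from Ping Identity or any bank; the cardholder history, merchant chargeback rates, weights and thresholds are all constructed assumptions, and a real system would learn them from data rather than hard-code them.

```python
"""Risk-based authorisation of a card-not-present payment (added example).

Scores a transaction against the cardholder's usual spending, country and
time of day, plus the merchant's recent chargeback rate, then decides to
approve, step up to a one-time passcode (MFA), or decline. Every number
below is a constructed assumption for illustration only.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Transaction:
    card_id: str
    amount_gbp: float
    country: str      # ISO country code inferred from the customer's IP/billing address
    merchant_id: str
    hour_utc: int


# Constructed history: previously approved amounts, countries and hours per card.
HISTORY = {
    "card-1": {
        "amounts": [12.50, 40.00, 23.99, 55.10, 31.00, 18.75, 60.00, 27.30],
        "countries": {"GB"},
        "hours": {8, 9, 12, 13, 18, 19, 20},
    },
}

# Constructed merchant reputation: share of this merchant's sales charged back in 90 days.
MERCHANT_CHARGEBACK_RATE = {
    "m-grocer": 0.002,
    "m-giftcards": 0.08,
}

STEP_UP_THRESHOLD = 40   # at or above this, demand a one-time passcode
DECLINE_THRESHOLD = 80   # at or above this, refuse outright


def score_transaction(tx, history=HISTORY, merchant_rates=MERCHANT_CHARGEBACK_RATE):
    """Return (score, reasons). Higher means riskier; reasons make the decision auditable."""
    score, reasons = 0, []
    hist = history.get(tx.card_id)
    if hist is None:
        score += 30
        reasons.append("no spending history for card")
    else:
        amounts = hist["amounts"]
        mu, sigma = mean(amounts), pstdev(amounts) or 1.0
        z = (tx.amount_gbp - mu) / sigma          # how far from the usual spend
        if z > 3:
            score += 40
            reasons.append(f"amount {z:.1f} sd above usual spend")
        elif z > 1.5:
            score += 20
            reasons.append(f"amount {z:.1f} sd above usual spend")
        if tx.country not in hist["countries"]:
            score += 30
            reasons.append(f"unusual country {tx.country}")
        if tx.hour_utc not in hist["hours"]:
            score += 10
            reasons.append(f"unusual hour {tx.hour_utc:02d}:00 UTC")
    rate = merchant_rates.get(tx.merchant_id)
    if rate is None:
        score += 15
        reasons.append("unknown merchant")
    elif rate >= 0.05:
        score += 25
        reasons.append(f"merchant chargeback rate {rate:.1%}")
    return score, reasons


def decide(tx, history=HISTORY, merchant_rates=MERCHANT_CHARGEBACK_RATE):
    """Map the score to an action: 'approve', 'step_up_otp' or 'decline'."""
    score, reasons = score_transaction(tx, history, merchant_rates)
    if score >= DECLINE_THRESHOLD:
        return "decline", score, reasons
    if score >= STEP_UP_THRESHOLD:
        return "step_up_otp", score, reasons
    return "approve", score, reasons


if __name__ == "__main__":
    samples = [
        Transaction("card-1", 28.00, "GB", "m-grocer", 12),      # routine purchase
        Transaction("card-1", 80.00, "GB", "m-giftcards", 12),   # pricier, risky merchant
        Transaction("card-1", 450.00, "US", "m-giftcards", 3),   # everything unusual at once
        Transaction("card-9", 10.00, "GB", "m-unknown", 12),     # no history, unknown merchant
    ]
    for tx in samples:
        action, score, reasons = decide(tx)
        print(f"{tx.card_id} £{tx.amount_gbp:.2f} -> {action} (score {score}): {'; '.join(reasons) or 'no flags'}")
```

The point of keeping a `reasons` list alongside the score is that a fraud analyst, or the customer disputing a decline, can see which signal fired; a score alone is hard to contest or tune. Note that the step-up branch only decides that a passcode is required; verifying the code the cardholder enters is a separate step, and a transaction should not be approved until that verification has succeeded.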

However, the more challenging issue remains around how individuals can assure the identity of organisations they deal with electronically. "Part of the issue is the need to raise consumer awareness around cyber security 'hygiene', but this must also extend to how organisations legitimately contact customers via digital means. We are encouraging organisations to use modern technology, such as smartphone apps with strong authentication capabilities, to establish secure communication channels with their customers. This can help both the organisation and the end consumer to recognise a legitimate interaction and mutually authenticate one another."

At a national level, several countries have instigated government-backed platforms that can help to assure digital identity, such as Estonia's digital ID card, which is used for securely accessing health and tax services and, increasingly, third party providers. "However, government-issued ID cards have been politically toxic, so it's likely that, in the future, banks may well offer this type of ID assurance services," he concludes. "This will become more likely, if a common standard can be agreed and implemented. Initiatives such as Open Banking can help to facilitate dialogue between banks, but at present the best advice is to use caution and use secondary methods such as contacting the listed details on a valid website, if an email for payment arrives out of the blue."