A new report from UK security think tank Royal United Services Institute (RUSI) finds that fraud has “reached epidemic levels” in the country and that the collective volume of attempts should be viewed as a national security threat.
The paper’s central assertion is that the volume of fraud now represents a serious threat to availability of public funds, such that it should no longer be considered a low-impact (and sometimes low-priority) sector of crime. Contributing factors include a “responsibility vacuum” created by leadership and budgeting of both central government and local law enforcement agencies.
Fraud eating up to 10% of UK GDP, yet infrequently investigated
The case for treating fraud as a national security threat is rooted in the UK’s existing “serious and organized crime” legislation, which treats criminal enterprises of sufficient size or threat (including terrorist groups) in such a way. The paper argues for treating fraud, which is sometimes perpetrated online by nation-state threat actors or groups seeking to fund terrorism, similarly. The central proposed solution is to loop in intelligence tasking from the National Security Council in combating fraud groups of this nature, and increasing cooperation and data-sharing between different agencies. It also calls for counterterrorism agents to receive training in disrupting fraud operations.
Fraud has seen year-on-year growth in the UK in recent years, and the researchers now put the number at as much as £190 billion (or 10% of the UK’s GDP in 2017). The paper argues that the traditional “criminal justice” approach to investigating and prosecuting fraud is no longer adequate given that so much of it is now online and originates from sources outside the country’s borders. Reimagining it as a national security threat would provide the quickest path to putting the resources in place to combat it.
The researchers contend that the UK is uniquely vulnerable among world powers as a fraud target because it has failed to devote adequate resources to policing it for more than a decade. With 3.7 million incidents between March 2019 and March 2020, fraud has become the most likely crime an individual will experience in the country (at over 10 times the rate of burglary and 20 times the rate of common theft). Yet surveys of attitudes demonstrate that the general public continues to see fraud as a low-priority crime, something that is only likely to happen to the elderly or the gullible. A Home Office study from 2019 finds differently; it characterizes the average UK fraud victim as being age 25-54 and in a managerial or professional occupation with a high income.
Though fraud is clearly growing as a crime segment, the scale of policing of it is not keeping pace. The paper points out that there is no national cross-government strategy for fraud cases, only 1% of the nation’s police action is devoted to it, and most victims do not report a positive outcome in the response to it.
Statistics from Action Fraud, the central UK law enforcement fraud reporting channel, indicate that 85% of reported fraud since 2019 had at least some component that was “cyber assisted.” However, holes in the operational response to fraud cause many cross-border investigations to be dropped due to leaving the jurisdictions of the involved agencies. The paper also points out that most local police agencies prioritize crimes by individual dollar value rather than category volume, meaning that fraud cases are likely to be put on the back burner or potentially never even taken up.
Stephen Maloney, executive vice president and chief revenue officer at Acuant, expanded on how the evolving (and growing) cybercrime industry at minimum requires more serious attention from all levels of law enforcement even if it is not formally labeled as a national security threat: “The magnitude of these losses can’t help but have a dampening effect on the UK economy. It’s also bad news for consumers, who often bear the brunt of many direct costs (especially in account takeover and identity theft). Financial fraud offers a lucrative source of income for cybercriminals; with such tempting promise of high reward and low prosecution rates, emboldened cybercriminals have grown in their sophistication, exploiting the human-interest factor by posing as banks or suppliers and then duping consumers into revealing their personal details. These scams have also proved effective in targeting commercial organizations, as senior executives have been tricked into revealing sensitive information which enables access to a company network … The increasing volume of attacks globally has also been attributed to more fraudsters willing to commit the crime, more data available on the black market, and more financial institutions and merchants that are vulnerable to attacks. Plus, as more countries fully adopt EMV, fraudsters have switched their tactics online and fraud will continue its migratory path to all available online channels.”
Fraud as national security threat?
While a case of simple volume being directed against the UK general public may make only a tenuous case for redefinition of fraud as a national security threat, the report also notes that UK public bodies have been expected to lose a collective £31 billion to £48 billion to fraud, or each losing anywhere from 0.5 to 5% of their annual budgets. Aside from the sheer loss of public money, negative impacts include a gradual erosion of public trust and the ability of businesses to pay taxes and invest. The report points out that international confidence in the UK’s financial services sector is more important than ever now that it is separated from the EU.
The paper’s strongest direct case for fraud as national security threat is the link to financing of terrorism, though it remains unclear exactly how many attacks or how much money shares that link. The report notes several case studies of organized fraud that was linked to terrorism financing, such as a “courier fraud” case in 2016 that took £1 million from UK pensioners to assist in funding ISIS.
The researchers call for this new “national security threat” approach to be embedded in the National Cyber Security Strategy, an initiative that is refined every five years and has just begun its current iteration with the start of 2021.