Cyber fraudsters target individuals in ‘silent stealing’ approach
A new report from the Royal United Services Institute (RUSI) think tank has found that cyber criminals are “going down market” as they shift to defrauding sums as low as £10 from individuals but on a massive scale.
The report, The UK’s Response to Cyber Fraud: A Strategic Vision, warned that cyber fraud is “rampant” in the UK. One study estimated that fraud (of which cyber fraud is the most common form) has an annual cost of £190bn to the UK economy.
Among other issues surrounding the handling of cyber fraud in the UK, there is a lack of clarity over how cyber fraud is understood, and different stakeholders give it contrasting levels of priority. For instance, law enforcement does not have sufficient funds to respond to complex cyber-fraud incidents. This is in part due to the “seemingly victimless” nature of cyber fraud.
The report recommends that law enforcement focuses on protecting vulnerable people from becoming victims of cyber fraud as the cyber-crime landscape evolves.
RUSI found from interviews and workshops that cyber criminals appear to be increasingly targeting individuals - particularly people working remotely, using household equipment with insufficient cyber-security measures - rather than businesses. Cyber fraud targeting individuals can include romance or investment frauds.
Individuals are less likely to report the loss of small sums of money than businesses suffering large losses, rendering the “silent stealing” technique safe and effective for fraudsters when a large enough number of victims can be targeted. The approach also makes it harder for law enforcement and banks to identify the threat as a single fraud or a major criminal operation worth millions of pounds.
“There’s a working hypothesis that criminals are going down market,” the report said, quoting an interview. “Yes, trying to steal £10m from a bank is an option, but stealing £10 a hundred thousand times is going to give you a good return and probably go below the radar. Are you going to call Action Fraud or your bank in the case where you lose £10?”
Sneha Dawda, a cyber-threat researcher and one of the report's authors, commented that “silent stealing” has grown in popularity because the vast volumes of breached data available online make it easy for criminals to acquire personal data for fraudulent purposes. She warned people to be wary about social engineering techniques, such as those used in sophisticated phishing emails to encourage individuals to disclose passwords and other details.
“It’s really about checking, checking and checking again before you do anything like giving out your details, because cyber breaches are constantly happening; they expose a lot of information, and simple things like a password manager and having unique secure passwords for each account that you have will minimise that risk of cyber criminals being able to take advantage of multiple accounts,” Dawda said.
RUSI called for a more integrated response to cyber fraud, with the government moving to fill the current policy vacuum and law enforcement agencies and the private sector sharing data to inform investigations.
The report warned: “Government authorities, law enforcement agencies, financial institutions, private sector industry associations and cyber security and technology companies all hold information relevant to the detection and investigation of cyber fraud, but have no effective way of pooling it together”.