MPs call on banks to report electronic crime direct to police
The House of Commons Home Affairs Committee says that because financial institutions do not report all online crime, the total is significantly underestimated. The UK Government uses an estimate of the cost of online crime produced by the Cabinet Office and Detica of £27 billion, which one witness told the committee had been met with “widespread scorn”. The committee recommends that the Government “publicly distances itself” from the report.
Currently banks share information on fraud through agencies such as Cifas and the Payments Council, allowing them to report levels and monitor trends without risking reputational damage through direct public disclosure.
In a response to the report, the Confederation of British Industry said that making it mandatory for businesses to report cyber-attacks won’t help. “Proposals to force businesses to report a cyber-attack as soon as it happens when they should instead be focusing on fighting the attack privately could be counterproductive and put them at greater risk,” said Matthew Fell, CBI director for competitive markets. “Mandatory reporting would also risk cyber security becoming a tick-box regulatory requirement and stifle business-to-business information-sharing.”
Evidence given by the Foundation for Internet Policy Research said that a 2005 policy change, under which victims of fraud reported the crime to their banks in the first instance rather than to the police, meant that the rate of recorded instances of fraud understates the reality. FIPR points to the British Crime Survey, which shows that UK households are twice as likely to be victims of fraud as of traditional acquisitive crime. It added that the 2005 policy change had “caused the fraud statistics to go down, but it opened up an even larger gap than is usually the case between the crimes reported through the police, on the one hand, and the crime levels reported through victim surveys on the other. Now, for most practical purposes, official recorded crime is useless in determining the level of fraud”.
The committee concluded that “there appears to be a ‘black hole’ where low-level e-crime is committed with impunity. Criminals who defraud victims of a small amount of money are often not reported to or investigated by law enforcement and banks simply reimburse victims. Criminals who commit a high volume of low level fraud can still make huge profits. Banks must be required to report all e-crime fraud to law enforcement and log details of where attacks come from”.
As well as the problem of crimes not being reported to the police, the committee identified an issue regarding how crimes are classified. “Some of our witnesses stated that even crimes that violate the Computer Misuse Act 1990 are usually recorded according to the criminal’s intent. For example, a Denial of Service Attack would probably be recorded as extortion if its perpetrator was using it to blackmail the website owner. A phishing attack could also be recorded as fraud or money laundering,” the report says.
It also concluded that punishments for e-crime are more lenient than for traditional crime: “We were surprised by the fact Anonymous hackers who cost PayPal over £3.5 million were given sentences of seven and 18 months and do not believe they would have received such sentences had they physically robbed a bank of £3.5 million.” It recommends that the Director of Public Prosecutions should review sentencing guidelines and ensure e-criminals receive the same sentences as if they had stolen that amount of money or data offline.