Viscount Colville of Culross (CB)

- Hansard -

Copy Link

-

My Lords, I was a member of the Fraud Act 2006 and Digital Fraud Committee, and it was a great privilege to serve with the noble Baroness, Lady Morgan, who so ably chaired it.

The committee was driven by the massive increase in fraud. We discovered that scams are being delivered not only online but through text and messaging services, using ever more sophisticated technology. The new threat is coming from deepfake technology. Only a few weeks ago, a video appeared on Facebook that seemed to be a CNN report, with the CNN logo strapped across the base of the screen. Regional executives of a major bank appeared the video promoting what appeared to be one of their big new funds. They were followed by a succession of customers who said that they had made up to £50,000 each by investing in the fund. The user was then urged to click on a link that facilitated investment into the fund but needed the user’s bank details to do so. Once fraudsters have this information, they can impersonate the user to take out a loan, make a purchase or do any number of fraudulent financial transactions.

The deepfake fraud is just the most up-to-date example of ID fraud. This is one of the first scams to use deepfake technology. The bank executives’ images and voices had been captured from their previous appearances on television and in videos and manipulated to make them appear to be pushing the fund. The bank had a terrible time trying to stop the dissemination of this fraudulent content. It had to play a terrible game of whack-a-mole. As soon as was it was taken down from one Facebook group, it appeared on another. It also appeared in other parts of the internet and went viral on platforms and phone services. Deepfakes are just the latest generation of scams. They are so powerful because the visual medium is still seen as more trustworthy than others. The bank is so concerned that any future video appearances by executives will have to be stamped with a watermark on screen as a means of authentication, which it hopes will make future manipulation of their images more difficult.

The Online Safety Bill will put the onus on user-to-user services to prevent fraudulent content appearing on their platforms, but the growing practice of smishing—sending fraudulent messages to collect personal financial information through text and direct messages—is also worrying law enforcement officers. These scams are increasingly disseminated on SMS and MMS platforms, and so are out of scope of the Online Safety Bill. According to CIFAS, 2022 saw the highest-ever volume of identity fraud cases. They were up by nearly one-quarter from the previous year. Nearly all the cases related to mobile phone products.

In the committee hearings we heard evidence of how criminals are frighteningly ingenious at finding ways to capture a user’s ID, both online and on mobile phones. The fraudsters send messages which often seem innocent enough, such as completing a crossword puzzle or taking part in a survey, all of which involve the user giving away their personal financial details. I recently heard about a victim who received an SMS message giving details of an expected delivery from DHL. When they called the number, they were put through to a fraudulent call centre, which asked for money to be paid for customs duty in order to release the package through Customs and Excise. Fraudsters are even using ID impersonation to break the secure customer authentication service which was set up especially by the banks as a secondary source of verification. They do this by diverting the message which is meant to go to a customer’s number and then take control of it.

CIFAS told me that in the past 12 months, there has been a rise in cybercrime service platforms on the dark web. One of these sites is selling up to 30,000 fake profiles, which can be used to push fraud, at a time. The whole fraud ecosystem is incredibly sophisticated. There are specialist roles for each stage of the fraud. First, there is a fraudster specialising in stealing ID, then another who uses the information to open bank accounts and set up customer profiles, and finally there is a specialist who can siphon off the money to the criminal. It seems to me that the major way of dealing with this is to incentivise platforms and telecoms companies, which are the enablers, to crack down on fraudulent activity online. I wholeheartedly support the attempts by the noble Baroness, Morgan, to extend the “failure to prevent” law to cover more enterprises and more harms but, despite wins on Report on the Economic Crime and Corporate Transparency Bill this week, the Government still seem reluctant to adopt the ideas in her amendments.

I have already mentioned the Online Safety Bill, which leaves so many of the systems which deliver fraud out of scope. Like the noble Baroness, Lady Morgan, I would like to see telecoms companies being held to account. They have already taken some steps to reduce fraud. The committee heard evidence about BT’s spam shield, which is blocking spam messages to users. SIM farms, where a mass of phone numbers can be bought to be used to send fraudulent text messages to tens of thousands of customers, are now being clamped down on but, as the committee’s report states, these current approaches by the telecoms sector are uneven, with counterfraud policies being introduced inconsistently across the sector.

It seems to me that the enabler of the fraud ought to be held responsible, at least in part. The banks are paving the way. The Payment Systems Regulator is already changing the liability for banks whose customers have been involved in fraud. It has set out a path for introducing a 50:50 split between the issuing banks and the bank that accepts the funds on behalf of the fraudster. In July it will consult on the draft legal instruments to put reimbursement requirements in place. The following month, it will consult on the maximum level of reimbursement and guidance on customer gross negligence. By October it hopes to get the final legal instruments to Pay.UK. Early next year, these measures will come into force. The regulator will also demand transparency, the publication of data on how well banks are protecting customers from fraud and the promotion of intelligence sharing.

The telecom companies are also enablers. Either they can take part in a compensation scheme along the lines of the banks or they can, as paragraph 522 of this report suggests, be part of a

“regulatory strategy equivalent to the Online Safety Bill that is directly applicable to telecoms platforms and services”.

In their response to the report, the Government said that, despite progress being made by the industry, more could be done to protect the customers. Instead of supporting a duty to prevent fraud, they suggest that the operators join the voluntary telecoms fraud sector charter. The Government have spent much time ensuring that online platforms are mandated to protect users against fraud. In a world in which fraud is now being delivered increasingly through direct messaging and SMS, why is one sector being mandated to take action while another is allowed to take part in counterfraud action voluntarily?