Almost exactly five years ago I received a disappointing email from a senior fraud investigator at the City of London Police, explaining that he and his colleagues had postponed research into telecoms fraud because they needed to don their uniforms and patrol the streets in the wake of the London Bridge terrorist attack. There can be no dispute that the police should prioritize how they deploy their scarce resources, and that public safety comes first. It is understandable that terrorism absorbed their attention following a night when eight people were savagely murdered and 48 others were injured. But after that incident it never seemed that the British police showed any zeal for tackling telecoms crimes… until now. Any telco fraud professional living in the UK must have noticed the recent glut of news about the police tackling telecoms crime. Many of these stories are linked to demands that telcos take more action to protect the public from fraud. The change in the police’s attitude to publicizing their anti-fraud efforts is best illustrated by the following BBC video of a raid on a smisher. I count at least 15 police officers lining up to smash their way into the smisher’s home, ready to confiscate the eight SIM cards in his ‘SIM farm’. That is almost two police officers per SIM card, not including the police staff that arranged for a BBC News remote camera crew to join the operation.
We can all be glad that Teige Gallagher, the man arrested in this video, has since been given a prison sentence of four years and three months. Gallagher sent SMS messages and created websites that impersonated the National Health Service, government departments and reputable businesses in order to trick the unwary into sharing their personal data. This kind of crime is despicable. However, it is not new. So why are the police dedicating more resources to it now? Or has a modest change in the level of police work been exaggerated by the press coverage? Is the driving factor a rise in this type of crime, a fall in other types of crime, changes in strategic priorities and the way the police operates, changes in their communications strategy, or has it occurred because the police are being paid by the private sector to do this work?
The pandemic has definitely reduced crime overall. Put simply, there are many types of crime that cannot be committed by people locked inside their own homes. The Office for National Statistics (ONS) tells us that for England and Wales in the year ending December 2020:
Total police recorded crime decreased by 8% to approximately 5.6 million offences, driven by falls during the periods of national lockdown, particularly April to June 2020 and mainly theft offences.
The most dangerous types of crime, including homicide, firearms offenses, knife crime, arson and sexual offenses are well down. Fraud figures for 2020 were overall similar to 2019, but there was a sharp increase in one type of fraud:
In the year ending December 2020, UK Finance reported 2.9 million cases of fraud involving UK-issued payment cards, remote banking, and cheques via their recording system, CAMIS. This shows a 4% increase compared with the previous year (2.8 million). There was a 68% increase in “remote banking” fraud (73,640 incidents).
Notice how the police and government rely on an industry body, UK Finance, as their main source of intelligence for this type of crime. UK Finance states that it has almost 300 members drawn from the banking and financial services sector. The police’s Action Fraud unit also registered an increase in similar online crimes.
The coronavirus (COVID-19) pandemic is likely to have had differential effects on trends in fraud offences because of lockdown restrictions. For example, data from Action Fraud showed a 38% increase in “online shopping and auctions” fraud in the latest year (86,984 offences), which could be accounted for by the increase in online shopping because of the closure of shops during national lockdown restrictions.
So it is fair to conclude that policing priorities should change because of a rise in the reported number of online and phone frauds compared to a fall in other kinds of crime that would otherwise consume a lot of police time. However, this should be caveated by the fact that the police often comment that they believe fraud is massively underreported, begging a question of how much an increase in reported fraud is due to an actual increase in crime or to the increased likelihood of the crime being reported.
Policing and Publicity
It would be overly simplistic to assert that all police efforts to catch smishers can be linked to a rise in frauds that occurred during lockdown. For example, it took many years to investigate two members of a smishing gang, Quin Huang and Clarke Morgan-Findlay, who were sentenced to prison in March:
The convictions are part of a complex investigation by the Met into an organised crime network (OCN) responsible for ‘smishing’ fraud offences across the UK. The losses attributed to this OCN against two major UK banks is conservatively estimated to be in the region of £20-£30million.
The defendants’ mobile phones had thousands of messages relating to these offences as well as photographs, screenshots and videos of mule bank accounts and bank cards. It is not possible to establish the precise number of how many money laundering offences are evidenced on the mobile phones, but it is believed to be in the hundreds.
However, the prosecution was limited to a total of 15 offences of money laundering – 12 between the dates of 11 July 2017 and 2 October 2017 and three between the dates of 28 August 2019 and 16 January 2020, totalling in excess of £250,000 of losses to victims.
On 11 April 2018, Morgan-Findlay was arrested by officers, who recovered the mobile phones and a number of items… He was released under investigation pending further enquiries.
I mention the story of Quin Huang and Clarke Morgan-Findlay because it differs from that of Teige Gallagher and other recent arrests. These latter arrests all involved the Dedicated Card and Payment Crime Unit (DCPCU), which has shown itself to be keen to influence the UK media. For example, the DCPCU recently boasted that its ‘crack down’ on COVID-19 scams had prevented GBP20mn (USD28mn) of fraud during 2020. The DCPCU have special reason to advertise their successes because their work is paid for by the private sector. That is why you will find all their press releases on the website of the aforementioned UK Finance, which helpfully tells us that the DCPCU…
…is fully sponsored by the cards and banking industries
There is nothing inherently wrong with the private sector funding additional police work to protect customers, although there has been much recent debate in the USA about the creation of private police forces following trials surrounding a crime-tracking app called Citizen. The entertainment industry has long provided financial backing for policing efforts aimed at copyright enforcement, often facilitated by the creation of privately-owned organizations run by former police officers, such as the Federation Against Copyright Theft (FACT), a UK-based entity that spawned a thousand internet memes because of their overblown anti-piracy videos. The widespread mockery generated in response to FACT’s campaigns showed that even law-abiding individuals will question the impartiality of information that appears obviously biased. Any neutral should apply skepticism to the reports of a privately-funded police unit in much the same way they would be wary of claims made by a business. However, the British press seems to lack objectivity, and they eagerly recycle the publicity supplied by the DCPCU without much critical examination of their motives.
Blurring the Blue Line
I cannot claim to have much influence, but the repeated subtext of conversations I have had with the British police is that life would be better for everyone if telcos were willing to pay for more police work. The police are entitled to that opinion, and I never heard them saying anything unethical. Nevertheless, there is clearly a danger that a line can be crossed when the police both solicits for funds from the private sector whilst influencing news stories presented to the public.
Recently I wrote about a BBC Radio 4 program where a representative of Ofcom, the UK comms regulator, was lambasted because UK telcos have not yet been forced to spend approximately USD100mn on the nationwide implementation of the STIR/SHAKEN anti-spoofing protocols. The presenter, Paul Lewis, threw some dubious statistics at his interviewee, without mentioning where his numbers came from. However, the source of the figures becomes apparent when listening to an earlier episode in that series, where the same statistics were quoted during a conversation with the UK’s top fraud cop, Graeme Biggar. Those statistics were obtained from an analysis of online scams supplied by UK Finance, who reported that Authorised Push Payment (APP) fraud losses totaled GBP479mn in 2020 (USD678mn), a rise of five per cent compared to the previous year. This was then incompetently misrepresented by Paul Lewis, who implied that ‘half a billion pounds’ of fraud was caused by CLI spoofing, even though APP fraud covers many more criminal techniques than the narrow subset involving scam phone calls. Either Lewis was shamefully cavalier about facts or UK Finance inadequately explained statistics so they could be understood by a BBC journalist that has fronted the same consumer finance show for over 20 years. Whatever the explanation for Lewis’ misreporting of crime figures, it is a fact that an entity paid for by banks, which makes a substantial financial contribution to the policing of fraud in the UK, supplied statistics which were discussed by the UK’s top fraud cop as part of an argument for telcos to increase spending on the prevention of theft from bank accounts. This is not extortion, but nor is it objective.
The rate at which telcos come under attack appears to be increasing. Just last week Sir Tom Winsor, HM Chief Inspector of Constabulary, joined a series of other current and former officials in insisting that mobile phone firms had made life ‘easy’ for scammers by allowing them to obtain multiple SIM cards without demanding sufficient ID. A further article in The Times continued the theme of presenting the police as overwhelmed because they receive insufficient help from telcos. These particular arguments focused on preventing SIM swaps as well as reducing the number of SIMs in the hands of criminals, though we know from a Freedom of Information request that the British police has repeatedly supplied unreliable SIM swap statistics to the national press, not least because they are guilty of double-counting the same crimes. None of the recent news articles deigned to make one crucial observation: a criminal like Teige Gallagher would not be able to simultaneously use eight SIMs to send thousands of messages from his bedroom if he had been prevented from purchasing the equipment necessary to do it. We all know that multi-SIM equipment of this type has very few legitimate uses, so is mostly bought by criminals.
Instead of trying to prevent Gallagher from obtaining eight SIM cards – a virtual impossibility unless the government passes a law limiting how many phone lines an individual can legally purchase – why not focus on restricting the equipment that fraudsters rely upon, but which hardly anyone else ever needs? Is it because the UK government and Ofcom have made a mess of banning simboxes, with the result that a protracted legal battle will likely see the Supreme Court finally conclude that simboxes are legal in the UK, leading to potentially massive compensation claims by businesses that used them to bypass termination fees? I get the sense that the police is not interested in criticizing the obvious failings of the government because they do not want to bite a hand that feeds them… and because the telecoms industry is not one of those hands.
Lazy journalists like the BBC’s Paul Lewis cannot be relied upon to present (or even understand) the relevant numbers, so let me finish by sharing some figures relating to the cost of fighting fraud. The City of London Police is tasked with taking the lead with fighting fraud across the whole of the country, but their entire annual budget is just GBP65mn (USD92mn). That is the budget for everything that police force does, not just its anti-fraud work, which perhaps explains why their best fraud experts must patrol the streets following a terrorist attack. The 2020/21 budget for the industry-funded DCPCU is GBP2.66mn (USD3.77mn). At the same time, we now have police and their media allies demanding that the UK telecoms industry spends around USD100mn on the implementation of a technology meant to reduce CLI spoofing but otherwise irrelevant for most of the frauds that the banks are worried about. In addition, we are told that telcos should make it harder for ordinary consumers to obtain a phone service, which must necessarily reduce revenues as well as causing inconvenience, but neither the government nor the police need do anything about the unrestricted sale of equipment that is almost exclusively used by fraudsters. This raises many questions about the objectivity of the police and the information supposedly presented to inform public debate.