UK Finance's 'fraud the facts 2019' report said £1.2 billion was successfully stolen "through fraud and scams" in 2018. Personal data stolen from businesses was used to perpetrate much of that fraud, according to the report.
"The theft of personal and financial data through social engineering and data breaches was a major contributor to fraud losses in 2018," UK Finance said. "The stolen data is used to commit fraud both directly and indirectly. For example, compromised card details are used to make unauthorised purchases online and personal details are used to take over an account or apply for a credit card in someone else’s name. Criminals also use personal and financial data to defraud customers, using information gained about an individual to add apparent authenticity to a scam."
"Information stolen through a data breach can be used for months or even years after the event," it said.
UK Finance said unauthorised financial fraud losses across payment cards, remote banking and cheques rose 16% in 2018 to total £844.8 million. Authorised push payment fraud accounted for a further £354.3m of losses. A new voluntary code for reimbursing APP scam victims is due to be implemented on 28 May 2019, UK Finance said.
Banks and payment card providers helped prevent further fraud totalling £1.66bn in 2018 through their "advanced security systems and innovations", UK Finance said. Some firms are looking at how to harness "behavioural biometrics" to identify and prevent fraud, it said.
"Some banks have adopted software that monitors the ways in which consumers type and swipe on their devices or how they hold their device in terms of grip, when logged into banking apps," UK Finance said. "If this ‘behaviour’ changes then the software will flag up potentially suspicious activity and could prompt a call from the bank. Use of this technology has helped to prevent tens of thousands of pounds of fraud going through."
Cyber risk expert Ian Birdsey of Pinsent Masons, the law firm behind Out-Law.com, said cyber criminals are constantly evolving their approach, and that there has been a greater focus in the past 12 months on targeting business emails and diverting payments.
"Attackers are increasingly patient and sophisticated, regularly monitoring a user’s mailbox for months in order to build up a picture of the company’s transactions, the user’s communication style and, crucially, internal processes for payments," Birdsey said. "With this intelligence, attackers have perpetrated some significant financial frauds which are commonly worth seven figures."
"There are some very simple steps organisations can take to avoid falling victim to such scams, including multi-factor authentication and implementing appropriate internal processes for any change of bank details," he said.
Katy Worobec, managing director, economic crime at UK Finance, said the financial services firms cannot tackle the threat of fraud alone.
"As this report shows, data breaches at third parties continue to be a major contributor to fraud losses," Worobec said. "There has been a number of high-profile incidents in 2018, many targeting well-known brands, where customer data was stolen. Whether it’s at a retailer, utility company, transport provider or elsewhere, the theft of personal and financial data can both directly lead to fraud losses or be used by criminals as part of their scams. The data can be used for months and even years after the breach takes place."
"These incidents occur outside of the finance industry’s control, yet it is banks and their customers who bear the impact. So, it’s imperative that any organisation that controls customer data does everything in its power to keep it secure," she said.