New Fraud Taskforce: Game-Changer or PR Move?Experts Debate Impact, Global Influence of U.K. Initiative
The formation of a new U.K. taskforce that aims to curb financial fraud and cybercrime by facilitating stronger collaboration among banks, government and law enforcement is getting mixed reviews from industry experts.
See Also: A Toolkit for CISOs
The Joint Fraud Taskforce, announced last week by the Secretary of State for the Home Department, Theresa May, includes representation from the London Police, the National Crime Agency, the Financial Fraud Action UK, the Bank of England, British fraud-prevention agency Cifas and CEOs from the country's major banks.
The taskforce's initiatives include:
- Better understanding cyberthreats, by identifying intelligence gaps and vulnerabilities;
- Fast-tracking intelligence sharing between banks and law enforcement for a more coordinated approach to track down cybercriminals;
- Creating a new list of the top 10 most-wanted fraudsters;
- Developing a more efficient system for identifying cybercrime victims and potential victims;
- A nationwide rollout of cybercrime intervention training for bank staff;
- Consumer and business education about cybercrime to raise public awareness; and
- Removing weak links in financial systems and processes that can be exploited by fraudsters.
"It is clear that fraud is often coordinated by organized criminal gangs, increasingly using online channels to dupe unwitting individuals and access their accounts," May says in a speech she gave last week about the taskforce's purpose. "There is growing evidence they do so from jurisdictions out of reach of traditional policing, using technology that make them difficult to investigate."
And many times these cybercrimes are being waged against financial-services companies to help fund terrorist activity, she adds.
"That is why today is so important," May says. "It represents a united front of government, law enforcement and industry in preventing, identifying and cracking down on fraud."
But critics question how effective the taskforce will actually be at bringing cybercriminals to justice and reducing fraud. They also tackle the question of whether such a group could be effective against fraud in the U.S.
Impact on Fraud in U.K.
While in theory, May's vision of a union of law enforcement, government and the private sector sounds like a strong one, critics say the task force's formation is more about spinning positive political publicity than coming up with a strategy that can actually make a difference in reducing fraud losses.
That's because catching the criminals that wage these attacks will be the real challenge.
Thom Langford, chief information security officer at Paris-based public-relations firm and consultancy Publicis Groupe, in a tweet he posted Feb. 10 about the new taskforce, says convincing law enforcement to take this initiative seriously won't be easy.
Biggest problems is getting law enforcement to take this seriously. I have multiple complaints and zero follow up -> https://t.co/JP1udSuKboï¿½ Thom Langford (@ThomLangford) February 10, 2016
And the collaboration challenge goes both ways, one cyberfraud and threat-intelligence expert, who asked not to be named, tells Information Security Media Group. British banking institutions have little respect for some of the entities that compromise the taskforce, the expert says, including law enforcement, which is likely to hinder the group's success.
"Faster intelligence is not going to happen, as the banks and police do not share between themselves," the expert says. "The police mean well, but are two years behind the U.S."
This observer also says most U.K. banks have little respect for the Financial Fraud Action UK, which has had little impact on reducing fraud. "This initiative is more relevant in the U.S., because of credit card fraud in the U.S. and large amounts of criminals who buy this data," the expert adds.
Need for Change
Still, others say there is a clear need for fraud-fighting change in the U.K., and this taskforce could be an answer.
In October 2015, a cybercrime study commissioned by the city of London noted that e-commerce fraud losses totaled Â£217.4 million (U.S. $313.8 million) in 2014, with losses to the banking sector from online-banking fraud peaking to a new high at Â£60.4 million (U.S. $87.2 million).
The report also notes that 90 percent of large organizations in the U.K. said they had been impacted by a security breach in 2013 and 2014.
And, for the past year, authorities in the U.K. and the U.S. have warned of significant upticks in business email compromise fraud, also known CEO fraud, which the Federal Bureau of Investigation in August 2015 warned had resulted in the theft of more than $1.2 billion from businesses worldwide between October 2013 and August 2015.
Chris Pierson, a cybersecurity attorney and chief information security officer for invoicing and payments provider Viewpost, says the taskforce's focus on public awareness could have an impact on reducing losses linked to BEC attacks. But how much impact will depend on how aggressive the taskforce gets with its educational campaigns."
"The best chance for success against BEC/CEO fraud will be user awareness and education," Pierson says. "However, every week thousands of people around the world are duped into Nigerian scams and fraud, despite years of education and awareness of the threat and just pure common sense."
But Avivah Litan, a financial fraud expert and analyst for consultancy Gartner, is more optimistic about the impact the taskforce could have. Raising security awareness is the only "practical way" to address BEC threats, she says.
"It is too impractical to think all the businesses potentially impacted by this type of fraud will implement the necessary technical controls required to mitigate it. It just isn't happening," Litan says. Yet online banking fraud, and fraud in general, is growing significantly in the U.K., and if the authorities don't stem the tide, "U.K. citizens will feel unsafe and will not trust the financial service sector."
Could Taskforce Work in the U.S.?
Litan says that in spite of the challenges, the British government's formation of a taskforce is a huge step forward.
"Close collaboration between law enforcement and the banks is always a good thing," Litan says. "Plus, victims sometimes have trouble getting refunds; so this task force should help put attention on that fact and facilitate the victims' funds recovery."
Still, Litan agrees that it will probably take time for law enforcement and the banks in the U.K. to improve their information sharing and collaboration efforts.
"I think getting buy-in from the banks is problematic, as they have to be convinced that they should share threat intelligence with law enforcement as soon as possible," she says. "This is time-consuming for them, and they also aren't convinced the efforts are always worthwhile. Conversely, yes, law enforcement must be prepared to share their intel with the banks, without fear of disrupting investigations in process."
Litan, however, does not think overcoming those hurdles will be a challenge, and could offer some worthwhile lessons for the U.S.
"I see a lot of strong collaboration in the U.K. between law enforcement and the banks, and just between banks as well," she says. "I think the U.K.'s spirit and practice of collaboration on cyberthreat and cybersecurity matters is much stronger than it is in the U.S., probably because there are far fewer banks and players involved than there are in the U.S. Here [in the U.S.], we tend to get bogged down by multiorganizational processes and bureaucracies that you don't see as much in countries with far fewer banks."
Bill Nelson, president and CEO of the Financial Services Information Sharing and Analysis Center, which has a presence in the U.S. and the U.K., says that while extraditing and arresting the cybercriminals who wage cybercrimes continues to pose challenges, the formation of this taskforce and other initiatives could start to make waves that have a global impact.
"The issue always is, 'Can you arrest the criminals?'" Nelson says. "But I do think the announcement about this taskforce is exciting news. It shows that people are taking cybersecurity seriously."
What's more, Nelson says he sees the actions of this task force aligning well with those being spearheaded by the Global Cyber Alliance, an international, cross-sector alliance established in January to identify, confront and prevent cybersecurity risks.
The GCA is a global cybersecurity partnership founded by the New York County District Attorney's Office, the London Police and the Center for Internet Security.
"I don't think this taskforce in any way competes with the FS-ISAC; in fact, I think it's a nice complement," Nelson says. And I can see this task force and the Global Cyber Alliance also working well together to identify the risks associated with cybercrime and then coming up with ways to address those risks."
Tom Kellermann, CEO of Strategic Cyber Ventures, an investment fund for cybersecurity companies, says the taskforce's partnership between the public and private sector is "historic."
"It will take years; but I applaud this collective effort," he says.