Cyber Security

The Future of Cyber-Enabled Fraud

Deepfakes, biometrics and artificial intelligence: QA's Cyber Practice Director, Richard Beck, takes a look at the future of cyber-enabled fraud.

Looking Over the Horizon at Cyber-enabled Fraud

Today, we're in the middle of the fourth industrial revolution, one that is amplified by the popular use cases for AI, 5G connectivity, IoT (Internet of Things) and quantum computing. These digital technologies are changing the way in which we operate across every single industry.

This digitised society has transformed cybercrime and cyber-enabled fraud into a major revenue stream for organised crime groups (OCGs).

Office for National Statistics (ONS) figures show that there were 1.6 million computer misuse offences in the year ending 2022, an increase of 89% on the year 2020. Between November 2020 and 2021, the UK lost £2.5 billion in fraud and cybercrime cases.

Europol has identified cybercrime as a key challenge, noting its role in helping fraudsters to increase the technical complexity of their attacks. Meanwhile, the West Midlands Police and Crime Commissioner reports that in the past year, 89% of all fraud in the West Midlands was cyber-enabled.

Commander Nik Adams, Economic and Cybercrime Lead at the City of London Police, recently told the House of Commons that the force predicts anywhere from 25% to 65% growth in fraud over the next 4 to 5 years.

Counter-fraud responses from government, regulators and industry have failed to adequately tackle the growth in cyber-enabled fraud, whether through a coherent reporting strategy or adequate victim support. This has given rise to charities like the Cyber Helpline, staffed by volunteers, to help fill the current victim support gap.

In line with recent thinking from the UK Digital Strategy, digital skills and capability in emerging technologies are vital for growth and innovation in the UK economy, and crucial to the wider goal of combating cybercrime and reducing cyber-enabled fraud.

Crypto Legislation and Regulation Enablement

The Economic Crime and Corporate Transparency Bill will in time provide additional powers to law enforcement to help them seize and recover crypto assets, including on and off ramps, more easily, potentially expanding this to also include civil recovery powers.

As the UK government sets out plans to regulate crypto, the once insulated UK finance system will need to find the right balance when embracing emerging technical innovation for economic growth and protecting against the inevitable unknown crypto ‘shocks’ of the future.

The emergence of crypto assets and crypto fraud as a service presents new challenges to the counter-fraud and cybercrime landscape, particularly cryptocurrency, which uses blockchain technology to form a transactional database. Despite the use of blockchain technology, cryptocurrency provides an outlet for fraudulent finance that is harder to trace than payments made via traditional banking infrastructure. Crypto will become a pivotal outlet, seen today on a smaller scale, in evading economic sanctions through high-risk exchanges, whilst NFTs are still seen as a Trojan horse for wider consumer crypto adoption.

According to the National Crime Agency (NCA), which is calling for regulation of mixers, around 15% of all proceeds of crime were routed last year through crypto mixers, which can obfuscate and create some anonymity through coin shuffling.

Even with the potential regulation of some crypto assets, we know that cybercrime investigations often involve tracing and recovering funds as they are transferred across multiple crypto assets, including tokens or chains, and locked into initial coin offering (ICO) frauds using ‘pump and dump’ schemes.

An interesting development would be the establishment of a ‘failure to prevent fraud’ offence. This would mean an organisation would need to prove that it has reasonable and adequate procedures in place. This is notwithstanding the suggested amendment to create a transparent route for the funds generated by enforcement activity to go back into funding the agencies and protecting them from costs and damages in civil prosecution cases, subject to the next review phase on this legislative journey.

Reporting Cybercrime and Cyber-enabled Fraud

The government is due to release its updated fraud strategy, which links to the proposed changes to Action Fraud, which is earmarked for major reform. Some of this positive change is under way, with ten regional fraud squads recently formed.

With an improved national fraud and cybercrime reporting system, as announced in the Government’s Beating Crime Plan, counter-fraud skills, specifically for digital fraud, will need to be part of this strategy. The ONS reported last year that fraud accounts for approximately 41% of all crime against individuals.

Cybercrime prevention and disruption strategies will require a greater understanding of the criminal convergences, digitalisation and emerging technologies that enable and empower cybercrime actors.

While the data on cyber-enabled fraud and its perpetrators is incomplete, we can identify an upward trend over recent years. In the year ending 2022, fraud had increased by 25% compared with the pre-pandemic year to 2020.

Action Fraud reports that 80% of reported frauds are cyber-enabled; they could have taken place offline, but their scale, reach and impact have been expanded using online services and digital technology.

Ransomware and the cost of cybercrime is already up a percent of global GDP, over £500 billion a year. The global cybercrime epidemic shows every sign of continuing to rampage through every global economy.

While the limited Budapest Convention for cybercrime should be superseded by the new UN convention on cybercrime in 2024, new waves of cybercrime actors and unsophisticated organised crime groups without advanced technical expertise continue to emerge, akin to tech start-up disruptors.

Just over the Horizon: Deepfake and AI

Deepfake technology is advancing fast, especially when combined with AI tools, making it easier for OCGs to create realistic videos and audio recordings that can be used to deceive individuals and organisations. Often referred to as a ‘Frankenstein ID’, this is only marginally mitigated through the existing crude authentication of digital media.

Linked to this is business email compromise (BEC) or CEO (whaling) fraud, typically used to impersonate executives or trusted parties. It’s estimated that this accounts for 85% of all identity fraud in the UK. Validating a call-back, often used today in mitigation, will be disrupted in the future.

Biometric authentication isn’t new; however, techniques to investigate biometric digital fraud, and the development of new methods of detecting and preventing, for example, voice cloning, are still inadequate at scale.

Overlapping biometric and deepfake cybercrime is the fast-moving field of synthetic identity fraud, which combines real and fake information. This is a ‘long game’ cyber-enabled fraud, using the art of digital deception, and it’s often very difficult to detect.

Combining AI and biometrics will allow for the custom crafting of synthetic identities at scale. Managing the creation or growth of a synthetic identity over a long period helps to evade detection, sometimes escaping it altogether. An investigator’s success will often focus on the lack of ‘human’ inconsistency in these types of investigations, on behavioural analysis, and on the identification of patterns and anomalies with biometric verification.

2022 was reported as the biggest year ever for cryptocurrency hacking, and it slowed the rise of global crypto adoption, even managing to spook disruptors like Apple Pay and Google Pay from launching their own digital currency. The prospect of a digital pound, announced by HM Treasury and the Bank of England recently, has the potential to provide huge benefits to the economy, balanced by the inevitable cybercrime and digital fraud risks. This is notwithstanding the privacy and civil liberties infringement concerns, and the enablement of existing regulatory and legal frameworks to operate unimpeded when introducing the digital pound.

The greater adoption of, and over-reliance on, digital and emerging technology, the use of digital wallets aligned to our identity and biometrics, or DNA-based secure tokens in the long term within the Metaverse, take us to a new dimension of cyber-enabled identity theft.

In the medium term, the Metaverse, which is still pending a ‘killer application’, will move us beyond today’s ubiquitous mobile device dependency, introducing an immersive experience harnessing wearable technology. Cyber-enabled fraud within this new landscape will have big implications for brands and businesses stepping into this exciting arena, as consumers expect safety and security akin to the physical realm.

On a positive note, we will have the capability to utilise artificial intelligence, beyond the initial ChatGPT-type use cases, at an intelligent level, with the computing power of quantum, to detect cyber-enabled fraud within very large data sets at speeds beyond 5G.

At the same time, future-tech cyber-enabled fraud and cybercrime is pitted against a backdrop of cybercrime actors who are ready, willing, and never more able, assisted by the same emerging technology, to exploit technology for organised criminal gain! Or even a future nation-state destabilisation attack against a national digital currency, masked by multiple state-sponsored OCGs.

No single entity will ever have sufficient capability to outmove or get ahead of the organised criminal groups determined to exploit cyber-enabled fraud opportunities in the future. Chess moves aside, the future will require government and industry collaboration at new levels and unprecedented scale, with financial investment in emerging technology to match. Inevitably this will drive increased demand for digital security skills, way beyond the relaunched Cyber Aware hygiene bar for citizens, and importantly for every digitally transforming organisation.
