In this blog Criminology Lecturer, Courtney Smith, investigates the growth of online fraud in a time of crisis. Courtney is interested in critically thinking about how traditional criminological theory may apply in the context of green criminology, exploring the challenges and benefits that this may bring to mainstream understandings of ‘crime’ and ‘justice’. Courtney enjoys taking a multi-disciplinary approach to her work, drawing on expertise from a range of academic fields.
There is one substantial truth when it comes to technology: the more ingrained these advancements become in our everyday lives, so increases the number of opportunities for cyber criminals to exploit societal vulnerability. Cyber-fraud can broadly be defined as deception through misrepresentation for financial gain and while non-specific this encompasses a wide variety of fraudulent acts from identity theft all the way to romance fraud. The nuances between method and motivations amongst the plethora of fraudulent acts can help create more narrow understandings of the various types of offences, though by and large the above elements remain consistently observed.
The scope of such crime is vast – the Office for National Statistics estimated that there were 4.5 million fraud offences in the year leading up to March 2022 (an increase of 25% on the year ending March 2020)! Of course, much of this increase was attributed to the behavioural shift to online living during the pandemic, with increases noted in consumer and retail fraud. Half of the respondents to the Crime Survey of England and Wales reported receiving suspicious emails, texts or social media messages that may be scam related.
What’s more is that West Mercia police have recently raised the alarm on two significant scams currently in circulation in the Worcestershire area: the first relating to PayPal scams and the second linked to energy scams targeting those experiencing financial hardship during the ongoing energy and cost of living crises. Cyber-fraud is, therefore, not something that occurs out of sight and out of mind. Rather it is an embedded component of modern-day living – and an understanding of such offences has never been more important!
Phishing and Spoofing
Cyber phishing is similar in concept to regular fishing – it is quite simply the use of as bait to lure individuals. Bait usually exists in the form of fake messages which trick users into clicking malicious links, providing personal information, or fulfilling financial requests. Links can be used to prompt individuals to unwittingly download malicious software which can infect and corrupt personal devices. However, phishing can also be used to distribute links to spoofed websites. These are webpages that masquerade as trusted sites such as personal banking log in pages or social media sites. Vulnerabilities are exploited when individuals log in by entering their usernames and passwords to these pages which are conveniently designed to communicate this information to the cybercriminal. It should be noted however, that spoofing is not only confined to websites but has also been observed in relation to phone numbers, text messages and email addresses and so there is a multitude of ways for phishing scams to be distributed.
Phishing scams tend to overemphasise a level of urgency and instil fear in victims with scammers encouraging immediate action to be taken. Simple prompts such as an inauthentic security alert encouraging a password change are enough to deceive users and provide an attacker with all the relevant information needed to exploit the individual for financial gain. Some phishing scams, known as spear phishing scams, are even more sophisticated. This is because they take longer to play out and require a high degree of knowledge about the target. Spear phishing attacks target specific individuals based on their characteristics or job profile, often mimicking language and email signatures that portray the correspondence as authentic and credible. It is this level of sophistication that induces a sense of trust amongst target populations and thus elevates the potential level of success for scammers.
Social Engineering
We have all heard the phrase ‘technology is only as good as the person who uses it’. While we may use this as a way to refer to our technological aptitude (or to somewhat evaluate the usefulness of tech developments), cybercriminals are instead keen to exploit our cyber-vulnerabilities through human error.
Social engineering relies on using human interaction and psychological manipulation to trick users into making errors when it comes to safeguarding personal and protected information. This process of manipulation sees the cybercriminal gain the confidence of their target via their misrepresentation of their trustworthiness. In some instances, attackers will even go as far as scoping out their victims, targeting those that evidence certain cyber-insecurities. It is important to note here that the reason social engineering works so well in the field of
cybercrime is because it does not seek to exploit the vulnerabilities of the technology. It simply capitalises on the capacity for human error!
How to Protect Yourself from Fraud
Despite the above allusion to the sophistication of such scams it is important to note that the sheer number of indiscriminate scams in existence mean it is imperative for individuals to know how to protect themselves from this type of extortion.
Action Fraud, the UK’s national reporting centre for fraud and cybercrime, advises individuals consider the following steps:
1. Stop: Take a moment to think before parting with your money or personal information. Thinking through the request for information may protect you from fraudulent activity.
2. Challenge: Scammers will try to rush you to send over information or monies. You can reject, refuse, or ignore requests if you suspect the request to be fake.
3. Protect: If you think that you are a victim of fraud contact your bank immediately and report it to Action Fraud online at https://www.actionfraud.police.uk/ or alternatively forward it to report@phishing.gov.uk