Fake Boris’s? That’s not even the most horrifying thing about digital fraud…
Why are companies losing so much money and how can we stop it?
Anyone who actively chooses to be Boris Johnson should automatically ring bright red alarm bells. Last week, a man was arrested in Holland for just that. Putting aside his clearly diminished mental state, the arrest revealed how easy it now is to get any sort of fake id online. He had uploaded a floppy haired photo of our morally floppy ex PM and secured a driving licence in his name. Who knows if this man would have made a better politician but he definitely wasn’t able to drive legally.
I am sure everyone has a war story about an incidence of digital fraud that has happened in their business. I remember in 1999, I was using faxes to send credit card details across to our lastminute.com suppliers as the early website was held together with bits of string. Shocking I know, but one day I found a stack of paper on the photocopier full of customer information. I remember thinking: “Oh dear, we should probably invent a better way of doing this.”
Estimates of the impact on the economy now are staggering. The Royal United Services Institute reckons fraud costs the UK £190bn, of which the majority is online.
Last week, Baroness Morgan, who chaired an excellent special committee on digital fraud in the Lords, slammed the government and law enforcement agencies for not treating fraud as seriously as other crimes. [NB was it ‘last week’ in Sunday newspaper time? Or ‘earlier this month’?] Unless a victim “bangs, bleeds or shouts” they are not treated as victims. And yet OFCOM data suggests nine in 10 of us have encountered online scams and 60 per cent of us have suffered as a result.
And as if this area is not complex enough, generative AI enables far more sophistication in these scams. We know that people are creating fake profiles of normally trustworthy sources and encouraging customers to transfer money or buy sham products. Synthetic identity is no longer in the realms of sci-fi. If you’re a celebrity business leader with your own podcast or one that has made a speech recently, a clip of your voice will be out there and could be made into a fake video for your employees or customers.
Cybersecurity has moved up the corporate agenda over the last decade, and yet digital fraud is rampant. Boards and executives have put focus into stopping cyber attacks that take down a service or hack customer data but there is more to do on other kinds of fraud. You’ve probably already updated all your software, done a risk audit and maybe even bought in some experts. So, what else might help? Here are some ideas.
Firstly, embrace ethical hacking and bug bounties. Instead of solely relying on internal security measures, consider inviting external hackers to test your systems for vulnerabilities. Establishing bug bounty programmes encourages ethical hackers to proactively search for weaknesses in your digital infrastructure. By rewarding them for finding and reporting vulnerabilities, you identify potential issues before malicious actors exploit them, while the hackers receive recognition and compensation for their efforts. I have even heard of a company that pays rather than penalises their employees if they find an issue. [is this surprising? I would have thought internal bug bounty schemes would be the norm?]
Secondly, think two steps ahead about what skills you might need and lean into the technology that is emerging. Encouraging employees to participate in cybersecurity awareness programmes and providing them with ongoing training on topics such as phishing, social engineering, and secure online practices will help, but only up to a point. Companies I have seen get good at security also think laterally about hiring. One company brought in a biometric expert before it was a well known area, another brought in a psychologist/analyst, which is increasingly a skillset useful in unpicking crimes.
Thirdly, collaborate with competitors. Consider forming alliances or partnerships with other businesses in your industry, even if they are rivals. By exchanging insights about new fraud techniques, emerging trends, and preventive measures, you will collectively enhance your defences and stay ahead of the fraudsters.
Finally, It is important to be aware of the latest legal responsibilities and where you might be vulnerable if not proactive. Companies are to some degree already held liable for digital fraud, and rightly so in many cases, but there are still grey areas.
Where does the responsibility lie if a criminal gang is using your corporate identity to trick customers? Bad actors increasingly use this strategy. I met the CEO of a small marketing agency in Durham recently who had found that scammers had set up an email address using his company name and were approaching his customers offering made-up services and demanding payment for things such as website domains. Not surprisingly his customers were furious and wanted compensation. Having clear policies and understanding where liability sits in these complex scenarios is essential.
Naively, never did I imagine the tech revolution of the early nineties would mean the criminal world would change so fast and in such sophisticated ways. Right now the double whammy of global recession and much more accessible AI technologies will sadly drive more people to exploit others. It’s not only the horrific thought of more Borises being engineered that makes this an urgent issue in any business.
An increasingly important topic, Martha.
For example, fake voices (of family and friends) will inevitably be used to defraud telephone customers. It's now time to start treating telephone companies in the same way we treat social networks. The telephone system is a 'platform' on which crimes are being committed every minute of every day.
Let's hold the phone company CEOs accountable for the crimes committed on their networks. They sell blocks of phone numbers to the fraudsters and these companies can see all the call traffic, so they must know who the criminals are. This means that they're complicit. It's unacceptable for phone companies to have got away with this for so long.
It's time we brought this epidemic of phone fraud to an end. Fraud victims (or even their banks) should take phone companies to court. We need to know whether the law will back the victims or the network operators. If CEOs are told that they are 'on the hook', this malpractice will end overnight.
We look to Parliamentarians of both Houses to defend telephone customers, and especially the thousands of fraud victims. Let's get these CEOs in front of a Committee and hear what they have to say.