The police chief battling cybercriminals from Russia and Ukraine

https://www.theguardian.com/technology/2016/aug/27/london-police-chief-cybercrime-russia-ukraine-online-fraud-google-microsoft

Last Christmas Ian Dyson got a call from his bank. Was he really in a Travelodge, ordering takeaway pizzas? No, was his answer, he was at home with his family. Like millions of others, Dyson had fallen victim to card fraudsters stealing from his account. But Dyson is not like everyone else – he is the commissioner of the City of London police, with the job of protecting not just London but the whole country from fraud. And the depressing reality is, like so many other frauds, the criminals got away with it.

Dyson is disarmingly honest about the explosion in online fraud and cybercrime, and what realistically the police can do about it. “Every month Action Fraud [the national fraud reporting service] receives 40,000 reports, half a million a year, and we know from the ONS stats that’s only a small percentage of what is going on. There were 3.8 million frauds and two million cyber offences. You cannot enforce your way out of this. It’s physically impossible.”

It’s partly because the perpetrators are abroad, with around half of all cybercrimes reported to Action Fraud originating overseas, says Dyson, citing Indian call centres and Russian and Ukrainian websites. The City of London police have a specialist officer permanently stationed in Wall Street, and worked with the Spanish police to swoop on 110 conmen operating a “boiler room” fraud targeting elderly investors.

But Russia? Do the London police receive any help from their counterparts in Moscow? “No, not at all. Ukraine is limited too. You’ll be aware of the limitations of some foreign jurisdictions.”

Another limitation is budgets. “Policing has taken a 20% hit in its budget so I’ve got to do what I can with what I’ve got,” he says, while noting that virtually everyone else in the public sector has faced similar cuts.

“You have to be realistic with the volumes [of crimes] you’ve got, [and] about the global nature of the crime issue. I cannot possibly sit here and say I am going to investigate every crime. You can’t. But policing has never investigated every crime.”

The 40,000 reports to Action Fraud every month are whittled down to ones where the police think there are “actionable leads”. Some go up to the National Crime Agency or the Serious Fraud Office, some are pushed out to the other 43 police forces across the UK, while the City of London police tackle the rest.

“There are 700 cases the City of London police are investigating at the moment. That’s me rather than ones disseminated to other forces. In the top 10 there is about half a billion pounds worth of fraud being investigated.”

What he dubs “CEO fraud” is the latest online crime wave City of London police are facing. It’s when a junior person in the finance department of a big company receives an email from the chief executive officer of the firm, asking him or her to move money from one account to another. The email is fake; somehow the fraudsters have hijacked the boss’s email account, or created one that is near identical.

“One major company lost three lots of £250,000 this way,” says Dyson, noting that the culture in some big businesses is such that junior staff are too nervous about confronting their bosses when they receive an email which appears to be from them.

Dyson notes that the other worrying online crime wave is “mandate fraud”. You receive an email from your builder, who’s doing your extension, politely telling you he has changed his bank account details, and could the next £20,000 payment for the extension go into this account? Again, the email has been hijacked, and the householder hands over their life savings – never to be seen again, as banks do not take responsibility. Guardian Money has highlighted numerous sad tales of how people have been conned this way.

Have online fraudsters caught the police napping? Did we put bobbies on the beat when we should have been investing in fighting online fraud? In a frank admission, Dyson says: “To be honest, who’d hold up a bank these days? Who would rob a bank now when you can make it all online in seconds?” His office is just yards from the Bank of England, yet about the only robberies he sees are of betting shops, one of the last major cash-handling businesses around.

He acknowledges that the public think that when they report an online crime, nothing seems to happen. “There is a public perception that PC Plod is losing the war against these highly sophisticated cybercriminals. It’s a perception I’m trying to address.

“Last year 180,000 websites, phonelines and bank accounts involved in fraud were closed down following police intelligence. So disruption is a big thing… Your report, combined with hundreds of others could lead us to close down that website and prevent people from becoming victims of fraud. While you might not get your money back, it will go at least some way to stopping others [from being a victim].”

Disruption is a word Dyson uses a lot. He reckons the best approach for his force is to gain intelligence from the public and other government agencies, and use that to intervene before more victims are conned. It’s why he’s investing heavily in a new IBM project for Action Fraud that should turn it into the world’s most sophisticated anti-fraud intelligence system. The quicker the police can see the signs, the more rapidly they are able to respond, he says.

But the public have to do more: “The public have to shift their mindset around crime. The public have to understand we cannot enforce our way out of this, [given] the volume of crime, the fact that it is global and happening so fast, and that money can be moved so quickly. It has to be about prevention and protection.”

Don’t use “password” as your password, he says. If that email arrives asking you to pay the money into another account, ring the builder, he adds. There are many, many more simple measures the public can take, he insists. In September, the government will begin a public information campaign, which Dyson says will evoke the message of the 1970s “clunk-click, every trip” campaign to get the public to use seatbelts in cars. We need the same thinking when it comes to transacting online, he says.

But shouldn’t the banks be doing more? Can the public really protect themselves from genius hackers determined to break into their accounts?

Dyson is reluctant to criticise the big banks, though he says insurance companies have a much better record than high-street banks at cooperating in fighting fraud. The insurers have paid for 35 police officers in the City of London force alone to battle fake insurance claims and have had a string of prosecution successes.

He would like the banks to be rather more intelligent when an elderly customer walks into a branch and demands to withdraw nearly all their savings when they have never taken out more than £100 before in one go. It’s usually because they are being conned.

Banks may often fail to report a fraud, in part because of the odd way in which crime is recorded. When Dyson’s own card details were stolen, he was fully compensated by the bank. That means, according to Home Office rules, that the bank was the victim of the crime, not Dyson. “It’s something we are talking to the Home Office about,” he says.

Critics say that police fraud-busters are just not technically competent and resourced to catch cybercriminals. Dyson bridles: “I’d like to disabuse anyone of the view that they are all smart computer geeks, the archetypal spotted teenager hacking into US military computers. They are not. You have some people who are business people who before the internet would have been conning people out of investments. They are doing the same now but are doing it online. Then you have the people with a slightly smarter mate who have found a quick way to make money.”

The boiler room criminals in Spain are the type who were breaking into cars before the advent of the internet, he says. But in 33 years of policing, he says criminals are changing. They used to specialise in a line of business – armed robberies, drug dealing, etc. Now, Dyson says, everybody tries a bit of everything.

Meanwhile, the police have their own geeks. Dyson says the City of London force have staff seconded to them from Google and Microsoft whose internet expertise is a match for any cybercriminal in Russia: “My guys will understand the forensic footprint of these crimes in the same way detectives are aware of forensic opportunities at the scene of a burglary.”

He is proud of his force’s work to fend off pension fraud, which was widely expected to balloon in the wake of the new pension freedoms, but has so far been suppressed by the police working with the pension providers. The force was also instrumental in stopping BT from keeping lines open after a phone is put down, a frequent tactic used by fraudsters to convince people who called back that they were speaking to their bank.

More money would help, Dyson says. For every pound invested in fighting fraud “we are preventing about £60 worth of fraud”. Meanwhile he’s behind a pilot project in which private law firms will be hired by police to help seize the proceeds of crime and repay victims earlier.

“We’re an innovative police force,” he says. “The investment in the last 10 years was in neighbourhood policing and the visibility of police officers. We are shifting, in fairness, policing is shifting to deal with online.”

Unfortunately, as he looks out of his offices over the towers of London, while fighting fraud fills much of his time, there is another more serious threat. “My number one priority at the moment is counter-terrorism. We are quite a target-rich environment.”

How to protect yourself

There were more than 5.8m incidents of cybercrime in the past year, enough to nearly double the headline crime rate in England and Wales, writes Patrick Collinson.

The Office for National Statistics said last month that one in 10 adults have been victims of cybercrime and online fraud over the previous year in the first official estimate of the scale of scams, virus attacks, thefts of bank details and other offences. An initial ONS estimate in October last year put the annual figure at 3.8m, or 40% of all crimes.

Costing an estimated £193bn a year, cybercrime is nearly as big as all other crime, such as home burglary, car thefts and violence against the person. The ONS added that the chance of being a victim is the same regardless of social class or whether you live in a deprived or affluent, urban or rural area.

Meanwhile, the figures for crime excluding online offences dropped in the year, falling by 6%. The long-term trends in traditional crimes such as burglary, car thefts and criminal damage showed that the fall in crime since its 1995 peak had slowed down since 2005. The survey found there had been no change in the overall level of violent crime compared with the previous year.

So what are the easy steps to protect yourself from online crime that Commissioner Ian Dyson recommends?

• Never disclose security details, such as your pin or full banking password. Banks and other trusted organisations will never ask you for these in an email, on the phone, by text or in writing. Before you share anything with anyone, pause to consider what you’re being asked for and question why they need it. Unless you’re 100% sure who you’re talking to, don’t disclose any personal or financial details.

• Don’t assume an email or phone call is authentic. Just because someone knows your basic details (name and address, even your mother’s maiden name), it doesn’t mean they are genuine. Fraudsters may try to trick you and gain your confidence by telling you that you’ve been a victim of fraud. Fraudsters can also make any telephone number appear on your handset, so even if you recognise the number or it seems authentic, do not assume they are genuine.

• Don’t be pressured into a decision. Under no circumstances would a bank or organisation force you to make a financial transaction on the spot; they would never ask you to transfer money into another account for fraud reasons.

• Listen to your instincts. If something feels wrong, it is usually right to question it. Fraudsters may lull you into a false sense of security when you are out and about or rely on your defences being down when you’re in the comfort of your own home. They may appear trustworthy, but they may not be who they claim to be.

• Stay in control. Have the confidence to refuse unusual requests for personal or financial information. It’s easy to feel embarrassed when faced with complex conversations, but it’s OK to stop the discussion if you do not feel in control of it.