Once bitten, twice shy: ONS stats reveal public response to cyber-crime

News by Tom Reeve

Official statistics for fraud and cyber-crime show that cyber-crime is getting worse but the public's response to it is falling into a familiar pattern.

According to “experimental” cyber-crime statistics released by the Office for National Statistics, people are quick to learn from their mistakes when they become victims of computer crime.

The vast majority of victims of fraud and computer misuse have only been victimised once with only a small proportion saying they have suffered two or more times.

This is the first full year of fraud and cyber-crime statistics produced by the ONS. The figures are taken from data gathered by the 2016 Crime Survey for England and Wales (CSEW) and are labelled experimental while the ONS refines the survey methodology. They cover the period October 2015 to September 2016.

However, John Flatley, head of crime statistics and analysis at the ONS, told SC Media UK that the statistics are robust, giving a reliable picture of the public's experience of fraud and cyber-crime.

The statistics show that of those who have been the victims of cyber-crime and fraud, 82 percent reported being hit only once while 12 percent reported being hit twice and six percent said they had been victimised three or more times.

Flatley said that would indicate that individuals are learning from their experiences.

Looking just at computer misuse, 87 percent report being victimised once, eight percent twice and five percent three or more times. The category of computer misuse is further split into computer viruses and unauthorised access to personal information (including hacking) – but the numbers are broadly the same.

In the year October 2015 to September 2016, the number of fraud offences referred to the National Fraud Intelligence Bureau by Action Fraud in England and Wales was four per 1000 population, or 232,830, a drop of one percent on the previous year.

The survey data from the CSEW bears out the idea that victims are very unlikely to report these crimes to the police. The figure for fraud and computer misuse as a whole is just 13.7 percent, and people are more likely to report fraud (17.8 percent of incidents) than computer misuse (6.2 percent).

Flatley attributed this to the fact that when people are reimbursed for their online losses by their banks or credit card providers, they are very unlikely to report it to the police. Banks gather a lot of information about fraud and online crime but don't tend to pass cases to the police unless they have some intelligence value.

“It means that we can't use the police figures as a reliable guide to the totality of the problem,” Flatley said. “Which is why we draw on the resources such as the Crime Survey and figures from Financial Fraud Action UK.”

FFA estimates that there were 1.9 million cases of fraud on UK-issued credit cards last year, a rise of 39 percent on the previous year, but most of those cases aren't referred to the police. “By the nature of this crime, only a small fraction of cases have investigative leads,” he said. “If the cards have been cloned and then used abroad, there is often little the police can do to investigate. The card issuers need to put a stop on the card and write off the losses. It wouldn't be helpful for the banking sector to swamp police with cases that they can't do anything with.”

Breaking computer misuse down into its two sub-categories, only 1.9 percent of computer virus incidents are reported to the police but 14.7 percent of incidents of unauthorised access to personal information (including hacking) are reported.

The ONS looked at the number of incidents of fraud and computer misuse which were flagged as cyber and non-cyber crime and found that 68 percent were classified as cyber-crime.

“Fraud is one of the oldest offences on the statute books, but the internet gives the fraudsters a whole new way of committing crime,” Flatley said.

The inclusion this year of statistics for cyber-crime and fraud in the ONS figures for crime in England and Wales has resulted in a near doubling of the headline crime figure, taking it from six million to 11.8 million crimes.

But Flatley cautions that this doesn't mean the reality of crime has changed, only that crimes which hadn't been counted before are now being included.

The 11.8 million figure is still far short of the crime rates in the 1990s when online fraud and computer misuse didn't touch most people's lives. In 1995, the headline volume of crime was 19 million. Since then, the rates of household burglary and car crime have steadily decreased due to initiatives to design out crime.

Flatley said that a similar approach was needed by the IT industry to ensure a secure by design approach to cyber-security. “The same techniques will have an impact,” he said. “By designing out crime, you cut down on the opportunities for the criminals, and by educating the public, you teach them how not to become a victim.”

The proportion of all recorded crime that was flagged as an ‘online crime’ was just one percent, but certain crimes have been flagged as online crime at a much higher rate, including harassment and stalking (11 percent), obscene publications (43 percent), child sexual offences (12 percent) and blackmail (32 percent).

“This is new data which has come from a new stream of data that the Home Office collects from police forces. As it's just emerging, there is no reliable trend data,” he said.

Andy Lea, head of policing at KPMG, said: “The new fraud and computer misuse estimation of 5.6 million offences highlights the challenge forces face to be better equipped to fight cyber-enabled crime and the need for all of us to better protect ourselves. These figures also show the difficult decisions forces will need to make when prioritising their use of resources.”

Sean Martin, UK general manager at Covata, said, “Two million computer misuse offences sounds like a lot, but this is likely to be a drop in the ocean compared to the real extent of UK cyber-crime. This figure will increase over time as more people recognise they have been targeted and the police get better at detecting cyber-crime. That said, the police is doing the right thing by including cyber-crime in its crime report and it represents just how much crime has changed in the 35 years since the report was first generated.”
