FFA UK’s membership includes all the main retail banks, credit, debit and charge card issuers, and card payment acquirers. We increasingly see the customer being targeted as the nature of criminal attacks constantly changes, and as such the protection of the customer sits at the heart of what we do. Our mission therefore is to work effectively and collaboratively to protect consumers and businesses from being victims of financial fraud, and in doing so create the most hostile environment in the world for financial fraud.
FFA UK is an authoritative voice in the complex landscape of financial fraud agencies and organisations with expertise built up over many years of operating at the heart of the UK payments industry, and a track record of working with partners to successfully prevent and detect fraud.
As you will see through this review of the year, FFA UK has achieved much of which we can be proud. This has included the excellent work carried out through our Financial Fraud Bureau in protecting members and the public following several significant data breaches. Similarly, the scam alerts we issue get wide coverage in the media and help forewarn business and customers about new scams that may put them at risk. The police unit we sponsor, the Dedicated Card and Payment Crime Unit, continues to disrupt organised criminal gangs and bring them to justice. Working with partners we have continued to raise awareness through a number of education and awareness campaigns.
I was particularly pleased last year to attend a Ministerial Serious and Organised Crime meeting chaired by the Home Secretary and attended by ministers, law enforcement leads and senior officials from relevant departments. I was able to convey positive messages about how much the industry is doing, the role of FFA UK in facilitating collaborative work such as data breach handling, the need for a nationwide multisector campaign like Take Five (more on this later), and the appetite of the industry to engage further with government and law enforcement through the Joint Fraud Taskforce.
As a Board we have set an ambitious agenda for Financial Fraud Action UK. As Board Chair I am convinced that by working effectively and collaboratively with our partners FFA UK is best placed to protect consumers and businesses from financial fraud.
Chair, Financial Fraud Action UK
The launch of the Joint Fraud Taskforce in February heralds a new focus from the Home Secretary on the previously much overlooked ‘volume crime’ – typically low-value, high-quantity crimes that are most likely to affect personal customers and yet have often fallen below the radar of government and law enforcement.
FFA UK has been at the forefront of the industry input to the setting up of the Taskforce, which is intended to leverage the capacity of the three parties – banking, government and law enforcement – in order to overcome hurdles which we have each found difficult to overcome individually. One such hurdle is the perennial problem of preventing customers – both personal and business – from falling victim to the ever more ingenious tactics that fraudsters are employing to part them from their money. A particularly harmful manifestation of such cases, as we know, is when the fraudster pretends to be from a trusted authority such as a bank or the police and dupes the customer into moving money into a ‘safe’ account – which of course turns out to be anything but. In business this often presents itself as a communication that to all intents and purposes comes from the CEO asking that money be transferred urgently. The two common factors in all these scams are that the fraudster is pretending to be someone he isn’t, and that the duped customer is usually acting as a result of fear engendered by the conman without stopping to think or check first.
Enter ‘Take Five to stop fraud’ – a collaborative large scale awareness campaign, facilitated and largely funded by FFA UK, aimed at making a fundamental step change in customer behaviour in relation to fraud and scams. The ambition is for this to become an umbrella brand to provide a vehicle for unifying and amplifying fraud awareness activities by many partners, so that customers will have confidence that the advice is coming from a trusted source. The simple message is for customers to ‘Take Five’ – to stop and think before reacting to any request to give out personal or financial details or to move money to a new account.
Every one of our partners that we have talked to has been very keen about this campaign. We already have a number of funding partners and sponsors as well as the commitment of our Board to launch this in 2016. But we still need to build on that support, so if you would like to be involved or want to know more, please contact me at email@example.com.
Finally, during 2015 the future of trade associations in the financial services industry has been under review. In December, Ed Richards, who conducted the review, recommended that several associations should be ‘integrated to create a new Financial Services Trade Association’. While FFA UK was not initially in scope for the review our Board has been considering if FFA UK should seek to join the new Trade Association if it is created. Whatever happens, we at FFA UK remain focused on combatting financial fraud and the scammers who target customers and so making sure the public is protected to the best of the industry’s ability.
Director, Financial Fraud Action UK
Through industry collaboration FFA UK seeks to be the authoritative leader in defending consumers and businesses from financial fraud, by creating the most hostile environment in the world for fraudsters.
FFA UK’s primary role is to drive collaborative action to reduce the impact of financial fraud and scams both across the industry, and with partners in the public sector, private sector, and law enforcement. It operates its own data and intelligence sharing bureau and sponsors a fully operational police unit.
FFA UK's key aims are to:
It does this by:
FFA UK works in partnership with The UK Cards Association in developing and delivering fraud strategy on credit, debit and charge cards. UK Cards is the trade body for the card payments industry in the UK, representing financial institutions which act as card issuers and acquirers. FFA UK works with the Cheque & Credit Clearing Company on credit clearing and cheque fraud.
DCPCU hosts Project Sandpiper Conference celebrating the end of a two year EU funded project focussing on organised Eastern European crime gangs, and resulting in an estimated £23m of savings to the industry.
The Joint Money Laundering Intelligence Taskforce (JMLIT) is launched. FFA UK advised during its planning and implementation.
“Mrs Norris”, the FFA UK video as part of the government’s Cyber Streetwise Campaign aimed at small businesses that accept remote card payments, reaches over 1 million hits on YouTube after only three months.
FFA UK is incorporated, acquiring its own Board and strategy.
Fraud Squad aired on ITV featuring a DCPCU investigation into a Zimbabwean organised crime gang involved in large scale cheque fraud affecting over 12 UK banks.
Launch of joint FFA UK and Neighbourhood Watch National Awareness Week focused on phone scams with 173,000 volunteers seeking to reach 2 million people and leading to over 280 pieces of media coverage.
To help reduce fraud levels from social engineering over the phone such as Vishing, FFA UK publishes research into different security solutions in the market which would help customers and banks to authenticate one another over the phone and spot any fraudsters calling.
FFA UK partners with Citizens Advice on their Scams Awareness month.
FFA UK’s Financial Fraud Bureau co-ordinates the payments industry response to a data breach at Carphone Warehouse. Over 1.2m compromised records were notified to respective banks and law enforcement, minimising impact on customers.
FFA UK joins the Government project on open banking standards. The work aims to identify and consider any associated fraud risks as new payment services are introduced into the market so customer security remains high.
FFA UK releases new fraud metrics including fraud prevention rates showing that industry prevents £7 in every £10 of fraud.
The Recorded Crime figures published by the ONS include, for the first time, fraud crimes reported by financial institutions and other organisations to the National Fraud Intelligence Bureau at City of London via FFA UK and Cifas.
FFA UK leads industry response to the TalkTalk data breach involving 21,000 customer bank account details.
FFA UK Chair appears at Ministerial Serious & Organised Crime meeting chaired by Home Secretary to present on industry collaborative work - the first time the private sector has attended such a meeting.
A vulnerability exploited by fraudsters where telephone lines can be held open is finally closed, due to work undertaken by FFA UK, Metropolitan Police and the telecoms industry.
This work is driven by the Industry Strategic Threat Management process and so is responsive to the changing patterns in fraud in the market. This integrated approach is designed to prevent avoidable fraud, to effectively identify patterns where fraud has been committed, and to support law enforcement in bringing the criminals to justice following an attack.
To ensure a coordinated response to threats, we provide expert fraud prevention advice on new initiatives pioneered by the financial services industry – for example on account switching and mobile payments. We also engage stakeholders, including regulators and government, to ensure that regulation works in step with fraud prevention programmes. The next two sections show examples of how we work collaboratively.
Remote purchase fraud
Finding the right balance between convenience and security for consumers and businesses remains a constant concern for the payments industry in what continues to be a fast changing, competitive and innovative market place. For the industry this means enhancing detection methods and processes to provide an optimum level of checks and balances that are not over intrusive or disruptive to genuine transactions over the phone, internet or via a mobile.
2015 saw a noticeable increase in the number and scale of data hack incidents in the UK and abroad. Much of this compromised data was in turn used by fraudsters to attempt e-commerce and telephone order transactions as well as enabling other fraudulent activities such as impersonation, account takeover fraud and social engineering scams. As well as handling the data breaches through its Financial Fraud Bureau, FFA UK provided targeted Education and Awareness campaigns (see E&A section below), providing vulnerable groups with clear advice of how to protect themselves from remote purchase fraud.
During 2015, FFA UK helped fund a pan-EU initiative, Project Skynet, led by the DCPCU to develop law enforcement skills and capabilities to better disrupt cyber and digital enabled crime. Project Skynet's primary aim is to improve the response to e-crime in the payments sector and follows the success of Project Sandpiper, the DCPCU-led European Commission funded project targeting Romanian Organised Crime Groups (OCGs) impacting on the UK.
The project commenced in January 2015 and will conclude after a two year period. It focuses on the ever increasing cyber threat to the UK payments industry and more specifically the area of remote payments which was responsible for 70% of the £567.5m fraud losses on UK cards in 2015.
The project has the support of Europol’s European Cyber Crime Centre (EC3) and has secured commitment from law enforcement in Belgium, Finland, France, Holland, Hungary and Romania who are recognised as full partner organisations.
The three phases of the project are:
Work with telecommunication companies
FFA UK continues to work with the telecommunications industry as part of its collaborative efforts towards reducing the opportunities for fraudsters to misuse telecommunication company services such as SIM swap, number redirection or number spoofing to defraud bank customers.
This effort includes:
FFA UK is now working with the telecommunication companies to look at addressing other techniques used by fraudsters. This includes preventing the misuse of Calling Line Identification (CLI) and SIM swapping, whereby fraudsters obtain a new SIM card for a mobile phone and so are able to pretend to be the victim if a bank contacts them.
Work is also currently underway to develop a multi-industry declaration to assist raising consumer awareness.
Annual Neighbourhood Watch Awareness Week
In June FFA UK partnered with Neighbourhood Watch and Neighbourhood Watch Scotland to deliver a national awareness week with a focus on phone scams. Some 173,000 Neighbourhood Watch volunteers helped to warn their communities of the dangers of these particular scams.
HM Government’s Cyber Streetwise campaign
At the start of the year, as part of the Government’s Cyber Streetwise campaign, FFA UK funded and launched an online film, “Mrs Norris”, setting out the steps businesses can take to protect themselves when accepting card payments online. The 40 second online animation, which has had over 1 million views since its launch, emphasises the importance of ‘Knowing Your Customer’ and using online authentication when taking card payments over the internet.
Out of Your Hands
FFA UK continues to work in partnership with the Telecommunications UK Fraud Forum (TUFF) to deliver ‘Out of Your Hands’ (www.outofyourhands.com), a teaching resource aimed at teachers and students, which is aligned with the National Curriculum and features examples of typical fraud scams, mobile phone crime and guidance on how to stay safe when making online transactions. The website includes real-life victim and perpetrator case studies and short films and is focused on raising awareness of scams and helping young people to consider the risks of sharing their personal information with others.
Using intelligence gained through the Industry Strategic Threat Management Process, FFA UK regularly issues Scam Alerts to the media, warning the public of newly emerging fraud threats. Scam alerts issued during 2015 have covered issues such as email invoice malware, farmer fraud and spoof text messages (smishing). We have also seen a move to businesses being targeted and issued a scam alert warning businesses they were being targeted by fraudsters hiding malware inside fake invoices emailed to them, which then stole online banking credentials.
Other Partnership Campaigns
During 2015 FFA UK worked in partnership with Citizens Advice and its Scams Awareness Month, providing detailed advice on financial frauds and scams. We also worked with law enforcement and Get Safe Online on a range of awareness campaigns including ‘Not In My Name’, providing advice on how people can protect their personal information, and ‘Think Twice Before You Act’, a campaign raising awareness of social engineering scams.
In 2016 FFA UK intends to launch with its partners, including Government and law enforcement, a step change national awareness initiative on fraud and scams called ‘Take Five to Stop Fraud’. It will call on Britain to Take Five – to simply have the confidence to stop and think when faced with a potential fraud, whether it be an unsolicited approach by telephone or by e-mail. It is based on the premise that if everyone remembers they have the right to Take Five, we will stop fraud in its tracks.
A key strand of FFA UK’s programme is to act as a conduit for data and intelligence sharing across the payments industry, and beyond with partners including the police.
The coordination that is made possible through our Fraud Intelligence Sharing System (FISS) also allows us to share insights, where appropriate, with other agencies, including the National Crime Agency, the National Fraud Intelligence Bureau (NFIB) and the Cabinet Office's Counter Fraud Checking Service.
Critical aspects of FFA UK’s intelligence sharing work include the following:
Financial Fraud Bureau (FFB)
Established in 2010, the Financial Fraud Bureau (FFB) leads the payments industry’s collective initiatives on fraud data-sharing.
Its key roles are:
Through the FFB, the industry can be alerted immediately of any known compromise of bank or card data through a series of designated Single Points of Contact (SPOCs). A significant example of this in 2015 was the Carphone Warehouse data breach, which put the team to the test with 1.2 million card records believed to be at risk of compromise.
In breaches such as this, the dissemination of data is not the most time consuming part of the work. Rather, it is being able to expertly manage external stakeholders to get the data securely in the required format, instilling confidence in using the FFB to act as the conduit at a time when the company who has suffered the breach is under extreme pressure.
The unit had to work closely with the acquirer, card schemes and Carphone Warehouse in order to establish and co-ordinate the details of the differing aspects of the breach to provide the best information to members. Once the data was received the FFB processed and securely disseminated the data in a few hours.
Financial Fraud Desk within the National Fraud Intelligence Bureau
During the year the FFB has been working with the NFIB within the City of London Police to identify the organised crime groups attacking across the industry, with a view to disrupting their activity.
Working alongside the NFIB has increased the level of analytical material available to the FFB, and has widened access to intelligence sources. This has helped the team identify viable lines of enquiry which would not otherwise have been available to the FFB. The effect of this has been an increase in police investigations being taken forward.
Fraud Intelligence Sharing System (FISS)
Sharing data and intelligence to tackle fraud, the Fraud Intelligence Sharing System (FISS) is a central payments industry database – an extremely secure, flexible and cost effective intelligence system which is used to identify linkages and patterns in frauds, playing an important role in protecting consumers and businesses.
Members share a range of information on fraud. This helps industry and police identify patterns and strengthen defences. Importantly, the industry supplies its fraud data and intelligence to the National Fraud Intelligence Bureau to assist in wider fraud analysis and prevention and the data is then also included in the recorded crime figures.
A member bank referred a small, but high value, series of lottery fraud victims who had lost their life savings to an organised criminal group to the Financial Fraud NFIB Desk. They had duped the susceptible victims into paying substantial advance fees to release non-existent lottery winnings and had also convinced them unwittingly to act as money mules, laundering funds from other victims.
Access to NFIB databases enabled the Desk to identify more victims and a number of suspects, a few of whom were still in the UK and thought to be laundering the proceeds at the cash-out stage.
The Desk instigated a number of ‘safeguarding’ interventions, causing local police to visit victims to prevent further losses and to stop victims engaging in money laundering themselves. Enforcement packages were sent to appropriate police forces and separate arrests of Nigerian and Polish nationals have been made. Enquiries are ongoing to identify other members of the organised criminal group.
Following this initiative, the level of reported lottery fraud in this series dropped by almost 100%.
It is fully sponsored by the cards and banking industries, with an on-going brief to investigate, target and, where appropriate, arrest and seek successful prosecution of offenders responsible for card, cheque and payment fraud crimes.
It is headed up by a Detective Chief Inspector and comprises officers from the Metropolitan and City of London police forces who work alongside banking industry fraud investigators and support staff. Established in April 2002, the unit is fully sponsored by the payments industry which invests nearly £3.2 million per year in its operation.
The DCPCU’s national remit is to identify and target the organised criminal gangs responsible for card and payment crime. Since its inception in 2002, the unit has:
Two Moldovan card skimmers who travelled to the UK to steal money from ATMs were jailed for a combined total of more than 12 years in November, following an international police operation. The duo had harvested enough bank card data to expose banks to a potential loss of more than £3.4 million.
The men were caught after police officers working in the DCPCU received intelligence that a number of Moldovan men would be travelling to the UK with card skimming equipment to commit ATM fraud.
Stefan Mereacre and Oleg Borta were arrested in the car park at Stansted Airport after arriving in the UK in May 2015.
At the same time, officers acted on intelligence to execute a search warrant at a house in Purfleet, Essex. They seized two bags containing a variety of skimming equipment, computers and mobile phones.
During the search, 8,096 compromised bank card numbers were recovered from the computers and memory cards. The cards had a street value of £3.4 million, based on the amount stolen on average from a compromised card.
Borta was sentenced to seven years’ imprisonment while Mereacre was given a sentence of five-and-a-half years. They had both previously pleaded guilty to conspiracy to defraud.
A persistent fraudster who attempted to steal more than £650,000 from a number of banks across England was jailed for six years and nine months in June.
David Mendes, 56, of Kilburn, London, used forged documents, including passports and driving licences, to siphon off funds from customer savings accounts at seven banks.
Between November 2010 and October 2014 Mendes visited a number of banks where he used a range of forged ID made out in different names but bearing his photo. He then made fraudulent transfers of large sums of money and opened new accounts.
In total, Mendes obtained £355,400 from accounts during the four-year period, having targeted £667,100 in total.
Mendes was caught when he tried to use a stolen debit card to withdraw £4,700 from an account. Bank staff became suspicious when the signature he used did not match another on their system, and he was detained by police.
CCTV showed Mendes undertaking the transactions in the banks, while he was also linked to the transfers through forensics.
Engaging with regulators and policy-makers
A major public affairs objective has been to achieve the best possible regulatory and public policy environment for fraud data-sharing. To this end, FFA UK is working with the Cabinet Office to facilitate more effective intelligence-sharing on known fraud.
FFA UK worked alongside the BBA and supported the setting up of the Joint Money Laundering Intelligence Taskforce (JMLIT) – a 12 month pilot project launched in February 2015 to improve intelligence-sharing arrangements to support the fight against money laundering and other criminal activity.
FFA UK has also been leading the banking industry input to a Joint Fraud Taskforce, working with the Home Office and law enforcement, with ultimate responsibility to the Home Secretary. As well as driving greater industry benefit from law enforcement, the Taskforce will also address the unintended consequences of legislation in terms of impacting industry ability to fight fraud. The Taskforce was launched with the support of FFA UK and the banking industry in February 2016.
The Home Office Minister Karen Bradley spoke at a special DCPCU conference in January 2015 to praise the unit for its hugely successful work as part of an EU funded initiative. Project Sandpiper targeted Romanian Organised Criminal Gangs (OCGs) operating in the UK by facilitating collaboration between the DCPCU, Europol and the Romanian National Police (RNP). The project delivered strong results leading to 32 prosecutions, 17 convictions and the disruption of five OCGs.
In conjunction with The UK Cards Association and Payments UK, FFA UK responded to a consultation on the new Payments Service Directive (PSD2) which is coming into force January 2018. The response took into account the views of UK banking institutions towards the impact on fraud the new directive is expected to have.
The FFA UK response highlighted issues around one of the key aims of PSD2, which is to mandate minimum standards for customer authentication over the internet, and around allowing TPP (Third Party Payments) service providers access to consumers’ bank accounts.
Allowing TPPs access to their bank accounts can provide benefits such as account aggregation services whereby accounts across different banks can be presented in one place for ease. However, as is the case with so many other new payment services, they also attract criminals who will look to defraud customers of these services. These are just some of the issues FFA UK highlighted in its response to the consultation.
The press office delivers coverage for awareness campaigns and publicity for FFA UK and DCPCU operations, as well as providing a full reactive service dealing with enquiries from national, local and specialist media.
During the year the office responded to 797 requests from journalists, secured over 210,000 column centimetres of coverage and featured in 18 hours of TV and radio. The office also issued 46 press releases and media alerts, coordinated and conducted 230 broadcast interviews and delivered £7,480,170 of positive news coverage.
ACTO (Account Takeover)
This involves a criminal fraudulently using another person’s credit or debit card account, first by gathering information about the intended victim, then contacting their bank or credit card issuer whilst masquerading as the genuine cardholder. The criminal will then arrange for funds to be transferred out of the account, or will change the address on the account and ask for new or replacement cards to be sent to the new address.
ATM (automated teller machine)
A computerised self-service device permitting the holders of an appropriate card and personal identification number (PIN) to withdraw cash from their account and access other banking services.
A payment card, enabling holders to make purchases and to draw cash up to a pre-arranged ceiling, the terms of which include the obligation to settle the account in full at the end of a specified period. Cardholders are normally charged an annual fee.
Cifas is a United Kingdom fraud prevention service. It is a not-for-profit membership association representing the private and public sectors. Cifas operates two databases: the "National Fraud Database" and the "Staff Fraud Database".
Contactless is a fast, easy and secure way to pay, for purchases costing £30 and under. Contactless payments are becoming increasingly common on a range of devices. The underlying technology for all contactless payment devices is the same. The contactless device contains an antenna so that when it is touched against a contactless terminal, it securely transmits purchase information to and from the terminal.
A card which has been printed, embossed or encoded so as to purport to be a legitimate card but which is not genuine because the issuer did not authorise the printing, embossing, or encoding.
Transactions which are conducted over an electronic network where the buyer and merchant are not at the same physical location e.g. payment card transactions via the Internet.
Malware includes computer viruses that can be installed on a computer without the user's knowledge, typically by users clicking on a link in an unsolicited email, or by downloading suspicious software. Malware is capable of logging keystrokes thereby capturing passwords and other financial information.
The action of "washing" or "laundering" money from illegal activities. This can be done in various ways e.g. buying and re-selling of goods or gambling.
National Crime Agency
The UK’s lead national law enforcement agency against organised crime; human, weapon and drug trafficking; cybercrime; and economic crime that goes across regional and international borders. UK point of contact for foreign agencies such as Interpol, Europol and other international law enforcement agencies.
National Fraud Intelligence Bureau
The City of London Police’s National Fraud Intelligence Bureau uses millions of reports of fraud to identify serial offenders, organised crime gangs and established and emerging crime types.
Organised Crime Group
Defined in the Serious Crime Act 2015 as a group which has as its purpose, or one of its purposes, the conduct of criminal activities and consists of three or more people who agree to act together to further that purpose – s.45(6).
A transaction where the merchant, retailer or other service provider does not have physical access to the payment card; examples are transactions by telephone, mail order or Internet.
Copying the magnetic stripe details of a payment card usually with a card reader, for use in counterfeiting.
Smishing involves a fraudster sending text messages (also known as an SMS) at random to mobile phones. The text messages claim to come from a reputable organisation such as a bank or mobile phone company. The message will try to trick the customer into clicking on a link to a bogus website or calling a phone number, usually by claiming they need to verify or update details or reactivate an account. The criminal will then attempt to get the customer to disclose personal or financial information, which they will use for their own fraudulent purposes.
Vishing involves a fraudster phoning a potential victim and posing as someone from a bank or building society, the police or another legitimate organisation such as a telephone or internet provider.