Complacent consumers allow cybercrime, phishing attacks to flourish

One report says that complacent customers and the credit crunch are largely responsible for the U.K.'s sharp spike in most areas of cybercriminal activity.

Most categories of cybercrime in the U.K. rose sharply last year after dipping in 2007. Researchers say the trend is partly caused by consumer complacency about security, combined with more sophisticated phishing attacks.

The figures come from a new, comprehensive report that gathers information from publicly available sources about a variety of computer-based U.K. crimes.

One notable trend is the rise of account takeover where, instead of using false IDs to open new accounts, fraudsters focus on stealing details and access codes for consumers' existing accounts, using a combination of phishing emails and Trojans to gather the information. This account takeover activity rose 207% in 2008, according to the U.K. Cybercrime Report published by Garlik Ltd., a Richmond-based online identity consultancy.

"Now the banks are less forthcoming with credit, and doing more thorough checks [on new accounts], and the fraudsters are focusing more attention on getting hold of your existing bank account, credit card account, or even eBay account. There is a clear rise in account takeover fraud," said Tom Ilube, chief executive of Garlik, which has published the report for the last three years.

The report also highlighted a 132% increase in online banking fraud with losses totaling £52.5m, compared to £22.6m in 2007. The sharp rise can be mostly attributed to nearly 44,000 phishing websites specifically targeting banks and building societies in the U.K.

According to Ilube, phishers are getting more sophisticated, not necessarily in technical terms, but in the content of the emails. "We are seeing phishing attacks that use the names of MPs, or which pretend to be from DHL, telling you your package has not been delivered, and to click 'here' for more information. We have also seen a wave of messages purporting to come from Inland Revenue, sometimes promising a tax rebate."

By monitoring the 'dark market' where stolen details are traded on the Internet, Ilube has also detected a massive rise in activity, not only in the sale of stolen credit card details, but also login passwords. "A year ago, you'd see 50,000 credit card numbers a month appearing in these trading sites for fraudsters. Now we see around 120,000 a month," he said. "We are also seeing stolen login information being bought and sold. These include logins for Web email, social network sites, eBay and PayPal. A year ago you'd see between 6,000 and 10,000 of these a month -- now it's 300,000."

He said that many people are often less concerned about protecting their webmail login details, but these credentials can be used to find other valuable pieces of information. "The fraudsters go into those email accounts, look for any other useful information that might give them access to other accounts. They might go to other sites you use, claim their password is lost and have a one-time password sent to that email address. They will use your webmail address to try and pick up as many one-time passwords from other facilities that you use."

One other factor contributing to the rise in cybercrime attacks, he said, could be a certain complacency among consumers. "In 2006/7, there was a lot of publicity about ID theft, and consumers became more aware, they bought shredders to get rid of confidential documents, and thought the job was done," he said, but since then the fraudsters have adopted new techniques.

Ilube's advice to users is to take more responsibility for their own security, especially since the crime is so hard for law enforcement to tackle.

In addition to covering financial and identity crime, the report also tracks online harassment, computer misuse (spreading malware), sexual offences (mainly paedophiles) and land registry (switching ownership of land).

The research for the third U.K. Cybercrime Report, published by Garlik, was carried out by criminologists from specialist consultancy Invenio Research between January and October 2009.

Criminal trends

| Category | 2008 | 2007 | 2006 | Change from '07 to '08 |
|---|---|---|---|---|
| ID theft and ID fraud | 86,900 | 84,700 | 92,000 | +2.6% |
| Financial fraud | 207,700 | 203,700 | 207,000 | +1.9% |
| Online harassment | 2,374,000 | 2,240,000 | 1,944,000 | +6.0% |
| Computer misuse (excluding viruses) | 137,600 | 132,800 | 144,500 | +3.6% |
| Sexual offences | 827,000 | 830,000 | 850,000 | -0.4% |
| Total | 3,633,200 | 3,491,200 | 3,237,500 | +4.1% |
