Criminal justice system is failing cyber crime victims

The UK criminal justice system needs further, urgent reform to better serve the needs of victims of cyber crime, who face barriers to reporting offences, receive inadequate support, and rarely achieve any form of justice, according to a study commissioned by the Home Office and HM Inspectorate of Constabulary, Fire and Rescue Services (HMICFRS).

The research, conducted at the University of Portsmouth, set out to assess the nature and impact of crime related to misuse of computers – including most forms of cyber crimes, such as hacking, malware and ransomware infections, and distributed denial of service (DDoS) attacks. It is the first major UK study into the impact felt by victims.

It concluded that the police lack the proper resources to effectively fight cyber crime and protect and support its victims, and made several recommendations for system-wide changes that the wider cyber security sector could take into account to work more effectively in this regard.

Mark Button, director of the Centre for Counter Fraud Studies at the University of Portsmouth’s Institute of Criminal Justice Studies, said: “There has been a perception that cyber crimes don’t have as bad an impact as some physical crimes, but this report shows that computer misuse crime has a similar, and in some cases a worse, impact than comparable traditional crimes, such as burglary.

“We found victims who compared cyber attacks to physical assaults, some rape and some contemplating suicide as a consequence. We also found some victims struggling to report these crimes. For example, one woman whose laptop camera had been hacked by criminals was dismissed by the police, and another lady whose estranged husband hacked her computer to secure advantage in divorce negotiations was told it was not a crime.”

Button and his team, who conducted 52 in-depth interviews with victims, along with a wider survey of 252 people, said computer misuse crime was poorly classified by the authorities, and recommended at the most fundamental level a new reporting system be developed, to be regularly monitored and evaluated by Action Fraud and the National Fraud Intelligence Bureau.

Button also found that the Action Fraud brand name represented a barrier to the reporting of some crimes, and recommended it be renamed the National Fraud and Cybercrime Reporting Centre to better account for cyber crime.

The report went on to recommend a high-level review of all police force websites about what advice is given on such crimes, to ensure more consistency in reporting across the UK. This should go hand-in-hand with improved training for frontline officers and other police staff to understand exactly what constitutes a computer misuse offence, it said.

The report also suggested that the National Cyber Security Centre (NCSC) be given the explicit task of working with organisations that regularly receive complaints about cyber crime – such as banks or social media platforms – to encourage people to report through centralised web links.

Finally, Button’s report highlighted the need to increase the resources made available to tackle computer misuse. Many of the interviewees questioned by the research team said they received neither a police investigation nor support, and in only four cases was the perpetrator brought to justice. Resources for dealing with cyber crime are often built too much on short-term funding models, the report said.

“Despite nearly a million computer misuse crimes being reported in the 2018 England and Wales crime survey, just 23,683 were recorded by Action Fraud,” said Button. “This illustrates significant under-reporting and highlights a subsequent lack of support for those who have often been left deeply affected by the crimes.”