03 February 2020
New figures which report a fall in ‘computer misuse' and a rise in fraud shows the authorities are failing to grasp the true impact of cybercrime, according to a cybersecurity expert.
Tim Thurlings of bluedog Security Monitoring says that the current figures disguise the full extent of the problem and demonstrate the need for more accurate ways to measure cybercrime.
New figures released by the Office of National Statistics show that, according to the National Fraud Intelligence Bureau (NFIB), ‘computer misuse crime' fell by 11% in the year ending September 2019 to 21,471 offences, following rises in the previous two years. The NFIB figures include cases reported by businesses and other organisations.
Meanwhile the Crime Survey for England and Wales (CSEW) estimated that, amongst the population as a whole, there were just over a million offences - unchanged from last year.
However both sets of figures also show significant rises in fraud over the same period. According to the NFIB, the number of reported cases rose by 19% in the year ending September 2019 to 743,413 offences.
Meanwhile fraud offences experienced by adults in England and Wales increased by 9% to 3.8 million according to CFEW. The increase was driven mainly by a rise in ‘bank and credit account fraud' which totalled 2.7 million offences.
"These figures demonstrate the difficulties the authorities face in defining cybercrime. At present, we are failing to capture the true extent of the problem," said Tim Thurlings, a former ‘ethical hacker' who helped to develop the European TIBER threat intelligence framework. "So-called ‘computer misuse' is just the tip of the iceberg. I expect that cybercrime plays a role in many of the fraud cases, even though they may not be classed as such. For example, a lot of payment card fraud is now caused by attackers penetrating retailers' IT networks and putting malware on their point of sale systems to capture customers' card details.
"Meanwhile ‘authorised push payments‘ - where victims are tricked into paying money into a criminal's account - are often the result of phishing emails or phone calls and are a type of social engineering which is very much part of cybercrime.
"It is clear that the police and finance industry are lacking know-how on what computer misuse is, and how these attackers operate. However, as cybercrime has become complex and sophisticated, it is also very difficult to place offences in one category or another. In many cases cybercrime is part of the mix, for example criminals may also use phone calls to victims as part of the scam.
"Certainly we need better ways to measure cybercrime and understand its impact on business and society as a whole. Meanwhile companies need to be aware of the growing threat and understand that security should not be left to the IT department - it is now everyone's responsibility."