© 2016 by Sara Correia. Proudly created with Wix.com

LINKS
ABOUT

S.Correia@swansea.ac.uk

College of Law & Criminology

Swansea University

Singleton Park

SA2 8PP

  • Sara Correia

The Action Fraud debacle and the policing of fraud and computer misuse in the UK

Updated: Sep 30, 2019

Over the last four years, I have been analysing reports of fraud and computer misuse in the UK and researching the police response across four police forces[1]. In the process, I have had the opportunity to discuss my developing research findings with law enforcement locally and nationally. I have also engaged extensively with industry and third sector organisations which play key roles in fraud prevention and victim support. In this work, I have sought to understand what victims of fraud and computer misuse (CM) report, how we can identify vulnerable victims and what an adequate response would look like.


I was saddened and disappointed when last month, an undercover report by The Times led to headlines including “Fraud victims failed by police”, “Vulnerable people labelled as morons” and “Computer scoring system decides which cases are investigated” (Morgan-Bentley 2019a). A Times reporter, was hired as an Action Fraud (AF) call handler by Concentrix, the American company which runs the national fraud and computer misuse reporting call centre from Gourock, Scotland. In their report, they highlighted the inadequate training new staff received and included footage from a hidden camera which demonstrated the unprofessional attitude of some AF staff.


In what follows, I draw on results and experiences from my empirical research, to examine the recent controversy around AF and the police response to fraud and computer misuse. I hope this post clarifies matters and illuminates some of what has, in my opinion, been conspicuously missing from the media coverage thus far. This blog post looks beyond the headlines in an attempt to (re)focus attention on how to improve the victim response.


These are the key points I’d like to draw attention to:

  1. The institutional failings of AF’s delivery are stark and must be addressed, but the reasons why a national reporting system was needed in the first place must not be forgotten;

  2. That said, it is not enough to focus exclusively on past institutional failure. Institutions are vulnerable, but people/victims are vulnerable too and they deserve better. It is imperative to achieve the right balance between prioritising and responding to institutional and individual vulnerabilities;

  3. Some victims are more vulnerable than others. As first steps to deliver a victim-focused response we need: a) greater transparency with respect to what happens when a crime is reported and b) an empirically-grounded understanding of vulnerability.


The Action Fraud Story


Action Fraud (AF) is the ‘brand’ name given to the centralised national reporting centre for fraud and computer misuse crimes. Fraud is a broad offence which covers anything from rogue traders to dating scams, while computer misuse covers crimes such as hacking, virus and malware attacks. The introduction of AF recording in 2011-2012 and its nation-wide rollout in 2014 was done on the recommendation of law enforcement agencies, the independent Fraud Review (2006) and academic experts (e.g. Button et al. 2009; Levi and Burrows 2008) and mirrored equivalent initiatives in the USA and Canada. The rationale of its introduction was two-fold: 1) a national reporting system would provide a nation-wide picture of the impact of fraud and thus enable law enforcement to be strategic in tackling these crime types and 2) a national reporting centre would substantially increase reporting levels. As the marked increase in records since the introduction of AF illustrates (figure 1), the picture of fraud and levels of recording have substantially improved[2].



Figure 1


However, AF is best understood as a call centre. Its function is quite separate to those who have the responsibility for investigating crimes and providing a victim response. Once AF has registered a report (whether classed as a crime or information report), it goes into the “Known Fraud” database, a system operated by the National Fraud Intelligence Bureau (NFIB) at the City of London Police. The NFIB’s role is primarily to coordinate investigations across the UK. Given the high volume of reports, at this stage an algorithm is used to find links between reports in the Known Fraud system and identify cases with sufficient lines of enquiry to warrant being reviewed by NFIB staff and potentially referred to a local force for investigation. It follows that the NFIB’s engagement with victims is limited. Their main job is not to provide a victim response, but to sift through hundreds of thousands of reports and identify which can be investigated.


The Crises


AF has faced two major crises, both of which may be attributed to the failures of the companies awarded the contract for its delivery.


Crisis #1 came when Broadcasting Support Services (BSS), the not-for-profit organisation who previously ran the AF call centre suddenly went into administration in July 2015 after losing the tender contract for the continued provision of this service to IBM (Rucki 2015, Mail on Sunday 2015, Out-law.com 2015). This led to AF operating with a skeleton staff and is clearly reflected in the fall reports over that period, within the four Welsh police forces I have been studying (figure 2). As a subcontractor of IBM, Concentrix Ltd stepped in to help manage the crisis and run the call centre - albeit not without controversy (Owen 2015).



Figure 2


Crisis #2 hit this summer when an undercover report for The Times revealed serious problems with the management of the call centre (Morgan-Bentley 2019a). A Times reporter got a job at the Concentrix-run call centre under their own name and presumably set to work after only two weeks of training – although it is unclear exactly when or for how long they remained in the job. The report showed what can only be described as a horrific attitude among some of Concentrix’s staff, including managers describing victims as ‘morons’ and publicly shaming victims on Twitter. In addition, it drew attention to the inadequacy of the training provided to AF staff, and suggested that the information provided to victims lacked transparency or was intentionally misleading.


Myth-Busting


While the recent media coverage provided a valuable insight into what was happening at the AF call centre, some of the claims made or implied may lead to misconceptions about how the reporting system works and what victims can expect. To improve the response to fraud and computer misuse victims, these need to be addressed.


Myth #1 would be that AF staff are making whimsical decisions on what should be registered as an ‘information report’ rather than a ‘crime report’. However the examples used to illustrate this in the news reports appear to be entirely in line with Home Office counting rules (Home Office 2015). In particular, they appeared to comprise applications of the “specific intended victim” principle, used to avoid the double-counting of crimes such as bank fraud and to allow for the prioritisation of cases where the victim has experienced harm[3]. In addition, AF was accused of turning away cases of so-called “identity fraud”. However, there is no such thing as an “identity fraud” offence on the UK statute books[4]. Rather than itself a crime, the misuse or appropriation of another’s identity is best understood as an enabler of fraud, a tool used to commit fraud, generally against corporate organisations.


Myth #2 would be the suggestion that somehow AF/NFIB are failing to deliver victim care when this clearly falls under the purview of Police and Crime Commissioners (PCCs) and is the responsibility of local forces and victim support agencies.[5] The media reports have fundamentally failed to distinguish between the responsibilities of national versus local police bodies and recognise that the NFIB’s role is national coordination of investigations. Victim support happens locally, in a policy context where PCCs and Chief Constables are required to prioritise and balance the need for a victim response with all other policing demands, across the full spectrum of crimes being reported: including fraud and computer misuse, but also other crime types such as violent crime. In a context of limited local resources and given the specialised nature of support in some cases, a multi-agency approach which involves third sector organisations and local Trading Standards is key.


Myth #3 would be that the same levels of victim support should be expected regardless of the specific circumstances of the victim. In fact, while we are all vulnerable to fraud and computer misuse, some of us are more vulnerable than others. My research suggests that there is considerable heterogeneity among victims and the key is identifying those who need enhanced support. Alongside this, it is important to note that individuals report crime for a variety of reasons – these may include seeking help and support, but also needing a crime number for insurance purposes or the desire to contribute valuable intelligence for the benefit of future and potential victims. However, being able to identify vulnerable victims in need of support requires better data and an understanding of vulnerability which is grounded in empirical research (Correia 2019).


Where do we go from here?


In response to the most recent news reports, several AF staff were dismissed, Scotland has decided to pull out of the service (Morgan-Bentley 2019b) and it has been suggested by the chief executive of the civil service that Concentrix be prevented from obtaining from further public contracts – even if an outright ban is not legal under EU procurement rules (Morgan-Bentley 2019c). However, it is important that this opportunity is taken to look beyond the headlines and short-term fixes towards how the victim-response can be improved for all. I would highlight three key points.


Firstly, the institutional failings of AF’s delivery are stark, but the national reporting and response system has had some success. There is no doubt that companies like Concentrix need to be subjected to a much higher level of public scrutiny if they are to deliver public services, but we should not forget why a national reporting system was needed in the first place.


Secondly and notwithstanding the above, it is not enough to focus exclusively on the (institutional) vulnerabilities that led to the latest AF debacle. People/victims are vulnerable too and they deserve better. Concrete proposals to improve victim-response are needed. It appears the right balance between prioritising and responding to institutional and individual vulnerabilities is yet to be achieved.


Finally, and possibly most urgent of all, while all victims are vulnerable in some way (alas, we all are!), some are more vulnerable than others. As first steps to doing more than merely paying lip service to a victim-focused response to fraud and computer misuse, we need: a) greater transparency with respect to what happens when a crime is reported and b) an empirically-grounded understanding of vulnerability.


If there are no leads, the opportunities to investigate are limited - but that does not preclude a victim-focused response where AF is transparent about what happens when a crime is reported and victims who are especially vulnerable are referred to further support. Clearer guidance on vulnerability needs to be provided so forces know what to look for and the approach is consistent across the UK’s 43 police forces. In addition, better information needs to be collected by AF so that local forces can make better decisions on vulnerability assessments and refer victims to the appropriate victim support agencies.


I hope this post has succeeded in starting a dialogue which makes a serious attempt at engaging with what is really at stake: how do we make the Criminal Justice System more victim focused. I would be grateful for your comments and feedback.


References


[1] This research was part of a Ph.D. study funded by the Economic and Social Research Council (ESRC). The dataset used included all cases recorded as a crime as reported by fraud and computer misuse victims over a period of two years within the four police forces in Wales - on over 20K reports made between the 1st October 2014 and the 30th September 2016 in Dyfed Powys, Gwent, North Wales and South Wales. See recent publication (Correia 2019) for more detail.


[2] From 2011-2012 and following from the Fraud Review (2006), reports from UK Finance and CiFAS were incorporated into crime recording figures. This was rolled out across the UK from 2014. As figure 1 illustrates, from 2014 onwards, AF alone recorded a larger volume of fraud and computer misuse crimes than those previously recorded by local police.


[3] This is especially important with respect to fraud from two reasons: 1) the fraud victim is the individual or business who suffers a loss or is put at risk of loss - in the cases highlighted in the reports, this would likely be the bank in the case of card fraud or the loan company where a loan is sought under a false identity - if and until they refuse to reimburse the customer for any losses incurred; 2) the offence of fraud under the Fraud Act 2006 is extremely broad. As such, technically, every single instance of a phishing email sitting on our Spam folder constitutes the full fraud offense - even if we never look in that folder and they remain unopened.


[4] There are good reasons for this, see for example Levi an Burrows 2008.


[5] My research (Correia 2019) supports the claim that the larger proportion of recorded fraud and CM crimes are not actioned. In an analysis of 17,049 cases reported by victims within the four welsh forces, over a period of 2 years (1st of October 2014 to the 30th of September 2016), 20% were actioned in some way. However, the role of the NFIB Crime Reviewers is primarily to identify where there are viable leads for investigation. Where they do not, information and crime reports remain in the “Known Fraud” database. This is a live system that draws links between reports - meaning that a case that is reported but has no sufficient leads today, may be reviewed and referred for investigation tomorrow. All cases reported within a particular force are, however, returned to the respective force on a monthly basis to allow for local analysis of reporting patterns and vulnerability. What local forces do with this data is down to the independent decision making of local PCCs and Chief Constables.

29 views