Online fraud: let’s close the loopholes

The internet is a haven for criminals. A place where they pay no taxes, are subject to few laws, can rob the public with almost complete impunity and launder and store their money.

The government’s draft online safety bill will not bring order to this outlaw territory. It will probably have limited effect even on the crimes it does attempt to smother with layers of duties, codes of practice, objectives, and assessments.

The purpose of the draft bill is to give Ofcom, the regulator, powers to regulate “certain internet services”. The new law will, the government claims, protect young people and clamp down on racist abuse online. It is, the press release says, “a milestone in the government’s fight to make the internet safe”.

Internet providers will have a duty to remove and limit the spread of illegal or harmful content such as child sexual abuse, terrorist material, and content about suicide. Fines of up to 10 per cent of global turnover may be imposed. It is also claimed it will tackle user-generated fraud such as romance scams through dating apps which UK Finance says cost 3,000 victims £13m net in 2020. 

But it is the gaps in the draft bill that appal critics. Two years and one government ago the white paper Online Harms was published to further the state’s intention to “shape an internet that is open and vibrant but also protects its users from harm”.

After a long consultation there is a draft bill — the second after the first was lost when the parliamentary session ended on April 29. Another two years could easily pass before these plans become laws in the virtual world. The elephant in the room could have had two calves in that time. And it is mastodon-sized.

It was to be called the online harms bill but the government clearly got tired of campaigners pointing out all the online harms which were omitted. So it has been transmuted into the draft online safety bill. But there is little safety in it, for adults or children, from thieves. 

Search through the bill’s 59,553 words and you will not find “fraud” or “money” or “steal” or “scam”. The one mention of the word “financial” — outside of “financial year” — is only there to exclude “financial impact” from the definition of content that is harmful to adults or children and causes them “adverse physical or psychological impact”.

That means the consequences of losing your life savings or in-game credits online will not be “harmful” to you under this bill and companies will therefore not have a duty to protect you from it.

The Department for Digital, Culture, Media & Sport confirmed that the bill does not mention fraud or any other specific criminal offences. They will be set out in regulations, which have less parliamentary scrutiny and cannot be made until after the final bill is passed.

The DCMS also told me those clauses were intended to deal with legal activity and did not apply to illegal activity such as fraud. But the people behind numerous mini-bond scams generally deny wrongdoing. A few have been arrested, fewer charged. At the moment almost all were legal.

Criminals pay to get pole position in the race for customers so their ads come at the top of searches. Google takes money for every click

I’ve written before in FT Money about frauds that are out of control, where thieves use psychological warfare to persuade their victims to take part in the theft of their own money. UK Finance’s report Fraud the Facts 2021 revealed that nearly 150,000 individuals had £479m taken from them by that technique. The initial key to these crimes is adverts on social media and search engines. They lure people in with promises of the best cash Isas or investments paying high returns. Criminals pay to get pole position in the race for customers so their ads come at the top of searches. Google takes money for every click. And the more a company pays per click the higher it goes up the search results. Customers who do click are told that to get the brochure revealing the keys to wealth they need only fill in a few details.

That data is the new gold. The streets of criminal havens are paved with it — the information they need to cold call and offer “investments” in fine art, property, wine, or whisky. Or offer the security of firms that seem to be genuine but are in fact clones of real firms, mimicking their style and name, stealing their Financial Conduct Authority registration number and getting money transferred through lightly regulated payment institutions that do not confirm the payee name. If that bait is not taken the thieves will call back using a spoofed number in a full blown impersonation fraud using the data that has been harvested to show the mark they know so much that they must be from their bank or HM Revenue & Customs or the police. Then they rob them. 

The mastodon-sized gap in the draft bill is any mention of controlling these adverts. Online firms do not have to check if a firm is regulated or genuine before accepting the cash per click offer. The now bust mini-bond firm London Capital & Finance reportedly spent £20m on Google adverts, which lured in many of the 11,625 investors who gave it £276m.

During the long gestation of the bill, the government has been told many times by fraud experts it must include controls on adverts. They called for making search engine and social media companies ensure these ads come from genuine businesses checked against the Financial Conduct Authority’s register of regulated companies.

The DCMS told the FT this week: “We will shortly be considering whether tougher regulation on online advertising is also needed.” 

Any regulation would be tougher than the present absence of controls. Forcing companies to disgorge any earnings from adverts that turn out to be part of a fraud would be tough. Fining them 10 times that amount would be tougher. Making directors criminally liable for frauds committed from adverts which they had accepted money for might be tough enough to stop it. 

The draft bill now begins at least 12 weeks of what is called “pre-legislative scrutiny” by the House of Commons Culture, Media, and Sport Select Committee. It will be 2022 before laws are passed and could be 2023 before they are in force, plenty of time for criminals to find a way round them. One thing I have learned in years of reporting on fraud is that the criminals are quicker and cleverer than those trying to stop them. With a four-year gestation period they will not face much of a challenge.

Paul Lewis presents ‘Money Box’ on BBC Radio 4, on air just after 12 noon on Saturdays, and has been a freelance financial journalist since 1987. Twitter: @paullewismoney