Do you really ‘Know Your Customer’? The growth of identity fraud and what we should do about it

5th June 2024

If you asked most people which of their assets was the most desirable for criminals, they’d probably respond with a range of high-value goods, such as vehicles, jewellery and tech.

They’d be wrong.

In the digital era, arguably the asset which has the most financial value to criminals is you – in the form of your personal data.

An identity is a valuable asset, and fraudsters know this. However, all too frequently, as a previous Cifas campaign, Data to Go, showed, it can be relatively easy to piece together the data which makes up our identity from a range of online and social media sources. Furthermore, in addition to this, the harvesting of personal data by criminals via phishing, smishing, hacking or other tools is now a sadly established feature of modern, digitally enabled life. Together, these passive and active identity harvesting tools are the key to criminals committing identity fraud to glean multiple lines of credit from a range of credit providers, financial institutions, and retailers.

Alongside identity theft, the growing use of false identity documents, fuelled by increasingly easy access to AI image generation, means that the ‘market’ in real or fake identities is richer and fuelling a growing identity fraud problem.

This is a problem we can expect to see increasing over the coming years and is not only problematic for the credit industry, which is bearing a heavy cost, but it also has a considerable human impact: identity theft leaves victims with a long journey to prove their innocence and to repair their identity and credit score, which, while not bearing a financial burden, does create a considerable, emotional one.

The scale of the challenge

Although identity fraud does not capture the headlines in the same way as authorised push payment fraud, this is a crime which has seen a precipitous rise over the past decade as the digitalisation of everyday life has made our personal data ever more accessible by criminals. According to the University of Portsmouth’s Annual Fraud Indicator 2023, identity fraud is costing the UK economy more than £1.8 billion.

At Cifas, identity fraud remains the biggest filing type to the National Fraud Database – the database of confirmed fraudulent conduct we administer on behalf of our members – representing 64% of filings or 237,642 cases in 2023 across a range of sectors including banking, credit cards, and the telecoms industry.

While the financial cost to the economy is high and the impact on individuals can be distressing, the societal cost is arguably an equally concerning facet of this problem. As the primary means of proving our identity moves from the physical to the digital, the growth of identity fraud is having a profound impact on individual trust in the online environment, which in turn risks undermining our collective prosperity and trust in institutions.

The fight back starts here

Given the size of the problem and its impact on businesses, individuals and the economy, it is perhaps then surprising that the response to date has been so muted. Anecdotally, many victims report a struggle to get a crime reference number in cases of identity theft where there has been no financial loss to the victim. Businesses – the financial victims of many identity fraud cases – can rarely expect a policing response.

This, however, is starting to change. The current government published its first ever Fraud Strategy in May 2023 and within this recognised the role of identity theft as a precursor to identity fraud. This strategy committed to ensuring that “victims of identity theft get the support they need to repair their identities”. Since then, the government has published an identity repair checklist for victims to outline the steps needed to recover and secure a stolen identity, including using the Cifas Protective Registration Service. The strategy also committed to exploring “new legislation to restrict creating and selling identities and the handling of data copied or obtained through unauthorised access”.

Furthermore, over the past 18 months, it has been heartening to witness the extent to which law enforcement is taking some decisive action against the range of ‘crime-as-a-service’ actors supplying the specialist identity crime cyber skills and tools to fraudsters via online marketplaces.

Two notable multi-jurisdictional counter-fraud policing operations in recent times have focussed on disrupting crime-as-a-service facilities purported to specialise in identity theft and account takeover fraud. The first of these was the take down of the notorious ‘iSpoof’ fraudulent calling facility, by the Metropolitan Police, supported by European policing partners and Europol. More recently, in April 2024, police disrupted the ‘phishing-as-a-service’ site ‘Labhost’, a site said to be used by 2,000 individuals to facilitate over 40,000 fraudulent sites and cause harm to multiple thousands of victims.

The next generation of reforms

With a General Election looming, we’ve been campaigning hard for the next generation of fraud reforms by the next government by launching the Cifas Fraud Pledges 2024. One area we focus on within this campaign is the need to drive forward the response to identity theft and fraud.

But what would this look like in practice? It is a truism that there is no ‘silver bullet’ to solve the problem and that action is needed along a number of lines. To follow the Fraud Strategy’s three-pronged structure, a good starting point may be as follows:

PURSUE: We need to invest in specialist, multi-disciplinary law enforcement units with the skills and capabilities to investigate and disrupt the criminals facilitating industrialised identity theft so that the operational activity we’ve seen recently becomes the norm. Supporting this, we need to update the law to ensure that identity theft is criminalised in name as well as in practice, and update sentencing guidelines to reflect the harm this crime causes.

BLOCK: At Cifas, we see the value of multi-sector data sharing on a daily basis. By breaking down silos and acting across industries, platforms like our own can use this data to identify indicators of criminal networks and work with law enforcement partners to flag new modus operandi and emerging risks. Furthermore, as identity verification moves increasingly from the physical into the digital realm, under the government Digital Identity Trust Framework we need to make cross-sector data sharing within the identity service provider sector a prerequisite and ID repair requirements a fundamental cornerstone of the regime.

EMPOWER: Finally, we need to do as much as we can to empower consumers with the information they need to avoid falling victim to identity crime. This includes driving forward public information campaigns and education programmes. We are calling on the next government to include fraud and financial harms education as compulsory with Key Stage 3 and 4 PSHE education and to support technological innovations which put consumers in control of the use of their identity.

Where individuals are victims, we must provide them with the support to repair their identity. It is here where we would do well to learn from partners in the US, Australia and New Zealand, where there are state-led or partially state-funded ID repair services. Prior to this happening, at an individual business level we can also ensure that staff have the skills and knowledge to signpost individuals to avenues where they can get help.

While the problem has exploded over the past decade, there are steps that government, industry and consumers can take to tackle the problem and ensure that our most valuable asset – our identity – remains in our hands.

Helena Wood, Director of Public Policy at Cifas. Earlier in her career, Helena spent over a decade in public service in the UK, with positions at the National Crime Agency, the Asset Recovery Agency, HM Treasury, and the Charity Commission.

Cifas the UK’s largest not-for-profit fraud prevention membership organisation. She was previously a Senior Research Fellow and head of the UK Economic Crime Programme at RUSI’s Centre for Financial Crime and Security Studies, where she remains an Associate Fellow.