The State of Cybercrime in US and UK [Research]
Table of contents
- Nature and scale of cybercrime in the US and the UK
- Current policy landscape and law enforcement responses in the US and UK
- Emotional and mental health consequences of cybercrime
- Emotional disruption
- Feeling powerless
- Shame and stigma
- Long-term impacts on health
- Feeling vulnerable
- 10 key recommendations for US and UK governments to follow
The first transatlantic study on how cybercrime is affecting our lives just got released. Buckle-up...
Clario and Demos are presenting the first ever study investigating the issue of cybercrime and its impact on consumers in the UK and USA.
At a time when everyone’s lives are becoming more connected than ever, we wish this groundbreaking report made for more optimistic reading. However, while that’s not the case, we hope that with enough of an outcry we can push governments to do their jobs and protect us from a problem rapidly spiralling out of control.
You can download the fascinating report for yourself in full at the bottom of this article.
Nature and scale of cybercrime in the US and the UK
In this report we investigate cybercrime, its impact on victims, cyber policy, and digital policing by looking at responses from 2,000 people from both the US and the UK respectively. To start with, we discuss the nature and scale of cybercrime in these countries.
In the US, more than one third of Americans have had their data accessed illegally (35%), which is more than 115 million people. In the UK, one in five Brits have had their data illegally accessed (21%), equivalent to eleven million people.
US consumers whose data was exposed lost $1,231 on average. Despite Brits facing cybercrime less frequently, the mean amount lost due to cybercrime is higher than in the US, equating to £1,276.
Speaking of the types of cybercrime most frequently reported, for the US it was phishing, with social media/email hacks at the top in the UK.
A survey was conducted with over 11,000 victims of cybercrime from the US and the UK, in order to find certain behavioral patterns amid socio-demographic traits that could increase the likelihood of being a cybercrime victim. However, the report found no conclusive evidence to say certain demographic groups are more vulnerable than others.
Our study found out certain differences in attitude towards security among age groups. For example, a false sense of security was more apparent among Gen Z-ers, (18-25 year olds), with 50% feeling they aren’t important enough or vulnerable enough to be targeted by hackers.
In comparison, those aged 65+ were far less likely to have this attitude, with just 15% agreeing with the statement "I'm not vulnerable enough" and 22% agreeing with “I’m not important enough” to be targeted by hackers.
Current policy landscape and law enforcement responses in the US and UK
Someone once said that in policing, if it’s not shouting, bleeding or banging, then it won’t get prioritised.
With a cybercrime outcry growing louder in both the US and UK, it is much expected that the governments will reinforce control. Both countries have a broad policy landscape functioning nation-wide and overseeing the issues, but what if they lack the expertise to mitigate them?
In the US, the cybercrime control system functions on several levels:
- CISA (Cybersecurity Infrastructure Security Agency) is a body within the Department for Homeland Security, which is supposed to be handling nation-wide cybercrime issues, but lacks the capability to complete this task.
- NCCIC (National Cyber Communications Integration Centre) is responsible for sharing information with the private sector and is deemed to be ineffective. One interviewee said it “barely exists” at all.
- IC3 (the Internet Crime Complaint Center) is a reporting hub run by the FBI, the main function of which is to review complaints before passing them to relevant law enforcement bodies for further investigation. But since underreporting is a major issue in both the US and UK, it is no surprise that in 2016, IC3 captured just 10-12% of the total cybercrime scale.
In the UK, cybercrime is handled by three different tiers of law enforcement:
- NCCU (the National Cyber Crime Unit) and NCSC (the National Cyber Security Centre) which demonstrate the highest level of response. NCCU deals with issues of critical national-level importance, while NCSC focuses more on public-facing concerns. This body has a solid level of support from our expert interviewees.
- Action Fraud is on the second level of response. Serving as the UK’s cybercrime and fraud reporting centre, it is not trusted by the British public that much. According to the Times’ investigation, over half of concerns sent to Action Fraud are rejected by an algorithm before they see a human investigator. Our interviewees generally agreed that victims did not get adequate support from this body.
- UK police forces, with the ten newly created Regional Organised Crime Units (ROCUs) represent the lowest level of response. There is little relevant expertise beyond the ROCU units though. This happens mainly because the issues are not being handled down by Action Fraud. But even if they get passed down - they are not deeply investigated due to the lack of resources and expertise.
Emotional and mental health consequences of cybercrime
We know there is huge psychological harm. We’ve got examples of where there have been suicides.
Alongside the huge financial cost of cybercrime, mental health is another critical consequence often overlooked.
One of the most common consequences of cybercrime is feeling worried, anxious or angry. People often blame themselves for falling for a scam, worry about getting their money back and losing more information to another cyberattack.
One of our case studies, a woman in her fifties from New York, US, had her bank account compromised. Thousands of dollars were taken from her account. She had to “fight tooth and nail to get her money refunded”, which caused her great stress and had a detrimental effect on her mental health.
I did feel powerless and that stress and anxiety, “What am I going to do?” I was pretty confident that the money would get back, but I was afraid what happens until the money gets back — that was a really anxious time.
Angela is a woman in her fifties living in Denver, US. The bank told her that thousands of sets of shapewear - underwear designed to shape a woman’s silhouette - were purchased using her account, and she was being charged for going into an unarranged overdraft.
Many victims don’t know how they lost their data or how to retrieve it. As a result, they feel powerless and as if everything happening is out of their control.
Joel Lewis from Age UK describes this feeling through different stages of grief - first, people feel angry, then they get stressed and worried. They may even just go offline, because they feel like the online world is just too dangerous, it’s not for them.
Shame and stigma
I was naive, so you feel embarrassed that you’ve allowed it to happen, especially if you’re IT literate. How could I?
We are less likely to blame ourselves when we are mugged in the street or our house was burgled. Just like Patricia, many participants in our study said they blame themselves and feel ashamed about being a victim of cybercrime.
Many attacks happen where people least expect them to - e.g. on dating sites, where these days people tend to spend more time than before social distancing.
Millions of people turn to these sites and apps to find genuine relationships - but what they find instead is shame and stigma attached to being a victim of romance fraud. Long-term effects can cause real harm to the health and wellbeing of victims.
Long-term impacts on health
We often miss the connection between the psychological harm and the long-term physical harm of being a victim of cybercrime. The stress and worry over money or personal data breaches can cause people to lose their sleep, appetite or gain weight.
Some research also identified a link between being a victim of cybercrime and anxiety and depression.
Joel Lewis from Age UK also said that some elderly who contacted their organisation had to go under long-term care or even passed away a couple of years later after being a victim of fraud. Although the amount of research on this has been growing, further research is still needed.
I know somebody out there has got my number, has got my address. That does make me a little bit uneasy. Since then, I’ve doubled security at my house, put cameras everywhere, bars on the door and everything else.
Matt had his online identity stolen. One night, while he was out with friends, he noticed a message on his phone from the UK Government saying “You’ve got a tax rebate of £900”. Within an hour scammers had taken approximately £1,000 from his accounts.
Getting his money back was a long and complex process. After numerous attempts, he was able to return them, but like many others, he still feels vulnerable.
The emotions of anger, anxiety and worry leave their place to a feeling of vulnerability. And the worst thing is that feeling doesn’t end when your data is secured or money is returned.
10 key recommendations for US and UK governments to follow
Informed by the findings above, here are ten recommendations to fix the currently broken system that seeks to prevent and tackle cybercrime and deal with its repercussions.
We recommend that both the US and UK governments:
- Establish a National Reporting Hotline for fraud and cybercrime, with a simple three-digit number, e.g. ‘119 for Cybercrime.’
- Establish a National Fraud Taskforce, staffed with specialist investigators, with responsibility for investigating cyber fraud cases.
- Roll out Victim Care Squads nationally, staffed with specialist advocates, to provide support and advice to victims of cybercrime.
- Legally oblige banks to pass anonymised information to the new National Reporting Hotline, whenever their customers are victimised by cybercrime.
- Establish a legal duty that, whenever a data breach occurs, businesses must provide customers with timely, step-by-step guidance on how to protect themselves. They must also introduce remedial security measures - such as mandatory multi-factor authentication on customer accounts.
- Mandate basic cybersecurity education within schools (particularly in the US, where provision is far more uneven) to increase digital literacy, awareness and knowledge of protection.
- Introduce a national campaign to educate adults on cybersecurity, based around the launch of the new National Reporting Hotline.
We recommend that the US government:
- Strengthen the Cyber Infrastructure Security Agency (CISA), providing it with sufficient resources to coordinate private-public collaboration for combating cyber threats.
- Introduce a post of National Cyber Director, responsible for enhancing the US’ public-private work and international collaboration efforts.
We recommend that the UK government:
- Reach effective security and policing agreements with the EU, following Brexit, to ensure British police forces retain access to European intelligence and joint investigative work.
* * *
As the report makes clear, we now involve the internet in almost every aspect of our lives, from buying groceries to meeting the person we want to spend the rest of our lives with. And it’s this connectivity that is making us more vulnerable than ever to cybercrime.
With an exponential rise in the number of victims, those lucky enough not to be impacted yet assume that governments are responding to the threat. The extensive investigation concludes that they are not. Not by a long shot.
However, there is good news. We conclude our report with solutions to the problem. The best line of defence is a public equipped with the tools and knowledge to protect themselves. As we always say, forewarned is forearmed.
Methodologically, our report includes learnings on:
- the unexpected psychological and emotional impact of cybercrime
- case studies revealing how government organisations are failing in the fight against cybercrime
- findings around the evolution of cybercrime and the impacts of COVID-19 and Brexit
- 10 key recommendations for US and UK governments to follow.
Featuring insights from eleven experts around the world, it brings together knowledge and experience from law enforcement, academia, NGOs, the private sector and government. These experts are:
- Dr Ingolf Becker - Lecturer in the Department of Security and Crime Science at University College London (UCL), where he works on information management and cybersecurity.
- Sherrod DeGrippo - Senior Director of Threat Research and Detection for ProofPoint, a cybersecurity firm which works with businesses to protect them from cyberthreats.
- Kristin Judge - CEO of the Cybercrime Support Network, a US-based nonprofit which supports cybercrime victims by improving collaboration between national partners.
- Professor Michael Levi - Professor in the School of Social Sciences at Cardiff University, an internationally-renowned expert in cybercrime and organised crime, with experience advising Europol, the Home Office, and the United Nations.
- Joel Lewis - Consumer and Financial Service Policy Manager for Age UK, a charity which provides advice and support to older and vulnerable people, in the UK.
- Mark Montgomery - Executive Director of the Cyberspace Solarium Commission, a body tasked with developing a new strategy to protect the US from cyberattacks.
- Rob Morgus - Senior Director of the Cyberspace Solarium Commission.
- Rick Muir - Director of the Police Foundation, the UK’s leading independent policing think-tank.
- Chris Painter - President of the Global Forum on Cyber Expertise Foundation Board, formerly a prosecutor, chair of the G8’s High Tech Crime Group, and the world’s first cyber diplomat at the US State Department.
- Alex Rothwell - Deputy National Coordinator of Fraud and Economic Crime at the City of London Police, the British police force responsible for leading on economic crime.
- Wayne Stevens - Fraud Lead for Victim Support, a UK-based organisation which provides emotional support and advice to people who experience any form of crime.