28 July 2016

Fraud prevention: tell me “where” this email came from

Online fraud is a major problem. Many of these frauds cross international borders. Criminals “over there” steal money from victims “over here”. But there’s a relatively simple change that email software and service providers could make that could have a significant impact on this type of fraud: let’s tell end users when an email was transmitted from a foreign mail server.

Last week, the UK Office of National Statistics released its first-ever estimates of fraud and computer crime. The numbers are sobering. In the 12-month period ending March 2016, the ONS estimates that 2 million computer crimes and 3.8 million frauds were perpetrated on victims in England and Wales. A staff member at ONS familiar with the survey expressed the (informal) view that approximately one half of these frauds were conducted using some form of online communication while the remainder used other methods such as telephone or traditional post.

The police face enormous challenges trying to enforce the law against criminals who commit fraud at a distance. Keeping in mind that more than 90% of these frauds produce a financial loss of less than £1,000 (67% produce losses of less than £100), there are limited circumstances in which a full investigation is practical.

Even when an official investigation can be justified, many of these investigations quickly encounter a barrier: an international border. Many fraud attempts directed to UK-resident victims originate from criminals who appear to be located outside of the UK.

It was suggested recently when I was interviewed by the BBC that a natural policy response to combat cross-border fraud would be to increase international cooperation for police investigations. I doubt this would have a significant impact on the number of frauds committed. The police forces in the developing world have more limited resources (and fewer incentives) to crack down on local criminals who steal from overseas victims. (I’ve written on this subject before).

But what if it were possible to alert email readers that the message they have received (promising untold riches, or pretending to be their boss and instructing them to transfer money urgently to a phoney supplier) was probably sent from someone who is outside of the UK? That small piece of critical information – that this email was probably sent “from somebody in Ruritania” or “from somebody who is outside of the UK” – might be enough to nudge end users into a more cautious frame of mind and thereby reduce fraud.

In fact, this is easier than many people realise. Many overseas criminals don’t try very hard at all to disguise their location. On occasions when friends ask me to review a suspicious email, I’m often able to determine within a minute or two that the email probably originates from a foreign country – usually a developing country.

The simple technique that I use (examining full email headers that are normally invisible to the reader and then conducting a reverse IP number lookup on the originating server) has been well-known to computer and telecommunications professionals for many years. Although these techniques are not the most difficult things to learn, they are very user-unfriendly and would be cumbersome for millions of end users to do.
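
The header check described above, as an added example (not code from the original post): it reads only the `Received` line written by the recipient's own mail server, because lower lines are supplied by the sender, and maps the recorded IP address to a country. The trusted host name `mx.mail.example`, the prefix-to-country table and the sample message are constructed assumptions; a real mail client would query a GeoIP or whois service instead.

```python
import ipaddress
import re
from email import message_from_string

TRUSTED_BY = {"mx.mail.example"}  # assumption: the recipient's own mail servers
HOME = "UK"
# RFC 1918 and loopback hops are internal relays and say nothing about origin.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Constructed stand-in for a GeoIP or whois lookup (documentation address ranges).
COUNTRY_BY_PREFIX = {ipaddress.ip_network("192.0.2.0/24"): "UK",
                     ipaddress.ip_network("198.51.100.0/24"): "Ruritania"}
BY_HOST = re.compile(r"\bby\s+([\w.-]+)")
BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def handoff_ip(raw_message):
    """IP of the server that handed the message to our own mail server, or None."""
    for hop in message_from_string(raw_message).get_all("Received", []):  # newest first
        by = BY_HOST.search(hop)
        if not by or by.group(1).lower() not in TRUSTED_BY:
            return None  # every header from here down was written by the sender
        found = BRACKET_IP.search(hop)
        try:
            ip = ipaddress.ip_address(found.group(1)) if found else None
        except ValueError:
            ip = None  # malformed address such as 999.1.1.1
        if ip is not None and not any(ip in net for net in INTERNAL):
            return ip
    return None

def origin_notice(raw_message):
    """Text a mail client could show beside the sender's name."""
    ip = handoff_ip(raw_message)
    country = next((c for net, c in COUNTRY_BY_PREFIX.items()
                    if ip is not None and ip in net), None)
    if country is None:
        return "Origin unknown"
    if country == HOME:
        return f"Sent from a mail server in the {HOME}"
    return f"Sent from a mail server outside the {HOME}: {country} ({ip})"

# Constructed message: the lower Received line is sender-supplied and claims a UK relay.
SAMPLE = """\
Received: from mail.sender.example (unknown [198.51.100.23])
\tby mx.mail.example with ESMTP; Thu, 28 Jul 2016 09:00:00 +0100
Received: from london-office.example ([192.0.2.10])
\tby mail.sender.example; Thu, 28 Jul 2016 08:59:58 +0100
From: "Your Boss" <boss@company.example>
Subject: Urgent supplier payment

Please transfer the money today.
"""
```

Calling `origin_notice(SAMPLE)` reports Ruritania even though the lower header names a UK relay, because only the hop recorded by the trusted server is used.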

More importantly, these kinds of investigative steps are only carried out after an end user has developed some suspicion about the provenance of the email. What the end user actually needs is to be presented with information that will help to trigger this suspicion in the first place.

My many friends in the technical community may raise objections about this idea. I can already imagine a number of these (and my responses).

  • Objection 1: “End users won’t understand the information.” Then build a better user experience and make it more intuitive.
  • Objection 2: “If we do this, more overseas criminals will use technical means to try to disguise their location – pretending to be in the UK.” Yes, they probably will. But this would require the overseas criminal to obtain access to some type of service equipment located in the UK. This creates more policy and enforcement options here in the UK.
  • Objection 3: “The criminals will just find some other way to defraud victims in England and Wales.” Of course they will! We will never rid the world of fraud entirely. Let’s work to make it harder for them when we can.

In conclusion, many cross-border frauds are allowed to occur because it is very inexpensive for overseas criminals to target victims in the UK. Making this style of fraud more expensive for overseas criminals might make it economically unattractive for some of them, and would provide police, policy makers, and service providers with more enforcement options here in the UK.

On those occasions when it’s trivial to determine that an email originates from outside the country, let’s tell the end user.