Firms keeping quiet about e-crime

With the phishing threat sharply up, police estimate that high-tech crime is costing the UK billions of pounds every year

Three-quarters of companies that suffered a high-tech criminal attack in 2003 failed to contact the police, according to figures released on Tuesday, which show that e-crime probably cost UK businesses more than a billion pounds last year.

The research, conducted by the UK's National Hi-Tech Crime Unit (NHTCU), found that just 24 percent of companies targeted by cybercriminals decided to contact the authorities. The police are pushing hard for companies to contact them when they fall victim to a hacking attack, or receive an extortion demand from blackmailers threatening to bring down their IT network or Web site.

Despite this evidence that the majority of companies still aren't prepared to talk about their e-crime experiences, the NHTCU insists that the situation is improving. "When the NHTCU started [in 2001], we weren't getting any information from companies at all. Now, we're getting information from a significant proportion of the business community," detective chief superintendent Len Hynds, head of the NHTCU, told the e-Crime Congress 2004 in London.

Often, companies don't contact the police because they are afraid of losing business if their customers learn they were vulnerable to a cybercrime attack, while some firms are thought to be worried that the police might take away their IT kit as part of their investigation. But these preconceptions may be diminishing.

"Often, we're contacted by someone saying they work for a hypothetical company, and asking what the NHTCU would do if this firm reported a hypothetical instance of e-crime. When they learn how we work, they usually cooperate fully with us and work towards a prosecution," said Hynds.

The impact of e-crime
Over 200 companies were surveyed by the NHTCU for its 2003 Hi-Tech Crime Survey. Of this group, 83 percent said they suffered some kind of high-tech crime last year.

Twenty percent reported being hit by a denial-of-service attack, and 17 percent said they'd experienced financial fraud.

Just over three-quarters said they'd experienced a virus attack, although David Aucsmith, security architect and chief technology officer for Microsoft's security business unit, suggested this figure is too low. Aucsmith reckoned that the remaining companies must simply not have noticed being hit by a virus.

The estimated impact of the e-crime suffered by these 201 companies was over £195m. Three of the firms, all financial institutions, had each lost more than £20m.

The NHTCU isn't prepared to commit to a precise figure for the overall cost of high-tech crime to the nation, as small businesses weren't included in its survey, but it is confident that the bill runs into billions of pounds.

The NHTCU also reported a large jump in the number of spoof Web sites that attempt to defraud people by pretending to be part of a genuine financial institution.

Hynds told the conference that 50 phishing sites were reported in 2003, a very significant increase on the year before, when just seven were brought to the attention of the NHTCU.