by Bob Burls @ Naked Security From Sophos
Do you know how to report a computer crime? Or even who you would report it to?
So far, we have looked at a SQL injection attack, unauthorised email account access and malware in our series of articles on how to report a computer crime. In this article, we'll look at phishing.
We'll look at what offences are committed in different countries when a crime like this happens, how you should report the crime, and what evidence you can preserve.
Take this scenario:
- Alex receives an email purporting to originate from a bank he has an account with.
- The subject line reads “Important - your online banking has been suspended!!”
- Alex panics and opens the email. The message tells Alex that his online account has been disabled and he will have to reactivate it.
- Alex clicks on a link in the email and enters his details into the site he is directed to.
- To Alex, the email appears authentic and the website he is directed to seems to be his usual bank website. Alex believes it is genuine.
- The cybercriminal, who is the author of the email and operator of the phishing website, intends to sell the phished data on an underground forum.
- Both Alex and the bank are the victims in this instance.
What was the offence?
We can break it down like this:
- The cybercriminal sets up the imitation bank website and sends the fake banking email with the intention of deliberately misleading people and gaining access to their data.
- By creating the imitation site and email, he intends to:
  - make a gain, by selling the data, or cause another person to make a gain; OR
  - cause a loss to another, or expose another to the risk of a loss.
- Alex has had his identity stolen.
The legal bit
We've focused on the UK, USA, Canada and Australia. Each country has its own legislation, but a relevant statute usually exists in each to cover the same offences.
UK
In the UK, most computer crime falls under offences covered by one of three pieces of law:
- Computer Misuse Act 1990
- Communications Act 2003
- Fraud Act 2006
Other associated crimes could include Conspiracy or Money Laundering offences, but victims of computer crime are more often than not affected by at least one of the three acts listed above.
In this case, the cybercriminal commits fraud by false representation, contrary to Section 2 Fraud Act 2006, amongst other Fraud Act offences.
The relevant section in the Fraud Act states that in order to be false, the representation must be misleading and the person who makes it must be aware it is misleading.
This legislation applies to internet crimes through the representation being “submitted in any form to any system or device designed to receive, convey or respond to communications (with or without human intervention).”
USA
In the USA, most cybercrime offences are covered by Title 18, United States Code (USC) Section 1030 – Fraud and related activity in connection with computers.
This is what the cybercriminal contravened when he created the fake site and email with the intention of making a dishonest gain.
Canada
The Criminal Code of Canada contains sections that specifically cater for cybercrime, including:
- Unauthorised Use of Computer
- Possession of Device to Obtain Computer
- Mischief in Relation to Data
- Identity Theft and Identity Fraud
In this case, both Section 402.2 Canadian Criminal Code (CCC) - Identity Theft (obtaining specific personal information, such as date of birth, social insurance number, etc.) and Section 403 CCC - Identity Fraud apply.
Australia
Both state laws and commonwealth laws exist in Australia. In South Australia, the investigation of cybercrime by police is classified under three tiers and is spread across the organisation depending, mainly, on severity.
The primary legislation for computer offences is the Summary Offences Act, 1953 (SOA) and the Criminal Law Consolidation Act, 1935 (CLCA).
Reporting the crime
UK
In the UK, when a crime has taken place it should be reported to the police, so Alex should immediately report it at the local police station.
A crime allegation may be investigated by a police force or may be referred to the Police Central e-Crime Unit (PCeU), which provides the UK's investigative response to the most serious incidents of cybercrime. The PCeU requests that routine reports of computer crime offences are not made directly to it.
There is also an alternative reporting body for internet-enabled crime: Action Fraud.
Action Fraud records and passes on crime reports to the National Fraud Intelligence Bureau, who then decides whether the incident requires further investigation, as not all computer crimes are investigated.
USA
The Department of Justice website contains a Computer Crime and Intellectual Property Section with a contact page for reporting incidents to local, state or Federal Law Enforcement Agencies (LEA).
Two Federal LEAs have a remit to investigate some computer crimes:
- The Federal Bureau of Investigation (FBI)
- The United States Secret Service (USSS)
In this case the crime should be reported at the FBI Local Office, or US Secret Service or Internet Crime Complaint Centre.
Canada
The Royal Canadian Mounted Police (RCMP) is the main agency for the investigation of federal statutes, but it also has policing responsibility for a number of the Canadian provinces and all three territories, as well as providing some local police services in towns and cities.
Alex should report the phishing to his local police service. If appropriate, it will be escalated for the attention of the agency with federal responsibility, the RCMP.
Australia
Alex should report the crime to the Australian State or Territory Police.
Investigation policy differs from state to state, but the Australian Federal Police website offers guidance on whether a crime should be reported to the State or Territory Police.
Preserving the evidence
Alex should preserve the original email as evidence. He should also inform his email service provider that he has reported the incident to the authorities.
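One way to preserve the email in a form that is useful to investigators, as an added example that is not part of the original article: save the raw message bytes unmodified, record a SHA-256 fingerprint of those bytes before anything else touches the file, and pull out the routing headers and the link targets for the report without visiting any of the links. The sample message, addresses and host names below are constructed for the example (example.com and example.net are reserved documentation domains); the `preserve_email` function and the `EVIDENCE_HEADERS` list are the example's own, not from any investigative body.

```python
import email
import hashlib
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample standing in for the phishing email Alex received.
# Folded "Received" header lines start with a tab, as real mail servers write them.
SAMPLE_EML = b"""Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx.example.com with ESMTP id 12345
\tfor <alex@example.com>; Mon, 1 Jan 2024 09:00:00 +0000
From: "Example Bank" <security@examplebank-alerts.example.net>
Reply-To: verify@examplebank-alerts.example.net
To: alex@example.com
Subject: Important - your online banking has been suspended!!
Content-Type: text/html; charset=utf-8

<html><body>Your account has been disabled.
<a href="http://examplebank-alerts.example.net/reactivate">Reactivate now</a>
</body></html>
"""

# Headers an investigator will want verbatim: the Received chain shows which servers
# relayed the message, Reply-To and From show where replies and trust are directed.
EVIDENCE_HEADERS = ("Received", "From", "Reply-To", "To", "Subject", "Date", "Message-ID")


def fingerprint(raw: bytes) -> str:
    """SHA-256 of the unmodified message bytes, recorded so later copies can be checked."""
    return hashlib.sha256(raw).hexdigest()


def extract_headers(raw: bytes) -> dict:
    """Return every occurrence of each evidence header, unfolded, as plain strings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {h: [str(v) for v in msg.get_all(h)] for h in EVIDENCE_HEADERS if msg.get_all(h)}


def extract_links(raw: bytes) -> list:
    """Collect href targets from the HTML (or plain) body. Nothing is fetched."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    return re.findall(r'href="([^"]+)"', text)


def preserve_email(raw: bytes) -> dict:
    """Bundle the fingerprint, headers, link targets and link hosts for a crime report."""
    links = extract_links(raw)
    return {
        "sha256": fingerprint(raw),
        "headers": extract_headers(raw),
        "links": links,
        "link_hosts": [urlparse(u).hostname for u in links],
    }


if __name__ == "__main__":
    # Save the untouched bytes alongside their hash; these two files are the evidence.
    with open("phish.eml", "wb") as f:
        f.write(SAMPLE_EML)
    with open("phish.eml.sha256", "w") as f:
        f.write(fingerprint(SAMPLE_EML) + "  phish.eml\n")
    for key, value in preserve_email(SAMPLE_EML).items():
        print(key, value)
```

The point of hashing first is that the original file, not a forwarded or re-saved copy, is what the police or Action Fraud can rely on; forwarding an email rewrites its headers. The link extraction only parses the text of the message, so the phishing site is never contacted from the victim's machine.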
Remediation
Alex should inform his bank of the phishing as soon as possible. It may prevent any fraudulent transfers and provide useful evidence to the bank of so-called 'money mule' accounts, which relay money while obscuring the true identity of the cybercriminal.
Alex should change his bank password immediately, and any other account he owns which uses the same password. He should make sure that this time each account has a different (and hard-to-crack) password.
In future, Alex should be cautious of any unexpected emails which ask him to log in to an account, even if they look like they are genuine.
He should also always keep his anti-virus signatures up to date, and make sure his operating system and applications remain patched.
Conclusion
In general, it's important that all computer crime is reported. Even if no investigation follows, crime report intelligence can be built up and an accurate picture of the levels of computer crime can be produced.
If victims of a particular crime do not come forward to report incidents, then the number stated in crime reporting statistics will not be a true reflection of the number of crimes taking place.
The scenario above is given as an example to help you in understanding when and what offences have taken place. Please be reminded that no two situations are the same and we have not catered for the “what if” situation.
We have also not included any corporation’s AUP (Acceptable Use Policy) that may be in place and may have been breached.
All of the scenarios are made up and the characters depicted bear no resemblance to any person.
Acknowledgements
Daedalus Teks gratefully acknowledges the assistance of Naked Security and the following organisations in preparation of this series of articles:
- UK Police Central e-Crime Unit
- Action Fraud
- United States Federal Bureau of Investigation
- United States Secret Service
- Royal Canadian Mounted Police
- South Australia Police