Chapter 3 - Crime Areas

3.6 Crimes relating to social engineering - Law enforcement considerations

In 2013 around 3% of internet users in the UK experienced financial losses from phishing attacks in the previous 12 months [104]. While this figure is likely to underestimate the scale of the losses, given that it is challenging for victims to accurately attribute the source of their financial loss to a phishing attack, it is still significantly higher than the number reported to law enforcement.

The detection rates for this type of crime are low and sentences have historically been modest relative to the criminal gain. Since fraudsters engage in a rational calculation, making an assessment of the benefits and costs, lenient sentences do little to diminish their inclination to offend [105].

Phishing incidents, particularly those occurring across multiple jurisdictions, require many investigative resources and often lead to with an uncertain result as the attackers adopt multiple levels of obfuscation, such as registering phishing domain names via privacy or proxy services [106].

Some joint law enforcement and private sector efforts have successfully targeted and disrupted phishing websites. The uptime of phishing websites declined in the second half of 2013, with the majority of the websites being active on average for less than eight hours [107].