Well, it it’s National Fraud Awareness Week and I cannot help but notice that fraud is doing really rather well. In fact it’s booming in the UK. While awareness and education efforts are helping reduce the rate of increase in some categories of fraud (eg, romance and impersonation scams), overall financial losses are still climbing. What’s worse, the Credit Industry Fraud Avoidance System (CIFAS) is now highlighting a very worrying trend of fraud becoming normalized, with around 12% of people in the UK admitting to fraudulent conduct in the last year. We need action. Perhaps it is time to stop telling people to choose longer password and time to start shifting the economics.
Fraud Is Out Of Control
The scale of the problem is staggering. Fraudsters stole more than £629 million from UK consumers in the first six months of 2025, a 3% increase on last year, according to new figures from UK Finance. Their half-year fraud report reveals more than two million confirmed fraud cases were recorded between January and June 2025, an increase of 17% compared to the same period in 2024. The report also notes that most scams now start outside the banking system, with two-thirds of authorized push payment (APP) fraud beginning online, often through social-media platforms, fake adverts or digital marketplaces and half of the remainder coming from telecommunications networks.
In the US, Chase reckon that half of the scams reported to them originate on social media and, as consequence, Chase will not allow customers to send Zelle payments identified as originating from contact through social media. Similarly, the UK banks estimate that more than half the frauds that they see come from the same source. Meta, in particular, has a huge problem. The company estimated that a tenth of its revenue lasty year would come from advertisements for scams and banned goods and it further estimates that its platforms show users 15 billion scam advertisement every day.
Investment scam losses increased by more than half to nearly £100mn in the period with an average loss of more than £15,000 per victim. The sophisticated tactics that criminals use are increasingly powered by AI, such as deepfake videos featuring trusted financial figures appearing to punt cryptocurrency investment opportunities or share tipping services. Now, as you might expect, a lot of the money stolen in the scames comes from older members of the public. I could use any one of a million stories to illustrate just how serious this problem is, but I’ll just use this one to make the point: In Australia, an 85 year old woman fed, note by note, $364,000 into a Bitcoin ATM inside her local tobacconist, from where her savings vanished into the cryptoscamosphere never to be seen again.
UK Finance quite rightly points out that the financial sector cannot tackle the escalating fraud crisis alone. It is urging the government’s upcoming fraud strategy to make prevention a national priority and to hold social-media and telecoms companies accountable for scams originating on their platforms. They are right, and the banks are right to upset about the lack of action. The Prime Minister, Sir Keir Starmer pledged before the last general election to make Big Tech accept their share of the costs of fraud, removing some of the burden from banks which must reimburse victims of payments scams up to £85,000. But that hasn’t happened, and the banks are left holding the baby despite previous initiatives that were supposed to help. Revolut, which is the currently the most complained about financial services provider so far as push payment fraud is concerned, has already complained about last year’s data-sharing agreement between Meta and financial institutions to help protect customers from becoming victims of fraud, saying that Meta’s initiative “falls woefully short of what’s required to tackle fraud globally”.
Something has to be done. But what?
The telcos have at least started to move. The UK’s new “Telecoms Charter”, which brings together government and top mobile networks to crack down on scam calls, commits the telcos to upgrade their networks within the next year to eliminate the ability for foreign call centres to spoof UK numbers, making it clear that calls are originating from abroad. This will have an immediate impact on scams because 96% of mobile users decide whether to answer a call based on the number displayed on their screen, with three-quarters unlikely to pick up if it’s from an unknown international number. The networks will also bring in advanced call tracing technology to give police the ability to track down scammers.
Allies In Fighting Fraud
The telcos are stepping up to the plate, but what about the social media companies? They need to do something about identity too: but, again, what? How can they help us to fight the fraudsters?
The way forward here is not for social media companies to starting doing know-your-customer (KYC) checks but to work with people who do. After all, working out whether I am a person or not is a problem. It is much easier just to ask someone else who already knows whether I am a bot or not. A rather obvious place to start in the developed world is with my bank. So, when I go to sign up to a social media site, instead of trying to work out whether I am real or not, the site can bounce me to my bank (where I can be strongly authenticated using existing infrastructure) and then the bank can send back a token that says “yes this person is real and one of my customers”. In other words, am unforgeable proof of personhood.
The bank should not say which customer, because that is none of the social media site’s business and anyway when the social media site gets hacked it won’t have any customer names or addresses: only cryptographic proofs that contain no personal information.
There is another step that does contain personal infomation though, and that might be taken in other circumstances because knowing that “Dave Birch” is a real person and the verification that this particular account belongs to the Dave Birch who writes columns of Forbes and plays Dungeons & Dragons are different things. Hence the need for a three state solution. Once I am “known” to social media, then I can go on to be “verified” if I want to be. Again, not by social media but by organisations who can attest to relevant facts (eg, I am over 21, I have a bank account, I stayed at the Hilton or whatever).
In this straightforward scheme (which I have suggested before) “unknown” users show up in red, “known” users show up in yellow and “verified” users show up in green. Most normal people, I imagine, will leave their social media accounts in the default yellow setting of “known only”. Some people might want to go tighter with a green “verified only” setting. But now, crucially, consumers will likely ignore red users trying to sell them cars or concert tickets and opt for yellow or green users.
(A yellow setting doesn’t let the criminals get away with stuff. But it does protect the identity of legitimate users. If a yellow user commits a fraud, the police can obtain a warrant to ask whoever attested to their identity to provide it.)
We may not be able to force the social media companies to pay their share for the fraud that they facilitate but a few simple rules around KYC can help to tilt the scales back on our favour.