High-tech fraud: Faceless threat

Trying to find reliable statistics about the extent of high-tech insurance fraud is a pretty forlorn task, especially as it is only detected fraud that can ever be quantified – and this is likely to be the tip of the iceberg. Furthermore, definitions of ‘high tech’ vary widely. So, not surprisingly, statisticians find it easier to lump the figures together with those for fraud in general.

Estimates from experts. therefore, provide our most reliable guide. And for motor, there can be few better qualified to express a view than Steve Gaywood, counter fraud director at the AA. He estimates that last year less than 1000 vehicle claims resulted from theft via high-tech techniques.

This is relatively small fry in comparison to the 130,000 fraudulent claims that the Association of British Insurers reports for UK insurance as a whole in 2014. But it seems reasonable to assume that the figure is rising as available technology becomes ever more sophisticated.

It also seems clear that hacking into insurers’ telematics dongles in cars, which is one area that has been attracting huge publicity, has so far accounted for few, if any, of these claims.

There has been talk of cars potentially being used as weapons by terrorists, and such attacks can in theory be carried out. For example, this August researchers from the University of California, San Diego disabled the brakes of a Chevrolet Corvette by hacking a telematics box.

However, car manufacturers and insurers insist this is not yet happening in practice. It was reported last week that car hackers stole at least 30 expensive cars in 10 days in Hampstead, London. Jaguar Land Rover, which recently recalled 65,000 cars to fix a software bug that could unlatch the vehicles’ doors, points out this is not related to the organised theft of premium vehicles. And BMW Group UK reports that it does not have an issue with car hacking.

Kenny Leitch, global telematics director at RSA, says: “We have regular dialogue with our technology partners around safety and security, particularly when news stories about vehicle hacking instances or techniques appear in the press. But we are aware of no instances of hacking relating to any of our customers.”

A cynic might suggest that such organisations have a vested interest in not detecting any instances. But their feedback is corroborated by a wide range of independent sources. These include the Thatcham research centre, the Insurance Fraud Enforcement Department, the Insurance Fraud Bureau and the AA.

Phil Oultram, claims unit technical manager at law firm Hill Dickinson, says: “There is a lot of scaremongering and we shouldn’t panic too much about the possibilities of hacking. A lot of the hacking is actually encouraged by the software developers to test their defences, but it gets reported out of context by journalists and bloggers looking for a good story, so people think it was a terrorist or criminal.”

Nevertheless, no one denies that the types of fears being expressed could become a reality in the future, which raises the thorny question of who would be liable if a hacked vehicle was made to have an accident, causing injuries or death.

Malcolm Tarling, spokesman for the Association of British Insurers, says: “We don’t know and we are not aware of any case law, but we are looking into it and discussing the issues in conjunction with Thatcham. Some of the issues are being raised by the driverless car pilots being carried out by the Department for Transport, so we need to wait for the results of these.”

There does, however, seem to be a consensus among experts that, in the case of a pay-as-you-drive insurance dongle being hacked, liability would lie with the insurer.

Nick Gibbons, partner at law firm BLM, says: “All the motor policies I’ve looked at don’t exclude hacking, so the insurer would be responsible, especially as it’s the insurer’s dongle that is fitted in the car for telematics purposes. The dongle is then effectively connected to a mobile telephone network, which gives hackers access to the car.

“Several reports from various sources show you can’t get far with hacking a car unless it’s driving at under five miles per hour, but it could become a problem in the future as technology gets more advanced. When it happens, insurers will have to deal with it head on and either specifically cover or exclude hacking.”

Stuart Markham, sales and operations manager for motor at Claims Consortium Group, feels that the advent of the driverless car, which could be available on the UK open market by 2020, means that the traditional motor market is looking at a fundamental shift in deciding how it operates and who is liable.

“The traditional model is coming to an end because, if we have driverless cars, all the evidence suggests accident rates will fall through the floor, so the whole way of pricing risk would change. Instead of the risk being the driver, it will be a product liability issue. So drivers could be suing vehicle manufacturers rather than each other. I think insurers should be planning for this right now. But when I ask around some of my clients, I am greeted with blank faces,” he says.

Compromising security systems
One form of high-tech fraud that motor insurers are definitely already experiencing, particularly for higher prestige vehicles, is cars being stolen via the use of tools readily available on the internet that can be plugged into the diagnostic port to clone the key and compromise the security system.

According to Scotland Yard, an increasing number of electronically controlled vehicles are being taken by organised criminals exploiting their weaknesses. The technique was used in 42% of all thefts of cars and vans last year in London. This amounted to more than 6000 vehicles – or 17 a day on average.

Howard Barron, senior group rating manager at Thatcham, notes: “This practice is very hard to stop as European legislation says that diagnostic ports have to be available to third parties. So we must track the people buying the tools to check they are only being used for legitimate purposes. We, therefore, need to get sellers to record details of the people buying them. A lot of car alarm systems won’t go off when people access these ports, so we are working on trying to make it standard that an alarm sounds if someone breaks a window to get at the port.”

Adrian Davenport, police relationships manager at Tracker, adds: “Personally I’m not sure what we can do other than make manufacturers aware there’s a problem. Some are in denial, which is understandable as they are selling products they want to continue selling.”

High-tech defences
Motor insurers are themselves also increasingly investing in high-tech methods to tackle a range of frauds. For example, they are using data analysis to look at claims patterns, geo-mapping to detect the locations of vehicles and phones, examining cameras near car parks and supermarkets to pick up vehicle registrations, and encouraging policyholders to record evidence of accidents on dashboard cameras.

They have also found ways to surf the internet to see if people are bragging about crimes in forums. For example, LV came across an online discussion in which someone was encouraging a friend who wasn’t injured to make a claim anyway. It also caught whiplash claimants who had stated on their Facebook profiles they were participating in sporting events, even providing photographic proof.

Insurers not prepared to finance the necessary in-house resources can still use a range of external specialists to tell whether documents or photographs have been tampered with or if names and addresses are invalid.

A company called Friss has developed software which it says can help insurers detect fraud. It can find patterns in the application process of people reapplying after being turned down. It also helps verify identities using external data. As pictures are increasingly used for claims purposes, those digital images are screened. The aim is to spot whether claimants have edited the images, to make damages look more serious, for instance, or have changed the metadata, which can give the location, time, date and type of camera.

Christian van Leeuwen, chief technology officer at Friss, explains: “It’s also very easy to buy images of damaged vehicles online. So some people send images both of their own car with its number plate and of another similar vehicle that has been badly smashed up. But we can pick this up. Our current estimate is that about one in every 500 claims involves a manipulated photo.”

Van Leeuwen believes that high-tech fraud is currently a more serious problem for motor insurance than for household insurance. But he feels that household insurance could catch up. As a taster of what may be to come, he highlights that burglars in some European countries are already using drones to fly near windows to see if there is anything worth stealing.

Photo fraud
Household insurers and loss adjusters are also investing heavily in the latest technology to detect photo fraud. Cunningham Lindsey, for example, refers to a case of how metadata analysis revealed that photos of a workman’s tools that had supposedly been stolen from his van had in fact been taken at another location after the event. They passed on details of the location to the police, who recovered the tools with a search warrant.

John Freeman, counter fraud director at Questgates, says: “We tell our clients not to accept online photos in isolation as proof, and some listen, but others don’t. The biggest problem is staged photography, with people borrowing items like watches and sending photos of them wearing them to their insurer at outset, before claiming they have been stolen.”

Another important development in the fight against fraud has been a greater willingness on the part of insurers to prosecute guilty parties. Chris Aplin, head of fraud at Cunningham Lindsey, estimates that 90% of insurers would nowadays prosecute an open and shut case, compared to nearer 30% just 10 years ago.

The founding of IFED by the ABI and Lloyd’s in 2012 has been an important development in this respect. It has received 1275 referrals from insurers as a whole since outset and, although many cases are still going on, these have already produced 513 “positive results” – of which 167 were convictions and the rest cautions or conditional cautions.

Barron holds the rare view that high-level prosecutions may not help prevent hacking that much, as hackers tend to think they won’t get caught. But most commentators beg to differ.

Euros Jones, head of business crime at law firm Weightmans, says: “High-profile prosecutions are a massive deterrent, but there is obviously no empirical data. There is a resourcing issue with the Crown Prosecution Service in prosecuting fraud generally, but it could also be worth insurers bringing private prosecutions. I’m not aware of many insurers having done this, but private prosecutions have clearly worked in the commercial field and they could be a good deterrent if insurers pick their cases properly.”

Freeman feels that placing the details of guilty parties on the Insurance Fraud Register is likely to have even more impact than prosecutions on cutting down on future crime.

He remarks: “Like in the credit industry, where County Court judgments make it hard to get credit, once Joe Public realises that being on the Insurance Fraud Register means that it will be hard to get insurance in the future, it will be a big deterrent. So we need to get all insurers participating in the register, but we must make sure that the data is accurate.”

The continued development of the Insurance Fraud Register, increased levels of prosecution and even more extensive investment by insurers in counter-fraud technology all appear set to play a valuable part in combating high-tech fraud going forwards. Nevertheless, what is equally certain is that the fraudsters themselves will not be standing still.

Gaywood predicts: “As technology advances, so does investment from UK insurers, who spend about £200m a year on fraud prevention and detection to keep premiums as affordable as possible. But fraudsters will always come up with new methods and there will always be a game of cat and mouse.”