Information and communications technology fraud and abuse is a serious problem. Additional risks such as those associated with hacking and threats from computer viruses require organisations to pay the utmost vigilance to the security of their computer systems. And with the continuing advent of new technologies, new risks are born. This article will concentrate on fraud in information and communications technology, and how this is specifically dealt with under the Fraud Act 2006.
Application of the Fraud Act 2006
The Fraud Act 2006, which took effect in January 2007, deals with some of the deficiencies, at least as far as information and communications technology fraud is concerned, of the Theft Act 1968 and the Theft Act 1978. Under s1 of the Fraud Act 2006 a person is guilty of fraud if they act contrary to ss2, 3 and 4 of the Act. These sections cover, respectively, fraud by false representation, fraud by failing to disclose information, and fraud by abuse of position. These sections will now be considered from the point of view of information and communications technology.
Fraud by false representation
Under s2 of the Fraud Act 2006 a person commits fraud if they dishonestly make a false representation with the intention of making a gain for themselves or another, to cause a loss to another, or to put another at risk of a loss. A representation is false if it is untrue or misleading and the person making the representation knows that this is or might be the case. Representations can be made to devices designed to deal with communications, so both emails and text messages are covered. Representations can also be made online, through, for example, internet banking services. Under s5 of the Act a gain or loss may only concern money or other property, but may be temporary or permanent. Consequently, intellectual property is included. Fraud under this section will also apply to ‘phishing’, that is, masquerading as a trustworthy entity in order to acquire confidential information such as user account numbers and passwords, and ‘pharming’, that is, redirecting traffic from one website to another, bogus website, again, usually for the purpose of obtaining confidential identity data.
Fraud by failing to disclose information
Under s3 of the Fraud Act 2006 a person commits fraud if they dishonestly fail to disclose to another person information which they have a legal duty to disclose and if they intend, by failing to make the disclosure, to make a gain for themselves or another or to cause a loss to another, or to put another at risk of loss. This offence could apply to, for example, the electronic submission of tax returns or applying for or renewing a television licence online. Transactions between businesses and between consumers and businesses will also fall within the provisions of this section.
Fraud by abuse of position
Under s4 of the Fraud Act 2006 a person commits fraud if they occupy a position in which they are expected to safeguard, or not act against, the financial interests of another person, they dishonestly abuse that position, and by doing so they intend to make a gain for themselves or another or to cause a loss to another, or to put another at risk of loss. Abuse of a position applies to both acts and omissions. This section could apply, for example, where an employee emails confidential information about their employer to a competitor, either for personal gain or to cause their employer to incur damage.
Articles for use in fraud
The Fraud Act 2006 also creates two offences regarding articles for use in fraud. Under s6 it is an offence to possess an article for use in or in connection with any fraud. Under s7 it is an offence to make or supply an article for use in or in connection with any fraud. ‘Article’ is defined in s8 and expressly includes any program or data held in electronic form. This could include computer programs used to generate credit card numbers or to produce blank utility bills (see the memorandum to the Fraud Bill). It could also include software used to make illicit copies of CDs or DVDs, even if the same software has other legitimate uses, for example, under s296ZA(2) of the Copyright, Designs and Patents Act 1988. The offence under s6 is not entirely clear. Although it seems to be an offence of strict liability, in that it is not necessary for the accused to intend to use the article for fraud, or even know that it may be so used, it is likely that the prosecution would have to show that the accused did, in fact, have this intention or knowledge. The offence under s7 could apply to a programmer who creates a bogus website with the intention of collecting confidential identity details such as passwords and account numbers. To establish the offence it is sufficient for the prosecution to show that the accused knew that an article designed or adapted for use or in connection with a fraud could be so used. Whether the article is actually used to commit fraud is irrelevant. Again, there is uncertainty over whether a person who designs or adapts an article which can be used for, or in connection with, fraud, but who intends for it to be used for another purpose altogether, is guilty of the s7 offence. It seems that if the person knows that the article can be so used, then the s7 offence is made out.