Threat Intelligence Investigation for Cifas: National Fraud Database

Cifas is a not-for-profit fraud prevention membership organisation. Cifas collated the details of victims of impersonation recorded by member organisations to its National Fraud Database. 

In 2017, almost 175,000 cases of identity fraud were recorded to Cifas – a 125% increase compared with 10 years ago – and 84% of identity fraud cases occurred online. With this volume of cases being identified, and the effect that these cases have on both the victims of impersonation and the cost to the organisations that suffer the fraud, the value of prevention grows ever clearer.

There have been a number of campaigns put in place to educate the public on the risks of identity fraud, and steps that they can take to safeguard their identity details – notably the ‘Cyber Streetwise’, ‘Take Five’ and ‘Not With My Name’ campaigns. Yet identity fraud continued to rise to record levels. The question to ask was, where are criminals getting their data from in the first place? Although personal details may be sold on the dark web, how does it relate to behaviour and activity on the surface web? What role does phishing have to play, and how has it evolved?

Cifas appointed us to undertake research and produce a report to give insight to whether data compromise was due to online behaviour on the surface web, or whether it was an amalgamation of what criminals have collated and sold via the dark web. This research also provided insight as to what personal information is available on the Internet, and we explore some of the methods used to obtain it.

The data sent to us included key information about victims, including their address at the time of the fraud, contact details and any banking information. We then carried out a bulk search using an API. We used their own dark web ‘crawler’ to query the dark web search index. 


  • Personal information is sold both on the dark web and the surface web. 
  • If privacy settings are set to public then a wealth of personal information can be obtained. 
  • Nearly a third of victims are found to have visible ‘digital footprint.’ 
  • The age of the victim is an indicator of the products subsequently applied for in 
  • their name. 
  • Older people more likely to compromised by data breaches. 
  • Company directors are at particular risk. 
  • Two-thirds of victims compromised through a data breach or social media. 
  • Phishing remains a key method to obtain personal data. 

Download our latest pdf ‘Wolves of the internet’

Download PDF