Who’s policing the platform? Platform liability and the rising tide of online fraud

Online fraud is now the UK’s most common crime. And while victims once bore the brunt alone, attention is turning sharply toward the platforms and telecoms networks that enable it.

In the wake of legislative reforms and mounting losses, regulators are beginning to hold tech platforms, search engines, and telecoms providers to account.

But as generative AI accelerates the scale and sophistication of digital scams, are the UK’s enforcement tools keeping pace?

Scale of the problem

According to UK Finance, fraud accounted for over £1.17 billion in losses in 2024, much of it originating from online sources. Over 70% of fraud starts on social media, telecoms, or search platforms, where users are tricked into clicking malicious links, sharing personal data, or making direct payments.

A study by Which? and the FCA revealed that the vast majority of online investment scams begin via Google ads, Facebook posts, or Instagram messages. Despite the use of fake celebrity endorsements, cloned websites, and spoofed numbers, enforcement has historically focused on the end fraudster, not the platforms enabling their access to victims.

APP fraud and the liability shift

The Authorised Push Payment (“APP”) fraud reimbursement scheme, launched in October 2024 by the Payment Systems Regulator, requires banks to refund customers duped into making payments to fraudsters. While this imposes liability on payment service providers (“PSPs”), it does not extend to the platforms or telecoms providers through which the scams originated.

The result? Banks foot the bill, while platforms profit from fraudulent ad traffic, a dynamic that has drawn growing scrutiny from both Parliament and regulators.

The Online Safety Act 2023: A Regulatory Turning Point

The most significant development in platform liability is the Online Safety Act 2023, which places duties on platform providers to mitigate fraud and other online harms. Overseen by Ofcom, the Act imposes new obligations on user-to-user services and search engines, including:

• Conducting fraud risk assessments;
• Implementing “proportionate measures” to prevent scam content;
• Taking down illegal material swiftly upon notice;
• Publishing annual transparency reports.

Crucially, regulated platforms now face enforcement action and substantial fines if they fail to mitigate risks, particularly for failing to remove or control user-generated scam content. However, critics note that the Act does not currently impose civil liability for losses suffered by individual victims.

Ofcom’s Enforcement Powers

Ofcom’s remit under the Act includes:

• Issuing Codes of Practice;
• Investigating platform compliance;
• Imposing fines of up to 10% of global annual turnover for serious breaches.

Draft codes published in 2024 require platforms to apply:

• Fraud detection algorithms;
• KYC-style checks for high-risk advertisers;
• Stronger controls on “paid-for ads” and influencer content.

But enforcement remains slow. Full implementation is expected to extend up into 2026.

The Telecoms Dimension

Telecoms networks are also under pressure. SMS spoofing and number porting fraud, where a victim’s number is hijacked and used to intercept two-factor authentication codes, remain rife.

In 2025, Ofcom moved to close the ‘Global Title’ loophole, which had allowed international scammers to impersonate UK-based caller IDs by leasing Global Title phone numbers. These are special phone numbers used in the background of mobile networks to route signalling messages, scammers lease the numbers and use them to intercept authentication codes.

Yet many in the counter-fraud sector argue this is not enough. Innovate Finance, among others, has called for telecoms firms and platforms to share joint financial liability for fraud.

Recent Developments

Baroness Taylor in the House of Lords Communications Committee criticised the “fragmented” approach to fraud enforcement and called for mandatory liability for platforms profiting from scam adverts.

The FCA and National Cyber Security Centre (NCSC) launched a joint taskforce targeting AI-generated investment scams from ‘Finfluencers’ social media.

The UK Government confirmed that Ofcom will gain powers to ban or restrict certain advertising categories if proven to be high-risk for fraud.

What this means for you

For regulated firms, asset managers, law firms and fintechs, online fraud is no longer just a consumer issue. Fraudsters are:

• Cloning staff profiles and domains;
• Using deepfakes to impersonate CEOs or investors;
• Spoofing internal email chains and voice calls;
• Reputational damage, financial loss, and customer trust are all at stake.

To counter this, businesses must:

• Audit marketing and communications channels to assess exposure;
• Ensure strong incident response protocols for impersonation or fraud events;
• Engage with platforms early and in writing when harmful content appears;
• Monitor Ofcom guidance and review service provider compliance;
• Consider regulatory submissions. Ofcom’s transparency framework accepts stakeholder evidence of harms.

Our takeaways

The days of platforms being passive conduits are numbered. As liability shifts and regulatory pressure mounts, social networks and telecoms providers will face increasing scrutiny, and possibly financial accountability, for enabling fraud.

Businesses should not only review their internal controls, but also their contracts, advertising strategies, and response frameworks.

The fraud landscape has changed and so must the defence.

Drop the authors a line if you would like to start work on improving your fraud resilience today.