Four ways to enhance a fraud risk management programme in a changing landscape

Helen Langton, CEO of Asia Pacific and the Middle East at the International Compliance Association (ICA), takes us through some ways to strengthen a fraud management plan in the post-COVID world.

Crises rarely announce themselves in advance, and the COVID-19 pandemic is no exception. It proved to be the great disruptor of 2020, affecting the public and private lives of millions worldwide, and is proving equally challenging in 2021 as the world looks to bounce back.

Needless to say, criminals seized the opportunities presented by the pandemic, finding new attack vectors and ways to exploit new technologies and services to carry out their illicit activities. An average of 164 cyber crimes are reported every day in Australia, according to the Australian Cyber Security Centre (ACSC) – the equivalent of one every ten minutes. Numerous reports link a spike in cybercrime to the pandemic and its associated technologies, much of it relating to the increased number of people working remotely.

For counter-fraud professionals, such threats are nothing new. The spread of COVID-19 has merely elevated the visibility of fraud for the general public, as well as exposing to organisations the serious consequences of underestimating the threat of online fraud.

How we respond to fraud carried out now will reverberate as the world gradually returns to business as usual. Moreover, with as many as 78 percent of Australians likely to request a hybrid working model in their next contract, according to the FY 2020/21 Salary Report for ANZ conducted by recruiting experts Hays, the increased threats surrounding Work From Home (WFH) will continue.

The following are among the key questions that will need to be answered if we are to be prepared for the new normal.

  1. How do I keep up with changing fraud typologies?

Criminals have responded with characteristic ruthlessness and speed to exploit COVID-19. One case in the US saw the theft of hundreds of log-in details via CEO Fraud (pretending to be the CEO of a firm); other instances have involved fraudsters posing as government agencies through SMS messages with a phishing link. In response, none other than the US Secret Service has been forced to contact US firms, warning that email fraud has grown and will continue to grow during the pandemic.[2]

The risk surrounding new products and services, always susceptible to fraud, must also be borne in mind during these unprecedented times. Connected cards – a card given by someone self-isolating to a trusted friend or relative – have been set up by the UK’s Starling Bank, for example.[3] The risk of fraud has been mitigated by limiting purchases to in-store only, setting a $200 spend limit and requiring the use of a PIN. These practical steps may not prevent fraud entirely, but they significantly narrow the window of opportunity for criminals.

Knowledge of new products and services, including their potential flaws and loopholes, is a vital defensive tool in any anti-fraud department.

  2. Criminals are flexible – How do I adapt and respond?

Criminals are without qualms when it comes to exploiting others for their own gain. For their illegal schemes to work, criminals ensure that they are flexible and act quickly as situations unfold. Counter fraud professionals can, paradoxically, learn something from a criminal’s spontaneity. Though their methods change, their embrace of innovation tells us much about how criminals work; recognising this helps anticipate and nullify new threats.

Equally, unsuccessful criminal activity is often hugely informative in exposing the methods and techniques that criminals adopt. Learning how criminals behave, and how they think, is crucial for counter fraud professionals. Only by studying the behaviour of criminals can their ways of operating be understood and, ultimately, identified and prevented.

  3. How do I get staff to engage with counter-fraud controls?

Embedding a zero-tolerance approach to fraud is perhaps a counter fraud professional’s number one priority within a firm. However, an anti-fraud culture is more than just signing up to certain well-meaning mantras – it must be a thorough, practical and easy to comprehend framework instilled across all levels of a firm.

To achieve this end, an anti-fraud culture should be part of the wider culture of the firm. Positioning fraud beneath this wider umbrella underlines the danger it poses to everyone within a firm. After a data breach last year, Capital One’s stock dropped 5%, and the bank explained it expected recovery costs to be more than $100 million.[4] Clearly this fraud affected the whole business, and by disseminating such examples to staff, the threat of fraud becomes far more vivid; the damage fraud can do to a firm’s profit margins is an excellent way of passing on your message.

With many now working from home, less obvious cases may need a little more reinforcement. Take using a company laptop for personal use, or vice versa, which is fraught with risk. IT controls standard in an office environment need to be implemented domestically, including ensuring ID&V during onboarding is performed as robustly as it would have been in the firm’s office. Awareness of the challenges around onboarding must be circulated whilst staff adjust to off-site work.

Employees should be reminded that fraudsters will try to exploit any slackening of security brought on by a lowering of IT standards.

  4. How do I get senior management to recognise the threat posed by fraud?

The COVID-19 pandemic has demonstrated how those most vulnerable amongst us can quickly find themselves dangerously exposed when society is convulsed by unexpected events. For senior management, the reputational risk of leaving vulnerable customers exposed is a potent one, and something about which a well-informed and savvy general public are increasingly intolerant.

If counter fraud professionals can highlight this risk – and tie it to concrete numbers that show the amount that would have been lost had anti-fraud measures not been taken – then senior management are far more likely to recognise fraud as just as damaging a threat as money laundering and sanctions exposure (remember that real-life case studies are of inestimable value in demonstrating this danger). Making fraud part of the bigger risk agenda solidifies its importance.

A holistic approach is key here: fraud must be brought under the financial crime compliance canopy, instead of just credit risk. The Notifiable data breaches report conducted by the OAIC[1] relates that 15 percent of all reported breaches in the second part of 2020 came from the finance sector – the second highest of all industries. Detail such as this can help drive home the message to senior management, and secure support for counter fraud professionals.

Final thoughts

Fundamental to overcoming the issues that confront counter fraud professionals is learning and education; without it, none of the questions above can begin to be addressed. This can range from something as simple as setting up email alerts or taking part in LinkedIn discussions with other professionals (from whom much insight can always be obtained) to the more thorough-going experience of virtual classrooms and hot topic events – such as those offered by ICA – or absorbing the latest reports and publications.

Senior management need to be informed of the substantial threat fraud poses, and the surest way of engaging them is for counter fraud professionals to arm themselves with the facts on fraud, as well as the answers on how to mitigate the threat. Such learning must be continual; criminals are unceasing and persistent in their efforts, and counter fraud professionals must be unceasing and persistent in turn, making us better equipped to navigate an ever-changing landscape.

International Compliance Association (ICA) is the leading professional body for the global regulatory and financial crime compliance community.

[1] Europol, ‘How Criminals Profit From The COVID-19 Pandemic’, 27 March 2020: https://www.europol.europa.eu/newsroom/news/how-criminals-profit-covid-19-pandemic – accessed April 2020

[2] Scott Zamost and Jennifer Schlesinger, ‘US Secret Service warns that coronavirus email scams are on the rise’, CNBC, 2 April 2020: https://www.cnbc.com/2020/04/02/us-secret-service-warns-that-coronavirus-email-scams-are-on-the-rise.html – accessed April 2020

[3] Starling Bank, ‘Introducing: Connected cards for Starling personal accounts’, 8 April 2020: https://www.starlingbank.com/blog/introducing-connected-cards-for-personal-accounts/ – accessed April 2020

[4] Rob McLean, ‘A hacker gained access to 100 million Capital One credit card applications and accounts’, CNN, 30 July 2019: https://edition.cnn.com/2019/07/29/business/capital-one-data-breach/index.html – accessed April 2020

[5] UK Finance, Fraud – The Facts 2020: The definitive overview of payment industry fraud, 18 March 2020: https://www.ukfinance.org.uk/system/files/Fraud-The-Facts-2020-FINAL-ONLINE-18-March.pdf – accessed April 2020

[1] https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-statistics/notifiable-data-breaches-report-july-december-2020/