Comment: Corporate Readiness to Fraud – the first and last line of defence
Chris Bailes and Satinder Soni of Control Risks explain the vital role played by IT professionals in the fight against major fraud. Fraud against businesses is rising at a rapid rate and losses to the UK economy are estimated to have reached £52bn(1) last year. According to the European Commission(2), over €1.1 billion of EU money has been recovered through fraudulent activities. The sheer scale and complexity of this issue can leave businesses feeling exposed.
Early detection of fraud is critical. It can help organisations to stem the flow of losses, recover monies already transferred and identify perpetrators. However, it is not uncommon for large businesses to be oblivious that they have become victims for weeks, sometimes months, after the event.
The role of technology in facilitating fraud has increased, but so too has its role in preventing, identifying and investigating business crime. The importance of IT professionals in the fight against corporate fraud is greater than ever. A number of technological solutions can assist organisations in identifying fraudulent activity. By way of example, software applications are able to detect unusual patterns of financial behaviour or help detect fake emails that appear to have been sent from legitimate corporate email addresses. Software can also help flag red-flag documents, such as Excel spreadsheets with hidden rows and columns, images embedded within Word documents or PowerPoint slides, or emails that use white text on a white background to disguise fraudulent activity.
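Two of the document red flags mentioned above can be checked mechanically. The following is an added example written for this page, not tooling from Control Risks or the authors: it parses a worksheet XML fragment in the form stored inside an .xlsx file (xl/worksheets/sheetN.xml) to report hidden rows and columns, and it walks an HTML email body to report text whose colour matches its background. The worksheet fragment and the email body are constructed sample inputs, and the default page background of white is an assumption.

```python
"""Flag hidden spreadsheet rows/columns and white-on-white email text.

Added example, not the article's or Control Risks' code. Sample inputs below
are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

NS = {"s": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}

# Constructed worksheet fragment: column B (min=max=2) and row 3 are hidden.
SHEET_XML = """<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">
  <cols>
    <col min="1" max="1" width="12"/>
    <col min="2" max="2" width="0" hidden="1"/>
  </cols>
  <sheetData>
    <row r="1"><c r="A1" t="inlineStr"><is><t>Supplier</t></is></c></row>
    <row r="2"><c r="A2" t="inlineStr"><is><t>Acme Ltd</t></is></c></row>
    <row r="3" hidden="1"><c r="A3" t="inlineStr"><is><t>Shell Co</t></is></c></row>
  </sheetData>
</worksheet>"""

# Constructed HTML email body with one invisible (white on white) paragraph.
EMAIL_HTML = """<html><body bgcolor="#ffffff">
<p>Please find the updated bank details attached.</p>
<p><font color="#FFFFFF">Hidden text: internal note not shown to the reader</font></p>
<p><span style="color:#000; background-color: #fff">Regards, Finance</span></p>
</body></html>"""


def hidden_rows_and_cols(sheet_xml: str):
    """Return ([hidden row numbers], [(min_col, max_col) hidden ranges])."""
    root = ET.fromstring(sheet_xml)
    rows = [int(r.get("r")) for r in root.iterfind("s:sheetData/s:row", NS)
            if r.get("hidden") in ("1", "true")]
    cols = [(int(c.get("min")), int(c.get("max")))
            for c in root.iterfind("s:cols/s:col", NS)
            if c.get("hidden") in ("1", "true")]
    return rows, cols


def _norm_color(value):
    """Normalise '#fff', '#FFFFFF' or 'white' to 6 lowercase hex digits; None if unknown."""
    if value is None:
        return None
    v = value.strip().lower()
    named = {"white": "ffffff", "black": "000000"}
    if v in named:
        return named[v]
    m = re.fullmatch(r"#([0-9a-f]{3}|[0-9a-f]{6})", v)
    if not m:
        return None
    h = m.group(1)
    return "".join(ch * 2 for ch in h) if len(h) == 3 else h


VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}


class InvisibleTextFinder(HTMLParser):
    """Keep a stack of (text colour, background) and record text where they coincide."""

    def __init__(self, page_background="ffffff"):  # assumed default background
        super().__init__()
        self.stack = [(None, page_background)]
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return  # void elements never enclose text, so do not push a frame
        color, bg = self.stack[-1]
        a = dict(attrs)
        if tag == "font" and "color" in a:
            color = _norm_color(a["color"]) or color
        if "bgcolor" in a:
            bg = _norm_color(a["bgcolor"]) or bg
        style = a.get("style") or ""
        m = re.search(r"(?<![-\w])color\s*:\s*([^;]+)", style)  # not background-color
        if m:
            color = _norm_color(m.group(1)) or color
        m = re.search(r"background(?:-color)?\s*:\s*([^;]+)", style)
        if m:
            bg = _norm_color(m.group(1)) or bg
        self.stack.append((color, bg))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and len(self.stack) > 1:
            self.stack.pop()

    def handle_data(self, data):
        color, bg = self.stack[-1]
        text = data.strip()
        if text and color is not None and color == bg:
            self.hits.append(text)


def invisible_text(html: str):
    """Return the text runs whose colour equals their background."""
    p = InvisibleTextFinder()
    p.feed(html)
    p.close()
    return p.hits


if __name__ == "__main__":
    print(hidden_rows_and_cols(SHEET_XML))
    print(invisible_text(EMAIL_HTML))
```

In a real review the worksheet XML would be read from the .xlsx archive (a zip file) rather than embedded, and a hit from either check is a prompt for a human to look at the document, not proof of fraud: hidden columns and white text have legitimate uses too.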
Once the existence of a fraud is uncovered, IT professionals increasingly play a key role in implementing the response plan during the vital 24 hours after discovery. Digital forensics is also critical in scrutinising a company’s data, email records and telephone logs to establish how the fraud was perpetrated and map where the missing funds may have been sent. While undertaking this complex task, it is important to ensure that electronic evidence of the fraud is preserved correctly, so that any civil litigation or criminal prosecution that follows is not compromised.
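One practical part of preserving electronic evidence is being able to show later that a collected copy has not changed. The following is an added example for this page, not a procedure from the article or Control Risks: it hashes every file under a collection directory into a manifest at collection time and re-verifies that manifest afterwards, reporting files that are missing, altered or newly appeared. The file names and contents in the demonstration are constructed, and the collector name is a placeholder.

```python
"""Integrity manifest for a set of collected evidence files.

Added example, not the article's or Control Risks' procedure. SHA-256 of each
file is recorded at collection time; verify_manifest() later reports any
difference. Store the manifest outside the collection root, or it will be
reported as an unexpected file on re-verification.
"""
import hashlib
import json
import os
import tempfile
import time


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root, collector="<collector name placeholder>"):
    """Hash every regular file under root and return a manifest dict."""
    entries = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            p = os.path.join(dirpath, name)
            rel = os.path.relpath(p, root)
            entries[rel] = {"sha256": sha256_file(p), "size": os.path.getsize(p)}
    return {
        "root": os.path.abspath(root),
        "collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "collector": collector,
        "files": entries,
    }


def verify_manifest(manifest, root=None):
    """Return sorted (relative_path, reason) pairs; an empty list means intact."""
    root = root or manifest["root"]
    problems = []
    for rel, rec in manifest["files"].items():
        p = os.path.join(root, rel)
        if not os.path.isfile(p):
            problems.append((rel, "missing"))
            continue
        # Size check first is cheap; the hash catches same-size edits.
        if os.path.getsize(p) != rec["size"] or sha256_file(p) != rec["sha256"]:
            problems.append((rel, "modified"))
    for dirpath, _, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if rel not in manifest["files"]:
                problems.append((rel, "unexpected"))
    return sorted(problems)


def demo():
    """Constructed walk-through: collect two files, alter one, re-verify."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "mail"))
        with open(os.path.join(root, "mail", "msg1.eml"), "wb") as f:
            f.write(b"From: finance@example.invalid\nSubject: Updated bank details\n")
        with open(os.path.join(root, "ledger.csv"), "wb") as f:
            f.write(b"date,payee,amount\n2019-01-07,Acme Ltd,12500\n")
        manifest = build_manifest(root)
        intact = verify_manifest(manifest)  # expected: []
        # Simulate a working copy being edited after collection.
        with open(os.path.join(root, "mail", "msg1.eml"), "ab") as f:
            f.write(b"X-Edited: yes\n")
        return intact, verify_manifest(manifest), json.dumps(manifest, indent=1)


if __name__ == "__main__":
    before, after, manifest_json = demo()
    print(before, after)
    print(manifest_json)
```

The manifest should itself be signed or stored on write-once media and the verification repeated on the copy handed to lawyers or investigators, so that the chain from original acquisition to what is produced in court is documented.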
After the initial response is complete, e-Disclosure/e-Discovery data analytics tools can be deployed very effectively to support more detailed analysis of the activities that preceded the fraud. Analysis of the same data will also help organisations understand where their vulnerabilities lie and so help prevent a similar scam recurring.
Fail to prepare or prepare to protect
From an IT perspective, the key to being able to respond efficiently to the discovery of a major fraud is to have a clear map of where the company’s data resides (e.g. on its own servers or in the cloud), in which country, the types of device the data is stored on etc.
Moreover, when designing or mapping a company’s data architecture, it is also important for IT professionals to involve the company’s general counsel or external lawyers who will advise on the legal barriers and safeguarding requirements for that data. A major impediment to discovering the source of a fraud in many situations is the multiplicity of data protection, employee privacy and even national security laws that a company is likely to encounter. This is particularly relevant for cross-border activities.
Court orders may need to be applied for to gain access to information, or the interrogation of that information may need to take place in situ if its transfer across borders is prohibited. If IT professionals plan for these issues in advance, they can be dealt with quickly when a fraud emerges, or avoided altogether through careful management of the data’s location or by ensuring that employees waive their rights over company data in jurisdictions where this is allowed.
However, while most companies have extensive disaster recovery plans in place to deal with events such as IT failures, many do not have a comparable fraud response plan in place before such an event occurs. According to research conducted amongst 300 companies worldwide last year by Control Risks and the Economist Intelligence Unit, a third of the businesses surveyed admitted that they did not have an investigation response plan in place.
Fraudsters will choose the easiest target within a company and often move on to a softer target such as a junior or new member of staff. The adoption of strict password protocols, the use of electronic keys and effective financial controls can make a significant difference to the likelihood of a company falling prey to business crime. Penetration testing by a third party is also a useful exercise to stress-test the effectiveness of a company’s defences and to gauge how they will be perceived by any criminals thinking about targeting them.
A further line of defence for companies is to trawl the internet to find out what information fraudsters are exchanging about them online. As the technological defences to fraud have become more effective, some fraudsters are instead using “social engineering” techniques to find companies’ weak points.
This involves the ‘embedding’ of fraudsters within a targeted company as temporary workers to gather information on key contacts, invoicing procedures and when controls are likely to be at their most lax. Using this information makes any future attempt to extract money from a business more convincing and potentially successful. Frequently, this information is shared and sold through the so-called “dark web”. Therefore, the more that organisations are aware of what is being said about them on the internet, and have the correct systems in place to take the right action at the right time, the better protected they will be.
About the authors
Chris Bailes is Director of Fraud & Financial Crime, Europe & Africa at Control Risks. Prior to joining Control Risks, Chris was the Chief Operating Officer at the UK Serious Fraud Office, where he had day-to-day responsibility for all operational delivery and investigative capability. Chris.Bailes@controlrisks.com
Satinder Soni is an Associate Director for Legal Technologies & Investigations in Europe, Middle East and Africa. Satinder has worked with legal and risk compliance officers from global law firms and large multinational organisations. Satinder specialises in e-discovery / e-disclosure needs across internal investigations and litigation matters. Satinder.Soni@controlrisks.com