Technological advances provide powerful tools in helping companies’ defences against fraud
Technological advances provide more powerful tools in strengthening companies’ defences against fraud, as well as a means for the fraudster to find areas of vulnerability to penetrate.
As much as technology helps the company combat fraud, the fraudster also capitalises on technology as a powerful tool in his arsenal. As such, technology, as we know it, can be a significant enabler and a double-edged sword. A quarter of fraudsters rely on technology. However, the recent KPMG Profile of a Fraudster survey suggests that companies, by contrast, could do a great deal more to use the same technology as a tool to prevent, detect and respond to wrongdoing.
The KPMG report suggests that technology is more frequently used in perpetrating fraud than in detecting it. Companies should consider greater use of the key anti-fraud technology – the mechanism of Data Analytics that can be used to sift through millions of transactions and other data, looking for suspicious items.
The key to harnessing this technological approach lies in first understanding the fraud risks of the organisation, then collecting or creating broad data points which could be profiled to test the manifestation of those risks, implementing continuous monitoring to test the data points and acting promptly on identified exceptions. The cycle is an iterative one where the learnings from addressing exceptions should continuously feed back into refining the fraud risks and testing methodologies thereof.
This approach is an intelligence-driven one where fraud-focused data analysis is king. Fraud-focused data analysis is used in these instances to take aim and focus on a specific area of the business, including supplementing that area with data points from other related business areas. This “data-blending”, combined with advanced routine-based fraud tests, can generate deep insight into patterns of behaviour indicative of fraud or other misconduct.
Additionally, cyber-fraud, an important form of technology-based fraud, is emerging as a growing threat, and many companies are aware of the issue but seem to be doing little about it. Moreover, it is quite evident that advances such as the introduction of high speed Wi-Fi, high definition cell cameras, cloud storage, remote access technologies and web applications have, in the last few years, increased the fraudster’s ammunition of schemes and attack points.
The question that organisations often wrestle with is, “Are we at risk of a cyber-attack?” The reality is that the questions an organisation should be asking are – “When are we going to be the victim of a cyber-attack?”; “When a cyber-attack happens, what do I have in place to tell me that it is happening?” and “What is my crisis response plan for when a cyber-attack happens?” The latter needs to be the subject of rigorous “war-room” scenario training so that the response teams can practise and fine-tune their actions for when a real cyber-attack takes place.
The truth is, every business is susceptible to cyber fraud, but small businesses may have the benefit of being more secure against the threat of cyber-attacks as a result of the small attack surface they present to the potential attackers. However, small businesses may also be more susceptible as a result of inadequate budget and structure to drive cyber security within the organisation. It is important that small businesses realise the duality of this position and consider a balanced position as part of an intelligence-driven risk-based approach to cyber security.
With cyber-attackers dealing in many currencies, with the key ones being information and money, any organisation with personal data of customers, credit cards and other similar data is at risk. The more niche organisations are easier targets as their protection schemes may not be as good as those of a retail organisation, for example. When it comes to money, the obvious targets are large international banks with international money transfers and cash withdrawals being the two mechanisms which are attacked the most.
Essentially, fraudsters don’t need a gun to rob a bank anymore – they don’t even need to be in the same country as the bank! Armed with an internet connection, intelligence gathered through social engineering and possibly a remote access trojan maliciously hidden in a stream of corporate emails, a cyber-attacker can sit in the comfort of his lounge and conduct a bank robbery without the traditional tools of a gun, balaclava and a getaway car.
Thus, the modern criminal is unseen, often hidden behind the veil of an anonymous internet, physically located in any country in the world while carrying out an attack on an organisation in any other country. Awareness and a strategy are key in hardening our defences against such attacks. Using technology to harness and analyse the vast data population that sits within our organisations provides one of the most effective preventative, detective and reactive controls in any organisation’s arsenal in the fight against fraud threats – both internal and external.
Kajen Subramoney is an Associate Director, Forensics in KPMG South Africa