Fraud is big news. The Office for Nation Statistics having added experience of fraud onto its National Crime Survey, the media was filled last week with its estimates for offences in the 12 months up to the end of March 2016: two million computer misuses and 3.8 million actual frauds experienced by individuals. That equates to one in ten consumers having experience of this crime.
Fraud is also big business. According to Experian’s Annual Fraud Indicator 2016, published in May, the total hit to the UK ecomomy is £193 billion. While individuals were defrauded of some £9.7 billion, companies are the biggest target - some £127 billion is estimated to have been taken via procurement fraud, where a non-authorised supplier or other bad actor is paid for goods and services that have not been ordered or are never delivered. Payroll fraud is a big earner for criminals, taking £12 billion every year. On top of this, fraud costs the insurance sector £1.3 billion through illegitimate claims, while 84 out of every 1,000 mortgage applications are fraudulent, costing lenders £1.3 billion annually. Even charities are not imune, suffering a £2 billion annual hit to their income from criminals.
As Andy Thomas, managing director at CSID Europe, a provider of global identity protection and fraud detection technologies, said: “Cybercrime is going through its own industrial revolution - the barriers to entry are disappearing. Tools are automating the process and costs have plummeted: getting started in cybercrime has become child’s play. The ONS data validates our concerns that the industry needs to up its game in terms of measures to prevent fraud, and consumers still need better education to avoid becoming victims to the most common fraud risk they now face.”
At NuData Security, a behavioural biometrics and fraud mitigation specialist, vice president Robet Capps made a similar point: “It’s no news that fraud is easy cheap and lucrative. The low barrier to entry - just a simple consumer laptop and an internet connection is all that’s required - the ‘cool’ factor, the low prosecution rate, the potential impact of your actions…it all plays into the ego, drive and motivation of these attackers.”
He added: “Imagine the temptation if you’re of that ethically-challenged mindset. The Internet is awash in consumer financial and identity data, just waiting to be plucked and cashed out. It’s like walking through an apple orchard, and picking the ripest, reddest apples, free and with very little opposition.”
Given such rich pickings for those willing to take the (relatively-low) risk of being caught and imprisoned, what should the data industry - and any business which both manages sensitive personal and corporate information, as well as those which need to verify the identities of individuals and businesses to which they are making payments - do to protect itself?
1. Take fraud seriously
It might seem obvious that all businesses should take steps to ensure that payments are being made on the right basis and to a legitimate person. In reality, this is often just not possible - procurement departments may apply a threshold under which invoices are paid without checking, for example, while a recent Supreme Court judgement means that, even when an insurance claim contains an outright lie, the entire claim can not simply be struck out.
According to Nick Mothershaw, ID and fraud expert at Experian, “while there are Government initiatives underway to tackle fraud, it’s largely down to organisations to take care of themselves and the people they service. There are significant differences in the size of loss and quality of fraud management across business sectors. Resilience to fraud can only be tackled from the grass-roots up, so it’s up to each organisation to not only manage fraud as a loss factor, but to overcome it by treating fraud prevention as a growth opportunity.”
He points out that the growth of digital platforms for transactions, both B2C and B2B, present a challenge because of the need to balance a smooth customer experience with fraud detection, especially during periods of high demand. “As a result, some may be inclined to take risks and accept lower levels of due-diligence instead of completing more comprehensive fraud data checking, verification and authentication processes. Criminals know this,” said Mothershaw.
Baker Tilly carried out a Pensions Fraud Risk survey which discovered that 51% of more than 70 pension schemes had not tested their fraud controls for more than a year, despite regulatory guidance for annual checks. When Wilmington Millennium canvassed the top 30 pension providers about their procedures for spotting deceased pension fraud, all declined. Even the Department for Work and Pensions refused a Freedom of Information Act request about its own checks. This is despite the fact that the National Fraud Initiative report, conducted every two years by Audit Scotland, found that screening pensions data against deceaseds lists would save the Scottish Government £4.6 million annually.
Karen Pritchard, director of Wilmington Millennium, commented: “It is incredibly disappointing that not a single organisation responded positively to our survey. Despite not having the hard evidence, anecdotally we are being told that deceased pension fraud is a growing concern and no wonder as it is costing the tax payer millions. However, simple solutions such as screening against deceased fraud products like Halo can quickly and easily identify the fraudulent payments and cut them off at the source. This is an economic crime and one that will get worse if the economy remains unstable.”
Dave Webber, commercial strategy director at LexisNexis Risk Solutions UK, argued that companies need to make fraud detection and prevention part of their corporate key performance indicators. “Today, most organisations can’t measure fraud consistently and so have no benchmark from which to measure current performance and, moreover, how advances in fraud defences are performing. Therefore companies should align fraud prevention with their overall business strategy, enabling fraud prevention teams to adapt to volatile market conditions as well as the changing behaviour of fraudsters.”
2. Use all available data
Frauds do not always happen the moment a criminal acquires sensitive information that might enable it. Often, there is a lengthy period during which a relationship might be built up to establish good credit before hitting a company for a large order that is never paid for (“long con” or sleeper frauds). Equally, consumer identities, cloned cards or account take-overs can be banked for several years before a co-ordinated, mass cash-in takes place.
That makes continuous data tracking even more vital. “Comparing information against an array of data sources makes it far easier to identify potentially fraudulent and suspicious activity,” noted Mothershaw. “Although there may not be much available information about a business, the individuals behind it can be screened and could be red-flagged or deemed as suspicious.”
Techniques and data sets aligned to fraud detection and prevention are evolving rapidly, with big data analytics lining up alongside well-established identify and profiling sources. NuData Security’s behavioural biometrics is one example. Said Capps: “We have to remember - fraudsters know us better than we do in that they’ve pegged our vulnerabilities. It’s time we returned the favour. They are vulnerable because they must do very similar behaviours to be successful and guess what? We can find them by their tell-tale signals.”
He added: “In order to detect out-of-character and potentially fraudulent transactions before they can create a financial nightmare for consumers, we must adopt new authentication methods that they can’t deceive. Solutions based on consumer behavior and interactional signals are leading the way to providing more safety for consumers and less fraud in the marketplace.”
3. Be part of the solution, not the problem
There will always be a balance between the desire to complete a transaction and the need to validate the identity of the person or business on the other side. In the consumer world, biometrics, such as fingerprints, are increasingly becoming acceptable, not least as they get built into technology. A study by Visa found that nearly three-quarters of consumers in Europe would accept two-factor authentication - a biometric plus a payment device. Building this in to new services will help to reduce fraudulent activity, although it is worth noting that both fingerprints and iris scans can be spoofed and biometric data has already been stolen or lost, creating a potentially lifelong problem for the individuals exposed.
Embedding data checks will have to become more widespread. As Mothershaw noted: “When someone poses as a customer, supplier or contractor and false information is deliberately supplied with the specific intention of defrauding a business for personal or commercial gain, it can be spotted and blocked simply by screening and checking their details against a broad range of data available to confirm given details, flag up any anomalies and known fraud information.”
There is a cost involved, but if companies become better at monitoring their exposure to fraud, the trade-off will emerge and been seen as worthwhile. Companies also have to become tougher about screening employees via background and financial checks, both new-starters and ongoing, in order to spot who might be vulnerable to outside pressure or be deliberately embedded into the business with a view to insider fraud.
Fraud offers a high payback and low risk compared to other criminal activities which makes it particularly attractive. The dependence of businesses on data, combined with gaps in their data checking processes, mean fraud will contine to grow for some time yet. At LexisNexis, Webber argued that it is time for companies to push back: “Today’s figures mark the first time the ONS has measured fraud and cyber crime in full - it remains to be seen whether more organisations will respond in kind over the next 12 months.”
Related articles: The asymmetric war on fraud