Fraud the $3.7tn industry
As modern fraudsters get bolder and more sophisticated, Joanne Frearson talks to IBM’s Paul Clandillon about how to take them on
THE AMOUNT being lost by corporations on fraud now totals approximately $3.7trillion of global GDP. Fraudsters have become more sophisticated. They are no longer looking at small opportunistic crimes, but are working together to hoodwink big firms out of millions.
Paul Clandillon, European practice leader of fraud and financial crime solutions at IBM Software Group, says: “The big step change we see now is gangs of criminals emerging, which are starting to carry out much more complex and highly organised attacks.
“The problem with these more complex collusive attacks is that you may be attacked at multiple points across an organisation simultaneously.” According to Clandillon, if a company is only using traditional approaches to defend itself against these attacks, it is leaving itself vulnerable to fraudulent activity. “On average, fraud carried out by an individual tends to be about $80,000, but fraud carried out by four or more parties tends to be over $500,000,” he says. “The Association of Chartered Fraud Examiners, in its 2014 annual survey, asked all individual certified fraud examiners to make an estimate of what they believed fraud losses were in their industries.
“Their estimate was 5 per cent of turnover. If you extrapolate 5 per cent of turnover as a proportion of 5 per cent of global GDP, you get $3.7trillion. That is a very big number and gives you a very good order of magnitude of how big the problem is. It is the equivalent of 260 Olympic Games. If you want to run an Olympics every day all you do is eliminate fraud.”
Criminals are not just working in one gang, but in several, with each group taking a different cut of the spoils. “Fraudsters are getting more organised,” Clandillon says. “We have seen this in a couple of recent cases, where almost an underground industry has emerged, in which different groups of criminals supply different services as part of an overall fraud.
“There is a classic case which involved a Middle Eastern bank. The bank suffered a debit card fraud and lost $47million over a weekend.
“Essentially what happened was that one group of fraudsters suborned an employee to get access to private card data. They passed this to another group of fraudsters, who then created cloned cards. The third group took the cloned cards and used the cards to withdraw money from ATMs. This money was then passed on to a fourth group, who bought high-value goods for resale, thereby returning clean money to the overall perpetrators. There were four different groups playing four different distinct roles there. It was highly organised.”
As the $3.7trillion figure suggests, this type of crime is not isolated, and is happening frequently. Many companies lack the knowledge to be able to deal with the fraudsters effectively. “Awareness has been a problem to date,” Clandillon says. “Two thirds of companies still have no analytical capabilities to detect potentially suspicious transactions in their business. We know that companies who put in place fraud detection capabilities suffer 50 per cent less losses.”
Companies need to take proactive steps to combat fraud, says Clandillon. He explains that one of the f irst things management should do to tackle fraudsters is to make sure there is an awareness of the problem across the organisation as a whole.
“There are many different types of frauds which can be perpetrated against many different parts of an organisation,” he explains. “You have to be able to look at fraud across all of your organisations simultaneously. If you cannot do that, it becomes very difficult to spot collusive networks in operations, and relationships between parties. “The challenge of taking on fraud needs to be recognised as an enterprise-wide requirement. It needs to be managed at an enterprise level. It needs to be supported by a fraud enterprise investigation team.”
Clandillon believes that in order for a company to harden itself against fraudster attacks, it should look at it like the layers of an onion. The outer layer involves establishing a set of defences preventing people gaining unauthorised access through IT assets, while the inside layer is about forming a set of processes to combat vulnerable areas.
“The next thing behind that is a set of audit capabilities,” he says. “A set of risk-assessment capabilities and practices which ensure processes are being executed properly. The last layer is a set of tools and technologies which allow firms to identify potentially suspicious behaviour wherever it might occur in an organisation.”
Alongside this, a company should also have a dedicated anti-fraud unit, which understands the business side of things as well as the technological. “The anti-fraud unit will have a number of roles,” says Clandillon. “They will create the rules and analytical models, identify the patterns that will tell us it is essentially fraud, investigate the fraud and also discover new patterns of which they have previously been unaware.”
According to Clandillon, historical data should also be used to look for where fraud has occurred. Once fraud is discovered, rules and analytics should be updated. He also believes unstructured data should be examined. He says: “The huge amount of unstructured data out there on the web really constitutes an enormous source of intelligence for investigators. It makes them much more productive if they can tap into it.”
Emerging technologies are also giving companies new hope in the fight against fraud. Clandillon says: “The most obvious one is big data. Analytical engines now can consume vast amounts of data, in historical and real time. This can find far more interesting patterns than we were able to before.
“Other styles of analytics are emerging, such as entity analytics, to help fight fraud. When you look at a vast database of information, entity analytics can tell you who knows who and who does business with who. It will allow you to display it in a way that makes it really easy to find fraud.”