Fighting fraud with technology

Business fraud is on the up and is costing the UK economy £1.37bn, according to new figures from accountants BDO Stoy Hayward. But the organisation believes the real figure could be much higher.

The accountants found that the figure rose sharply from 2005, when fraud cost business £1bn. The research found that only 15 per cent of businesses actually bothered to report fraud to the police. It estimated the actual cost of fraud to UK companies was nearer £5bn.

BDO said that the value of reported fraud in the UK has risen 314 per cent from 2003. Much of the fraud reported was "carousel" fraud, a high-value VAT fraud. This happens when criminals obtain a VAT registration number to buy goods, such as processors or mobile devices, from other EU member states, then sell on the goods inclusive of VAT and disappear without paying this VAT to HM Revenue and Customs.

The Midlands was the worst affected region, with several carousel frauds committed there. London and the South East also reported rises in the amount of fraud. Nine prosecutions last year involving fraud cost the UK Treasury £372m in lost revenues.

Experts said that detecting fraud in the modern corporate environment is an increasing challenge and is usually met with ever more sophisticated technology.

"Computer systems that do automatic transaction analysis are commonly used by banks and credit card companies and data mining techniques help to search out 'what if' scenarios," said Chris Paley-Menzies, head of forensic technology at RGL Forensic Accountants & Consultants. "However, these should also be allied with strong control procedures and transparency in financial authorisations".

Dan Morrison, partner, Corporate Fraud and Asset Recovery Group at law firm Mishcon de Reya, said that there are a number of straightforward steps companies can take to dramatically improve the security and efficacy of their response if the crooks do strike.

"Careful scrutiny of prospective employees who will have high level access to your IT and security systems - experience shows beyond doubt that the majority of these frauds are carried out by insiders or at least with some level of inside help," said Morrison.

He added that companies needed to make sure they have in place a company policy permitting monitoring of emails and telephone calls in order to detect and prevent fraud. Provided such a policy has been adopted and reasonable steps have been taken to draw it to the attention of employees, the monitoring will not fall foul of the interception rules under the Regulation of Investigatory Powers Act.

"Intelligent monitoring in risk areas may provide advance warning of a planned fraud and, at the least, makes the insider's job more difficult," he said.

Morrison said hardware and software needed to be set up so that only those who truly need such rights can install new software to any part of your network. He said that PCs should not have floppy, CD or DVD drives unless there is a genuine business need for the user of a particular unit.

"By the same token, remove or disable unnecessary USB (or equivalent) ports and thereby prevent the use of the portable data storage devices that are now readily and inexpensively available to the public," he said.

Jarrod Haggerty, forensic technology director, PricewaterhouseCoopers LLP, said that robust risk management systems can go a long way to mitigate the likelihood of economic crime.

"A significant weapon in the fight against today's high-tech criminal is to understand where a business is most exposed to the threat of fraud through its IT infrastructure," said Haggerty. "In turn, IT can play a major role in the fight against fraud."

He said that businesses should tailor their defence mechanisms so that they are in line with their corporate business practices, ethos and culture.

Haggerty added that there are very few 'off the shelf' solutions that fit all of an organisation's requirements, so companies should consider the following: Has the company recently undergone a rigorous assessment of its IT fraud risk exposure and has it addressed any significant gaps that emerged? Does the company have a formal incident response plan? Does the company have a written code of ethics with clear statements about the consequences of ethical breaches of its IT policies, so that management and staff know what is expected of them?

He said that if a company hasn't considered the implications of the Data Protection Act and what it may be required to implement in order to capture and review electronic evidence, or any of the previous considerations, then appropriate remedial action should be taken.

Richard Kusnierz, director of fraud detection and risk management software company IDS, said that where there is a recognition that fraud occurs, organisations are putting in place hugely expensive mechanisms, "but there are cheaper and better options that are far more effective," he said.

"It is estimated that the UK invests £8bn every year in technology and measures to counter the £32bn fraudulent activity costs the country every year," said Kusnierz. "Yet there is a real lack of understanding of how to counter fraud. Many of the expensive technology solutions are complex both to implement and use - and in many cases the investment remains unused."

He said that one large financial institution recently invested a six-figure sum in anti-money laundering technology when existing software already used internally could have met all compliance requirements with only minimal additional investment.

"This lack of understanding promotes further confusion, leading organisations to invest heavily in technology without implementing the processes that are key to actually catching and deterring fraudulent activity," said Kusnierz.

He pointed out one example where running a fraud detection algorithm across the accounts payable information can flag up a number of anomalies, with multiple flags dictating prioritisation of follow-up investigation.

"Critically, this algorithm can be run constantly, in real-time, highlighting not only potential mistakes - such as payment to the wrong supplier - but also instances of potentially fraudulent activity that can be immediately followed up, before the perpetrator leaves the organisation," said Kusnierz.
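The kind of accounts payable check described above can be sketched as a small rule set whose flag count orders the follow-up queue. This is an added example, not code from the article or from IDS; the four rules, the approval limit, the field names and all sample records are assumptions constructed for illustration.

```python
from collections import Counter

APPROVAL_LIMIT = 10_000.00  # assumed single-approver sign-off threshold

# Constructed sample data (not from the article)
VENDOR_MASTER = {"V001": "40-22-10 55550001", "V002": "40-22-10 55550002",
                 "V003": "40-22-10 55550003"}
EMPLOYEE_ACCOUNTS = {"20-11-33 12345678"}
PAYMENTS = [
    {"id": "P1", "vendor": "V001", "invoice": "INV-100", "amount": 4200.00, "paid_to": "40-22-10 55550001"},
    {"id": "P2", "vendor": "V001", "invoice": "INV-100", "amount": 4200.00, "paid_to": "40-22-10 55550001"},
    {"id": "P3", "vendor": "V002", "invoice": "INV-207", "amount": 9950.00, "paid_to": "40-22-10 55550001"},
    {"id": "P4", "vendor": "V003", "invoice": "INV-311", "amount": 9900.00, "paid_to": "20-11-33 12345678"},
    {"id": "P5", "vendor": "V002", "invoice": "INV-208", "amount": 1310.45, "paid_to": "40-22-10 55550002"},
]

def flag_payments(payments, vendor_master, employee_accounts):
    """Return {payment id: [flag names]} for every payment."""
    seen = Counter((p["vendor"], p["invoice"], p["amount"]) for p in payments)
    flags = {}
    for p in payments:
        hits = []
        # Same vendor, invoice number and amount paid more than once
        if seen[(p["vendor"], p["invoice"], p["amount"])] > 1:
            hits.append("duplicate_invoice")
        # Money sent to an account other than the one on the vendor record
        if vendor_master.get(p["vendor"]) != p["paid_to"]:
            hits.append("account_mismatch")
        # Destination account belongs to a member of staff
        if p["paid_to"] in employee_accounts:
            hits.append("employee_account")
        # Amount sits just under the level that needs a second approver
        if 0.95 * APPROVAL_LIMIT <= p["amount"] < APPROVAL_LIMIT:
            hits.append("near_approval_limit")
        flags[p["id"]] = hits
    return flags

def prioritise(flags):
    """Work queue: most-flagged payments first, unflagged ones dropped."""
    flagged = [(pid, hits) for pid, hits in flags.items() if hits]
    return sorted(flagged, key=lambda item: (-len(item[1]), item[0]))

if __name__ == "__main__":
    result = flag_payments(PAYMENTS, VENDOR_MASTER, EMPLOYEE_ACCOUNTS)
    for pid, hits in prioritise(result):
        print(pid, len(hits), ", ".join(hits))
```

A single flag, such as the duplicate pair P1/P2, is as likely to be a clerical mistake as fraud, which is why the queue is ordered by how many independent rules a payment trips.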

Other experts said that as companies start to review their document management policies for compliance and regulatory matters they will become more aware of the use of their IT systems.

"This will also put them in a better position to implement the most effective tools for their organisation," said Andrew Szczech, electronic evidence consultant at computer forensics company Kroll Ontrack. "This approach, however, needs to be carefully considered to ensure that the ability of employees to carry out their legitimate activities is not compromised."

Rene Millman
