Fraud is an unfortunate reality for every business, large or small. It is not always easy to detect and can be devastating to an organization’s reputation and finances. It can also lead to legal action against the perpetrators of the crime.
November 13th – 19th 2022 is Fraud Awareness Week, and as cybersecurity professionals, we wanted to spend a little time highlighting fraud and explaining how you can spot it in your business or personal life. It’s all too easy to just hope or assume that it can’t happen to you, your company, a non-profit you support or volunteer with, or your family. It’s best to be educated and alert but not paranoid.
A simple way to think about fraud is when someone knowingly misrepresents facts to obtain money, sensitive information, or other assets from an individual, organization, or business.
What makes fraud… fraud??
- Fraud is a crime that involves deceiving someone out of money or property.
- It can be committed by individuals, groups and corporations.
- Fraud is different from theft because it involves the deliberate act of deceiving someone with false information in order to steal from them.
The prevalence of fraud is difficult to measure because of likely underreporting. Many organizations do not report occurrences of internal fraud unless it is legally required or there is a public arrest. Why? Because sometimes the fear of reputational damage or loss of trust with consumers (for corporations) and donors/supporters (for non-profits) may be more concerning than the financial damage already incurred.
Beyond whether an organization would report fraud, what about employees? Many people do not report fraud for fear of retaliation or embarrassment. Since there are many types of fraud, it’s hard to know what the true extent is.
Understanding the Various Types of Fraud
Fraud has likely existed in various forms for as long as humans have. With today’s focus on cybercrime, both awareness and criminal methods have shifted from traditional means (paper, phone calls, live interactions) to digital ones. Technology has made it much easier to run a variety of cons at speed and scale.
There are many different types of fraud, including corporate, tax, Ponzi schemes, cyber fraud, and consumer fraud.
Before the digital age, fraudsters used human-to-human tactics to concoct a plausible story with a sense of urgency for someone to take an action. In my writings, I came across an article called 10 Of History’s Greatest Con Artists which involves 10 infamous cases of fraud – none of which required a computer.
However, most of these setups likely took significant time and were not conducted on a broad scale.
So what is cyber fraud or internet fraud?
Cyber fraud, internet fraud, and cybercrime overlap: each involves cybercriminals who intend to illegally acquire and leverage an individual’s or business’s sensitive information or credentials/access, or to disrupt operations, for monetary or other gains.
There are countless types, but some of the common themes include:
Whether it be traditional fraud or cyber fraud, there are some things that individuals and organizations can do to be aware, know the warning signs, detect what can be detected, and act when something happens.
Here are some simple warning signs and scenarios of fraud to help individuals spot it and not fall prey to the con.
- Urgent requests from someone you don’t know or someone pretending to be someone that you do know. Example: Needing gift cards, employee information (such as W9 forms), or change in bank/routing information
- Problem or Prize involved. Examples: Family member in jail, monetary reward, lottery, lost/found inheritance
- Unexpected charges to bank accounts or credit cards. Example: Small but routine payments to a legitimate looking entity (small enough to avoid raising too much attention)
- Requests for sensitive information or verifying your sensitive information over the phone. Examples: social security info, account login details, reset password, financial info
- Offers for free software or services to fix a problem that the person or organization contacting you has discovered. Example: virus / malware removal software after you receive an alert indicating your computer is compromised or there is evidence you have been viewing illicit materials online
- Threats of fines, jail or consequences if you don’t follow the criminal’s demands. Example: IRS auditor claiming you will go to jail if you don’t respond
- Requests to pay in advance for processing fees to receive something greater in the future (often via gift card, cashier’s check, wire transfer, or crypto). Example: the car wrap scam to get a weekly payment if you display a company’s sticker on your car
For organizations, individuals can still be targeted by outside criminals, but oftentimes fraud is committed by insiders (employees or other types of workforce members).
Corporate security and finance teams have a number of monitoring tools at their disposal to detect instances of fraud:
- Fraud detection software can analyze data from all your online transactions and emails to identify patterns that indicate fraudulent activity.
- Data analytics can be used to gain insights into your business operations and identify potential red flags for fraud. For example, if you notice a sudden increase in the number of chargebacks or high-risk transactions coming through your system, you may have been targeted by scammers who are trying to steal money or information from you.
- Financial and technical controls can be put into place and audited to separate duties within companies so that no one person has the capability of making large financial transactions. While software can enforce some of these capabilities, human controls and checks and balances are still key.
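The two checks described in the list above, a sudden rise in chargebacks and a separation-of-duties audit, can be sketched in a few lines. This is an added example, not code from the original article or from any fraud product; the sample data, field names, window size and dollar limit are all constructed assumptions.

```python
from statistics import median

# Constructed sample data: daily chargeback counts, oldest first.
DAILY_CHARGEBACKS = [3, 2, 4, 3, 2, 3, 4, 3, 2, 3, 11, 12]

# Constructed payment records; the field names are hypothetical.
PAYMENTS = [
    {"id": "P-1", "amount": 120.00, "initiator": "alice", "approver": None},
    {"id": "P-2", "amount": 25000.00, "initiator": "bob", "approver": "carol"},
    {"id": "P-3", "amount": 18000.00, "initiator": "dave", "approver": "dave"},
    {"id": "P-4", "amount": 40000.00, "initiator": "erin", "approver": None},
]


def chargeback_spikes(counts, window=7, k=4.0):
    """Return indexes of days whose count is far above the trailing baseline.

    The baseline uses the median and the median absolute deviation (MAD)
    rather than mean and standard deviation, so one spike day does not
    inflate the baseline and hide the spike that follows it.
    """
    flagged = []
    for i in range(window, len(counts)):
        baseline = counts[i - window:i]
        mid = median(baseline)
        mad = median(abs(c - mid) for c in baseline)
        spread = max(mad, 1.0)  # floor keeps a flat baseline from flagging +1 noise
        if counts[i] > mid + k * spread:
            flagged.append(i)
    return flagged


def separation_of_duties_violations(payments, dual_control_limit=10000.00):
    """Return ids of payments at or above the limit with no independent approver."""
    violations = []
    for p in payments:
        if p["amount"] < dual_control_limit:
            continue  # small payments are outside the dual-control rule
        if p["approver"] is None or p["approver"] == p["initiator"]:
            violations.append(p["id"])
    return violations


if __name__ == "__main__":
    print("Spike days:", chargeback_spikes(DAILY_CHARGEBACKS))
    print("Dual-control violations:", separation_of_duties_violations(PAYMENTS))
```

A check like this only surfaces items for a person to review; the human controls the list mentions still decide what happens next.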
Unfortunately, there is no way to prevent fraud 100% of the time, but companies and individuals can push down their risk to more acceptable levels. Stopping it before it happens, or at least reducing the chances of it happening in your business, is the best approach to risk reduction.
Common sense and routine checks can help you to spot potential problems before they arise. If someone has access to information that could compromise your business or could allow them access to funds they shouldn’t have access to, then this needs addressing. Your employees will understand why certain measures are being taken if you explain them in a clear way, which helps keep any resentment down.
What should I do if I suspect that someone is stealing from my company?
If you suspect that someone within your team may be involved with fraud, report it immediately – don’t delay! Fraudsters often try to cover their tracks, but if you act quickly enough, evidence might still exist. Take photographs of any documents showing suspicious activity (and make sure these are dated), and record details about how much money has gone missing and who exactly was responsible for handling those finances. In most large companies, employees should not conduct their own investigations, so alerting legal or compliance to the issue is often the best solution.
Put things in writing: If there’s any doubt as to whether something is legitimate or not, err on the side of caution by getting advice from an expert before proceeding with anything that seems suspicious (or even non-suspicious).
Now that you know what the signs of fraud are, it’s important to take steps to protect yourself against it. The most effective way to avoid becoming a victim is by having strong internal controls in place (individual / family controls or company controls). The next best thing is to increase your awareness and keep an eye out for anything suspicious that might indicate fraudulent activity.