A Must for Corporations: Better Fraud Protection

Posted on by Robert Ackerman

The explosion of fraud—mostly online fraud—costs more billions of dollars nearly every year, undermining the health of the economy. The banking industry, the biggest single victim of fraud, now does more to link cybersecurity technology to its infrastructure and has become better at establishing enterprise-wide security policies. Nonetheless, its fraud predicament continues to worsen.

According to PwC’s Global Economic Crime and Fraud Survey 2022, which surveyed 3,000 executives worldwide, 51 percent of surveyed organizations said they experienced fraud in the past two years—the highest level in 20 years of research. Statista, a provider of market and consumer data, estimates that fraud losses overall totaled $41 billion last year.

The situation in the United States is similarly distressing. According to new data from the Federal Trade Commission, the amount of money Americans reported losing to fraud in 2022 touched $8.8 billion, up more than 30 percent from 2021, and pundits believe 2023 will still be worse. Experts say the most common fraud reports of late have been coming from imposter scams, followed by online shopping, prizes, sweepstakes and lotteries, investments, and business and job opportunities.

Overwhelmed by the increasing sophistication of fraudsters, many companies need to improve their fraud protection plans. A report by PwC found that 46 percent of companies experienced fraud or related crimes last year. And fraud commonly occurs internally as well as externally. Another recent study by Alexander Dyck, a finance professor at the University of Toronto, determined that about 40 percent of companies are committing accounting violations and 10 percent, securities fraud.

Fraud is ubiquitous in the United States. According to Nilson Report data, the United States is the most prone to credit card fraud in the world, partly because it’s one of only a tiny number of countries with more credit cards than people. Also contributing to fraud issues is the American gambling boom, especially online betting on major sporting events, according to cybersecurity provider Trend Micro and some big law firms, including New York-based Constantine Cannon; cybercriminals commonly fund such bets with compromised credit cards. Sports betting and other forms of gambling last year generated more than $60 billion in revenue, a record.

As already mentioned, American corporations also have issues unrelated to credit cards.

One is that the HR department isn’t immune from workplace schemes to defraud the company. A common scheme involves “ghost employees,” says Paypro, a workforce management software company. This is when employees responsible for setting up new hires in the payroll system create a fake employee and have the payroll checks deposited into an account they control. Today’s hybrid workforce makes the scam possible. With so many people working from home so often, it may not be unusual to have employees no one has met in person.
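The ghost-employee scheme leaves a detectable trail: a payroll record with no matching HR onboarding file, a deposit account shared by more than one "employee," or pay routed to the account of the payroll user who created the record. The following is an added example, not code from the article or from Paypro, showing how a periodic reconciliation of a payroll export against the HR roster can surface those indicators. The record fields, employee IDs and account numbers are constructed sample data.

```python
"""Ghost-employee indicators from a payroll export reconciled with HR data.

Added illustration; the data model and sample records below are assumptions,
not taken from the article or from any payroll product.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PayrollRecord:
    emp_id: str            # employee identifier in the payroll system
    name: str
    deposit_account: str   # bank account that receives the pay
    created_by: str        # emp_id of the payroll user who set up this record


# Constructed sample data. HR_ROSTER holds ids with a completed onboarding file
# (background check, signed offer, manager sign-off); PAYROLL is the payroll export.
HR_ROSTER = {"E100", "E101", "E102", "E103"}

PAYROLL = [
    PayrollRecord("E100", "Alice Payroll", "ACCT-1111", "E000"),
    PayrollRecord("E101", "Bob Smith", "ACCT-2222", "E100"),
    PayrollRecord("E102", "Carol Jones", "ACCT-3333", "E100"),
    PayrollRecord("E103", "Dan Brown", "ACCT-4444", "E100"),
    # Ghost: no HR file, and paid into the account of the payroll user who created it.
    PayrollRecord("E200", "Pat Ghost", "ACCT-1111", "E100"),
]


def find_ghost_indicators(payroll, hr_roster):
    """Return {emp_id: [indicator, ...]} for payroll records that need review.

    Three independent checks are applied to every record:
      1. the id has no HR onboarding record;
      2. the deposit account is shared with another payroll record;
      3. the pay goes to the account of the payroll user who created the record.
    """
    findings = defaultdict(list)
    account_by_emp = {r.emp_id: r.deposit_account for r in payroll}
    emps_by_account = defaultdict(list)
    for r in payroll:
        emps_by_account[r.deposit_account].append(r.emp_id)

    for r in payroll:
        if r.emp_id not in hr_roster:
            findings[r.emp_id].append("no HR onboarding record")

        sharers = sorted(e for e in emps_by_account[r.deposit_account] if e != r.emp_id)
        if sharers:
            findings[r.emp_id].append(f"deposit account shared with {','.join(sharers)}")

        creator_account = account_by_emp.get(r.created_by)
        if (creator_account is not None
                and creator_account == r.deposit_account
                and r.created_by != r.emp_id):
            findings[r.emp_id].append(
                f"pay goes to account of payroll user {r.created_by} who created the record")

    return dict(findings)


if __name__ == "__main__":
    for emp_id, indicators in sorted(find_ghost_indicators(PAYROLL, HR_ROSTER).items()):
        print(emp_id, "->", "; ".join(indicators))
```

Run against the constructed data, the report flags E200 on all three checks and E100 once (its account is shared with E200), while the genuine hires produce no findings. In practice the same reconciliation is worth extending to badge, VPN and directory logs, since a payroll identity that never authenticates anywhere is another strong ghost indicator, and the report should go to someone outside the payroll team that creates the records.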

The biggest problem of all in the corporate world may be the way that many banks and other financial institutions, such as credit unions, conduct their business. While most say they are highly concerned about fraud, too often their protective measures fail to stymie this culprit. One vulnerability is their heavy reliance on cloud computing, which is prone to security issues, notes Check Point, an American-Israeli multinational provider of software products for cloud security. This is true in most industries, but most aren’t attacked as much as banking, whose losses to criminals are well above average, according to Akamai Technologies, a cybersecurity and cloud service company.

Another issue in the financial services world is that many banks, in particular, are wary of hiring outside vendors in cybersecurity risk management, even though they have the in-house tools to detect fraud early. Their reasoning: Outside vendors of all stripes introduce new security challenges. This is also true for cybersecurity vendors, some of which have been periodically hacked themselves. Still, they tend to be a useful complement and usually are better at penetration testing and making vulnerability assessments.

Fortunately, steps can be taken to mitigate fraud. Here are three of them:

+ Identify fraud risk. A fraud risk assessment identifies the areas where the business is inherently exposed to fraud, estimates the likelihood of a particular fraud scheme, and spotlights improvements to internal controls. Every business is unique, and no action plan is one-size-fits-all.

+ Select the proper third-party vendors. The biggest risk is choosing a third-party relationship that doesn’t align with the organization’s security standards. For instance, if a company is bound by HIPAA regulations that protect the disclosure of sensitive patient health information, it can’t afford to hire a network security company that doesn’t comply with HIPAA. A vendor must be in sync with the company. 

+ Educate users about the value of their accounts. Regularly ensure that they don’t reuse passwords and don’t share login details with anyone, and that they double-check that messages appearing to come from the employer are genuine, thereby avoiding phishing attempts.

Proactive fraud prevention is essential. Proper actions by top management can induce everyone in the organization to internalize the positive attitudes that prevent fraud or make its detection more likely. Management needs to set the right tone at the top and realize that even small rules exist for everyone in the organization, including them. They also must maintain transparency in training and communications. The bottom line: Organizations with strong, positive environments of fraud control typically create loyalty among employees at all levels. All companies should aspire to this.


Contributors
Robert Ackerman

Founder/Managing Director, AllegisCyber, AllegisCyber Capital
