by Andy Scherpenberg
VAT carousels, intentional road collisions to defraud the insurance companies, ‘man in the browser’ technology that intercepts your financial transactions and modifies both amount and account number while you are still seeing the usual transaction screens: fraud has permeated every sector and is taking new forms and shapes. Fraudsters are becoming smarter by the day and they have access to more and more resources. An overview.
“The best trick that the devil ever invented was to make us believe that he doesn’t exist.” This often-used saying applies perfectly to fraud. Tricksters are making increasing efforts to conceal their presence and hide their crimes. Certainly in the area of Internet fraud, this is bearing fruit for them. All reports from research companies and analysts worldwide underline one fact: there is an exponential increase in malware and digital security incidents.
Fraud, more than any other crime, can remain undiscovered for long periods of time (with insider fraud, this period averages 18 months). Fraud numbers are often understated, with some victims not even realizing they have been defrauded. That’s why many people view cybercrime as one of the largest dangers that our economies face. One thing to be aware of is the so-called ‘black swan event’: an incident that comes as a complete surprise to the affected organization and can have a huge impact on it. One example of this was the “Unlimited Operations” attack, when on a single day more than 30 million euros was taken from ATMs worldwide after hackers succeeded in removing the limits on accounts.
In the area of “classic fraud”, the amount of damage caused by each case of fraud has also risen steadily as a result of the ‘professionalization’ of the fraudsters, both in the physical world and in its digital counterpart. In practical terms, this also means that there is a greater chance that you will sustain irreparable damage from just one incident of fraud, resulting in major financial or reputation-related damage to your company. In the worst-case scenario, this can lead to delisting from the stock exchange and even bankruptcy.
Analogue and digital
An additional challenge is that fraud can take a variety of forms that can differ from sector to sector. The illustration below gives you an idea of the many forms of fraud – from VAT carousels used to defraud the government, to phishing and ‘man in the middle’ attacks designed to swindle you via Internet banking; from lengthy, convoluted maneuvers to gain the trust of employees so that they disclose their login details (‘social engineering’), to the theft of confidential data by a company’s own employees… These are all part of the package of threats that you have to arm yourself against.
To make things even more complex, an entire range of different channels is now being combined in sophisticated fraud schemes. For example, bankcard details are stolen online and then used to make fake cards that withdraw funds from bank accounts at ATMs, sums that can sometimes run into millions of euros, or a distributed denial of service (DDoS) attack may be simulated on a website to divert attention away from an attempt to break into the organization’s internal systems.
A fragmented approach leads to weak defense
All of this makes it particularly difficult for companies and governments to fight fraud. Organizations frequently use a fragmented approach when trying to prevent and fight various forms of fraud. Each department and support service (HR, finance, audit, etc.) often has its own approach and systems. There is no enterprise-wide view, which makes it easier for fraudsters to discover weaknesses in the defenses and exploit them.
And to make everything even more complicated, today’s methods and processes to fight and address fraud are already out of date tomorrow. This means that the approach and defense mechanisms you are using today, no matter how modern and sophisticated they may be, become hopelessly outdated after a year. It’s like trying to mop the floor dry with the tap still turned on. Fraudsters spend a lot more time imagining their next move than we spend addressing their last move. Furthermore, many organizations are not aware of the particular threats hanging over their heads. Alternatively, they take the opposite stance, downplay the whole issue and refuse to invest in sufficient forms of protection, treating the sales talk of security companies as paranoia. All of this means that fraudsters find it very simple to rob these types of organizations.
But what can you do to better arm yourselves against fraud? You will find out in my next blog post next week.
The author Andy Scherpenberg is Fraud Expert at SAS.