by Andy Scherpenberg
VAT carousels, intentional road collisions to defraud the insurance companies, ‘man in the browser’ technology that intercepts your financial transactions and modifies both amount and account number while you are still seeing the usual transaction screens: fraud has permeated every sector and is taking new forms and shapes. Fraudsters are becoming smarter by the day and they have access to more and more resources. In a previous blog post you could already get a sense of the impressive weaponry that the fraudsters have at their disposal.
So what can we do to counter this constant stream of sophisticated and varied attempts at fraud? We can install good physical and digital security, of course – as well as make our staff aware of the risks of cybercrime, social engineering, bribery, blackmail and other dangers. Because it is not just about financial loss, but also increasingly about the theft of confidential information, customer data or business secrets.
Inform, raise awareness and detect
From a corporate perspective this awareness has to start with senior management, because all too often they seem to be insufficiently aware of the dangers lurking just around the corner. Often, focus on the issue tends to dwindle when the problem seems to be disappearing. But the price that has to be paid for fraud detection is constant vigilance and pro-activeness. More often than not, a company’s own employees are also involved in cases of fraud. What is important is to pay attention to all possible forms of fraud so that you can quickly recognize and preempt suspicious patterns, whether they are linked to one another or not, before the fraud itself is actually perpetrated. Fraud detection and prevention is always simpler than trying to recover losses. It is also cheaper and the organization can then protect its market reputation and retain the trust of its customers.
To achieve this, you need an all-encompassing framework capable of uncovering, analyzing and linking suspicious behavior at every possible level. This begins with gathering all of the relevant data (bank transactions, invoices, customer details, port scans, failed attempts to log in and so on) from every possible channel (databases, e-mail, IT systems, network data, etc.) and integrating that data into the analysis process. The system must then be capable of filtering out suspicious behavior from all of the transactions and events observed, both in the past and in real time.
The system also needs to be self-learning so that it becomes better at distinguishing genuinely suspicious behavior from the ‘false positives’ in the future. That way, you can prevent legitimate actions from being stopped unjustifiably or slowed down, and avoid annoying your bona fide customers. You will also, in this way, build a framework that is not only able to detect today’s threats but is also ready for the new hazards of tomorrow. The industrialization of fraud, building on the increasing digitalization of our society, makes it possible for criminals – once they gain a foothold in your organization – to carry out fraud attacks in a virtual and immaterial manner without any physical intermediaries, which will bring about a fresh tidal wave of incidents.
The Chief Risk Officer and his weapons
Such a framework has been developed at SAS. The SAS Fraud Framework contains all the components needed to structure and analyze data so that potential fraud cases can be detected and investigated rapidly and efficiently. Through its data-screening features, the framework is able to provide a solution for the various areas of the business, while at the same time offering an overview of risks for the entire organization. Such an overview is of great value to Chief Risk Officers and equivalent managers. The increasing presence of this role in large organizations is an indication in itself that the need for better protection has been widely acknowledged.
Having this type of framework means you are better armed against the dangers of today and that tomorrow you will be much better protected than if you had a conventional “point solution”. Fraud is detected using SAS’s hybrid analytics approach: the same event or transaction is viewed from various angles to gain a better overall picture of the extent to which something is not normal. Statistical analyses mean that even previously unseen fraudulent behavior, for which there are no specific detection rules, can be picked up. The beauty of it is that even fraudsters, to some extent, are predictable. “Social networks” can also be built up from this, creating an overview of which individuals and organizations are interacting with one another and how they may be linked. And even though “cyber” rears its ugly head more and more, it’s still people that are committing the fraud – and they rarely do so alone.
The power of this statistical approach was very well summed up by the words of German insurer Allianz: “SAS uses embedded analytical models to uncover things that the human brain cannot. Our investigators can focus on cases with the highest probability of fraud or highest potential financial damage.”
The author Andy Scherpenberg is Fraud Expert at SAS.