Proactively managing the risks of fraud

While the Irish justice sector plays a pivotal role in tackling the problem of fraud in society, it also needs to remain resilient to existing and emerging fraud challenges it itself may encounter, writes Eoin O’Reilly, Director of Deloitte Forensic.

Fraud is an age-old problem, which affects all sectors and all corners of society. While it is difficult to put exact figures on the cost of fraud in Ireland, the global cost of fraud is estimated at upwards of €4 trillion annually, and this is almost certainly under-investigated and under-reported.

Unsurprisingly, Covid-19 has spawned a new surge of fraudulent activity, targeting individuals, private companies and government support schemes, both globally and in Ireland. An Garda Síochána, in particular, are at the forefront of the fight to temper the impact of Covid-19 fraudulent schemes in Ireland, and are educating businesses and the wider public on what to look out for.

The Covid-19 pandemic has provided a new backdrop to commit previously seen fraud types and it is also acting as an accelerator for more sophisticated and innovative forms of attacks, which have proven profitable, and are likely to persist. Equally, although fraudulent events related to Covid-19 are currently monopolising the headlines, that does not mean that other forms of fraud unrelated to Covid-19, committed internally by employees or from outside organisations, have gone away.

Notwithstanding the crucial role the Irish justice sector plays in tackling the problem of fraud in Ireland, it is also not itself immune to the threat of fraud, in particular given the level of sensitive information and assets in their custody. The challenge remains for all stakeholders within the public and private spheres, including the Irish justice sector, to protect itself and to stay resilient to new fraud threats.

What are the threats and where are they?

The exact nature of fraud threats encountered by organisations differ depending on their own set of circumstances. From internal misappropriation and abuse of positions, to external cybercrime events, fraud types can be diverse and can range from the relatively basic to the highly sophisticated.

What remains constant however, are the rewards being targeted, namely unauthorised access to funds or physical property, or unauthorised access to confidential information and data which, in the new digital age, is continuing to grow in volume and complexity in order to successfully deliver on organisational mandates. Wherever the access points are to funds, property or data within an organisation are where specific fraud threats are likely to be found.

According to the Association of Certified Fraud Examiners, a global professional organisation dedicated to fraud risk management, the biggest increases in fraud since the onset of Covid-19 have been seen in the area of cybercrime, with fraud in general continuing on an upward trajectory for the next 12 months. While some of this relates to tried and tested email phishing attempts, there is also a growth in more sophisticated cyber fraud attacks targeting public and private entities, such as elaborate invoice re-direction, advanced fee and similar fraud schemes, which are highly organised, involve multiple jurisdictions and are executed at speed. Examples of techniques used in attempts to divert funds have included use of artificial intelligence (AI) to mimic voices of an organisation’s senior management and the cloning of legitimate websites.

This is also reflective of an ever-increasing ‘professionalisation’ of cyber-enabled fraud, with the criminal ecosystem using innovation to rapidly evolve and to plan attacks on identified targets at greater scale. This includes crime being offered ‘as a service’, for example, where malware programmes can be bought and then used by other criminals on their intended targets.

Aside from the increasing sophistication of fraud, the changing nature of our remote working environments since Covid-19 has also opened up risks as traditional controls to prevent and detect fraud may be disrupted. This is the case for external frauds, but it may also increase opportunities for fraud to be committed from within an organisation, which typically can remain undetected for longer.

Building resilience against the evolving fraud risks

Prevention is certainly better than cure and by adopting a proactive approach to managing fraud, it can reduce the risk of being blind-sided, enabling a swifter response by spotting fraud early.

However, the continued evolution of fraud requires organisations to act now to ensure they are armed with the right knowledge and tools to adequately protect themselves.

Deloitte has helped a number of organisations to build resilience against fraud through a framework of dynamic preventative and detective measures, designed to keep pace with changing internal and external environments. While the right set of solutions will be dependent on each organisation’s own circumstances, the following are examples of steps which organisations should be taking:

• Perform a risk assessment: A vital foundational step for an effective anti-fraud programme requires organisations to understand and catalogue the threats they currently face, and to keep such assessments up to date. The new threats emerging through Covid-19 necessitate a re-evaluation of those risks.
• Aligning cross-organisational goals and resources: As it is becoming increasingly difficult to separate the concepts of fraud and cyber security in the new digital age, setting cross-organisational goals and aligning resources within teams can also be more effective and potentially cost efficient.
• Key internal controls: Organisations should be confident that key internal controls, such as
  segregation of duties and employee vetting processes, are robust and that these remain intact in our new remote working environment.
• Internal fraud training and communication: Fraud training and internal communications not only to raise awareness of external fraud threats but also act as a good deterrent against internal fraud.
• Technology: Evaluate the opportunities in the use of data and technology to prevent and detect fraud.

Unlocking the potential of data to manage fraud risks

As the scale and level of innovation of the fraud threat increases, more and more organisations are meeting the challenge head on by turning to technology-driven solutions, such as data-driven advanced analytics, machine learning and artificial intelligence. These solutions proactively detect and prevent fraud in a more precise and timely manner, thereby increasing resilience against tech-enabled criminals and insider threats.

As an example, “clustering” and “anomaly detection methodologies” involve creating statistical profiles to identify normal activity and then differentiate outliers from these profiles. Supervised modelling uses data from prior events to allow systems to “learn” the characteristics and early warning signs and identify others with similar behaviour.

Employing such technology solutions requires good data governance practices
and the right blend of analytical skills and organisational knowledge to derive useful insights. While establishing a data-led approach can sound like a large undertaking, this can be achieved incrementally by starting small and picking smartly in order to drive value. Rather than casting the net wide or investing heavily in one technology solution, a focused proof of concept in a targeted area, guided by the right experts, is a good way to understand the mechanics of an analytics-driven approach and to demonstrate its worth.

Clearly the fraud risk landscape is changing, and all organisations must be ready to meet the challenge. While criminals are becoming more and more tech-enabled, advances in technology also offer opportunities for effective and efficient solutions to meet that challenge head on. Regardless of approach, critically evaluating existing fraud risks and controls in the face of emerging fraud risks will help all stakeholders, including the justice sector, to stay resilient to fraud risks now and into the future, while continuing to fulfil its vital public service role.

Eoin O’Reilly, Director, Deloitte Forensic
E: eoreilly@deloitte.ie
W: www.deloitte.ie