Deutsche Bank fraud prevention expert Peter Blackall explains the cost of fraud, how victims are targeted and what organisations can do to protect themselves against attack
Between January 2016 and October 2017, more than US$7bn was lost to fraud by corporates worldwide.1 The Association of Certified Fraud Examiners’ (ACFE) findings highlighted that “internal control weaknesses” were responsible for almost half of the 2,690 cases they covered over the period.
The need for fraud controls at all levels of business is clear and although regulation protects clients of financial institutions to some extent in the case of a fraud, there is more that businesses can do to help protect themselves.
Businesses can all too easily get caught up in client demand for fast turnarounds, and worry about delays incurred by running fraud checks. However, from a bank's perspective, we see corporates making payments to accounts upon request and only then realising that the premise for the payment was never genuine. This article provides an overview of this expanding area of financial crime, following Brendan Goode's article 'Combating cybercrime' in flow, October 2017.2
Definition and background
Fraud is defined by many different legislative bodies around the globe.
For example, in the UK, the Fraud Act 2006 refers to "dishonestly making a false representation", "dishonestly abusing a position" and "dishonestly failing to disclose information", all with intent to gain an advantage or cause a loss. The German Strafgesetzbuch treats fraud as occurring when someone, with intent, gains an illicit advantage for themselves or damages the interests of another.
The theme is clear; there must be some dishonest conduct or intent to knowingly gain an advantage that one is not genuinely permitted to obtain. At the same time, no actual loss or gain needs to happen. This is a likely reason why many companies do not see that they are the victims of fraud, as they have not lost any assets off their balance sheet. In turn, this can lead to lack of investment in fraud prevention.
According to the ACFE, more than 90% of fraud is enabled by phishing.3 A fraud attack is therefore only as successful as the weakest link in the target's chain. According to PwC's 2018 Global Economic Crime and Fraud Survey,4 only 49% of global organisations reported that they had been a victim of fraud and economic crime. This is surprising and is a likely indicator of the lack of awareness in many corporates of what fraud is. The report advises readers to "think of fraud as the biggest competitor you didn't know you had".
Criminals run fraud scams like businesses, researching their targets. They will not necessarily try to obtain cash funds; in fact, many fraudsters are looking for data on individuals, which is fast becoming a commodity in its own right. This is where the difference between a chance fraudster and an organised fraudster occurs.
Organised criminals will scan social media, including LinkedIn, to produce very convincing victim profiles. They can use this information to communicate with targets as if they are familiar with them. This can then be combined with other types of fraud, such as business email compromise or invoice redirect.
Emails with bad grammar promising an inheritance from a long-lost relative still circulate, but the attacks are now much more sophisticated. Emails very closely resemble legitimate emails from social media sites and may even spoof the email address of the legitimate source. An email tailored specifically to an individual is known as 'spear phishing'.
Other methods of obtaining data are summarised on the Deutsche Bank cyber-security resource site, which includes a downloadable checklist.5 They include:
- Vishing, where fraudsters telephone their target purporting to be a trusted source, in order to obtain user names and bank account access.
- Smishing, where an SMS is used to invite the target to click on a smartphone link.
- Phishing, where email is used to persuade recipients to click on a link that provides access to account details and passwords stored on a computer.
Business email compromise
One of the biggest challenges we see corporates facing is "business email compromise" (BEC). This is an attack that preys on employees trusting that all instructions they receive are authentic and genuine. Again the numbers are large and the potential losses are unlimited. The FBI reports that over a three-year period, 40,203 domestic and international incidents reported to it resulted in a US$5bn exposure.7
A typical example is a business that has a longstanding relationship with a supplier and is requested to make a payment for an invoice to a fraudulent account with different account details to the normal account. The request may be made via telephone, fax, or email and appears to originate from the genuine supplier.
The invoice may be genuine so far as the payment is required for goods ordered, but the actual invoice has been intercepted and the beneficiary account details changed so the payment is redirected. A subtype of business email compromise is “CEO fraud” where instructions appear to originate from the CEO who makes requests from a position of authority.
If the request arrives by email, the fraudster will craft it so that it appears similar to a legitimate request. Likewise, requests made by facsimile or telephone call will closely mimic a legitimate request. Very often the request either comes from a hacked email system or the email address is spoofed, that is, mimicked to resemble a genuine address.
The basis for the style, tone and details of the BEC attack is a well-planned social engineering attack. Fraudsters create their attacks by accurately mimicking the style and tone of the person they are pretending to be, and the imitation can be difficult to spot.
In summary, a CEO fraud social engineering attack is structured as follows:
Step 1: Initial contact
The fraudster impersonates a high-ranking manager (e.g. the president, CEO, CFO) or a trusted partner (e.g. lawyers, notaries, auditors, accountants etc.) of the company.
They contact a specific employee, for instance a finance manager, an accounts payable clerk or any other employee they consider to be useful. The contact may be established by phone calls (imitating the voice) or emails (imitating the email address). The email request may include additional information that could add further legitimacy to the request. This information may have been obtained in a number of ways, for instance by hacking the actual CEO’s email account, through phishing, social engineering or open source research.
Step 2: Urgent and exceptional request
Step 3: Persuasive dialogue
To convince the target, the fraudster will use a combination of the following approaches:
- Use of authority: It is an order to do this
- Confidentiality: This project is still secret and its success depends on this transaction
- Appreciation: I count on you for your efficiency and discretion
- Pressure: The success of the project rests on your shoulders
Step 4: Transfer order
If steps 1-3 have been successful, the targeted employee will transfer funds to the account of a fraudster. The funds will often be immediately redistributed to other bank accounts, which, once the fraud has been identified, will make it difficult, if not impossible, to recover the funds.
Recovering the funds can be complicated for a combination of reasons. First, the victim of the fraud may not realise they are the victim until their finance teams reconcile their payments against their invoices, or worse still, the supplier they paid reconciles and the process takes even longer for the victim to realise the payment was made to a false account. Victims are also sometimes reluctant to report fraud on the basis that their reputation may be damaged by admitting they are a fraud victim.
Second, fraudsters will move funds into an account that they are able to control. This account may belong to a vulnerable person, conned into allowing a fraudster to use their account, or someone has sold a dormant account to criminals who have then left the country. The fraudster will then split and move the funds via a network of mule accounts, often located in different jurisdictions to the victim’s account.
Speed is key to funds recovery. As soon as fraud is discovered there should be no delay in informing the bank, which will attempt to recover the funds. A break in the chain of receiving and paying invoices improves the chances of checking that the payment is going to the correct account.
On 11 June 2018, the FBI launched 'Operation Wire Wire' to counter the threat of BEC. It has produced a useful atlas of common BEC locations, and this representation makes it easy to see how far funds move,8 which makes it even harder for banks to recover assets.
Successes are forthcoming; a large number of arrests occurred last year across the regions shown, but this also goes to show how quickly money can change hands.
How to protect against Business Email Compromise (BEC)
- Ensure all staff, not just finance teams, know about this type of fraud
- Have a process in place which allows staff to properly verify that the instruction they have received from their senior management team is legitimate. This could involve establishing a callback procedure to verify instructions
- Always review financial transactions to check for inconsistencies/errors
- Consider which information is publicly available about the company and whether it needs to be public
- Ensure computer systems are secured and antivirus software is up to date
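The second and third points above describe a control that can be automated at the point of payment release. The following is an added example (not code from Deutsche Bank or the article): an invoice-redirect screen that compares the beneficiary account on an incoming instruction with the supplier record verified at onboarding, and holds any change for a callback to the number already on file, never to a number quoted in the request itself. Supplier records, instructions and phone numbers are constructed sample data; the IBANs are the standard published test values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SupplierRecord:
    """Supplier master data, captured and verified at onboarding (constructed sample)."""
    name: str
    iban: str            # account verified when the supplier was onboarded
    callback_phone: str  # number verified at onboarding; the only number used for callbacks

@dataclass(frozen=True)
class PaymentInstruction:
    """An incoming payment request as received from the claimed supplier (constructed sample)."""
    supplier_name: str
    iban: str
    amount: float
    channel: str         # "email", "fax" or "phone"
    contact_phone: str   # number quoted in the request; untrusted by definition

def normalise_iban(iban: str) -> str:
    """Strip spacing and case so a reformatted IBAN is not mistaken for a changed one."""
    return "".join(iban.split()).upper()

def iban_checksum_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check: catches typos and crudely altered account numbers."""
    s = normalise_iban(iban)
    if len(s) < 15 or len(s) > 34 or not s[:2].isalpha() or not s[2:4].isdigit():
        return False
    rearranged = s[4:] + s[:4]                      # move country code and check digits to the end
    digits = "".join(str(int(c, 36)) for c in rearranged)  # A=10 ... Z=35, digits unchanged
    return int(digits) % 97 == 1

def screen_payment(instr: PaymentInstruction, suppliers: dict) -> tuple:
    """Return ("release", reason) or ("hold", reason) for the payments team."""
    rec = suppliers.get(instr.supplier_name)
    if rec is None:
        return "hold", "supplier not on file: onboard and verify before paying"
    if not iban_checksum_ok(instr.iban):
        return "hold", "beneficiary IBAN fails checksum: treat as suspect"
    if normalise_iban(instr.iban) != normalise_iban(rec.iban):
        return "hold", (f"beneficiary changed by {instr.channel}; verify by callback to "
                        f"{rec.callback_phone} on file, not to {instr.contact_phone} in the request")
    return "release", "beneficiary matches supplier master record"

if __name__ == "__main__":
    # Constructed sample: one onboarded supplier and a redirect attempt to a different valid IBAN.
    suppliers = {"Acme Ltd": SupplierRecord("Acme Ltd", "GB82 WEST 1234 5698 7654 32", "+44 20 7946 0000")}
    redirect = PaymentInstruction("Acme Ltd", "DE89 3704 0044 0532 0130 00", 48200.0, "email", "+44 7700 900000")
    print(screen_payment(redirect, suppliers))
```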
Account takeover
Account takeover occurs where fraudsters are able to access an account and operate it as if it were their own.
People often use the same password across more than one login. A typical example: a fraudster emails a convincing social media request containing a link to the genuine site. As the person clicks through the link, a keylogger is installed that records the user name and password. The fraudster then uses these credentials to attempt to gain access to other services, such as online email services or marketplaces.
Marketplaces and their sellers, who trade on an account, are particularly at risk. The account can be compromised and the funds that the seller has built up over time are then moved to a mule account.
Fake documents and trade finance fraud
This is not an area in which we have seen a great deal of activity, but it is a risk, particularly in trade finance, because of what is known as the "fraud exception": where fraudulent trade finance documentation is presented, the bank does not have to pay.9
Fraud within the trade finance space is closely linked to money laundering schemes. Trade finance is a complex area and typically involves the shipping of large quantities of goods at short notice, often changing hands multiple times along the journey. On average, only 5% of shipping containers are checked by port authorities, so the potential for criminal gangs to ship non-existent goods to facilitate crime is high. Diligent checks, knowing your clients and intermediaries as well as inspecting paperwork will work towards mitigating the possibility of fraud.
Financiers of commodities can end up taking on the seller's risk when they offer trade finance on the basis that the underlying goods to be shipped are of the specified quality and quantity. If the documentation is faked to show a higher quality of goods than is actually shipped, the loss falls on the financier, often with no recourse to the goods. This is why banks employ collateral managers to monitor goods stored in the warehouses on which lending is secured. In 2014, the Qingdao scandal, involving multiple pledging of the same metals as collateral using warehouse receipts, rocked the industry.10
The International Chamber of Commerce Commercial Crime Services provides training and fraud prevention services with its International Maritime Bureau “dedicated to the prevention of trade finance, maritime, transport and trade fraud and malpractice”.11
Internal fraud
All too often overlooked by companies is the threat of internal fraud. According to the ACFE,1 around half of all corporate fraud is committed against companies by their own employees, with 14% of employee fraud relating to expenses. The average time before such fraud is discovered is 24 months, and businesses struggle to accept that it has occurred with long-serving employees.
Keeping a discreet eye out for the following indicators is sensible and does not amount to an aggressive surveillance regime:
- Evidence of lavish lifestyle.
- Mood changes and unusual generosity.
- Employee in financial difficulty.
- Defensive behaviour when expense submissions are queried.
Prevention measures include:
- Know your staff by having a robust onboarding procedure.
- Set up a confidential reporting system so that employees can report fraudulent conduct anonymously and in confidence.
- Conduct a fraud risk assessment across the company to identify weak points.
- Ensure a separation of duties between accounts receivable and accounts payable; this allows more time to check for external fraud attempts and removes the temptation for collusion with fraudsters.
- Review expense reimbursements and dip-sample them. Checks should be conducted on a random basis to ensure that expenses are genuine and within business policies.
Outlook for fraud prevention
For me, the same issues apply to a single vulnerable adult as they do to any corporate body; dishonest people exploit people’s sense of trust or sense of urgency to defraud them.
Criminal gangs defrauding a multi-million-pound bank are no different to the couple of fraudulent tradesmen pretending to fix your roof and charging you for non-existent repairs.
Companies are focussed on the online threat of fraud, which is absolutely right, but “old fashioned” fraud is still a way in for criminals to steal money. As online fraud controls improve, fraudsters will return again and again to exploiting the human element of the chain.
Peter Blackall is the Fraud Risk and Controls Manager for the UKI region at Deutsche Bank. He served in the Royal Navy as an Engineering Compliance Officer and then became a police detective, where he specialised in vulnerable adult investigations before joining Deutsche Bank.
1. See the ACFE's 2018 Global Study on Occupational Fraud and Abuse at https://bit.ly/2HvziNC
2. See https://bit.ly/2MaBWr9 at db.com
3. See https://bit.ly/2AsEAHa at db.com
4. See https://pwc.to/2sKL1xF at pwc.com
5. See the Deutsche Bank cyber-security resource site for definitions and a downloadable checklist at https://bit.ly/2n03WCG
6. See https://bbc.in/1VxvzMZ at bbc.co.uk
7. See https://bit.ly/2qAEVBE at ic3.gov
8. See https://bit.ly/2LKrFFV at fbi.gov
9. This is helpfully explained by law firm Norton Rose Fulbright in its factsheet at https://bit.ly/2n3R3Yx
10. See https://reut.rs/2KgCVnY at reuters.com
11. See https://bit.ly/2AwvE3x at icc-ccs.org