I am grateful to Arturo del Castillo, Partner at KPMG and Mark Clancy at DTC who made these original presentations in Cancun, Mexico at the World Forum of CSDs and who have given me permission to blog and reproduce their slides. I was so taken with them, that I thought a wider audience would be interested to hear (or read) some of the highlights.

Spotting a Fraudster

As cybercrime is just one element of fraud, lets deal with the broader aspects first. Could you spot a fraudster in your organisation? Strangely enough, they tend not to wander round with a mask, stripey jumper and bag over their shoulder marked ‘swag’. But, over the years, it clearly has been possible to profile those who are statistically more likely to commit fraud. That would give some direction for a financial services organisation as to where to focus its detection resources.

So, with that in mind, your average fraudster, would appear to be between 36 and 45 years old, holding a managerial or executive position and likely to have been around in the organisation for over six years. I found an interesting parallel to one of the cyber crime statistics here, but more of that later. If you drill down a little further, you find that 70-% of fraudsters are between 26 and 55 years old. Many fraudsters in this profile are ‘opportunistic’. That is, they are usually first time offenders, trusted employees and the alleged behaviour comes as a surprise to co-workers.

Now before you start eyeing up all your co-workers as potential fraudsters, these are statistics and probabilities, not certainties, but I certainly found this kind of analysis very interesting, more because I just had never thought of it before. But perhaps that’s part of the problem that the industry has – most of us have just never thought of it before and we start from a base of assuming complete trust. I still think that’s a good thing, but it does mean that, if the opportunity for fraud exists in your organisation at a level that could cause financial or reputational pain, perhaps its something to think about in terms of judicious control procedures that can deter or prevent. I guess that that’s the kind of thing FIFA is going to struggle with in the coming months and years. You’d also struggle to match every one of the fraudster’s profile elements to those currently in custody with the FBI.

Fraud Defined

But what is fraud? Arturo described it as ‘a deliberate act of abuse of trust, taking advantages of swindles. Its done for profit without the consent of the concerned company’. What drives it? Opportunity, motivation and rationale.

Arturo then eloquently went on to describe some of the metrics of fraud. I found the fraud values somewhat counter intuitive. Nearly 55% of all frauds involve less than $200,000 and only around 22% had values over $1m. Given the downside to fraud – getting caught, going to jail, loss of family, reputation etc, I would have predicted much more high value fraud. After all, if you’re going to do it and that’s the downside, you might as well go for it big time. A sort of Ocean’s 11 scenario. The overall global damage caused by fraud was estimated to be over $3.5 trillion which doesn’t surprise me at all.

Types of Fraud

I also found Arturo’s description of types of fraud fascinating. Four main types – corruption (haven’t heard much about that lately – have you?), asset misappropriation, financial statement fraud and cybercrime. Of these, cybercrime and asset misappropriation are more typically found in the financial services sector. Maybe that’s just because we don’t organise football tournaments?

Cybercrime, from that point of view is a subset of fraud, but it’s the glamour model of fraud. Its techy, glitzy and there’s something exciting about the prospect of not actually having to blow up a bank to get load of cash and just pushing a button. At least, that’s what the movies would have us believe. That’s what kept me riveted in my seat after Arturo’s, to listen to Mark Clancy from Soltra, a DTC company.

Increase in Fraud

Mark started from a different position. I often moan in my own business about the amount of spam and phishing emails I get every day in my inbox and I suspect that almost everyone out there reading this will know exactly what that feels like. According to the Global State of Information Security Survey 2015, the number of external threats to our systems is growing rapidly. It was 3.4 million hack attempts in 2009 and its estimated at 42.8 million last year, which is up 48% even just over 2013. That sounds all well and good and its almost like, well it is what it is and we expect the IT people to handle it. I was intrigued however to hear how cybercrime has evolved over the years and particularly the way that motivations for it have changed. Back in 1988 for example cybercrime was the domain of technically curious individuals, the motivation? – fun.

Motivation of Fraud

By 2001 cybercrime was being taken over by the more technically adept moving from individuals to groups who wanted to ‘leave their mark’ particularly on public websites. The motivation here? – fame. I thought Mark’s description of these threats as academic leading to ‘script kiddies’ very funny. By 2004, the motivations had generally changed from fun and fame to fortune. Cyber criminals were organised gangs stealing money, data etc for ransom. By the time we get to around 2010, the motivation changes to force. Nation states and non-nation groups launching targeted and strategic attacks.

Most recently the Sony Pictures attack by North Korea exemplifies just how far and fast this can escalate. Another way of looking at or categorising these threats, as Mark explained, is ‘hackivists’, criminals, espionage and war.

Aftermath of Fraud

These of course were all preludes, mere descriptors to the main point of Mark’s presentation. The motivations are all very well. The numbers are self explanatory. Its when you hear the big bang that you sit up and take notice. This was when Mark explained the difference in speeds between cyber attackers and their victims. There are two aspects of attackers’ strategies – the time from initial attack to initial systems compromise and the time from initial compromise to data infiltration. Both of these activities, hackers can do in minutes. On the other side, the time between initial compromise and discovery is typically days (38%), weeks (29%) or even months (54%). The message is pretty clear. By the time you find out that your systems have been compromised, cyber attackers will likely have potentially been meandering around in your systems, figuring how they are structured, stealing the passwords and preparing and executing their attack, for months. Think about it. They might be in there right now – you just haven’t discovered them yet.

Again, I found a parallel between this focus on time and resource and my own speciality, withholding tax. The initial compromise occurs when tax is over withheld on a payment. The damage is financial from the very second it happens. The tax dollars are in someone else’s account and they aren’t available to re-invest. The next stage is discovery and that would be whenever the financial institution realises that there is an entitlement and begins to correct it by preparing a claim. That process can take weeks, months or even years in some cases. Once the claim is filed, there will then be another length of time before you finally see your money back in your account. Of course, there is no crime, cyber or otherwise, being committed here. Its just the way that the tax system and double tax treaties work. The message however is the same. Be vigilant, pay attention and most of all, when you see something, do something.

Mark’s closing remarks highlighted the asymmetry of the economics of cybercrime. The cost to attack is much lower than the cost to defend. But if you have a good and advanced strategy and policies to protect against cyber crime, you can make the cost of attacking you much higher and that’s a good deterrent.

Thanks to Mark Clancy and Arturo del Castillo for their great presentations, I hope that others may be stimulated by their findings and my thoughts.

Image Credit: Don Hankins