Written by Richard Hurley, Communications Manager, CIFAS – The UK’s Fraud Prevention Service
The frauds recorded to the CIFAS Staff/Internal Fraud Database in 2013 help to underline not only what insider threats have occurred, but where the real vulnerabilities lie.
Fundamentally, of course, vulnerability will always be tied up with risk, and organisations have typically been able to appreciate the risk from outside (e.g. criminals, fraudulent applications, computer hackers, identity crime). But are the risks from inside the organisation much different? And, if they are not, are they fully appreciated?
The internal fraud threat is no different from the external fraud threat
The CIFAS Staff/Internal Fraud Database allows organisations to share data on several types of confirmed fraud committed inside an organisation (a full list can be seen here). The most commonly recorded type of fraud in 2013 was employment application fraud. In effect, this is no different from a customer lying to an organisation: the prospective employee/customer makes an application containing several material falsehoods and false declarations (or, equally, fails to declare information) that are vital to the employment decision. Just as a potential customer might make false declarations about income or employment status, prospective employees can commit similar frauds. In 2013, some applications contained false or forged qualifications, others gave a false visa status, and others made false declarations about employment history (e.g. somebody saying that they had left an organisation when they had been dismissed for a serious offence) or fraudulent declarations regarding income and outgoings in positions regulated by authorities such as the FCA.
Realistically, are the risks any different, and are the solutions? Organisations check numerous sources of information when dealing with customer applications (credit checks, the CIFAS National Fraud Database, the voters' roll, etc.). Why? To verify information before a decision is made. The checks to be made for prospective employees are of the same type: checking with all previous employers listed, completed DBS checks, the CIFAS Staff Fraud Database. Why? To stop someone entering your organisation before any potential financial or reputational damage can be done.
And the other dangers internally? Just like the other dangers externally!
Other common frauds in 2013 identified by organisations included dishonest actions to obtain a benefit, either through theft or deception. Examples included submitting false expenses or stealing cash from a customer account. When you think about frauds affecting consumers – such as someone having funds fraudulently taken from their account – is the fraud (fundamentally) any different? In reality, no: both are fraud as theft. Both have a financial impact that goes beyond the initial amount taken (e.g. investigation, refunds, compensation or fines) and a profound impact upon confidence and morale: of the customer in their service provider, and of the staff, respectively. The net results: consumers take their business elsewhere, staff are affected, productivity is jeopardised and the organisation suffers even more. Fundamentally, too, you begin to see how there is scant difference between frauds committed inside an organisation and those committed from the outside.
The unlawful obtaining or disclosure of data is also a very serious threat that has direct parallels to the external risks and dangers organisations already tackle. Mention organised criminals to many organisations – or malicious hackers – and the external threat is easily appreciated: most organisations have long been putting counter-fraud measures in place to stop a remote attack from a foreign land. But what steps are in place to stop a member of staff (often targeted by the same criminal gangs) from simply downloading a portion of a customer database to their desktop and then copying it to a USB key or sending it to their home email address? Numerically, data thefts might seem few and far between – but one data theft can encompass thousands of customer records. If you consider that over 60% of the frauds on the CIFAS National Fraud Database (containing those ‘consumer fraud figures’) are classified as identity crime (that is, a crime reliant on the misuse of personal or account data), then the scale of the problem is clear. One type of fraud links directly to another.
Tackling fraud from the outside means tackling fraud from the inside too. An organisation cannot successfully promote safe practice to its customers if its own house is not in order.
Simply put – fraud is fraud: no matter who commits it, the risk is there. Counter-fraud measures that are accepted when it comes to consumer fraud – such as intelligence, checking, data sharing, etc. – must now start to be used by organisations. Those that do not risk becoming the weak links in society’s anti-fraud effort.