Nick Martindale 8 Feb 2018 11:13am

The complications of crime in business

Crime against businesses has existed for as long as commerce itself. But today’s criminals are increasingly difficult to pin down, exploiting new channels and operating across international boundaries. Nick Martindale looks at how organisations can attempt to keep pace and keep safe

Caption: Illustrations: Matt Murphy

Putting a figure on the proceeds of crime is a notoriously difficult task, but a 2017 report by tax and advisory firm Crowe Clark Whitehill and the University of Portsmouth’s Centre for Counter Fraud Studies estimated the global cost of fraud at around £3.55trn in 2016, some two-thirds more than the UK’s entire gross domestic product (this figure was calculated by taking the average losses for organisations over the past 20 years and applying it to specific yearly global GDP figures; it would be higher if the figure for the last 10 years only were used). The UK itself loses around £125bn a year, the report suggested, while Financial Fraud Action UK estimates an incident of fraud takes place every 17 seconds.

Not all fraud is related to businesses, but there is little doubt that the threat to organisations is growing. Much of this is due to the growth of online crime, ranging from using the internet to conduct fraud that would traditionally have been carried out in other ways, to more complicated, dedicated cyber attacks such as the WannaCry hit on the NHS in 2017 and the hack on Uber in 2016, which saw the business pay $100,000 to conceal a massive global breach of the personal information of 57 million customers and drivers.

“The current situation regarding fraud is ‘red alert’,” says David Kirk, a partner at international law firm McGuireWoods, and previously chief criminal counsel at the Financial Conduct Authority and director of the Fraud Prosecution Service. “A perfect storm of digital and cyber-enabled fraud, old-fashioned employee theft, a much more transient workforce making use of their own smart phones and tablets, global banking and many other factors are making it easier for fraudsters to operate, and much more difficult to detect them and recover funds. Frauds are committed remotely, from cyber space, and with communications systems that could have been designed for the purpose.”

Unknown identities

According to fraud prevention service Cifas, around nine out of 10 frauds are linked in some way to identity theft, a problem compounded by new means of accessing data. “Business identity theft is a particularly significant risk, not just for those businesses whose identities are stolen but also those that extend credit for goods and services,” says Simi Bains, high risk and fraud insights leader at Dun & Bradstreet. “Fraudsters typically use the good name and credit of a genuine business in order to obtain credit. As well as losing revenue, victims of business fraud may see their credit scores negatively impacted and experience irreparable reputational damage.”

An increasingly common tactic is to try to trick employees into thinking they are being asked by their CEO to transfer money or make urgent payment of an invoice, using information that has often been gained by hacking into the CEO’s email, says Phil Beckett, managing director, disputes and investigations at professional services firm Alvarez and Marsal.

“This type of fraud is becoming so sophisticated, with some learning to mimic how a person writes emails to make it even more believable, that this activity is now costing businesses trillions,” he says. “If an employee receives an email from the CEO asking for help when they know they happen to be off-site, of course they’ll try to help by transferring money for them.” Often money is moved overseas to China or North Africa, he adds.

Other types of identity theft include mandate fraud, where accounts staff are duped into changing banking details to transfer genuine payments into bogus accounts, or invoice redirection fraud. “Fraudsters pose as regular or known suppliers and make a formal request for bank account details to be changed,” says Gary Kearns, executive vice-president at Vocalink Analytics.

Attempts to access important company data or change financial details are not confined to the realm of cyber attacks, however. “We do have cases where crooks find ways of getting information by actually coming into the premises of firms,” says Paul Simkins, director of quality assurance, professional standards, at ICAEW and chairman of the Anti-Money Laundering Supervisors’ Forum. “It could be via a cleaning company or other people on-site who have dodgy connections.”

In the money

Money laundering also remains an ongoing threat for businesses, particularly those which engage in international trade. According to BAE Systems Applied Intelligence, this now costs almost $2trn each year, accounting for around 3% of global GDP and a sum that would rank it in fifth place among the world’s largest economies.

“The criminals behind money laundering are finding ever more sophisticated ways of disguising their activity and it is more important than ever for global businesses to understand how to fight the threat,” says Rob Horton, head of financial crime solutions EMEA at BAE Systems Applied Intelligence. Tactics include targeting investment banking, commercial banking and especially trade finance products, he adds.

The potential to launder money through organisations has been increased by the emergence of cryptocurrencies – particularly in countries such as Japan – around which processes have yet to be fully developed and tested. “There have already been several high-profile bitcoin and ethereum heists,” points out Jordan Underhill, research specialist at US organisation the Association of Certified Fraud Examiners. “Additionally, the increase in initial coin offerings (ICOs) raises the possibility of individuals using ICOs to defraud investors. Lastly, because cryptocurrencies use new, cutting-edge technology, it is likely that we will see more novel schemes in the future that use these technologies in some way.”

Jeffrey Davidson, managing director of Honeycomb Forensic Accounting, adds: “We have started to see global news stories of money-launderers using cryptocurrency. Russian national Alexander Vinnik was arrested in Greece and charged this summer by a US grand jury over the alleged money laundering of $4bn over several years, using bitcoin.” The potential for fraud is magnified by the distributed ledger technology used by cryptocurrencies, he adds, which provides a “problematic cloak of anonymity”.

Aziz Rahman, founder of business crime solicitors Rahman Ravelli, believes many cryptocurrency fraudsters will turn to established tricks. “Common bitcoin scams may well look familiar; for example, malware downloads and phishing, pyramid schemes, investment schemes and fake exchange scams,” he says. “For these kinds of cons, the first line of defence will always be security systems.

“For bitcoins owned by businesses, multisignature wallets are a fantastic method of protection from hackers; requiring two separate authorisations from two separate parties before any bitcoins are released. While the first would be the business, the second party would be a service that screens the transaction for fraud, making multisigned accounts significantly more difficult to steal from.”

More generally, the advice for businesses hoping to avoid becoming victims of fraud is to make sure they run verification checks, says Rodney Joffe, senior technologist at Neustar, and former White House cyber-security advisor. “Fraud prevention today needs to be about verifying offline identities, and linking them to online identities,” he says. “By checking offline data, such as names, addresses, phone numbers and email addresses, against online attributes – IP addresses, location and cookie data – in real time, you can identify any red flags before being compromised, and let real customers through without added multifactor authentication requirements on their end.”

Best form of defence

David Clarke is director of the Fraud Advisory Panel, a charity set up by ICAEW 20 years ago. He stresses the need for board-level backing of the necessary protective measures, including staff training and external companies conducting independent audits. “We did it a few years ago, and you’ve got to put a lot of work into it but the benefit in terms of new business is huge,” he notes. “We work with two big law firms and two big accountancy firms and it contributed to us winning those contracts with them, because we have got it and others haven’t.”

In the wake of attacks, such as the Panama Papers leak of 11.5 million files from the database of the world’s fourth biggest offshore law firm Mossack Fonseca, failing to have implemented suitable defences is likely to be seen as negligent, he adds, and could lead to significant fines from the Information Commissioner in future.

In time, legislation is likely to catch up with new methods of business fraud, and force organisations that fail to take this seriously to toughen up their stance. “We have seen data breach notification requirements in the US for more than 15 years, but the new General Data Protection Regulation in the EU, which comes into effect in May, will mark the first time we have seen comprehensive breach legislation across the EU,” says Aaron Simpson, managing partner of Hunton & Williams’ London office. “Similar requirements are cropping up across other parts of the world, including in Asia and Latin America. In many ways regulators have been slow to react to the growing threat, but it’s fair to say that this issue is now front and centre on the minds of regulators across the EU and the world.”

A matter of time

Welsh loan broking firm KIS Finance is all too aware of the growing threat of international fraud, having been the target of fraudsters on numerous occasions.

To date, the firm’s diligence has prevented it from losing out financially but Alan Andrews, marketing and HR consultant, says it is a significant burden in terms of the time it takes up. “We’re quite fed up with how bad it’s getting,” he says. “They try it on with bridging companies because they think we don’t do many checks, and it also means genuine customers have to jump through extra hoops.”

The business has been hit by people seeking bridging loans on properties they did not own, including one who used false passports in an attempt to get £1.6m. Another scam was a bogus company that used its name – and copied its website – to target people who had had loans declined by legitimate lenders, and request a number of payments to arrange finance that never materialised.

Much of the fraud comes from overseas, including Nigeria and India. He says his firm has received very little support from the authorities or lenders, despite having strong evidence of wrongdoing. “There’s a complete lack of interest,” he says. “But the people who failed with us were good at it, and they will only have learned from their mistakes and gone somewhere else. I think it’s going to get worse.”

Under scrutiny

Accountants have a vital role to play in the fight against business fraud, both in protecting their clients and avoiding getting caught up in any incidents themselves.

The main mechanism for protecting both entities is to conduct thorough firm-wide risk assessments on any potential customer and advising clients to do the same, says David Stevens, integrity and law manager in the technical strategy department at ICAEW.

“That means not only assessing the exposure of the firm but each client as they come through the door on a case-by-case basis,” he says.

The upcoming evaluation of the UK’s anti-money laundering processes by the Financial Action Task Force will bring this into even sharper focus this year, he adds.

Accountants may also find themselves under increasing scrutiny when it comes to reporting cases of fraud. Research by ICAEW in 2012 found accountants were the group businesses were most likely to turn to for advice when they had been defrauded, but a recent study by Transparency International found only 1% of suspicious activity reports were filed by accountants.

“We would expect to see rather more coming from accountants, given their unique position and the fact that very often they do have sight of this,” says David Clarke, director of the Fraud Advisory Panel. “There are questions about why we’re seeing so few.”

ICAEW has recently unveiled a methodology for conducting firm-wide risk assessments. For more information about these, visit tinyurl.com/ICAEW-RiskAssess