Former Australian Federal Police officer and former head of security at the Commonwealth Bank John Geurts used a SAS customer event in Melbourne to warn of the various types of fraud that can be perpetrated on businesses.
These include:
- credit card fraud (reviewing individual transactions provides a degree of protection against people using company cards for unauthorised purposes);
- invoice scams (separating purchasing authority from payment authority can help);
- payee substitution (confirm any requested change to a supplier's BSB and account numbers with the supplier, through a channel you already trust, before acting on it);
- employees purchasing goods or services from companies owned by themselves or close associates (researching the ownership of suppliers is suggested);
- the presentation of invoices that don't match the goods or services actually supplied (check the documents against reality).
"No one looks at the fine detail any more," he observed.
Another class of fraud can occur when dishonest people spot opportunities to exploit gaps in the exchange of value, he said. For example, if suppliers do not have the right processes in place it may be possible for someone to obtain goods on a 'click and collect' basis before the fraudulent payment has been detected.
Fraudsters come in three main categories, he suggested.
- Opportunistic fraud occurs where someone wasn't planning to commit fraud, but - as the label suggests - takes advantage of an opportunity when it arises. They might break into a car in the hope of finding cash or small valuables, and find a credit or debit card that they then use for tap-and-go transactions.
- Organised criminals "have time on their side," Geurts warned. They are well funded, will find your points of weakness, and may have inside help, such as a 'sleeper' employee who joined the business for that very reason. "Once they're in, they're going to keep going," he said.
- Trusted insiders could be anyone who knows your systems and processes inside out. Precisely because they are trusted, they do not normally come under suspicion. "We only caught some of these people through systems," Geurts said, noting that a systematic approach takes the emotion out of the situation - once you have found an anomaly you are more inclined to look closely at such individuals. They are most commonly motivated by greed or gambling debts, he said.
What's needed, according to Geurts, is a dynamic approach to fraud risk management. He used the analogy of a tightrope walker using a pole to help them balance: simply holding the pole isn't enough - constant adjustments are needed to avoid a fall.
He advocated a three-step approach.
- Start by understanding your business and processes. For example, a mobile carrier that provides handsets on a plan is really providing unsecured credit, and a commercial TV station derives its value from selling advertising.
- Then conduct a risk assessment, identifying possible threats (even if they seem improbable), estimating their likelihood, and determining the impact they would have on the business. Compare those findings with other players in your industry, because fraud will migrate to those with the weakest controls, he warned.
- Step three is to develop and implement preventative and detective controls. If you can reduce the incidence of fraud through automation, fewer resources are needed to investigate after the event. But do consider the customer experience - if you make life too difficult for legitimate customers, nobody will want to do business with you.
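As an added example (not code from the article, from SAS or from Geurts), the following Python turns four of the detective controls listed earlier into rules that can run automatically over payment records, which is the kind of automation step three calls for: payee substitution against the verified supplier record, segregation of purchasing and payment authority, suppliers owned by the employees dealing with them, and invoices that don't match what was received. The supplier master, the payments, the field names and the employee identifiers are all constructed for illustration and are not real data.

```python
"""Rule-based detective controls over invoice payments (illustrative, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Supplier:
    name: str
    bsb: str           # BSB verified at supplier onboarding
    account: str       # account number verified at supplier onboarding
    owners: frozenset  # beneficial owners found by researching the supplier


@dataclass(frozen=True)
class Payment:
    payment_id: str
    supplier: str
    bsb: str                # BSB on the invoice / payment instruction
    account: str            # account number on the invoice / payment instruction
    amount: float
    raised_by: str          # employee who raised the purchase order
    approved_by: str        # employee who authorised the payment
    invoiced_qty: int       # quantity billed on the invoice
    received_qty: int       # quantity confirmed received (goods receipt)
    change_confirmed: bool  # bank-detail change confirmed with the supplier out of band


# Constructed supplier master (hypothetical names and numbers).
SUPPLIERS = {
    "Acme Pty Ltd": Supplier("Acme Pty Ltd", "062-000", "12345678", frozenset({"J. Acme"})),
    "Widgets Co": Supplier("Widgets Co", "033-100", "87654321", frozenset({"K. Employee"})),
}

# Constructed employee directory: login id -> legal name used in ownership records.
EMPLOYEE_NAMES = {"a.smith": "A. Smith", "b.jones": "B. Jones", "k.employee": "K. Employee"}

# Constructed payment run covering a clean case and each fraud pattern.
PAYMENTS = [
    Payment("P1", "Acme Pty Ltd", "062-000", "12345678", 4200.0, "a.smith", "b.jones", 10, 10, False),
    Payment("P2", "Acme Pty Ltd", "062-000", "99999999", 4200.0, "a.smith", "b.jones", 10, 10, False),
    Payment("P3", "Widgets Co", "033-100", "87654321", 950.0, "k.employee", "k.employee", 5, 3, False),
    Payment("P4", "Acme Pty Ltd", "062-000", "55555555", 100.0, "a.smith", "b.jones", 1, 1, True),
    Payment("P5", "Unknown Ltd", "000-000", "1", 50.0, "a.smith", "b.jones", 1, 1, False),
]


def check_payment(p, suppliers, employee_names):
    """Return a list of findings for one payment; an empty list means no rule fired."""
    findings = []
    s = suppliers.get(p.supplier)
    if s is None:
        findings.append("unknown supplier: not in the verified supplier master")
    else:
        # Payee substitution: details differ from the verified record and nobody
        # confirmed the change with the supplier through a trusted channel.
        if (p.bsb, p.account) != (s.bsb, s.account) and not p.change_confirmed:
            findings.append("payee substitution: bank details differ from verified record, change not confirmed")
        # Conflict of interest: an employee on the transaction owns the supplier.
        for emp in {p.raised_by, p.approved_by}:
            if employee_names.get(emp) in s.owners:
                findings.append(f"conflict of interest: {emp} is an owner of {s.name}")
    # Segregation of duties: purchasing and payment authority must be separate people.
    if p.raised_by == p.approved_by:
        findings.append("segregation of duties: same person raised and approved the payment")
    # Invoice must match what was actually received.
    if p.invoiced_qty != p.received_qty:
        findings.append(f"invoice mismatch: invoiced {p.invoiced_qty}, received {p.received_qty}")
    return findings


def run_checks(payments, suppliers, employee_names):
    """Map payment_id -> findings for a whole payment run."""
    return {p.payment_id: check_payment(p, suppliers, employee_names) for p in payments}


if __name__ == "__main__":
    for pid, found in run_checks(PAYMENTS, SUPPLIERS, EMPLOYEE_NAMES).items():
        print(pid, "OK" if not found else "; ".join(found))
```

The rules are deliberately simple and deterministic so that each finding names the control that fired and the evidence behind it; that is what lets an investigator act on an anomaly without the "emotion" Geurts mentions. Note that P4 passes only because the bank-detail change was confirmed out of band; the record of that confirmation is itself a control that needs to be protected from the person requesting the change.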
Since Geurts was speaking at a SAS event, it's not surprising that the company wants to play a role in the process.
SAS fraud specialist Guy Bourne (whose job involves "applying weird and wonderful maths to interesting problems") outlined some of the analytics that can be used to reduce fraud, but observed that they tend to be beyond the reach of businesses that are not on the scale of a tier one financial services company.
That's where SAS Results as a Service https://www.sas.com/en_au/software/cloud-analytics.html comes in. The customer provides the data, and SAS provides the software, hardware and people needed to make sense of it.
Results as a Service is available on or off premises, and for once-off (to answer the question "do I have a problem?") or ongoing use (as Geurts seemed to advocate).