From Fraud to Infosec and Vice Versa... Part 2

Monday, April 23, 2012

Neira Jones

9f19bdb2d175ba86949c352b0cb85572

In my previous post, I summarised the UK National Fraud Authority latest Annual Fraud Indicator and how it relates to information security.

In this post, I delve further on this connection by further refining the key fraud enablers used to defraud victims of all types.

These cut across the fraud landscape and often overlap which poses further challenges for quantifying their impact, but the classification is nonetheless helpful and recognisable.

Let me start by mentioning a very interesting fact: only four out of all the fraud types identified in the IFA showed an increase compared to the previous year. Parts of those four were cheque fraud (£34M fraud in 2011) and telephone banking fraud (£16.7M fraud in 2011).

When we examine this further and see that online banking and plastic card fraud (see earlier post) showed a notable decrease due to better security in general, but specifically better authentication, fraud monitoring and public awareness, one comes to the logical conclusion that criminals are starting to revert to good old ways (cheque fraud) and path of least resistance (telephone channel, where similar authentication and fraud reduction methods to those available online are not yet widely deployed).

Lucky that in the UK we won’t have to deal with cheques for much longer (planned withdrawal 2018), but telephone operations and individuals using the telephone for transactional purposes should worry...

Key fraud enablers...

Insider enabled fraud: this is the type of fraud that is currently not captured by reports such as the Verizon DBIR, because typically, there was no “unauthorised” breach. However, 34% of UK respondents to PWC’s 2011Global Economic Crime Survey said employees were responsible for their largest fraud detected last year. In addition, 67% of public sector respondents said their largest fraud was perpetrated by an employee.

Other studies from CIFAS report that insider fraud increased by 14.5% in 2011. Interestingly, CIFAS also reported on attempts to gain employment fraudulently, which was underpinned by research with SOCA which found that around 10% of employees dismissed for fraud were ‘high risk’, with 4.5% assessed as being involved in, or likely to be involved in, serious organised crime.

Top Tip: authentication technologies and processes as well as the deployment of effective staff vetting procedures will mitigate the insider fraud risk. For example, as pointed out by Andrew Barratt in his comment on my previous post, controls such as decent access controls, logging of access (reviewed), random spot checks, coupled with sensible segregation in duties could reduce procurement fraud significantly.

Identity enabled fraud: It is important to clarify that the £1.2bn estimated loss to individuals is based purely on direct losses to UK adults and does not include losses recovered by the individual (for example, from banks) or any indirect costs such as responding to and repairing the impact of the frauds. Nor does it include any losses suffered by the public, private or not-for-profit sectors.

Therefore, the full cost to the UK from identity fraud each year will be higher than £1.2bn if everything could be taken into account. It would be wrong to infer that identity fraud has ‘fallen’ because the methodologies between this and the last estimate are very different. Frighteningly, CIFAS reports that identity fraud accounted for more than 48% of all fraud cases reported by its members and recorded to their National Fraud Database during 2011.

Top Tip: for businesses, authentication technologies/ processes and fraud scoring/monitoring tools when offering goods and services, effective security/fraud awareness programmes for staff at all levels and the ability for staff to report suspicions easily will help mitigate identify enabled fraud.

For individuals, security and fraud awareness is crucial (see “Useful Links” on the home page of this blog) and businesses can help with that aspect as part of their corporate social responsibility agenda.

Cyber enabled fraud: according to the Cost of Cybercrime Study, the overall cost to the UK economy from cybercrime is £27 billion per year (some estimates of cyber enabled fraud are included in the form of £1.4bn worth of online scams against individuals and £2.2bn cyber enabled fiscal fraud against government). The scope of the term “cybercrime” is wider than that of “cyber enabled fraud”.

Whilst at the present time the overall cost of ‘cyber enabled fraud’ has not been quantified, it is undeniable that the private sector bears most of the cost of cybercrime at an estimated £21bn or 77% of the economic impact of cybercrime in the UK.

Top Tip: well, hopefully, no one needs any top tips on how to combat cybercrime and therefore mitigate cyber enabled fraud... But we now have some real tangible fraud figures to pin our investments on without having to wait for something nasty to happen...

Organised crime groups (OCG): 14% of OCGs are involved with fraud as a crime category and the proportion of fraud losses attributable to OCGs was estimated at £9.9 billion across various fraud types. It is not possible to identify the level of OCG activity against each fraud type or victim. Areas of loss captured include tax and benefits fraud; retail banking, insurance, mortgage and telecommunications fraud; and mass marketing fraud.

Top Tip: not all fraud types perpetrated by OCGs can be mitigated by information security measures (e.g. car theft rings, etc.) but for those that can (e.g. mass marketing fraud, retail banking, insurance, telecoms, etc.), the traditional armoury (people, process and technology) can be used to great effect.

Again, some great parallels can be drawn with the latest data breach reports. I hope you found this series helpful...

Until next time,

Cross-posted from neirajones

Possibly Related Articles:
9378
Enterprise Security
Information Security
fraud Compliance Insider Threats Banking Data Loss Prevention Cyber Crime Information Security Infosec Classification
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.