Collusion: Teamwork at its Worst

By Lowers & Associates

Teamwork is usually a good thing. Many organizations work hard to increase its effectiveness because well-coordinated activity can boost productivity and improve outcomes. Unfortunately, when multiple people collude to commit occupational fraud and abuse, their coordination works the same way good teamwork does: it increases the impact of the crime.

Greater Collusion = Greater Loss

The Association of Certified Fraud Examiners (ACFE) 2016 Report to the Nations on Occupational Fraud and Abuse shows that the greater the number of people colluding in a fraud, the greater the loss. The median loss for a lone fraudster was $85,000, while the loss in cases where 5 or more colluded was $833,000.

It’s important to note that about 48% of the cases covered by the 2016 report involve collusion between two or more people. However, fraud by collusion was detected in about 18 months as compared to 16 months for the lone fraudster, so the duration of the fraud was not the prime source of the higher cost of collusion. In any event, the frequency and higher cost of collusion mean that this form of fraud is a serious threat.

Working Together to Defeat Controls

Collusion may enable fraudsters to defeat controls based on separation of duties, independent verification procedures, or other procedural methods intended to reduce fraud or failure. Certainly, employees are expert in the application of controls where they work every day. When two or more of them coordinate activity meant to defraud the organization, they can defeat the controls at least for a time.

How to Detect Collusion

Detection of clever collusion schemes may be improved by setting up automated tracking or standardized analytical systems that flag unusual behaviors. For example, numerous transactions on a dormant or very low volume account or transaction amounts outside normal limits may indicate fraud. The system might flag changes in employee behavior, such as failure to take a vacation for a lengthy period of time or a significant change in working hours. The system might be designed to create norms for behavior in a given type of job and compare each person in that role to the norm. Behavioral outliers could then be scrutinized more closely.
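One way to implement the role-norm comparison and the dormant-account check described above, as an added example that is not part of the original article. The metric names, the thresholds (a modified z-score of 3.5, 180 days of inactivity) and all sample records are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample data: employee -> (role, metrics for the review period).
EMPLOYEES = {
    "e01": ("teller", {"days_since_vacation": 90, "after_hours_logins": 1, "avg_txn_amount": 410}),
    "e02": ("teller", {"days_since_vacation": 110, "after_hours_logins": 2, "avg_txn_amount": 395}),
    "e03": ("teller", {"days_since_vacation": 75, "after_hours_logins": 0, "avg_txn_amount": 430}),
    "e04": ("teller", {"days_since_vacation": 130, "after_hours_logins": 3, "avg_txn_amount": 405}),
    "e05": ("teller", {"days_since_vacation": 100, "after_hours_logins": 21, "avg_txn_amount": 420}),
    "e06": ("teller", {"days_since_vacation": 540, "after_hours_logins": 2, "avg_txn_amount": 415}),
}
# Constructed: (account, days idle before this period, transactions this period, employee).
ACCOUNT_ACTIVITY = [
    ("A-1001", 400, 7, "e05"),
    ("A-1001", 400, 5, "e06"),
    ("A-2002", 12, 40, "e01"),
    ("A-3003", 365, 1, "e02"),
]

def robust_z(value, peers):
    """Modified z-score (median/MAD), so an extreme value cannot hide by inflating the norm."""
    med = median(peers)
    mad = median(abs(p - med) for p in peers)
    if mad == 0:  # at least half the peers sit on the median: any deviation stands out
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad

def role_outliers(employees, threshold=3.5):
    """Compare each person to the norm for their role; return the flagged metrics."""
    by_role = defaultdict(list)
    for emp, (role, metrics) in employees.items():
        by_role[role].append((emp, metrics))
    flags = []
    for role, members in by_role.items():
        for metric in members[0][1]:
            peers = [m[metric] for _, m in members]
            flags += [(emp, role, metric, m[metric]) for emp, m in members
                      if abs(robust_z(m[metric], peers)) > threshold]
    return sorted(flags)

def dormant_account_hits(activity, dormant_days=180, max_txns=3):
    """Flag bursts of transactions on accounts that had been inactive."""
    return sorted({(acct, emp) for acct, idle, n, emp in activity
                   if idle >= dormant_days and n > max_txns})

if __name__ == "__main__":
    print(role_outliers(EMPLOYEES))
    print(dormant_account_hits(ACCOUNT_ACTIVITY))
```

In the constructed data, account A-1001 appears against two employees who are each also flagged as role outliers; that kind of overlap is a starting point for reviewing possible collusion rather than a lone actor.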

Prevention is the Best Medicine

Of course, prevention is better than detection because detection means that fraudulent losses have already occurred. Potential fraudsters may leave a trail based on internal searches, such as searches for accounts whose inactivity means that they would not be regularly monitored, helping them to escape detection.

More straightforwardly, a well-designed hiring process with effective background checks, plus regular training in fraud prevention, can help to create a workplace culture where fraud is not tolerated. Multiplying the number of people who would report suspicious behavior is probably the most effective means of fraud prevention, including collusion to commit fraud.

The Case for a Risk-Based Approach to Compliance Auditing

By Lowers & Associates

In general, compliance is conforming to particular expectations, standards, or behaviors, whereas risk is an exposure to potential loss or injury. When we think of compliance in the security arena, it often means that you are following prescribed standards, which could be regulatory, industry best practices, or standards that are otherwise customized or company specific.

While compliance and risk often follow the same path, a compliance audit or survey is often performed with a one-size-fits-all “compliance only” approach, as opposed to one that requires more complex reasoning.

Some may question the rationale of compliance if risk is not a constant consideration. Lack of experience, industry knowledge, or even simply lack of time can hinder the ability to take a more risk-based direction. After all, taking a compliance-only approach simplifies the security audit process by allowing for uniform application, reduced subjectivity and error in assessment, and strong performance metrics capability.

Is the added complexity of a risk-based approach worth the effort?

2013 U.S. ATM Fraud Forecast

By Lowers & Associates

According to the Nilson Report, the world’s leading source of news and proprietary research on consumer payment systems, the United States currently accounts for 47 percent of global credit and debit card fraud even though it generates only 27 percent of the total volume of purchases and cash. Payment card fraud losses totaled $3.56 billion in 2010 in the U.S. from all general purpose and private label, signature, and PIN payment cards.

Unfortunately, ATM fraud will continue to challenge the financial landscape for 2013. Most experts agree it is due to the lack of chip and PIN (EMV) implementation in the U.S. Data from the Europol Payment Card Fraud 2012 Situation Report further illustrates the impact. As European countries continue their EMV migration, skimming losses decrease.

ATM Fraud – An Internal Viewpoint

By Lowers & Associates

ATM fraud is defined as the intentional act of trickery to unlawfully obtain funds from an ATM. Most people associate it with external crime, where the card or card number and associated PIN are illegally obtained by outside individuals, gangs, or even more sophisticated organized crime syndicates. The Federal Trade Commission (FTC) considers ATM fraud a form of identity theft; while identity theft had been holding relatively steady for the last few years, the FTC cites a 20 percent increase in ATM fraud in 2011 alone.

Ever since ATMs came into widespread use, less sophisticated (but equally effective) methods of ATM fraud have included card trapping, skimming, and keypad overlays. Trapping, as the name implies, is where the customer’s card is somehow trapped by the perpetrator only to be retrieved later. Skimming is where the perpetrator has put a device over the card slot of an ATM, which reads the magnetic stripe as the user unknowingly passes his card through it. These devices require the use of a miniature camera (inconspicuously attached to the ATM) to read the user’s PIN at the same time.