Latin American Banks Are Feeling the Impact of the Cybercrime Wave

By Lowers & Associates

It’s no secret that Latin America has suffered its fair share of cyberattacks, but the extent of the damage might be worse than many have imagined. In a 2018 study of cybercrime by the Organization of American States (OAS), 92% of banks in the study reported some kind of digital security event and more than 1 in 3 banks reported falling victim to at least one successful attack.

The OAS report draws on two kinds of data: the behavior of banks, and a sample of their customers. Regarding the banks, there are 3 top-level results to frame the more detailed data:

  • Cyber-attacks are ubiquitous. 92% of banks in the study reported some kind of digital security event, including both successful and unsuccessful attacks (65% of large banks reported successful attacks). If you are a banker, you’ve been hacked.
  • Most banks, by a narrow margin, do NOT use advanced detection tools and controls based on big data or artificial intelligence. This problem is more severe for smaller banks, of course, but it exists across the system.
  • Cyber-attacks work, and they are costly. The average cost of an attack in Latin America was US $1.9 million, with a region-wide loss in 2017 of US $809 million.

From the customer/users’ point of view, digital services are desirable and widely utilized. This is reflected in the fact that customers are increasingly using the super-convenient smartphone as a banking platform.

  • A large majority of customers, 88%, use one or more digital services, and the percentages for various services are increasing. Of those who did not, 59% cited distrust of the digital environment as the reason.
  • Customers are the weaker link in the chain. Though most of them understand the general threat and some of the methods of cyber-attacks, they do not use sophisticated methods to thwart them.
  • 27% of customers had suffered some kind of attack, with 47% of these reporting a financial loss. About 70% of these were fully or partially compensated (at a loss to the bank or insurer). People who were attacked also reported reduced affect for the banks (reputational loss).
  • Incident reporting was very low. Customers reported that their banks did not have visible reporting mechanisms, and few reported losses to the authorities.

From the detailed OAS report, a few lessons emerge. First, the digital security risks that warrant the most attention from banking entities are theft of a critical database; compromise of privileged user credentials; and data loss.

Second, defensive systems used by both the financial institution and its customers are probably behind the curve. Hackers, on the other hand, are persistent and aggressive. Banks need to step up their efforts to adopt advanced controls and invest continuously in these tools. Banks might also improve efforts to educate customers and install security requirements that help to insulate the system from mistakes of relatively unsophisticated users.

Finally, both banks and customers are committed to the digital future. Customers report that even knowing the threats of digital services, they will not stop using them. Banks continue to adopt ever more digital services to satisfy customers and lower costs. So, the prize for fraudsters and criminals will remain.

Cyber criminals will not miss seeing the opportunity. The question is, how will banks respond?

  Category: Cybersecurity, Risk Management

How Anti-Fraud Controls are Evolving

By Lowers & Associates

Occupational fraud awareness is the focus of Fraud Week, but it’s also a rising concern of organizations year-round. At least that’s the message in the data from the Association of Certified Fraud Examiners’ 2016 Report to the Nations on Occupational Fraud and Abuse.

The report compares the implementation of a wide range of anti-fraud controls across reported cases, and finds that every single type of control was more prevalent in 2016 than it was in 2010. This is true even for very widely used controls like more traditional types of financial audits and management review. An important example is the external review of financial statements, the single most common anti-fraud tool, whose implementation rate increased .08% to 81.7%.

Workforce Participation is Key

More interesting is that the types of controls that have increased the most are those that leverage workforce participation and cultural restraints. The implementation rate for a hotline increased 8.9%, anti-fraud training for employees increased 7.6%, the establishment of an anti-fraud policy by 6.8%, and a code of ethics, already high, increased 6.3%.

It’s useful to think of the anti-fraud policy and code of ethics as part of the cultural framework, the stated intentions for acceptable behavior. These standards have to be demonstrated from the top down, and built into expectations for every employee. They have to be used when fraud is detected to devise an appropriate sanction in response, without equivocation.

Hotlines and Anti-Fraud Training are On the Rise

The largest increases in implementation rate, for hotlines and anti-fraud training for employees, reflect actions taken to facilitate the cultural shift. Unlike the cultural standards that justify these tools, but which exist primarily in the beliefs of employees, hotlines and training are concrete policies an organization can implement and measure. The connection between hotlines and fraud detection is a fact: 39% of frauds detected come via a hotline. Training is less obvious, but it moves directly against the efforts of potential fraudsters to make up rationalizations for stealing. Training helps remove excuses, and clarifies the intentions of cultural policies.

Given the performance of hotlines, it is no wonder they are being adopted by many organizations. The key to this performance is availability, security, and privacy. The employee who reports suspicious behavior via a hotline has to feel secure that the report will be taken seriously and that it will not jeopardize his or her social standing in the enterprise.

Anti-fraud training helps employees interpret the code of ethics or anti-fraud policy in the context of their working lives. It may teach them how to recognize suspicious behavior or patterns of abuse, and how to report them. The ACFE report is full of “red-flag” behaviors that can indicate fraud or abuse, and employees who recognize these are better able to multiply the strength of the fraud prevention effort.

It is encouraging that so many organizations both recognize the threat of occupational fraud and take steps to prevent it. The fact that organizations of all types worldwide lose about 5% of topline revenue to fraud means the fight is far from over. In fact, given that fraud is an individualized crime, the effort to prevent it can never succeed completely. But it can win many battles, perhaps one that saves your organization.

5 Basic Fraud Steps Every Organization Should Take

By Lowers & Associates

Almost every organization is vulnerable to occupational fraud and abuse, and the impact of fraud can be costly. The 2016 Report to the Nations by the Association of Certified Fraud Examiners (ACFE) indicates that the worldwide loss to fraud across all organizations is 5% of topline revenue. Based on reported cases of fraud, the median cost per case was $145,000, and some cases cost much more.

As part of the International Fraud Awareness Week for 2016, ACFE published 5 Fraud Tips, a one-page summary of steps an organization can take to reduce its vulnerability. Implementing these steps cannot guarantee your organization won’t suffer occupational fraud, but it will certainly improve the odds.

1. Be Proactive

Top management needs to put in place policies and procedures that set a tone from the top against fraud. This may include a code of ethics taught to every employee, with ongoing follow-up training that emphasizes the danger and unacceptability of fraud. Traditional financial controls should be in place and reviewed on a regular basis, possibly with an independent internal audit function. Fraud prevention will be enhanced through organizational structures like effective separation of duties.

2. Establish Hiring Procedures

The person you hire may be a future fraudster. The hiring process is an opportunity to examine an applicant’s background for factors that may indicate risk. Where it is legal, and following best practice guidelines strictly, employers can run a variety of background checks to get a fuller picture of an applicant’s character.

3. Train Employees in Fraud Prevention

Employee training can go beyond the code of ethics. Employees are on the frontline of fraud, working with others every day and working with the systems and controls that are potentially vulnerable to fraud. These employees need to be aware of the signs of fraud both in evidence (such as breaches of a control) and in the behavior of their colleagues. One of the most difficult factors of fraud to combat is the pressure employees may feel to look for ways to commit fraud.

4. Implement a Fraud Hotline

A straightforward way to improve fraud detection is a fair and anonymous hotline for reporting potential frauds. A tip has long been the most important source for fraud reporting, and the hotline can facilitate it.

5. Increase the Perception of Detection

Fraudsters’ number one concern is getting caught. An anti-fraud culture in which there is regular training, communication, and discussion about fraud makes it clear to the potential thief that he or she will be under surveillance. When fraud does occur, the organization has to act decisively to prosecute, sending the message that the crime will have consequences.

Taking these steps can reduce the risk of occupational fraud. In the long term, the improved channels of communication up and down the organization may also help establish a happier workplace, which is a further barrier to fraud.

 

  Category: Fraud Prevention

Is Your Industry a Fraud Hot Spot?

By Lowers & Associates

Thanks to the Association of Certified Fraud Examiners (ACFE), we know quite a bit about organizational fraud and abuse by way of its annual Report to the Nations. The data behind these annual reports is based on actual cases researched by fraud examiners and includes a standard set of measures across cases.

One part of the data that may be interesting to you is the variation of fraud and abuse across types of industries. ACFE has produced an infographic based on the 2016 report titled How Much Does Fraud Cost Your Industry? that summarizes part of the data, and we provide some additional background here.

Banking and Financial Services Top the Charts

Banking and financial services accounts for almost 17% of the total cases reported, with government and public administration, manufacturing, health care, and education all experiencing more than 5% of the cases, with retail close behind at 4.8%.

On the other end of the spectrum, communications, mining, wholesale trade, arts and entertainment, utilities and real estate each accounted for less than 2% of cases. To some extent, these numbers reflect the size of the industry, and specifically which industries are most likely to engage fraud examiners. However, the types of opportunities for fraud and abuse (the report refers to these as schemes) also vary by industry and will correlate with actual criminal activity.

Opportunities or schemes are defined by the type of fraud committed. Many of these involve financial transactions within the organization, including billing, check tampering, expense reimbursements, financial statement fraud, payroll, and register disbursements. Others are direct thefts of valuable goods or cash, like skimming, cash theft, non-cash theft, and cash larceny. Among these schemes, billing fraud is the most frequently reported, reflecting the fact that this is an activity virtually every organization performs—it is truly an equal opportunity fraud.

Corruption Crosses Industry Lines

Somewhat surprising is that the most prevalent scheme of all is corruption—it is the single most common fraud for most industries. Corruption accounts for near or slightly above 50% of the reported cases in mining, transportation, manufacturing, oil and gas, and technology, and is not less than 20% of cases in any industry except professional services. Since manufacturing is also a higher risk industry overall, its level of fraud by corruption is very high, with 93 cases in 2016. Other industries with a high number of corruption cases include banking and financial services (138) and government and public administration (88).

The median cost of fraud varies from a low of $62,000 in education to a high of $500,000 in mining. For the other industries with most reported cases, banking and financial services was $192,000, government $133,000, manufacturing $194,000, and health care was $120,000. The costs are significant in all industries, indicating that anti-fraud measures are well worthwhile across the board.

To get a closer look at fraud in your industry, take a look at the 2016 Report to the Nations on Occupational Fraud and Abuse.

Fraud Week 2016: 6 Top Fraud Prevention Resources

By Lowers & Associates

This week is International Fraud Week, an annual awareness effort organized by the Association of Certified Fraud Examiners (ACFE) to shine a spotlight on fraud. It is estimated that fraud costs approximately 5 percent of annual revenue for organizations worldwide. The seriousness of the global fraud problem is why, throughout the year, we provide our clients and other organizations with tips and information to fight fraud and safeguard businesses and investments from the growing fraud problem.

Here we share 6 of our most-read fraud-related resources:

 

Whitepaper: Occupational Fraud – A Hidden Killer of Organizational Performance

Our latest whitepaper, Occupational Fraud: A Hidden Killer of Organizational Performance, provides an in-depth look at the complexities of occupational fraud, so you can prevent, detect, minimize, and/or recover from it.

 

Infographic: Fraud Triangle

The value of the fraud triangle is that it helps us to look at the objective factors that must be present for fraud to occur. Recognizing these objective factors helps to define actions you can take to help prevent fraud, partly through organizational policy controls and partly through managing the relationship with employees to encourage openness and trust.
