“Virtual currencies, perhaps most notably Bitcoin, have captured the imagination of some, struck fear among others and confused the heck out of the rest of us — including me.” – Senator Tom Carper, chair of the Senate Homeland Security and Governmental Affairs Committee, November 2013
Today is day 2 of our Fraud Awareness Week series, Fraud Stories and Lessons Learned, and we want to highlight the rapidly emerging problem of cryptocurrency fraud. Brad Moody, EVP of Operations for Lowers & Associates, points out the rapid increase in crypto-related fraud noting that in 2016 there were only 340 active fraud cases of such fraud and by 2020, there were more than 80,000 cases in the U.S. alone.
In this fraud story, Brad explains how current schemes to capture victim organizations’ cryptocurrency are amplifying the need for effective internal controls, anti-fraud training, and third-party penetration testing.
Listen to the story here:
Interestingly, one of the best ways organizations can protect themselves from cryptocurrency fraud is through the same tried and true practices used to prevent social engineering, phishing, and other related attacks. Employees are increasingly subject to scams through email and link-sharing, so it’s important to look at how to detect and block such activity but also to train employees on how to recognize and avoid becoming victims to such scams.
David Gardiner, Senior Vice President of Lowers Forensics International, offers further advice: “Crypto based currencies are now becoming a professionally acceptable form of tender. Now more than ever, corporations need to proactively mitigate their risk and exposure. This can be done through a myriad of operating procedures including the process of facilitating not only their outbound, but even incoming payments. Strict rules of engagement, much like the protocols already used in wire transfers (verbal confirmation, dual signature authentication, etc.) should be followed here as well.”
Stay tuned tomorrow for another fraud story from the front lines of Lowers & Associates.
According to the Association of Certified Fraud Examiners (ACFE), a single case of occupational fraud costs the victim organization an average of more than $1.5 million, and Certified Fraud Examiners (CFEs) estimate that organizations lose 5% of their revenues each year to fraud. In the ACFE’s 2020 Report to the Nations, a study of 2,504 cases of occupational fraud investigated by CFEs in 125 countries, the typical fraud lasted 14 months before it was detected and caused a median loss of $8,300 a month.
In an effort to educate organizations on the reality of fraud and to increase awareness of the controls that can help reduce fraud, each year the ACFE sponsors Fraud Awareness Week. Today marks day one of our Fraud Week series, Fraud Stories and Lessons Learned, and we are pleased to introduce Milton de Oca, Director of Operations for Lowers & Associates International. Prior to joining L&A, Milton served 32 years as a police officer with the Miami police department, a gangs sergeant, and finally, as the commander of the intelligence and terrorism unit.
Milton tells the story of an attempted fraud he and the L&A team helped to uncover and resolve in South America related to the procurement of ballistic vests that were to be used for dignitary protection.
Listen to the story here:
This interesting case demonstrates that fraud can come in many forms and at any level. Often it takes a considerable amount of investigation to uncover the fraud and while, in this case, we were able to exonerate the client of the loss, the ACFE reports that most organizations (54%) do not ever recover the losses they suffer at the hand of occupational fraud.
Milton advises all organizations to enlist the help of an independent outside source in cases like these in order to conduct an unbiased investigation.
Stay tuned tomorrow for another fraud story from the front lines of Lowers & Associates.
Disclaimer: Portions of this conversation have been edited for length and clarity, and certain locations and details have been modified for privacy reasons.
Standard Operating Procedures (SOPs) are exactly what they say on the tin – a calculated and tested directive used as a foundation for an operation or individual tasking. At L&A, we often use a tree as an example of the mechanics behind an SOP: the roots provide the foundation from which the procedure grows; the trunk is the day-to-day actions and the branches are the end deliverable result.
However, a tree will grow wild if permitted. And left unchecked, SOPs will do the same thing. Unfortunately, the question we most often run into when assessing a business and its SOPs speaks to the reason why avoidable risk exists in the first place: If the SOP isn’t broken, why should we fix it?
As with everything we do in risk mitigation, questions are good, but the bottom line here is that there is no single answer as to “why” fix an SOP. For an SOP to remain viable, it needs to remain malleable while also staying strong in the face of adversity. This means SOP’s need to be challenged, as the current times, technology and industry attitudes constantly change around it. Periodic and systemic reviews and tests are just as integral to the SOP as the original calculated and tested directives that comprise the SOP itself. Some businesses might excel at the review and update process, but even then, they can sometimes fall short by failing to communicate those documented SOP changes to all relevant staff.
As part of #OurStory series, Daniel Cootes, AIExpE and Client Relationship & Operations Manager for Lowers & Associates UK office, shares some insights into his experience assessing an operation in Asia whose SOPs weren’t so much incorrect but existed in an environment where uncertainty was not a risk the insurer was willing to ignore.
So, somewhere in Asia, there’s an operation. The insurer of this operation, our client, needs to determine what type of coverage the operation (their client), needs, so they ask you to assess the active threats in the area. It turns out these threats include local gangs, natural disasters and ISIS. Walk us through securing a facility like this for the insurer – where do you start?
The thought process here begins with how to answer one question, really: Could an attacker cross this facility’s perimeter, suppress the security onsite, get to the vault, breach that vault, take what they want and then get back out? Intelligence leads us to believe that, yes, this sort of attack is possible, but you also ask, is it likely? Where this mine is located, it’s certainly possible, but most of this type of gang activity is in the bigger Southeast Asian cities. Also, this insured has a fantastic piece of nature looking after them, because we’re talking about an operation in the middle of a jungle where it’s pretty much two roads in and two roads out with hours of driving required through dense trees. But you start by recognizing, yes, there is a possibility of this scenario happening, obviously, and go from there.
With an understanding of the facility’s threats, the landscape around it, the likelihood of an attack, the personnel involved, what kind of recommendations did you end up making and how did you reach those conclusions?
Given the parameters and all the different angles that they had, I made some recommendations of what we thought was acceptable, the operation then came back with what they thought was acceptable based on their operational and cultural perspective. Ultimately, it’s about being realistic, and how easy would it be for the operation to implement the updates. Something like this didn’t need to be nuclear bomb proof, so we looked first at the gate and fencing that they had, for example. It was all about 10 years old and in the jungle, things get rotten quickly – it’s hot, wet and horrible, right? And so, they had to commit to review that fencing every six months. We talked about upgrading their roving patrols. We also looked at upgrading their CCTV. Technology nowadays is so inexpensive, there’s no excuse to not have it. There are some other very specific things we did for them that I won’t go into, but a good deal of it comes back to their standard operating procedures and making sure their people are following those.
SOPs are incredibly important, and you were able to assess this facility’s risk entirely through a remote process – how did you do that?
Lots of questions. I kind of like to start from the outside and work my way in. If I turned up at the site, I tried to build the picture of what was in front of me, and what would stop me from getting in. I mentioned the gates already, but I also had questions about their guys on the gates, which guys had access to the CCTV or any alarm systems and how the gates locked – some of these gates might be left open during the day, some of these sites run 24 hours as well. It again comes back to being collaborative and flexible and understanding what’s realistic for them to be able to lock the gate and which of their guys on the gate is involved in that process. Really, you just keep peeling back as many layers of the onion as possible and what it takes to get to the good stuff in the vault.
When you get to the vault, the questions become things like what were they doing to prevent attackers from getting into that space, how well-trained and well-armed their guys were, are the guards their own guys or an outside security company, how are they actually screening these people. You just keep pulling the wool at the jumper and ask all these types of questions. At the same time I’m asking these questions, I have to try and be realistic. I might want them to have a military response, but it’s about understanding what they’ve got and how they can deploy it. I again would go back to the SOPs, who wrote them and how – was the person accredited? How old are the SOPs, what’s changed since then? Have those updates been made and communicated?
All this assumes a breach by people, bad actors. How do you go about mitigating the risk of a natural disaster?
For us and our work, we must think specifically about what insurers are actually insuring. Most have their policies they write for people of course, but in this instance, the high-value goods are what they’re focused on. So, the primary question we need to be able to answer here is: If there is a natural disaster, will this be a total loss with respect that it will never be seen ever again?
For example, let’s say there was a fire in the Louvre gallery and there were no fire suppression systems. Once the Mona Lisa has been burned to smithereens, it’s gone. However, with something like a precious metal, there’s a good chance we can salvage that after a mudslide through excavation or the like, depending on where it ends up. Ultimately though, you can’t really mitigate a mudslide, right? And that’s what insurance is for, those unforeseen, unfortunate circumstances. What you can think about, though, is how the valuables are stored.
When we talk about vaults with cash inside, fire is a risk, so you ask questions about fire suppression systems – what’s in place, what do we need to put in place. For a mudslide, what we can be conscious about is trying not to have the goods scattered all over the place once the slide is over and do our best to keep it in at least a defined area. Because as long as we can get to the vault, it’s not a total loss. So, it was more about how they controlled the inventory – once it comes out of the mine, it’s processed, heads straight into the vault, it’s labeled and locked, check that off the list.
So, talking then about ISIS, how does that factor into the risk mitigation process? That seems like it would bring a whole outside set of geopolitical and other type of problems.
What we’ve seen ISIS do in Africa, is something that could happen at this operation’s location. We asked the operation if they’d thought about a branch attacking them to, not just steal from, but take over the operation. They had, fortunately, and were doing things to keep tabs on the local gangs, they also had access to the military with a few guys onsite, in addition to a few policemen. These were people that were trained in weapons systems, could fight back while a call for more help went in. From there, we dug into questions about their communication capabilities, ran down the list of who controlled those processes, how many satellite or cell phones were available, internet capability, back-up power and generators, and just, again, kept pulling at the thread.
For this operation, ISIS presented a viable threat and was something they needed to include in their SOP, and my assessment was that they needed to refresh some things around that. The likelihood that they could get in, launch an attack, steal something and either leave or occupy to some degree was slim, but it’s good for both the operation and the insurer to be thinking about.
What about this experience was impactful for you personally or for the client? Clearly the whole process resonated with you.
As I mentioned, the SOP’s were dated, in fact the person who had written them was no longer there. Over time, things had clearly changed in their operations, so while the SOPs weren’t wrong per say, they had to update them in line with the way the business was operating currently. They were looking to potentially hold more stock, for example. So, we didn’t reinvent the wheel, the SOPs were written by a pretty competent person, but what they realized they needed to do was pull them out of the drawer more often and compare them to what was going on in the world. What problems are out there and keeping their procedures relevant?
For me, there’s always two benefits to this type of work. One, you’re pleased you’re helping keep people safe, and two should a loss happen, I did everything on the insurers’ behalf possible to mitigate the risks and insure these high value goods, to mitigate every conceivable threat in that respect. For us, the client is always primary, we want to make sure they aren’t hit with any kind of major loss. If we’ve done our jobs right, we can avoid that. For me, SOPs are key, keeping them relevant. They’re awesome to have, but if they’re stuck in a drawer and don’t see the light of day for 10 years or until there’s a problem, that’s not going to work out for anyone real well, is it?
Insurance loss happens for many reasons. For a business, common causes include armed robbery, theft, customer injury, floods, fires, and storm damage; but any natural disaster, large-scale event, or man-made act can bring about a claim. When an event involves the loss of physical stock or damage to property, the loss is immediate, and it creates an urgent need for the business owner to settle the claim so that the business can resume operations and avoid further lost revenue.
This desire to quickly return to business as usual is a natural one, but in the wake of an event, it’s not uncommon for the resolution process to test the business owners’ resolve. And while most claims post-incident are legitimate, from time-to-time, human emotions will complicate the process and create an environment that enables fraudulent activity, sometimes in unexpected ways.
Why Does Insurance Fraud Happen?
The Fraud Triangle provides all the insight required to answer this question. Our team has written extensively on this, but Donald Cressey’s hypothesis in his book “Other People’s Money” says it all: Trusted persons become trust violators when they conceive of themselves as having a financial problem which is non-shareable, are aware this problem can be secretly resolved by violation of the position of financial trust, and are able to apply to their own conduct in that situation.”
It’s true that some fraudulent claims start out as legitimate but become ‘exaggerated’ during the claims process due to perceived opportunity. In other cases, if the business is not doing well and is losing money, desperation can create enough pressure to commit fraud. In rare cases, the fraud may involve large organized criminal gangs; these are often well-planned and involve multiple parties where the sole intent of the activity is a rational attempt to defraud an insurance provider.
It’s for these reasons that impartial guidance through the claims process is crucial. As an insured, it is important to work closely with your insurance broker and the loss adjuster in preparing your claim and validating your losses. Without this professional assistance and oversight, fraud can easily find its way into the conversation.
How Does Insurance Fraud Happen?
Below are a few examples of insurance fraud we’ve seen over the years at Lowers & Associates:
‘Padding’ legitimate claims to increase the claim amount
Including losses from previous shortages or events within a big ‘single event’ claim
Manipulating inventory, possibly running two sets of books, to allow for the tracking of actual inventory versus the falsely reported inventory
Exaggerating the damage suffered as a result of a natural disaster (storm), or even causing some additional damage not caused by the original disaster
Staging accidents or thefts
The current COVID-19 situation globally, coupled with other localized events (recent looting losses in the U.S. or the extreme poverty facing certain areas in Brazil), is resulting in retail sales for certain sectors falling by over 50% and as much as 100%, which is clearly not sustainable.
In such unprecedented times as these, the possibility of a spike in fraudulent claims is a real concern. There is an increase in both the pressure and opportunity factors, resulting in an increased likelihood that potential perpetrators may rationalize their fraudulent thoughts and act on them as a result. For business owners, it can be hard to find consistency and understand what their default problem-solving steps should be. When the Lowers & Associates team is presented with uncertainty, we often lean on process and procedure to identify a way forward in our work together with clients. This path can always be informed by intuition, experience, and empathy, but for a business, without process and procedure to provide impartiality, the risk of insurance fraud increases significantly.
What Can You Do About It?
Ideally insurers would commission a pre-risk survey to establish security protections, stock levels, and standard operating procedures to satisfy themselves that the risk meets their requirements. While this is recommended, it is not always feasible due to time or cost restraints.
Post-event, once a claim has been filed, relying on the findings of a law enforcement investigation may not be feasible due to timing or any related circumstances related to the event (especially if it’s large-scale or a natural disaster). And even if law enforcement is doing an investigation on an event, it may not be a priority, creating an extended period of uncertainty. Lastly, law enforcement may also be very hesitant to provide any info that they do have knowledge of, especially when it is an active investigation.
To manage this process, business owners and insurers need independent third parties that are flexible, have experience across multiple industries and can dedicate the appropriate time required to work through a claim (i.e. gathering facts, evidence and necessary documents) to support the basis of the claim. For truly complex fraud matters, business owners and insurers should expect the third party to have a Special Investigations Unit (SIU) with extensive experience in technical surveillance countermeasures (TSCM) and counterintelligence that regularly work on international assignments.
With enterprise risk mitigation and insurance solutions that include UAV/UAS, special investigations, forensic accounting, loss adjusting and more, Lowers Risk Group stands ready to support our clients through the claims process with the speed, accuracy and dedication you’ve come to expect from over 30 years in the business. To learn more, contact us.
About the Authors
Neil Watson brings nearly 30 years of insurance industry experience to Lowers & Associates, where he currently serves as Global Operations Director. With key insurance industry relationships in both the London and International insurance markets, Neil’s primary responsibility is to grow all verticals and assist in building out L&A’s claims adjusting capabilities.
Keith Gray has been with Lowers & Associates for over 15 years and currently serves as the VP of Client Relations. In his current role, Keith provides oversight with respect to program coordination, management of a nationwide team of industry professionals, investigation, and client communication. Keith possesses a degree in Accounting and is certified as both a Certified Fraud Examiner (CFE) and Certified Anti-Money Laundering Specialist (CAMS).
As discussed in our most recent LinkedIn post, COVID 19 has forced companies to review and amend their operations top to bottom. And whether these changes are temporary or long-term, one thing is certain: the impact on both business and employee culture is permanent.
The best businesses right now are doing two things: 1) finding ways to stay open and 2) evaluating the future. And the best leaders of these businesses understand the value of employee training, especially in times like these: a safe, secure environment creates well-being for employees and customers, which enables more innovation with less interference. Given the current circumstances, employees want to be sure that their employer is looking out for them. The first step in achieving this (while also keeping the cash registers ringing so that your strategic plan has a future) begins with a wholistic understanding of the business risks. That is, surveying.
While traditional consulting and surveying is simply not plausible right now, recent advancements in technology and encrypted video have made virtual surveying a viable option. For businesses considering a virtual survey, the team at Lowers & Associates has compiled a list of insights and considerations that may be helpful in your discovery process:
The primary benefit of virtual surveying is that it can be conducted anytime, anywhere. With no travel, virtual surveying is one of the best ways forward-thinking businesses can control costs.
Virtual surveys are less disruptive to the organization and provide quicker report-in-hand turn around. This can be a massive advantage for organizations pressed for time or with reduced staff capacity.
Always a collaborative exercise and NEVER the “lesser of two evils,” virtual surveys can often provide deeper insights than those conducted in-person (sometimes business owners feel more at ease with a physical distance between themselves and the surveyor).
Rapid advances in technology come with a learning curve. Leading risk mitigation consultants should be versed in a suite of technology applications to successfully execute a virtual survey.
Information is information, right? Sort of. Asking the right questions matters, knowing how to analyze the answers makes all the difference, and consistency is king. Virtual or not, surveyors reviewing requested documentation and/or an audio/visual recording of the survey should be able to turn around the same exact results.
Consistency is key in both business and surveying. Virtual surveyors should be able to hand over responsibilities to another surveyor if one should fall ill or become unavailable. Process can be both a businesses’ arrow and its Achilles Heel!
Virtual surveying should include an ability to perform the following:
Pre- survey meetings
Staff competency and interviews
Day to day operations
Site physical security
Policy & Procedure
Crime and illegal activity (Local and Countrywide)
Facility Design Consultation
Follow up consultation meetings
Adaptation is crucial for businesses during this real-time reinvention of the workplace, and for 30 years, Lowers & Associates has pushed the boundaries of technology to keep those workplaces safe (this includes virtual surveying). #OurWork #Together has also always been collaborative, and so we encourage you to view and share the insights, stories and applicable tips that our team has been publishing at the Lowers & Associates LinkedIn page. If you have any questions, please contact us.