In 2021, a group of fraudsters were arrested after siphoning approximately $300,000 from a European metallurgy company. By impersonating the CEO, the criminals put pressure on the accountant to make a discreet transfer with urgency, leading to significant financial loss. Had the staff known about each of the fraud risks and vulnerabilities, this fraud could have been stopped.
Learn how to deal with fraud risk, and handle ongoing monitoring with Trustpair’s account validation software.
What are the consequences of fraud?
There is a reason why the concept of fraud in business is so feared: it’s not only about the initial financial impact. In fact, the consequences of falling victim to a scam can also impact:
- Reputation
- Operational activity
- Regulatory compliance
Initial financial impact
As shown by the example above, the initial financial fallout from fraud can be in the hundreds of thousands, if not millions. Somewhat fortunately, the accountant from the metallurgy company realized their mistake immediately after sending the first payment. That meant that no further transactions could be made, or cash and assets lost.
But actually, a good proportion of business fraud cases repeatedly lose out to the same techniques. These might not be detected until an external party, like auditors, come to work in the company. In fact, 43% of businesses were targeted more than once, and 12% noticed more than 10 attempts of fraud in 2022. Download the full report to get more trends and insights!
Moreover, if the news of fraud is released to the public, it could affect share prices, financial statements, and future plans. With an unhappy board, investors could pull out too.
Reputation
Secondly, the reputation of the business can be damaged after a case of fraud. The main reason for this impact is due to the perception of security and data privacy. That’s because customers begin to believe that their information may not be safe if the company has been penetrated by fraudsters.
For example, there was a case of fraud at Twitter in 2020, when the perpetrators took advantage of the sudden move towards remote work. Without existing policies in place, employees were targeted by business email compromise scams. The cyber attackers impersonated HR services and asked employees to verify their login and password information.
They then used the information they had gained to log into the accounts of employees themselves. They then sent out a set of false tweets from high-profile, celebrity accounts. The reputational damage was clear and impacted both customer and investor trust – as the stock price plummeted by 4% as soon as the fraud was known by the public.
Operational activity
Another key impact of fraud is that it can disrupt normal activities and operations. After being discovered, many day-to-day activities will need to be shut down in order to assess the damage and figure out:
- How the fraudsters gained access
- Whether they are still inside the system
- Which systems were compromised
- How to respond and which actions to take next
Therefore, many of the typical tasks won’t be able to be completed as they take a backseat.
In fact, one case of invoice fraud that caused huge disruption was the Tinkle Management Inc (TMI) case. When the owner of TMI delivered his products, packing materials, to a client in Houston, he always added more supplies to the invoice than were actually delivered. It was a classic case of material misappropriation. Over time, the invoice fraud was not caught, and it led to $15 million dollars worth of payment for products undelivered.
This led to significant disruption as the fraud was ongoing because the Houston company didn’t have the right inventory to match packing slips and invoices. By diverting their focus to audit these, the auditor found the fraud – but also lost out on using their resources to grow and scale the company.
Regulatory compliance
Finally, in some cases, falling victim to fraud can highlight problems with regulatory compliance, and therefore lead to penalties from the regulators. This is typically more appropriate for companies that exist in highly regulated industries, such as financial and legal.
For example, Deutsche Bank was fined approximately $130 million by the SEC in 2021 due to regulatory violations. A case of employee fraud meant that an insider was able to falsely record payments for bribery and corruption on the bank’s books as legitimate payments. But the penalty came from a failure to maintain proper accounting practices. Indeed, this case of employee fraud would have been prevented or detected, had they been in place.
What are the steps in fraud risk management?
There are three key steps to successful fraud risk management:
- Identify and measure
- Monitor
- Respond
Identify and measure
Identifying the risks is all about performing a detailed risk assessment across all departments and systems in the business. The fraud triangle details opportunity as one of the primary motivators for fraudsters – so it’s important to identify each of the opportunities and treat them as risks.
For example, one internal fraud risk might be the fact that only one individual within accounting is required to approve a payment. This is risky because it means that the employee could be corrupted. He could begin intentionally abusing his responsibility by sending fraudulent payments to themselves.
Alternatively, if the employee is duped by a business email compromise or a phishing scam, he could unknowingly make a payment to fraudsters. Instead, a second pair of eyes (under the 4 eyes principle) could spot the risks and detect this risk of fraud before any money is lost.
Each risk that is identified should be measured for its impact on the business. This makes it easier for organizations to quantify and prioritize the protection of high-impact risks.
Monitor
Monitoring fraud risks is all about placing detection measures into your systems and processes. This generates a guide for ‘normal’, and makes it easier to spot suspicious requests, behaviors, or anomalies.
However, monitoring fraud risks through detection is best done automatically. For example, Trustpair’s ongoing account validation enables businesses to verify the accuracy of third-party details. By checking company, banking, and international databases automatically, clients can be confident in the identities of their third parties.
However – this is not only a one-time check. Trustpair automatically provides ongoing monitoring, so that even if trusted vendors request a change of payment details, you can verify that it’s really them. This enables confident supplier risk management, even with international contracts.
Monitoring is not only useful to detect suspicious behavior, but it can also highlight gaps in current fraud prevention strategies.
Respond
Speaking of fraud prevention, introducing strategies to protect your business from the outset is the best way to ensure it’s shielded against the risks. Responses to fraud risks can include the likes of:
- Reporting
- System changes to plug vulnerabilities
- Investigations
- Actions to prevent immediate threats, such as closing access to the bank accounts
Trustpair can also be useful in fraud prevention strategies because when suspicious accounts are detected, the platform acts automatically. By physically locking your account against making any payments to unknown third parties, staff payment requests will not go through. Of course, this means preventing the financial effects of falling victim to fraud.
A focus on fraud risk assessment best practices
Investing in the right risk assessment approach is essential. It can mean the difference between vulnerabilities and a strong shield against fraud. And without relying on best practices, organizations can suffer from a disorganized approach that affects the overall customer experience.
Best practices include:
- Identifying the occurrence of fraud risks in real-time – both through staff and automated
- Updating the risk assessment regularly (especially as new technologies, and therefore new threats, emerge)
Identifying the risk occurrence in real time
It’s all well and good to perform a risk assessment, but it’s important for businesses to be able to identify when these risks actually occur.
For example, having only one individual overseeing all invoice payments could be listed within the risk assessment. But how does your business successfully track how many people oversee invoice payments?
In the case of the example, introducing payment governance and internal control procedures could be a good way to ensure that at least two members of the team have to approve invoices before they are paid. This could be implemented through technology, which requires two sets of login information.
But for each of the risks within an assessment, each entity needs to find a way to detect the risks in real-time, in order to prevent fraud.
Updating the risk assessment regularly
Similarly, as time goes on, technologies evolve. This could present new challenges around risk management and even generate new fraud risks that threaten companies.
For example, AI technology is a hot topic, and some fraudsters are able to use this in order to replicate the exact voice of their target. In a famous case of vishing, the “CEO” of an international enterprise (actually fraudsters who used AI to capture the CEO’s voice) rang his next in line. On the call, the fraudsters asked for the transfer of $243,000 to a supplier. Without questioning anything, the employee complied and transferred the funds straight to the fraudsters.
It’s clear that regular audits, evaluations, and updates to risk assessments should enable organizations to get ahead of potential new threats. This would enable staff to have a full understanding of emerging risks. They could then create a report around the exact requirements to prevent them and form a strategy for fraud detection.
Here’s a quick recap:
Risk management is all about performing a risk assessment, setting controls, monitoring key factors, and reporting changes. Manage the fraud risks within your organization by taking actions to include ongoing account monitoring (via Trustpair) and automatic prevention responses to protect assets.
