Research from SAS and the Centre for Economics and Business has shown that efficiencies gained by businesses through better fraud detection tools could total £290 million from 2015 to 2020.
The trouble is that many small and medium-sized enterprises (SMEs) rely solely on the fraud detection provided by their payment gateway, says Gerry Carr, chief marketing officer at anti-fraud startup Ravelin. “The main job of a payment gateway is to validate your customer’s credit card details securely, and make sure the funds are available for the payment and you get paid.
“As they only typically see the payment page activity, because they simply need to approve or decline a transaction, they are not able to see all the events in the customer journey, thus limiting their ability to provide end-to-end fraud protection.”
Ravelin’s own analysis shows that a mature business with a fraud solution in place would expect to drive fraud down to less than 0.5 per cent at its peak. But in the period between kick-off and maturity, that is during the high growth period for SMEs, the level of fraud can reach 5 to 9 per cent of all transactions and represent an even larger slice of revenue, as fraudsters tend to spend more, which can hit an SME even harder.
“While it can be easy for an SME to spot a customer buying large numbers of items in quick secession, it’s more difficult to spot multiple accounts making relatively small purchases across an extended period of time. Spotting these connected purchases is not easy and can seriously damage a business’ bottom line,” says Mr Carr.
Sundeep Tengur, fraud solutions and financial crimes specialist at SAS, says: “Fraud has evolved from simple and opportunistic modus operandi to more complex and patient scenarios. Fraudsters are becoming increasingly sophisticated and often hide within complex networks where they employ ‘mules’ to do their bidding. Those networks are often hard to detect as they contain both fraudulent activity as well as legitimate and compliant transactions.”
And it’s not just professional fraudsters who pose a risk to small businesses. “Also contributing to the rising velocity of fraud is the proliferation of online services and the anonymity those digital channels provide to consumers,” says Mr Tengur. “For example, when making insurance claims, it’s easy to inflate the value of a damaged or stolen item or to add a few additional items to the claim, therefore resulting in what’s often referred to as ‘soft fraud’.”
Organisations must be in a constant state of readiness, he says, and this requires a multi-layered and pragmatic strategy. “It is critical that organisations adopt a holistic approach that encompasses data management and fraud detection, as well as robust policies and strict internal governance,” says Mr Tengur.
Fraud can affect business in a multitude of ways, not just financial. “In the case of an SME that itself is implicated in a fraud, perhaps bribery to secure a contract, it could find itself the subject of an SFO [Serious Fraud Office] or other regulatory investigation,” says Alex Jay, partner at Gowling WLG, counter-fraud specialist and a member of the independent Fraud Advisory Panel.
The costs of responding to and addressing such an investigation, both financially and reputationally, can be severe. Mr Jay says: “For company directors or senior management personnel, failing to implement anti-fraud measures or control such risks could also give rise to criticism or even claims against them in severe cases.”
Managed security services can ensure you are as well protected as larger firms
Training is crucial, but he says: “Any training programme should be considered with input from a variety of areas of the business and preferably with the assistance of anti-fraud professionals to ensure it is fit for purpose. An SME should look to have regular fraud risk assessments, and seek to develop an anti-fraud culture and policies within the business. A focus on increasing the perception that fraud will be investigated, detected and not tolerated is a good place to start.”
Scott Zoldi, chief analytics officer at FICO, which uses predictive analytics and data science to improve operational decisions, says ongoing checks should be in place. “Regularly review what information you store. Check over what information is being stored on your servers and verify that any confidential or monetary data is sufficiently protected,” says Mr Zoldi.
He suggests using managed security services: “Advances in cyber-security technology, including the use of more sophisticated analytics, can be difficult to keep on top of. Managed security services can ensure you are as well protected as larger firms.”
Mr Zoldi also suggests a disaster recovery plan. This, he says, should include: “Who to call when something bad happens, off-site back-up in order to recover from fire, flood, physical theft and hackers, and records of what, if anything, your insurance policy covers from down time and other costs associated with hackers.”
It’s important to do your data homework. Mr Zoldi says: “Collect computing logs and occasionally review them because they will prove valuable during incident response, helping you to learn what your computers normally do, respond to cyber attacks more quickly and potentially spot hackers before a damaging breach.”