A cyber-crime wave is engulfing UK companies, costing billions of pounds and calling for urgent counter measures
It has long been said that nothing is certain except death and taxes, but perhaps the time has come to add a third certainty – corporate fraud.
A series of reports over the summer showed not only that fraud is more persistent than ever, but there are also more opportunities. The growth of technology, digitalisation, computer networks and the integrated nature of business, with its worldwide supply chains and customer relationships, has bought with it a whole range of new opportunities for corporate misbehaviour.
More money is spent today on compliance and fraud detection than at any time in the past, but the statistics suggest the forces for good are not winning the war.
The most successful criminal act thus far this year – at least among those which are known about – came in February when hackers penetrated the Swift banking network and extracted $80 million belonging to the central bank of Bangladesh from its account with the Federal Reserve Bank of New York.
Worryingly, the rate of increase in cyber crime was worse in the UK than in most other developed countries
But this is in fact only a small part of the tens of billions which are lost every year. Indeed according to a report from accountants PKF Littlejohn, the annual cost of fraud in the UK reached £98 billion in 2015, while the Global Economic Crime Survey 2016 published by PwC indicated that one in five UK companies had experienced a significant fraud in the last two years.
Globally PwC reported a double-digit percentage increase in crime against companies, with cyber crime the fastest growing segment. Worryingly, the rate of increase in cyber crime was worse in the UK than in most other developed countries.
What criminals get up to is an interesting mixture of the old and the new. Early in August, for example, came a warning that it was now possible to fly a drone close to a building to intercept corporate communications. Most companies have limited wireless security within their office because they assume no criminal can get close enough to compromise their systems.
But a drone adapted as a flying laptop could land on the roof and sit there intercepting guest wi-fi, Bluetooth-connected keyboards, the connections which enable contactless payment cards and much else, as easily in a private building as it could in a public café.
The counter measures are a similar mix of old and new. A business in California specialises in knocking drones out of the sky by bombarding them with radio waves. Police in Holland have a low-tech solution. They have reportedly trained an eagle to swoop and grab them with its talons.
Whole industries are under pressure. According to the World Federation of Advertisers, the marketing departments of corporations could waste more than $50 billion a year by 2025 because of “the endemic fraud” in digital advertising. Here the problem is that fraudsters have found ways to use a computer to fake the online behaviour of a human. Advertisers normally pay per click and are duped into running campaigns on websites where the only visitors are “bots”, computer programs which pretend to be people.
But the old frauds persist too and on a scale which is chilling. A recent UN report highlights how developing countries have been deprived of billions of dollars by the faking of invoices which cover the export of their commodities. It alleges, for example, that while Zambian accounts showed copper exports worth $28.9 billion went to Switzerland over the ten years to 2014, none of this showed up in Switzerland’s books. Likewise $16 billion of copper apparently left Chile for Holland, but there is no record of it arriving. Fake invoices are perhaps the oldest trick in the book, but still obviously effective.
Whatever the source of data, two things stand out for companies to note. The first is that though external fraud captures the headlines, between a third and a half of the discovered crimes are carried out by insiders taking advantage of their trusted relationships and ease of access to sensitive data.
Interestingly long-serving employees are the worst offenders, much more so than juniors, and there has been a marked increase in “silver fraud”, crimes carried out by the over-50s. These are usually people who have been with the company for decades, but feel they are no longer appreciated, are being passed over for promotion and think they earn less than they deserve. PwC reports that 18 per cent of UK frauds were carried out by senior management.
The other thing to note is the haphazard nature of fraud detection. One in five British companies never do a fraud risk assessment while about half carry one out annually. But when it comes to catching people, PwC says 22 per cent were detected by suspicious transaction monitoring, against 14 per cent by the formal fraud risk management system. The three other significant ways frauds were uncovered, each in 8 per cent of cases, were data analytics, internal audit and by accident.
Clearly no one can afford to relax, but it helps to make sure employees have to. One of the oldest, but still most effective, fraud detection devices is to insist everyone takes at least two weeks’ holiday. Even with modern technology, it is hard to conceal a fraud in the UK when lying on a Spanish beach.