As Trade Barriers Fall, Businesses' Exposure to Fraud Increases

As high-profile CEOs continue to march off to court or to prison over accounting and business scandals, they serve as yet another reminder that corporate fraud continues to be a concern. But as experts from the Wharton School and from Bank of America note, another kind of corporate fraud-perpetrated by individuals and directed against companies and their customers-also poses a dangerous threat. In the public's mind, fraud is perhaps most commonly associated with hackers and others who use computers to steal private credit card and other information, which may then be resold around the globe, and utilized to make purchases using the unsuspecting victims' identity. Indeed, estimates of international cyber-crime total "billions of dollars" according to insiders like U.S. presidential cyber-security advisor Howard Schmidt. And in a report issued in March 2003, titled Efforts of the Financial Sector to Address Cyber Threats, the U.S. federal Government Accounting Office noted that "The use of computer interconnectivity by the financial services sector for customer services, such as Internet banking and electronic securities trading, and for business operations, such as clearing and settlement, has increased the degree of access to the systems that support these services. This increased access poses significant information security risks to computer systems and to the critical operations and infrastructures they support, if those systems are not properly secured." But while such technological safeguards as secured intranets and password protection may play important parts in security efforts, experts from the Wharton School and from Bank of America note that every instance of fraud can be traced back, ultimately, to one or more human beings. Recognition of the human factor is important, they say, since this realization, or lack of it, may significantly influence a company's efforts at protection. "Ever since history's first recorded instance of fraud-the serpent who tricked Adam and Eve into eating an apple-some people have made their living by preying upon others," says Brendan Hewson, Bank of America's Senior Vice President, International Corporate Security. "Today, many people identify fraud with Internet-based schemes, but the fact is that the Internet is just a tool-it may extend a criminal's reach, but it's not necessarily the basis for a fraudulent act." Phil Nichols, an Associate Professor of Legal Studies at Wharton and Vice Chair of UN/CEFACT (United Nation's Center for Trade Facilitation and Electronic Commerce) Law Group, echoes that view, characterizing such fears as "overblown" and noting that many years ago, similar concern about increased opportunities for fraud were expressed when the first telephones were introduced. Indeed, the role of the Internet as an enabler of fraud-rather than as a primary tool-has been dramatically demonstrated by recent cases of accounting and other scandals that exploited internal control and audit function weaknesses, rather than a lack of physical or electronic barriers. A recent court case in England, involving an executive with a travel agency, serves as an example of a decidedly low-tech approach to fraud. According to a report issued by London's Metropolitan Police department, the Financial Controller of DNATA Travel (UK) Ltd., a travel agency, "fraudulently cashed company cheques and used his company credit card in order to steal company funds" that exceeded US $3 million (£1.8 million). The report goes on to note that, "Enquiries revealed that the majority of this money was used to feed his gambling addiction in the casinos," and in April 2003, a "confiscation order" for some U.S. $55,000 (or £33,000) was issued against the defendant, who faces a 12-month sentence if he does not pay the specified sum. In fact, debit and credit card fraud are near or at the top of the list when it comes to swindling financial institutions, with an estimated global cost to individuals and banks of nearly US $718.1 million (£430m) a year, according to the UK-based Association for Payment Clearing Services. That's in line with analyst estimates presented in Business Week, which said that credit-card issuers lose a total of $1 billion to $3 billion every year to fraud. "I would suggest that the exposure to credit card fraud is much greater than most individuals and corporations realize," says Hewson, who previously served as an officer with the Company Fraud Department of London's New Scotland Yard. "With devices like high-speed, palm-sized scanners that can easily capture encrypted information, a credit or debit card is at risk the moment it leaves your hand, even if it's passed to a waiter at a restaurant to pay a bill." Hewson says the stolen information is quickly transmitted electronically, and multiple fraudulent bank cards-under the original holder's personal or corporate name-may be printed, resulting in considerable financial damage. Corporate checks and bank notes are also vulnerable, he adds. "Companies may safeguard their checks, but once they're released for payment they can be scanned and counterfeited," he points out. In one such example, a con artist walked into a bank branch and purchased a relatively low-denomination cashiers check. As he did so, he struck up a conversation with the cashier then casually walked over to the desk of a person who was away and picked up that person's business card. Later, the cashiers check was replicated reflecting a significantly higher dollar amount, signed with the name on the business card. This way, if anyone called to verify the issuer's identity, it would register as a legitimate employee, likely an authorized cashier check signer. "Soon, fraudulent cashiers checks bearing the institution's name were being cashed across the world," adds Hewson. While noting that fraud can come in a wide variety of formats, he says that virtually all share some common threads. "One of the main goals of perpetrators is to achieve anonymity by presenting a convincing, but false, identity to the intended victims," says Hewson. "They prey on a victim's gullibility, greed or fear, often offering fantastic returns on an investment as a 'hook.' Of course, the victim will never see any of it." In each case, he explains, a swindler is dealing with an individual who either acts on his or her own behalf, or is acting on behalf of a company. As Hewson puts it, "They're either taking money directly from the victim's wallet, or from funds that the victim controls." Often, there are common elements between financial fraud that targets individuals and fraud that targets financial institutions, observes Colin Crook, a Senior Fellow at Wharton's SEI Center for Advanced Studies in Management and the former Chief Technologist for Citicorp. "In both cases, there is an assumption that the target will not notice the fraud for some time-the fraudulent scheme is designed to achieve this-and in both cases the deceived party may have lax security practices," he explains. One widespread style of fraud utilizes con artists who claim to be government officials, often from African or Middle Eastern countries. They supposedly have come into possession of a significant sum of money and need to transfer it to the United States. In exchange for an "advance fee"-or for personal information including the target's birth date, bank account, phone, fax and e-mail numbers-the "officials" promise a share of the non-existent booty. Of course the "advance fee" will yield no return, and any personal information presented will be used for credit card and other fraudulent financial schemes. In one recent case, according to New Scotland Yard, a science professor at a university in California received an unsolicited e-mail, "offering him a fortune if they could use his bank account. When the victim was asked to travel to London to meet with a representative of the South African High Commission and pay $26,000 as a clearance fee, his suspicions were confirmed." The matter was reported to the Metropolitan Police Fraud Squad and the con artist, who attended a meeting claiming to be Dr. Christ Oliver of the South African High Commission, was arrested and later sentenced to 15 months' imprisonment in the UK. In this case, the would-be victim was suspicious and notified the appropriate authorities. But Hewson points out that the target could also be a treasurer, CFO or other corporate officer who may choose to engage in the scam, placing his company's funds at risk. "It's a problem, but we try to be proactive," he says. "The early stages of domestic and international fraud can be difficult to detect, and once it's uncovered, identifying and moving against the perpetrators can be cumbersome." Returning to the issue of the Internet-as-a-tool, Hewson notes that a company may be vulnerable to fraud from an emerging country even if the business does not have a local presence. "Businesses often wonder about the threat levels associated with operating in former Eastern Bloc or third-world nations, but the fact is that you don't even have to be there in order to have exposure," he comments. "First, consider that because of a lack of legal and enforcement infrastructure, it may be fairly easy to launch fraudulent and other hostile activities from these countries. Then, using a vehicle like the Internet, they can gain entry into your systems and wreak havoc. And it might be as easy as establishing contact with, and corrupting, a single senior executive." Once a company has been defrauded, gaining restitution may be difficult, if not impossible, even if the perpetrators are finally identified. One obstacle is jurisdiction-despite efforts to forge uniform statutes, definitions of fraudulent activities often vary between countries. And even when such statutes are in place, local law-enforcement authorities may not have the resources to deal with the crimes. Hewson suggests that in some cases it may pay to pursue con artists in civil court, rather than in criminal court. "There are a few elements in favor of a 'discovery, freeze and seize' approach," he explains. "For one thing, the standard of proof may be somewhat reduced in a civil court as compared to a criminal court. Also, if the perpetrator has assets in the plaintiff's country, they may be frozen while the case is being heard, much the way the U.S. seized Libyan assets in connection with the terrorist attack against Pan Am flight 103." Given the damage that fraud can cause to a company's finances and reputation, and the difficulties in gaining restitution, Hewson suggests that implementing and updating preventative measures may be the most effective strategy. "The first consideration in a system of corporate defense is identifying who or what you're guarding against," says Hewson. "In the case of fraudulent credit card activity, for example, statements should be reviewed and reconciled on a timely basis." Another effective step involves the design, implementation and maintenance of a system of internal controls, including segregating duties so one person does not have responsibility for recording and receiving or disbursing cash. Crook notes that within financial institutions, the "role and effectiveness of internal audit has gained prominence" as a view develops that, "some external auditors simply do not have the expertise to detect fraud problems from a determined and skilled insider." He says, for example, that one key internal control is, "to make sure that people handling sensitive areas go away on vacation so that others take over," reducing the risk that an insider can cover his or trail of deceit. Turning his attention to partnership and client relationships, Hewson advises "getting behind" the people or companies to see who's actually there. "As an example, if an offshore company has nominee directors you should ask for a reason for the practice," he suggests. Nominee directors typically consist of non-beneficial individuals who are listed as directors but do not have authority to actually mange the company. This approach enables the true owners to remain anonymous on the corporate register and other filing documents "Also, if the mailing address is a P.O. Box instead of a physical building, you should be suspicious-especially if it's a high-net-worth company. After all, the art of fraud is appearance and conning people." Hewson points out that geographic expansion can make a company a target, particularly if it's moving into a country with a newly emerging economy. "When corporations set up branch offices, Regional Treasury Centers or other shared service center hubs, they need to be aware of the associated risks," he says. "For example, let's say you establish a new branch in Vietnam, Latvia or another country with an emerging system of commerce. And let's say you're about to set up an account with a local vendor. The company may be registered locally, and may be able to provide you with a customer list, but if something makes you suspicious (perhaps many of the 'customers' share a single address), then be prepared to exercise additional caution." Using trusted people who know a local market and who can obtain adequate documentation to support or refute the claims of a new account may be a useful approach. It is also wise to establish a Know Your Customer (KYC) program, along the lines of the ones used by financial institutions in the United States. Internally, Hewson says companies should consider running background checks on employees who have access to, or control over, cash and equivalents and other valuable assets. Such checks could be run on a random basis or whenever an employee's responsibilities increase to a certain level. He also says that ongoing training programs can make employees aware of the warning signs associated with scams. "A training program must involve more than simply sending out a video," cautions Hewson. "It's best to have a true interactive dialogue with experienced trainers who can promote understanding. They need to discourage employees from using the word 'assume' and get them to realize that the either know a transaction is okay or reasonable, or don't know it and need to engage in further investigation before signing off." He offers Bank of America as an example, noting that if a third party offers to sell a standby letter of credit as an investment tool, "our trade finance people know it is a fraudulent transaction." Hewson says that factoring is another potential trouble spot, particularly in an emerging country. "While a factor may be genuine, one must take care to ensure that that the person is not factoring on behalf of himself, or a phantom party," he comments. While concerns about fraud may have some negative effect on international trade, Nichols says, "I cannot believe that in reality it is a very large effect because there is usually a way to do things differently. I think that what most people really are concerned about is not the effect on current trading relationships, but on the trade relationships that could exist if there were not concerns about fraud or other manipulations of transmissions." He notes, for example, that technological advances in communication "should be opening up vast swaths of Africa, Asia and South America but are not," and that although relationships across the Atlantic should be formed "to the same degree as relationships across the street," they are in fact not. Consequently, he adds, "the benefits promised by technology will not accrue until people trust those forms of communication, and that is where concerns of fraud really affect trade. Those concerns affect what could be rather than what is." "In the final analysis, companies that stay alert are less likely to be victimized by fraud," says Hewson. "Warning signs include strange or unusual terms, and requests for non-circumvention and other agreements. But perhaps the key issue is a con artist's ability to gain the trust of an individual. As an investigator reviewing the paper trail of a fraud, you cannot see the charisma that a criminal can cast over his victim. It's like a snake that hypnotizes a rabbit before gobbling it up." Web Links: Could a Cyber-Terrorist Take Down Your Company? Don't Wait to Find Out Internet Fraud Complaint Center BBC-Tuesday, 10 June, 2003 France tops the league for card fraud against UK holidaymakers, followed by Spain and the US, according to new research. Metropolitan Police Fraud Alert Association for Payment Clearing Services «back to home page