Anti-fraud by design, not by chance

A new wave of financial crime (FinCrime) is unfolding and the outlook looks daunting. In 2022, 62% of financial institutions reported an increase in fraud and financial crime as global transactions increased 44% year on year[1]. Cybercrime incidents have also skyrocketed since the pandemic. Closer to home, scam victims in Singapore lost a total of $660.7 million in 2022, up from $632 million in 2021.[2]

Is it a losing battle against FinCrime?

The rise in FinCrime is possibly due to three key reasons:

·?????? First, a prevalent mindset that technology alone is the primary consideration often leads to an imperfect, less-than-holistic solution that gives a false sense of security. The “best” technology will invariably consist of one or more blind spots that threat actors can readily exploit, such as encrypting malware-laden files to bypass content inspection gateways. Even technology advancements for bolstering defenses can be just as vulnerable to attacks.

·?????? Second, more attackers are bypassing cyber defenses without getting noticed. Organizations take, on average, 207 days to identify a breach.[3] The failure to detect breaches swiftly is one of the most critical issues that must be addressed urgently. ?

·?????? Third, cyber-related fraud is not confined by geographic boundaries and no part of the Internet is out of reach for attackers. They also take advantage of the friction between cross-border regulators and law enforcement agencies. Executing their near-perfect attack playbook, threat actors launch their attacks from safe-haven jurisdictions and swiftly move illegal proceeds to offshore bank accounts.

One other fundamental issue is the human factor. While some hold the view that the human factor is key to the solution, on the contrary, having seen enough incidents, I would like to counter with the view that human behaviour will continue to be fallible. While reliable and competent experts are needed to design, build and operate our defenses, we should expect lay persons to continue to fall for that deceitful phishing email, rogue mobile application embedded with malware or some new social engineering attack vector that will surface in future. Yes, end user cybersecurity education and awareness must continue and evolve as attack vectors evolve, but we also need to design layered defenses to expect the inevitable human failures and use technology wisely to compensate.

The way forward is anti-fraud-by-design

Having worked in the cybersecurity field in the early 2000s, I saw the benefits of security-by-design and privacy-by-design. These engineering frameworks proactively involve cyber and privacy subject matter experts in the co-creation of resilient systems and products at the time of inception – rather than roping them in as an afterthought.

By extending this concept to fighting fraud, we can also construct an anti-fraud-by-design framework, with fraud and forensic technology experts playing a pivotal role.

What can these experts bring to the table? An acute knowledge of root cause failures and red flags cumulated from working on complex investigations, and experience in working with best-of-breed technology solutions and building proprietary solutions when nothing else seems to fit. These experts also bring onboard expertise in collecting, triaging and analyzing vast amounts of data from internal and external data sources.

Crucially, fraud and forensic technology experts must be involved to work alongside multidisciplinary teams at the inception of creating new products or channels or making any key changes to business practices. Their involvement must start before production status is reached. These experts will architect, design and test the ability to prevent and detect fraud risks as well as ensure compliance with relevant laws and regulations.

A good example of anti-fraud by design is the absence of endemic corruption in Singapore. Over the past five years, Singapore has consistently ranked among the top five least corrupt nations, in the Corruptions Perception Index (CPI) by Transparency International. The fact that Singapore is largely free of corruption is not by chance, but by considerate design. A culture of zero tolerance for corruption was promulgated by the country’s founding leaders, backed by political will, tough laws, enforcement and much more.

Key elements of anti-fraud-by-design

1.?????? Whole-of-system approach

For anti-fraud-by-design to be impactful, governments and private organizations must work together more effectively to stay ahead of threat actor organizations. ?

The anti-scam command center[4] in Singapore is a good example of public-private-partnership. More can be done, even among private organizations, to share threat intelligence and form joint action taskforces to swiftly coordinate action across organizations to disrupt attacks.

Within organizations, anti-fraud defenses – both preventative and reactive – must be reinforced end-to-end and across channels. For one, it is imperative to collect and use data across the entire ecosystem more agilely to develop risk profiles and build predictive AI models that can accurately detect suspicious activities.

2.?????? Analyzing fraud schemes and scenarios

As part of the multidisciplinary team creating new products, service channels or business processes, fraud and forensic technology experts will analyze, dissect and enumerate the permutations of possible threat actors, fraud schemes and attack scenarios – setting the foundation for building a resilient defense.

For each threat actor group and the identified modus operandi, “whole of system” defenses should be designed to prevent attacks from succeeding. Detection systems should be put in place for continuous monitoring of key risk indicators (KRIs). That said, incidents will happen – a matter of not if, but when – so fail-safe and fail-strong options should be configured for the event of a compromise.

3.?????? Continuous and dynamic monitoring

A significant root-cause failure in many successful attacks is the lack of effective and continuous monitoring. Defining how and what to monitor, tweaking the analytics as the fraud landscape changes and using predictive models to reduce false positives and improve accuracy is key.

Based on experience, effective monitoring would have raised alarm bells and mitigated the impact and severity of the breach. (Read about why monitoring indicators of compromise (IOCs) is a crucial part of organizations’ cyber defense strategy in my other article).

Anti-fraud-by-design - put it to practice

All in, tackling FinCrime is a complex issue as threat actors employ increasingly sophisticated tools and methods. Now is the time to embrace anti-fraud-by-design, establishing robust public-private partnerships within the ecosystem to address the onslaught of FinCrime. ?

[1] Top 7 Trends Shaping the Financial Crime Compliance Landscape in 2023, https://risk.lexisnexis.com/insights-resources/infographic/financial-crime-compliance-trends

[2] https://www.straitstimes.com/singapore/scam-victims-in-s-pore-lost-6607-million-in-2022-almost-13-billion-in-past-two-years

[3] Cost of a Data Breach Report 2022, IBM Corporation, 2022.

?[4] Opening Of Anti-Scam Command Office (police.gov.sg)