Fraud Prevention or Fraud Invitation?
Stephen Grossman
Non-Standard Solutions to Complex Problems | Alternative Disputes Resolution | Crisis & Critical Event Response Specialist | Applied Intelligence & Behavioural Tactics | Cyber Incident Response
Fraudsters exploit two primary things in order to conduct their craft: Trust and Procedures/Processes.
Once a company has been hit by a fraudster, two primary things happen: Paranoia kicks in (triggering a suspension of trust) and new procedures are implemented to thwart the same attack happening again.
As humans require trust, even crave it, in order to do business or have relationships, suppressing trust eventually becomes difficult and potentially painful to sustain. Knowing this, as well as all the other bits fraudsters know about human drivers and emotions, provides the manipulator the seeds and the fertile soil he/she needs to engineer gate-opening behavioural responses from insiders to gain access to company accounts, client accounts, get false payments paid, acquire confidential information, etc.
And as for the idea that paperwork and audit checks will thwart fraudsters by putting up procedural security checks, or what one could think of as "bureaucratic bollards," one should consider that sophisticated fraudsters, the ones that ought to really concern an organisation, thrive in bureaucracy. They hide in paperwork. They deceive with paperwork. And the more an organisation relies on rules and mistrust, the more inviting it is to a professional fraudster. Such an environment becomes a target-rich environment with a plethora of entry points and places for the fraudster to hide his/her activity.
Every time a bank, for instance, reacts to a major fraud event, the clock starts on the next, better and bigger fraud. Yes, it has likely stopped a fraudster with exactly the same profile, motivations and access from repeating the identical fraud, but it has inadvertently designed a new set of exploitable mechanisms for a different kind of fraudster to take advantage of, and it has signalled to those paying attention how the bank thinks about its vulnerabilities, thus broadcasting them.
A fraud prevention programme that does not take into account the human dynamics of fraud, including the mind, motivation and behaviour of fraudsters (professionals and opportunistic fraudsters, which many insider fraudsters are) and those of the unwitting enablers (employees, family members, etc.) who make most fraud possible, is simply turning fraud prevention into fraud invitation.
Focusing on fraud prevention alone makes anti-fraud management a bit like the Little Dutch Boy trying to keep his finger in the dyke as new holes keep opening up in new locations across the dam. A holistic and perpetual cycle of care is necessary.
To safeguard an organisation, teams across multiple disciplines (audit, security, legal, line management, ICT, etc.) must work together like a task force. Strategically, the aim is rather simple: stop as much fraud as possible (0 events is impossible), impede the progress of on-going fraud events, continuously learn and understand fraud and fraudsters and use that understanding to effectively disrupt and to make your organisation unattractive, and pursue those cases that are and should be pursuable. Tactically, this requires a constantly evolving and improving programme consisting of three basic elements: Prevention, Disruption and Pursuit. Underpinning a good programme must be a deep knowledge of and respect for fraudsters' ability to exploit and harness human behaviour. Behaviour-based counter-measures and factoring human vulnerability into the design of one's fraud protection efforts are critical.
Non-Standard Solutions to Complex Problems | Alternative Disputes Resolution | Crisis & Critical Event Response Specialist | Applied Intelligence & Behavioural Tactics | Cyber Incident Response
7 years ago: Hi Francois, Thanks for your input. Can you expand a bit more?
Director of Risk Management and Compliance - Group Internal Control
7 years ago: I think the two approaches are not incompatible
Chief Compliance Officer at Avia Solutions Group
7 years ago: Stephen, you are absolutely right! :) It has to be a holistic and comprehensive approach! Otherwise, you just will run after :) And then... nobody wins :)
Cyber Risks & Anti-Fraud
7 years ago: https://www.dhirubhai.net/pulse/safeguarding-shareholders-value-from-siloed-unified-alexander-gaft/