Jeremy Cooper, Crowe Clark Whitehill managing partner of the Thames Valley office, invited journalist John Burbedge to talk to national partner Jim Gee, the firm’s head of forensic and counter fraud services.
“The annual cost of fraud to the UK economy* is now £190 billion – more than the Government spends on health and defence combined; more than all the UK’s revenue from income tax. It equates to around £10,000 per UK family.”
Of that colossal fraud burden, £140.4b (74%) relates to the private sector, £40.4b to the public sector, £6.8b to individuals and £2.3b to charities, explained Jim Gee in a cool matter-of-fact manner almost as unnerving as his words.
But then, Gee knows this enemy very well and, assisted by Crowe colleagues and other sector experts, he is constantly and pragmatically fighting the ongoing international battle against fraud.
Gee chairs the Oversight Board of the United Kingdom Fraud Costs Measurement Committee (UKFCMC) that annually estimates the total cost of fraud – a very detailed evaluation of all known fraud plus criminal ‘known unknown’ activity. He also chairs the Advisory Panel for the Centre for Counter Fraud Studies, which provides the largest European repository of data, research and knowledge about fraud, and importantly countering it.
Therefore, his words are definitely worth noting.
Who’s winning: Us or the bad guys?
“Nationally the situation is not a good one. I would not have believed it 20 years ago, but today fraud is the most common crime in this country with 54% of all crime (5.8 million crimes) being fraud and cybercrime related. We have an epidemic of fraud and we need to respond to it.
“We can’t remove fraud entirely, it is with us, so we need to establish at what level and then minimise it.
“The bad guys are continually changing, reviewing, and updating their methodologies to make sure they get the greatest benefits for the least risk.
“Fraud is a continually evolving problem like a clinical virus, which makes it intrinsically difficult for controls to work effectively.
“Like coughs and colds, you can’t say you’ll never suffer one, but you can help minimise how often and how long you are infected. It’s not just about building the security wall, but managing a fraud and recovering from it. What really matters is the strength of your business’s immune system.
“Individual organisations doing the right things are winning. We have examples of Crowe clients cutting their total cost of fraud by up to 40% in 12 months.
“The average percentage cost of fraud to a business is just under 6%. With profit margins in the low percentages, reducing fraud can make a significant difference to business profitability.
“Organisations should view fraud as an ever-present, ongoing business cost, not as sporadic marginal events that they hope to avoid.”
And where is fraud happening most within our region?
Everywhere, regardless of industry or business size, from Oxford to the South Coast, Newbury to west London, said Gee.
“Wherever there is wealth and a developing economy there are fraudsters and cyber criminals. Like any legitimate corporation they will look for where the market is richest and will bring them their greatest ill-gotten gains.
“The only difference – in any sector – is between those organisations that do protect themselves well against fraud, and those that don’t. There is a clear correlation – those better prepared and protected, lose less,” said Gee.
How much are victims losing?
The scale for fraud resilience is 0-50, the best being 50. Organisations rating less than 15 lose around 10% or more of their potential revenue; those scoring over 40 lose roughly 1% – “but that’s as low as it gets.” New types of fraud are continually being invented and there is a lag-time until they are spotted and tackled, explained Gee.
“It’s not what you detect – most fraud is ‘high volume/low value’ making it hard to detect and only one 30th of fraud occurring gets detected – but if you protect yourself so it doesn’t happen, then that can make the greatest impact.
“The sectors that don’t think they have a problem are often the ones where the problem is the greatest, because their focus on fraud prevention is not at a high enough level.”
Is technology helping or preventing fraud?
It’s more difficult today to say where cyber crime is taking place because businesses can run their digital operations from various worldwide locations, but modern technology is now being increasingly used to target and track down criminals.
Ironically, the two-edged sword of technology is also enabling cyber-criminals to set up sophisticated online ‘dark web’ markets and operate internationally as illegal entities. “The days of individual hackers in their bedrooms are long gone,” stated Gee.
And a fraud prevention mindshift is gathering momentum, he believes, not least because international publicity and social media activity are boosting awareness. People are hearing about cyber scams and hacking at all organisational and professional levels including government departments and possibly elections; some may have had their business operations infiltrated, personal IDs or savings stolen … fraud has become a very personal experience.
Jeremy Cooper highlighted the increased demand from Crowe’s clients over the past 12 months for fraud prevention advice and assistance. “We’ve certainly seen a big uptake for our services and that reflects what’s happening in the wider business community. The numbers speak for themselves.”
Crowe’s Thames Valley operation is growing organically and is currently at almost 100 partners and professional staff. But as Cooper adds: “We are a national firm and the UK member of Crowe Horwath International, the 8th largest global professional services network, and as such we can always get the necessary resource for our Thames Valley clients, whether that’s in countering fraud by building and preparing resilience or in a triage situation where they need active help because they have an immediate issue.”
What are the most common frauds to avoid?
Trending over the past few years has been mandate fraud – people contacting organisations and changing bank or supplier details to divert payments into their own accounts. Also, fraudsters monitoring social media to discover when decision-makers are out of their office, then sending fake emails instructing subordinates to make major payments.
“But trends move on, so I am sorry to say that I’m absolutely confident there will be new scams next year,” said Gee.
* Details of the UKFCMC Annual Fraud Indicator 2017 from croweclarkwhitehill.co.uk
What things should businesses be doing?
Jim Gee suggested these fundamental fraud resilience focuses:
- Establish a strong anti-fraud culture throughout your business and its product and services providers.
- Ensure there is a strong and well-known deterrent regime for potential fraudsters, e.g. loss of job, cancelled contracts.
- Design-out the business process and system weaknesses that allow fraud to take place.
“If you understand how well protected you are, then you can see where you need to strengthen protection, and we often help clients with that.”
The procurement process, for example, is a major area of fraud, so evaluation of supply-chain systems and security should be a regular and accepted standard procedure.
“The human element is key. Your people need to be aware of the possibility of fraud, and understand that they have a stake in minimising it because if their company is more secure, stable and healthy, it indirectly brings benefits for them.”
- Map your systems and data. “If you don’t understand where your data is you really are wide open – effectively you don’t know what’s there to be stolen.”
- Meet the Government’s Cyber Essentials Plus standard for security.
- Test your systems through ‘ethical hacking’. “In all my years, I’ve yet to come across a penetration testing report that did not reveal a serious vulnerability in the organisation it was assessing. I am looking forward to the day when a report doesn’t.”
- Test your workforce preparedness with some crisis scenario planning and ‘live’ training. “When the breach happens you need to be able to manage it, investigate its cause technically, seal it, report it correctly (NB: new GDPR requirements from May 2018), and also to mitigate any reputational damage.”