Misconceptions – The four big mistakes
1. Companies assume that their staff and business partners are honest.
2. Managers assume that employees will automatically report any suspect activity.
3. When companies uncover a fraud, they often try to deal with it in-house, letting the fraudster get away with it.
4. Organisations are complacent and assume that they have adequate safeguards in place.
When the US State of Utah set up a fraud detection system to monitor doctors’ Medicaid claims, they were surprised at what it dug up: A group of doctors who had been prescribing themselves two drugs that, when taken together, could give them a heroin-like high.
Then there was the practitioner who was over-billing by so much that the system calculated that he must have been working 40-hour days.
Such problems are the same the world over. In the UK, for example, a local health authority implemented fraud detection software from SAS Institute and discovered that one of its locum doctor’s had over-billed for his services to the tune of £4 million.
When supposedly up-standing professionals such as doctors cannot be trusted, it is little wonder that fraud has become such a widespread problem – and that fraud detection software has consequently become so widely deployed.
Indeed, the huge, well-publicised frauds that have taken place in recent years at WorldCom, Enron and Barings Bank are dwarfed by the much smaller, but more widespread frauds that are perpetrated on credit cards, in shops and against businesses and individuals every day.
“The small value, high volume frauds outweigh the large corporate cases,” says Peter Dorrington, head of fraud solutions at SAS Institute. But with the right processes and procedures, combined with the right software, most of these can be caught, he says.
Estimating the size of the fraud detection market is difficult because fraud detection software is often wrapped up in so many different packages. These include billing (particularly in the telecoms sector), data warehousing and customer relationship management. Fraud detection is also often sold as a service rather than a product, particularly for online merchants.
How it works: Fighting the fraudsters
There are a number of techniques used to detect fraud:
- Verification. This simply involves data matching. For example, checking a name and address against the electoral register and a credit reference agency, such as Experian or Equifax. However, the increasing pervasiveness and sophistication of such systems has led to an increase in identity theft, whereby a fraudster will pose as someone else in a bid to get goods and services in their name.
- Visualisation. This involves plotting transaction data in tables and graphs in the hope that fraudulent activity will stand out – either visually or by filtering it through various mathematical algorithms. “Its main use is in a forensic context, after you have discovered the fraud,” says Dorrington. Typically, it is used to find out what – or who – else is involved, and to build up the case against the fraudster.
- Modelling. This seeks to understand the behaviour of customers and to stratify them according to who they are. For example, the spending patterns of 30 year-old males from south east London will be very different from 50 year-old women from East Anglia. If they step outside the parameters of their expected spending patterns, an alarm will ring. Alternatively, vendors can model the behaviour of known fraudsters and if a customer’s spending patterns start to resemble such behaviour, the software can send an alert. However, the problem with this technique is that, at times of frenzied spending, such as the run up to Christmas, everyone’s spending patterns looks more suspicious.
- Scoring. This is a relatively recent technique in which the system automatically evaluates a whole series of factors, filtering the transaction information through a series of algorithms and returning a score, typically between nought and 99. The higher the score, the riskier the prospect.
Finally, many vendors will apply a series of business rules, often based on one or more of the techniques above.
Tomorrow’s challenge: Online fraud detection
Online merchants are a prime target for credit card fraudsters, many of whom prefer the Internet’s impersonal nature. To help combat the problem, a growing number are turning to fraud detection services.
In addition to checking out a ‘hot list’ of stolen or dubious credit card numbers, fraud detection services also weigh up a variety of factors, including the user’s IP address, their email address, previous shopping sites visited and the billing and delivery addresses.
If the IP, billing and delivery addresses are in three different countries, for example, the merchant will get an immediate alert. Many merchants also input rules that automatically reject billing and delivery addresses in countries with a reputation for high levels of credit card fraud.
The facts: The cost of fraud
- Credit card fraud costs an estimated $1 billion every year, or seven pence for every £1000 spent, according to Raf Sorrentino, vice president of risk management at First Data Corporation.
- Fraudulent use of mobile phones costs network operators between 2% and 5% of their annual revenues.
- The average US corporation loses $9 a day – up to 6% of total revenue – to employee fraud, according to the Association of Certified Fraud Examiners.
- The infamous Nigerian advanced-fee fraud has claimed more than $5 billion since the early 1980s, according to US authorities.
- During the 1990s, the New York mafia set up a bank, called DMN Capital Investment Bank, as a vehicle for financial crime.
- Analyst group Gartner estimates that online fraud costs e-tailers $700 million a year.
Swag – Fraudsters’ favourite ‘purchases’
Perfume, Jewellery, Videos, DVDs and CDs, Mobile phones *, Personal stereos
Fraudsters tactics: Identity theft
The refinement of fraud detection systems in the credit card industry has forced many fraudsters to change tack. Instead of stealing cards, many are now seeking to ‘steal’ someone else’s identity instead.
Identity theft is defined as the misappropriation of the identity of another person, without their knowledge or consent. The crime has taken off in the US and in 2002 accounted for 43% of all fraud complaints to the Federal Trade Commission (FTC).
Fraudsters use a variety of tricks to obtain the information or documents they need to carry out the crime. In one instance, fraudsters obtained the credit histories of more than 30,000 people with the help of an insider at the credit arm of car-maker Ford.
At a more basic level, bills and bank statements, which are often used as a proof of address for credit applications, can easily be stolen from rubbish bins. Thieves that do not want to get their hands dirty frequently target the mail delivery of blocks of flats.
Post addressed to the UK Driver and Vehicle Licensing Agency (DVLA) in Swansea, Wales has become a particular target since photo card driving licences were introduced. This is because drivers have been encouraged to send their passports and other valuable forms of identity to the agency to support their applications.
The response of many credit card companies to the increase in identity theft has been to boost the level of monitoring. Now, it is not unusual for users with erratic purchasing patterns to receive a phone call from their credit card company, asking them about particular transactions that may only have occurred ten minutes earlier.
But often, the first that anyone will know that they are a victim is when the bills – or even the bailiffs – turn up at their door. And then, it can take a year or more for the victim to clear up the mess.