Who is the most likely suspect for fraud in Canadian organizations?
A typical fraudster is a male between the ages of 30 and 49, employed at the company for three to five years, and not likely in management, according to KPMG LLP, the Canadian affiliate of global consulting firm, KPMG International.
KPMG LLP’s “profile of a Canadian fraudster” is based on a survey of senior execs across Canada at organizations that reported cases of fraud.
The survey report identifies three common motives for fraud:
- Need (28 per cent) – which may be financial, work-related, or caused by an “excessive lifestyle”
- Opportunity (19 per cent) – without which the person won’t have the means to commit fraud
- A character defect (14 per cent) – “Greed”, says the report, is a key character trait of many fraudsters.
“Bad habits” including alcohol and drug abuse, and gambling were a factor in 11 per cent of cases reported.
Fame vs. fortune
A former high-profile Canadian hacker comments on how motives have changed over the past 10 years.
A decade ago, it was more about exploration, said Michael Calce. “I think a lot of people were trying to channel their abilities to see how far they could go.”
Calce gained notoriety in early 2000, for launching a series of highly publicized denial-of-service attacks against Yahoo!, Amazon.com, Dell, eBay and CNN, while he was a high school student in Montreal.
He was just 15 years old when – using the Internet alias, Mafiaboy – he brought these large commercial sites to a halt. Matthew Kovar, a senior analyst at Yankee Group Research Inc. in Boston estimated the global economic damage caused by Calce at US$1.2 billion.
What drove Calce to launch these devastating denial-of-service attacks?
“I just wanted to be the best hacker and was going to do whatever it took to be [recognized] as one of the elite hackers in my community,” he said.
He recalled that at the time denial-of-service was extremely new and hadn’t been explored much.
“I was pretty much the guy who pioneered mass denial-of-service … My motive [was] to experiment, see how far I could go, and gain a reputation and status among my peers.”
But he said today the focus appears to be monetary gain. “It’s the number one motive for everyone, it seems.”
Fraud – an inside job
When it comes to fraud, the greatest threat to Canadian companies comes from their own employees.
According to KPMG’s poll, 69 per cent of reported fraud cases were “inside jobs,” 20 per cent perpetrated by outsiders, while 11 per cent involved collusion between insiders and outsiders.
The survey confirms what has long been held by security experts – that internal threats are the most dangerous ones, noted Craig Silverman, co-author (along with Michael Calce) of the book, Mafiaboy: How I Cracked the Internet and Why It’s Still Broken.
“But there is a flipside,” said Silverman, who worked in security before moving into journalism.
“Internal people, as much as they are a threat, can be your eyes and ears,” he said. He emphasized the value of corporate awareness programs that educate staff about the right way to use systems and flag things that go wrong.
External fraud is also dangerous, Silverman said, because there’s a good chance you won’t know who did it or what happened.
The KPMG survey bears out this view. Only half of the respondents knew who had defrauded them externally.
When you can’t figure that out, said Silverman, neither can you “adapt your systems and training programs to prevent this from happening in future. It seems to be a recipe for future fraud, really.”
It was “shocking” that survey respondents “knew something bad was going down, but couldn’t point to it,” said James Hunter, national leader of KPMG’s Forensic practice.
This could possibly be because the organizations lacked proper control and reporting or the external parties were fairly sophisticated, said Silverman. “My guess is that it’s likely a combination of both.”
KPGM suggests three steps Canadian organizations could take to detect and prevent fraud: have a whistle blower line, develop a code of conduct, and perform extensive background checks to pre-screen hires.
But the whistle blower line (preferably operated by an outside supplier) is the most important, according to Hunter. “It gives people some confidence that what they say will be confidential and anonymous.”
It also offers staff a pipeline, “not just to senior management, who in some cases may be the ones involved, but to the audit committee of the Board of Directors,” the KPMG executive said.
Publicly quoted companies are now required to provide this, but a lot of private companies, government organizations and small and mid-sized businesses are also introducing them because they are “just so powerful,” Hunter said.
But Silverman notes that fraud is far more than a technology problem, or one for the auditors. “It’s absolutely a human issue, a personnel issue, a training and awareness issue.”
Companies, he said, shouldn’t just think about training employees to perform the specific parameters of their jobs.
“They also have to think about supporting people and helping them with their lives, with work-life balance and with personal issues.
If companies do this, he said, “personal issues, bad habits and financial pressures may not drive somebody to commit fraud.”
According to the survey, 73 per cent of fraud cases are performed by individuals acting alone.
“In my experience, they don’t start out intending to be a fraudster,” said Hunter. “They may be compromised by something – maybe they see one opportunity and try it on for size. If it works, they just do it over and over again.”
What role can technology play in fighting fraud? A vital one, provided one uses it effectively.
Technology can both facilitate and fight fraud, noted Hunter.
“The nature of fraud hasn’t really changed all that much, but technology enables fraudsters to steal much more in a much shorter period of time,” he said.
It also helps the fraudsters get caught.
Technology, noted Hunter, helps assemble evidence required to make the case. He said when KPMG performs an investigation, one of the first things it does is image the hard drives of suspect computers.
“In many cases, people don’t realize that when they delete stuff, it still continues to exist in the slack space.”
“The case is almost solved just by our exercise of the technology tools available,” he said. “With a few e-mails, you can really get all the evidence you need.”
The pool of potential fraudsters may be growing, according to Silverman.
“The average person has a lot more access to things that are critical, whether sensitive company secrets or sometimes even accounting information. It would appear controls haven’t really kept up with the pace of getting things networked and online.”