Fraud Presentation Norway Anne Green



  1. Fraud Presentation Norway. Anne Green, Fraud Consultant, 0044 (0) 7813 855872 [email_address]
  2. Background
      • BA (hons) Law/Social Science combined studies
      • Member Institute of Credit Management (MICM)
      • Member International Association for Financial Crimes Investigators (IAFCI)
      • Five years as a Private Investigator
      • Six years in Credit Management/Civil Litigation
      • Thirteen years HSBC Bank
      • Last two years on attachment to the Dedicated Cheque and Plastic Crime Unit (DCPCU)
  3. Fraud in an International Perspective
      • The UN estimates that between $590 billion and $1.5 trillion per year is laundered globally by arms and human traffickers, drug dealers and other criminals
      • Global fraud losses are expected to reach $15.5 billion by the end of 2005 (Meridien)
      • Identity theft annual losses are estimated at $5-8 billion; some estimates as high as $19.8 billion (US alone) (Financial Insights, Celent, Javelin)
      • 30% of consumers would close all accounts and move their business to another financial institution if their personal information was compromised (EDS)
  4. Fraud in an International Perspective
      • $67.2 billion: FBI estimate of what US businesses lose annually because of computer-related crime (Source: USA Today)
      • On-line banking fraud up 90% (2004–2005) (APACS)
      • An incidence of card fraud takes place on average every 9 seconds in the UK (APACS)
      • Insurance fraud in the UK costs an estimated £2 billion per year
      • (CIFAS, Meridien)
  5. Fraud Awareness
      • Fraud is happening
      • Many companies think this is not hitting them
      • Think they have adequate controls
      • They don’t
      • It is costing them
      • They don’t know how much
  6. Organised Financial Crime
      • Financial services based on trust
      • People, families known
      • Local knowledge
      • No longer opportunist white collar crime
      • Removal of borders
      • EU membership
      • Economic migrants
  7. Organised Financial Crime
      • Importation of foreign criminals for fraud
      • Cross-border nature of this crime
      • Networks of corrupted staff
      • Cellular working
      • Technical sophistication
      • Criminal gangs working internationally
      • Global patterns, the scams travel
  8. Fraudsters Profile
      • Who predicts fraud?
      • The fraudsters, what are they doing?
  9. So it’s growing
      • Fraud against financial institutions is increasing
          • Frequency
          • Average value of fraud
      • Not just banks
          • Criminals target public & private sectors indiscriminately
          • Look for weak links
          • Find weaknesses in the system & the people
      • Most fraudsters are not opportunists – they are linked to serious and organised criminal groups
      • Finding the links can be difficult
  10. Real size of the problem
      • Real size of the problem unknown
      • Many go undetected
      • Many institutions ‘bury’ fraud in their bad debt numbers
          • Because they don’t know
          • Or because they can’t be certain
          • Collections staff are generally not fraud experts
      • All we know for sure is:
          • It’s bigger than we think!
  11. In simple terms
      • Theft
      • Deception
      • Dishonestly obtaining and retaining credit
  12. Fraud Methods: Traditional
      • Application Fraud
      • Account Takeover
      • 3rd Party Fraud
      • Clearing Cycle Fraud
      • 419’s
      • Telemarketing
      • Insurance Claims
      • Money Laundering
  13. Current Trends
      • Identity Theft
      • Account takeover
      • Cybercrime
      • Phishing
      • Hacking
      • 1st Party Fraud
      • Data compromise
      • Internal/staff Fraud
      • Bust out/credit manipulation
  14. Cybercrime
      • Criminal economy that robs US businesses of $67.2b
      • FBI & US Secret Service work on disruptions
      • Typical cost of goods and services in forums:
          • $1,000 to $5,000: Trojan program that can transfer funds between online accounts
          • $500: credit card number with PIN
          • $80 to $300: change of billing data, to include account number, address, social security number, DOB
          • $150: driver licence
          • $150: birth certificate
          • $100: social security card
          • $7 to $25: credit card with security code and expiry date
          • $7: PayPal account logon and password
      • (Source: USA Today)
  15. Application Fraud
      • Application fraud involves criminals using stolen or false documents to open credit accounts
      • Criminals may obtain details from public sources
          • Telephone directory
          • Newspapers
          • Internet
          • Electoral register
      • Criminals will pay for data
          • Internal staff fraud an increasing threat
          • Corrupt staff
          • Example: bank clerk using false documents to open 60 accounts
  16. Application Fraud
      • Prosecutions for individuals making fraudulent applications for credit are rare
      • Credit reference agencies place great trust in Voters Roll
      • Council departments do not verify identity
      • Can change your name at any time
          • Form completed, taken to Solicitor, £5 fixed fee, sworn on oath
          • No identity checks undertaken
          • Form can be used to have passport amended
  17. Application Fraud
      • Alternatively they may try to steal documents such as utility bills and bank statements to build a personal profile
      • They may use counterfeited documents for identification purposes
          • Driving licences
          • Passports
          • ID Cards
      • All readily available over the internet cheaply
          • A convincing driving licence in any name for $33
      • Total loss through application fraud over $24 million in 2004 in the UK alone
  18. Spoof Web Site
      • Web sites set up to obtain details
          • Known cases
          • Credit Records
          • Cheap Car Insurance
          • Internet Service Transaction Supplier
      • Be wary of sites selling goods/services at unbelievable prices; the old adage: ‘if it seems too good to be true, it probably is’
  19. Identity Theft/Impersonation
      • Identity theft is the fastest growing financial crime
      • Home Office figures state it is costing the UK economy £1.7bn
  20. An attractive crime
      • Relatively low risk
      • Offers high returns
      • Easily attempted
      • Frequently regarded as victimless crime
      • Many organisations have weak defences
  21. Identification
      • A variety of documents are used as evidence of identity and will vary between countries. No harmonisation amongst EU countries
      • UK
      • Driving Licence
      • Passport
      • Birth certificate
      • National Insurance Number
      • NHS Card
      • USA
      • Social Security Numbers (SSNs) used universally for credit applications
      • Photo driving licence
  22. Identification
      • Netherlands
      • No unique identifier – antipathy towards ID, historical resonance from World War II
      • Uses Verification of Identity System (VIS), lost/stolen documents, Dutch Police
      • Six million records including deceased file, also includes other country documents, Passport
          • Database can be accessed by public & private sectors
          • 3 million checks to database made each year
          • Specific offence for identity, e.g. forging a driving licence: 5 years
          • Strict controls for changing names: ‘reason’
          • Can change forename by disposition in front of a Judge
  23. Identification
      • Belgium
      • Compulsory Identity Cards
      • 10 million Belgians must notify their address to police
      • Check made to home address to confirm
      • SIS card for social security purposes
      • France
      • 60 million citizens hold Identity cards, but not compulsory
  24. Identification
      • Passport presented for formal proof of ID
      • ID valid for 10 years but numbering not continuous
      • Legal constraints on public/private sharing of data
      • Spain
      • Compulsory ID Card issued by local police at age 14
      • 46 million cards valid for ten years
      • Must be carried at all times
      • Contains name, address, photo, nationality, signature, place, DOB, parents’ names
      • Also used as a travel document
  25. Identification
      • Germany
      • 82 million citizens obliged to carry Photo ID
      • Passport for claiming benefits
      • Passport for driving licence or offences
      • Home addresses registered with local civic authorities
      • Processes used in the issuing and checking of documents used as evidence of identity are not secure
  26. Identification
      • Denmark
      • All 5 million citizens have a unique ID number
          • Linked to centralised civil registration system
          • Holds data on name, address, place of birth, kinship, marital status, spouse details
      • System introduced in 1968
      • ID number used by almost the entire public administration, including tax, banks and insurers
      • Citizens legally advised to inform government when they move house
      • Between 1968 and 1995 individuals were issued with a card bearing their name, ID number, DOB, but no photo on card
      • Stopped as ineffective and expensive
  27. Identification: The Problem
      • Identification legacy systems
      • Pre-computers
      • No world experts on document validation
      • Fake/genuine documents easily bought
      • Demographic changes
  28. Account Opening
      • New accounts, essential:
          • Authentication of people
          • Validation of documents
          • Verification of data
          • Cross matching for data irregularities
      • Fraudsters know to make multiple requests on assumption one will pass
      • Willing to sit on accounts for years before attack
  29. Data Protection
      • Data Protection Act set up to protect privacy of individuals
      • Fraudsters exploiting the DPA to their advantage
      • Organisations unwilling or unable to share fraud outcome data
      • Cross-border/cross-EU communities’ interpretation or understanding of DPA
  30. Organised Criminal
      • Will cross organisations
      • Different sectors
      • Countries
      • Understand fraud detection systems, hot lists
      • Company policies and procedures
  31. Internal Staff Fraud
      • Weakness within any organisation
      • THE PEOPLE
  32. Internal Staff Fraud
      • As measures are put in place to combat fraud like Chip N Pin
      • Fraudsters moving with the times to exploit weaknesses and look for new opportunities, they need help from within!
          • Account takeover
          • Data compromise
          • Genuine plastics/bank accounts
          • ID Fraud / Improvisation
          • CNP Fraud
          • Bust out/credit manipulation
      • New technology utilised to transfer data
          • Mobile phones
          • Key catcher
          • Portable data storage devices (e.g. Pen)
  33. Methodologies
      • Staff recruited whilst at night-clubs, bars, cafes close to financial institutions’ premises
      • Generally young and impressionable
      • Easy target / weaknesses
      • Low paid jobs – call centre, data inputting
      • Unmotivated, lack of loyalty, bravado
      • Motive for employees to supplement income
  34. Case Studies
  35. Operation Horizon
      • High performance sales staff at a high street bank
      • Opened 1,200 accounts over a nine-month period
      • Losses c.£3m
      • Had accepted false IDs and documents
      • Used same on all accounts
      • Audits on accounts would have highlighted same details used
  36. Operation Ecru
      • Eight bank staff members identified
      • Unknown/unconnected to each other
      • Recruited in the street and offered £1,000 a time for account information
      • Targeting “high status” accounts
      • Changed address then opened up card facilities
      • Fraudulent CHAPS payments to transfer money from premier account to card account
      • Attack on bank bears hallmarks of organised level two criminal group with access to bank procedures, personal information and stolen/counterfeit documents
  37. Operation Ecru
      • CHAPS (Clocks) password changed daily
      • Used stolen bank CHAPS forms. Faxed over to CHAPS, altered to reflect a recognisable fax number
      • Post-arrest, ‘how to defraud the banks’ book recovered on suspect
      • One staff member had Rolex watch and drove top range Mercedes. Previously sacked from another bank
      • Also found Dun company searches showing directors’ home addresses and bank details
  38. Operation Rhea
      • Referral from high street bank
      • Premier accounts compromised and fraudulent transfers made to student accounts
      • Students recruited to accept bill payments into their accounts
      • On receipt of funds, taken shopping to obtain goods/cash
      • Common link on premier accounts (point of compromise) identified by bank as a major insurance company
  39. Operation Rhea
      • Insurance company holding bank details to send insurance credits
      • Originally problems in insurance company’s audit trails – no system in place to see who had viewed accounts
      • Fix put into place and staff member arrested
      • Evidence that data from most of the high street banks had been compromised
      • Students turned victims as payments reversed off accounts, so left with the debt
  40. Easy Policing
      • Assumption or fact, most internal fraud in call centres
      • Temporary staff
      • Systems in place to detect
      • High volumes found/low value
      • Other areas, procurement, acquisitions: high value
      • Technology in criminal fraternity greater than found in most organisations
      • If not looking, will not find
  41. Who’s at risk?
      • Any organisation
      • Fraudsters know no boundaries
      • Despite best practice (audit, compliance etc), fraudsters have the motivation, incentive and time to look for weaknesses in your systems
  42. Warning signs
      • Lifestyle
          • Living beyond means
          • Obvious signs of wealth
      • Exceptional performer
      • Experienced staff, not wanting job changes or promotions
      • Excessive (unpaid) sick time with no explanation
      • Complaints (customer / external)
      • Increase in losses
  43. Lessons to be learned
      • Customer sign up procedures more rigorous than staff recruitment?
      • Know your customer vs. know your staff
      • Thoroughly check CVs
      • Identify discrepancies
      • IDs
      • Exam certificates
      • Status enquiries (voters roll, credit enquiries)
      • Limiting computer access/regular password changes
      • Regular audit trails
  44. Lessons to be learned
      • Third party suppliers
          • Regular audits
          • Processes / Procedures
          • Staffing policies
          • Seasonal staff, urgency
      • Upon identifying internal staff fraud, decide early in the process which route to take
          • Criminal / Police
          • Civil / Employment law
  45. Controls
      • Do your staff know where to go if they have suspicions?
      • Have you got controls in place to identify and deal with suspicions of fraud?
      • Are they adequate, up to date, reviewed?
      • Are staff aware of potential consequences if caught committing fraud?
      • Are they applied?
  46. Sharing Intelligence
  47. Experian Fraud solutions
      • Product solutions
          • Hunter
          • Authenticate
          • Detect
          • Detect Credit Score
          • Fraud Bureau