Part of the Rosetta series of communications studies, this article uses real-world case studies of fraud to look at how organizations have managed issues and crises.The article provides tools to help organizations more effectively manage these sorts of situations.

1. Rosetta Public Relations – Communications Briefing
MANAGING FRAUD COMMUNICATIONS
THE PRICE OF FEAR
In risk management, communications often gets short shrift. It’s soft. It deals with perceptions,
which are kind of like emotions and, after all, what place do feelings have in robust risk models?
The answer is – a pivotal place. In addition to central issues like customer and stakeholder trust in
your organization (which has a ripple effect,
affecting everything from supplier relationships to Some common types of fraud
customer purchasing to stock price), there is the
actual cost of fear and anxiety to your Website hijack
organization. Scholars like Matthew Adler have CheckFree was a US e-billing and e-remittance company. In
even developed models to quantify and monetize 2008 Ukrainian organized crime gained control over its
fear. Internet domains and redirected customers to a malicious
website. Between 160,000 and 5 million customers may have
Fraud connects very viscerally to our fears – theft been affected.
of our money, our identity and all the attendant
consequences. It makes sense that we look at Hack
communications about fraud through the lens of RBS WorldPay, an electronic payment processing company,
risk communications – a discipline designed to was at the heart of an elaborate ATM scam that netted
help us understand and evaluate the things we thieves US$9 million. Hackers gained access to more than a
fear and dread. million financial records that enabled them to fabricate
debit cards and access accounts through ATMs. Hackers
may breach a system to steal data or they may install
FRAUD AS A CONSTANT malicious software.
The TJX case is to fraud what September 11th is to Employee malfeasance
terrorism. In 2005 Eastern European gangs, Not every employee is a model one; some do very bad
working with a Cuban crime ring in Florida, things. In 2007 an employee of Electronic Data Systems
hacked the company’s transaction databases and stole 500 customer identities and managed to sell 50 of
began quietly stealing data. As a major retailer them to criminals before being arrested.
(operating stores like Winners, HomeSense and
TK Maxx in Canada, the US and Europe), it had a Data loss
rich store of sensitive data like credit card records Although it may not cause financial loss, misplacing
customer data or exposing it in some fashion is corrosive to
trust. Bank of New York Mellon learned this when in 2008
it lost a backup tape containing 12.5 million customer
1
records.

2. that was tempting for thieves. The thieves made off with credit and debit card numbers and
personal information like driver’s licenses and social security numbers. All told, 100 million
records were stolen and used to run up credit card charges as well as launch a gift card scam. Banks
were forced to reissue cards by the thousands.
But most instances of fraud lack this sort of grandeur. They are more likely to resemble Polo Ralph
Lauren’s data breach in 2005, where hackers stole credit card information and made counterfeit
cards from bases in Eastern Europe. Or they make take the form of persistent phishing or card
skimming threats.
Whatever form it takes, fraud undercuts the trust and confidence needed to fuel a transition to
digital currency. We are now at the point where debit card use is ubiquitous. Newer services like
micro-payments and pre-loaded debit cards are becoming increasingly prevalent. All of these shifts
entail entry into a very complex world of payments and intermediaries and open up vistas of
opportunity for criminals. For example, in the United States alone in the past four years more than
253 million personal records containing identification like social security numbers and military
service records as well as financial data such as credit card numbers were lost or stolen. Somewhere
in the world someone is doing something highly illegal with all those records.
There is bound to be some leakage at some point in the digital world, whether online, at the point
of sale or at an ATM. For example, in 2004 the Gartner Group reported that two million
Americans had lost an average of US$1,200 each due to online raiding of their bank accounts.
Fraud is endemic to the system. Bank executives accept this and reflect it in their forecasts and
planning. However when it comes to managing communications surrounding fraud, it is not often
seen in this light – as a permanent fixture of the operating environment rather than a one-time
event. We talk as though it was an aberration, a crisis, when in fact we should be communicating it
to customers and partners as a risk. In this article I outline the principles of risk communication as
they apply to talking about fraud and dealing with instances of fraud. But first let’s begin with a
review of the environment in which you will be communicating.
TRUST
Rich Lowry of the National Review trenchantly termed the first decade of the 21st century the “Age
of Cynicism.” It is a time notable for a severe deficit of trust. We assume corruption and
incompetence in all aspects of life – government, politicians, media and
corporations, including our banks. The assumption seems to be that every public figure is a moral
illiterate and guides his or her organization accordingly. This of course doesn’t really fit the facts, as
this table shows:
Corruption rankings by country
1st Denmark, New Zealand, Sweden
9th Canada, Australia
16th United Kingdom
18th USA, Japan
180th Somalia
Source: Transparency International, 2008 Perception of Corruption
Index 2

3. But trust goes beyond faith in our corporate and government leaders; it goes right to basic
confidence in the financial system. In and of itself, a banknote is pretty worthless. You can’t eat it.
All those pretty printed designs make it hard to use as notepaper. And if you burn one it doesn’t
generate much heat or light. But as a symbol it has significant value. This is because we all trust that
it will be accepted in exchange for something. If counterfeiting is an issue then confidence in
banknotes as representatives of value is eroded (think of the last time you tried to spend a $100
bill). The same happens in the electronic banking world. If your personal file was one of the 3.9
million on a backup tape lost by CitiFinancial in 2005 then your confidence in data security is
likely low.
If trust is low people will go offline, use money orders to settle online purchases, bank at branches
or curtail debit card usage. Trust is the bedrock of the financial system. Bankers know this.
Without trust among counter-parties and depositor trust in banks the global financial system would
grind to a halt. Preserving trust is, therefore, the key element of any communications response to
fraud. Without it you are nothing.
RISK
Before we look at communications strategies to convey risk and build trust we first need to be clear
about what we mean by risk. There are many definitions, some technical for the actuarial types, but
I prefer a simpler approach. Risk is the probability of something undesirable happening. Doing
something always involves incurring some level of risk, even simple things. For example, odds are
one in 3,500 that you will injure yourself next time you mow your lawn (in comparison you have a
one in 5,000 chance of hitting a hole in one). But we need to factor in not just the probability of
the event but its scale. We end up with an equation like this:
Risk = probability of event X its expected impact
When we assess risk we need to understand what is acceptable from the corporate perspective (e.g.
how much fraud can you afford) and what is tolerable to the individual customer. For customers,
although the only truly acceptable risk is zero, this in practice may come down to a risk/benefit
trade-off, with potential financial losses and the effort required to set things right again balanced
against the convenience of online banking and point of sale transactions. Anecdotally, most
members of the public see fraud as inevitable, irritating and endemic. The fact that many folks have
some personal familiarity with it – calls from banks, card replacement and possibly account
hacking, is perversely a good thing as it undercuts the dread factor of this adverse event by reducing
the unknown.
PERCEPTIONS OF RISK
We humans are terrible judges of risk. Our brains don’t work that way. The myth of the rational
actor is, as our friends in behavioural finance tell us, just that – a myth. Two of the most common
ways we mess it up are:
3

4. 1. The zero-infinity game – here we catastrophize a totally improbable event, taking an
almost nil chance of occurrence (such as an Oklahoman being bitten by a shark) and
assigning it an almost infinite scale of awful consequences (severed limbs, death,
disfigurement).
2. The familiarity discount – if we do something often enough without suffering an adverse
event we mentally discount the risk. Familiarity breeds contempt. Think of driving a car.
Many folks have never had a car accident and therefore consider the likelihood low even
when the statistics tell us that we have a one in 81 lifetime chance of dying in a car
accident.
Other factors will affect perception of risk. Media mentions may skew our perceptions of risk. For
example, on average there are six deaths from peanut-related allergies in the US each year. Yet the
public perception of this as a significant risk is higher than that of lightning, which kills 90
Americans a year. Our understanding of the frequency of an event is actually a measure of how
prevalent that event is in the communications environment. Talking it up increases the perceived
threat. Similarly, aggressive risk communication campaigns that stress the need to protect against a
threat will increase fear and raise perception of risk.
Fraud risk perception factors
Trust – our sense of fear is in inverse proportion to the trust we have – if customer
trust in a bank is high then fear will be low.
Control – the threat we feel is lessened if we have some degree of control over it (think
of flying vs. driving when you are at the wheel).
Choice – an unavoidable risk is more dreadful than one voluntarily accepted.
Uncertainty – if the nature of the threat is hard to explain or changes quickly then it
will be seen as more dangerous.
Novelty – new threats are scarier than old ones; compare AIDS, which killed about
14,000 Americans in 2006, with influenza, which killed more than double that number
(36,000).
Awareness – we may see a risk as a greater threat than it really is if it is a frequent
media topic or the subject of a communications campaign.
Personal – how directly will the risk affect me? The more general the risk, the lower the
perception of threat. Think of global warming.
Risk-benefit – if we perceive a strong benefit we will discount the risk.
Catastrophic – what is the worst-case scenario? Identity theft leading to financial ruin
will be seen as dreadful even if the incidence of such an eventuality is quite low.
As you can see, one of the greatest challenges companies face is customer misperception of risk.
Bank customers who have never had an account compromised may perceive debit card use as
totally without risk due to the familiarity discount or conversely they may assume that doing online
banking will lead to their total financial ruin.
FRAUD IS NOT A CRISIS
When an airliner suffers a total loss of its hydraulic systems it usually crashes. No one – not the
pilots, the mechanics, the airline management and least of all the passengers, expects this to
happen. Fraud is different. We actually expect that it will happen, that some aspect of the elaborate
4

5. security systems will fail. The sudden part is often the discovery of the fraud. This is what fools us
into thinking it’s a crisis.
It is a mistake to apply crisis communications principles to an instance of fraud. This is because
crisis communications focuses on preparing an approach to managing a crisis and initiating that
plan when needed. It has defined start and end points. Fraud, because it is a constant in the
operating environment, does not have a beginning or end.
A different communications approach is needed – risk communications before and after the fraud
event and issues management during the fraud. The issues management (and customer and
stakeholder responses to it) will of course inform the risk communications approach, post-event.
Event
Risk communications
(adjusted post-event)
Issues management
RISK COMMUNICATIONS
Risk communication is a way of talking about the probability of adverse events and their expected
impact. Our goals are to put a given risk in perspective, encourage folks to use information to
adjust their perceptions to form a better understanding of a risk and ultimately to empower people
to change their behaviours to mitigate the risk.
The knowledge gap
Most good communications begin with research. In risk communication we take a two-pronged
approach. First we need to work out what’s often called the ‘expert model’ of the risk. In the case of
fraud we would map out where the potential points of fraud are in the system, which behaviours
exacerbate them and which types of fraud are not affected by customer behaviour (e.g. a customer is
not likely to have any ability to influence a hacker attacking your central database). We then need
to look at what the audience perception of the risk is. We’ve already looked at some common
elements of that perception but this needs to be sharpened, likely by at least directional opinion
research. At the end of this exercise we should have two models:
1. What our experts believe is the model of how the risk operates
2. What our audiences (e.g. customers) believe is the model of how the risk operates
Our next task is to see how the two models overlay. Assuming the expert model more closely
resembles reality, how close is the customer perception of the risk? From this we can narrow our
5

6. communications focus – we know where the perceptions are out of line with the reality. Because
comprehensive, in-depth risk communication is seldom successful we need to prioritize, based on
the potential for mitigating risk (e.g. if changing behaviour A will reduce the potential for fraud
more than behaviour B then we should work on adjusting A).
The behaviour gap
Let’s look at little more closely at behaviour. There are actually two elements to consider here:
1. The information that informs or supports behaviour
2. The reasons that knowledge is not applied to change behaviour
Old style risk communication was often didactic, based on the Pollyannish belief that, ‘if we give
them the right information, people will make the right decisions.’ In the 21st century, the era of
web 3.0 and such, we should be taking a more participatory view. Our goal is to invite people to
reconsider their perceptions in the light of new, or previously unknown evidence. To this end we
need to know what information they are using to build their risk assessment model and where it
comes from.
Sometimes though we may have received the knowledge but failed to use it to mitigate a risk. For
example, despite intensive public awareness campaigns against binge drinking, 360,000 teens 11-15
get drunk every week in the UK. As a risk communicator your question should be: what makes
them discount or ignore the message? We may distrust the messenger (government, in this instance)
or we may trust another source (e.g. peers) more. Again, opinion research will sharpen your sense of
this.
Putting it all together
So now we know what people think of a risk, how they arrived at that perception and whether or
not they act to mitigate a risk (and why or why not). How do we go from this information to a risk
communication campaign?
If we see our purpose as encouraging people to think differently about risk and make better risk
management decisions then we can see we can’t win by simply contradicting strongly-held beliefs.
We need to supplant the erroneous perceptions gradually. And we need them to some degree to
drive the process themselves.
You may consider using trusted sources, particularly if you lack credibility or are seen as biased. A
neutral expert voice, particularly one with credibility with your
audience, will help to carry your message.
Mental noise theory
Nobody likes to contemplate bad things. There’s a natural audience
When people are stressed they have
reluctance to accept communications about things like fraud. People
difficulty:
become stressed when considering the downside potential of things.
And stressed people do not make receptive audiences. Messaging
 Hearing information
must become simple, with key points repeated and supported by
 Understanding
information. Our course creative communications can help by
information
ensuring a degree of memorability. Just because we are dealing with
 Remembering information
risk doesn’t mean that the full toolbox of communications (such as
we see in conventional marketing) shouldn’t be available.
6

7. Sometimes less is more. Risk is relative. When we communicate risk we need to keep in mind that
simply by doing so we can increase the perception of the severity or possibility of that risk.
Perversely, high profile risk communication campaigns may actually undercut your desired goals by
raising fears. Establishing context and maintaining perspective can help as can ensuring the
appropriate amount of risk communications to engage in.
Finally we shouldn’t see risk communications as a standalone effort; it is part of your overall
communications effort and needs to be connected both to issues management and day-to-day
customer interactions. If you are effective in all three areas you will create a virtuous circle that
continuously reinforces trust in your organization.
ISSUES MANAGEMENT – THE BARCLAYS EXAMPLE
Fraud is, as I have stressed, a constant in a system that involves owners of money, custodians of
money, payment intermediaries, merchants and folks that want to steal money. There will come a
time when you are facing an instance either of fraud or something like a data breach that stirs up
fears of fraud. You will need to shift gears from risk communication to issues management. In these
situations we can learn from past successes.
It was supposed to have been the beginning of a new era in banking in Britain – established banks
took their businesses online and at the same time oddly-named virtual banks like Cahoot, Smile, If
and Egg were launched. But the year 2000 was not a good one for online banking security. Egg was
hit for hundreds of thousands of pounds and Barclays, in the midst of building the virtual side of
its retail banking business, ran into serious trouble.
Barclays, the first British bank to launch a free Internet banking service, had 1.7 million customers
banking online by 2000. In May of that year the bank announced plans to double its spending on
e-commerce to £325 million. It spelled potential dominance in retail e-banking. But in July routine
software upgrade inadvertently enabled customers to view others’ banking information. The bank
took aggressive measures and shut the website down while repairs were made. Compounding the
issue, a human error the next day repeated the problem. The public perception was that the
Barclays Internet banking venture was inherently insecure. Media coverage and critical consumer
advocates didn’t help.
So how did Barclay’s manage this issue? In my opinion it did well to tell a story comprised of five
elements:
1. Context – the bank gave details of what happened and what caused it as well as what the
financial implications for the victims were (no losses were incurred by customers)
2. Scale – the fact that only seven customers out of 1.7 million users were affected helped to
demonstrate the relative risk
3. Persistent risk – the bank reminded customers that these sorts of problems “happen from
time to time;” this is important because customers need to know that the risk of an event
like this is not zero, that it is not a freak random event and there is always a possibility even
if it is remote
4. Corrective measures – the bank outlined the steps that were being taken to fix the
problem and minimize the chance of a recurrence
7

8. 5. Confidence – the bank reiterated its belief in the safety and utility of the service
A WORD ON MEDIA REPRESENTATION
One problem with fraud is that the majority of cases are really not that interesting. The first
instance of a Nigerian advance payment scam was noteworthy but now that it accounts for 11 per
cent of all online fraud, it’s commonplace. So media tend to focus on the high profile instances of
fraud – TJX case or the BCCI’s and Bernie Madoffs of the world. The problem here is that this is
unrepresentative fraud. TJX was a rarity not likely to be seen again for some time and most folks
will not suffer from a rogue trader but rather from a hack, possibly orchestrated by organized crime,
or a phishing scam.
Quick quiz: match the rogue trader to the bank
a. Rusniak e. Daiwa
b. Iguchi f. Allied Irish
c. Leeson g. Societé Generale
d. Kerviel h. Barings
(Although you likely guessed them all, here are the matching pairs: a-f, b-e, c-h,
d-g).
The other problem is the prevailing narrative – banks either deliberately or inadvertently put
customers at risk. They fail them. Often consumer advocates will be quoted to support the view of
uncaring financial institutions. Fraud may be conflated with other issues such as excessive corporate
pay, high service charges and branch closures to bolster the view of the unresponsive behemoth
bank. This is the storm Barclays ran into. It’s not a fair portrayal but that’s beside the point.
Compounding this is the inevitable obsession with negative events that characterizes media, both
news and entertainment. In an always-on media environment what is presented is a “24/7
drumbeat of drama and danger,” says Harvard professor David Ropeik. Crimes, including fraud,
are over-represented – communications theorist, George Gerbner, found that crime is 10 times
more prevalent on television than in real life. The result is a climate of fear that fuels distrust.
This is obviously more of a concern for issues management but it should still be borne in mind for
any risk communications initiative, particularly one that either uses media to carry the message or
has the potential to attract media interest.
A FINAL THOUGHT
Fraud is challenging topic to communicate, one that can spark customer fears and generate media
controversy. Conditioning your customers to the potential risks and equipping them with the
information and tools to help them shape their behaviours is a more effective approach than a
8

9. reactionary crisis communication approach. Risk communication may, at the end of the day,
prevent a need for crisis response.
ABOUT THE AUTHOR
Paul McIvor is the founder of Rosetta Public Relations Inc., a Toronto-based communications
shop. Prior to creating Rosetta, Paul managed communications at the Ontario Ministry of Health
and Long-Term Care and on Bay Street, providing financial communications services.
416.516.7095 mcivor@RosettaPR.com www.RosettaPR.com
9