The Power of Data Podcast
Episode 81: Combatting Fraud In A Pandemic Era
Guest: Bruce Dorris, President and Chief Executive Officer, Association of Certified Fraud Examiners
Interviewer: Andrew La Marca, Leader of the Global High Risk and Fraud Insight Team, Dun & Bradstreet
Welcome to The Power of Data Podcast. Good morning, good afternoon, good evening. My name is Andrew La Marca; I'm the Director of Fraud and Compliance Operations at Dun and Bradstreet and today we are honored to be welcoming back Bruce Dorris, President and Chief Executive Officer for the Association of Certified Fraud Examiners. Welcome back Bruce.
It's great to be here. It’s one of my favorite topics to talk about with the anti-fraud community.
It's great to be speaking with you again, and we hope you are well.
Doing great and hope you are as well Andy.
Absolutely. So last year, we had the very same discussion where we talked about the early days of COVID-19, and how it causes such a huge disruption in the fight against fraud, whether against commercial or government entities. We also discussed how sharing of intelligence between entities is a great mechanism to help combat fraud, but also how data and analytics can play a big role in every company's fight. Last but not least, providing our audience more background about the ACFE, the Association of Certified Fraud Examiners and what a great organisation it is. And I recall, I'm sure if some of our audience members were thinking the same that they couldn't wait for 2020 to be over with, right. 2020 definitely caused an uproar, definitely caused some chaos.
And I think about 2021 and I really think it's no different, right? I'm looking forward to 2021 being over with, right. It's just the new nature of the times, right?
Yeah, I mean, when you start thinking about you know how different waves. Waves and how COVID-19 impacted someone's country or someone's region, us you had a huge surge, then it dropped down, another surge and you think we're gonna make it through this one will be okay, and then another one comes. And so 2020 became 2021, and without hope, what do we have? Just thinking that 2022 is going to give us some respite? So you see it from those numbers around the world starting to dissipate and starting to see travel open up again. But hopefully, 2022 is, is better.
Yeah, I can't wait. I think one of the things that I'm anticipating and hoping for, fingers crossed, is a little bit of a cooling off period with all the fraud and the bad actors that's happened. But just out of curiosity, Bruce, what are you hearing from other Certified Fraud Examiners or other agencies or companies about fraud and what they're seeing? And are they experiencing a cooling off period?
Not really. I mean, when you think about it, we all are in this pandemic, having to deal with so many issues, increasing fraud risk that we saw in 2020, not really slowing down at 21. I mean, we may have figured out how to handle part of it, but just like variants within the Coronavirus, finds a way around some of the things that we were using in order to stop that spread, if you will. If you look at some of our studies, and throughout the pandemic, that we talked about this in the last podcast, that you know, the benchmarking studies that we were using with Certified Fraud Examiners around the world, really strong sample, because over 1500 CFEs participated in this quarterly, and then we had another one that came out in this past summer - but that benchmarking study showed that three quarters of our anti-fraud professionals expect fraud risk to continue and increase through the timeframe being next summer. So it was a 12 month period that they expected to see those increases from summer of 21 into the summer of 22. So it is very clear that the bad actors are still taking advantage of the disruptions that impacted business and economics around the world.
Yeah and with that, if it's going to continue to rise, and based on projections, and what we're hearing and seeing, I think we both agree that it's going to continue to rise - but what surprises you the most about this; looking back to January, February of last year when this was all new to us, but looking back, what has surprised you the most, what's one takeaway?
Well, you know, I think part of it is we as fraud examiners and just as human beings for that matter, you look toward an end. I mean, it's like when you see, let's say a weather calamity made you know that there's going to be an end to it at some point. With this, it's like you're thinking it's going to be there, we're going to get back to normal, we'll be able to get our internal control structure back to where it needs to be, operating with that first line of defense, second, third, but it just doesn't. We have this start and we start bringing people back and trying to get things back to what we had done before with our control environments, but there's a surge and we have to stop. So I think that to me - I guess you want to call out a surprise and that we've not been able to navigate this as we would like to, as fraud examiners we're very analytical. And that's been the challenge, I think for everyone, not just in our industry and with the association, but rather just with everyone is trying to navigate this and getting some sense of normalcy.
I think that's true. And you know, you mentioned analytical, right? So as fraud examiners analysing stuff, right if you're used to this one activity or threat occurring, you remember it. But say, then you go back to the office or something else happens, or maybe we open back up, that could be the new norm. Right? So then no new trends kind of look the same. They're all different, right? So I think that's a great example.
Well, and it's one thing that you say that, because we are now in the process of cleansing data for the report to the nations with The Global Fraud Study, which we put out every two years; that report will be released in April of 2022. And so, when you're trying to compare that data to previous datasets, I mean that the analytics of it just become challenging, and you have to really focus on that information, because it's got COVID all over it. And the paradigm shift that we had to make, I mean, I'm always interested every two years of this report and all the reports that we generate, and the research that ACFE, but this one's going to be extra special, because it's got that taint from the pandemic and I'm anxious to see what it looks like.
Yeah, I'm very much looking forward to it as well. I always find fascinating the depth and breadth of research and analysis that's done in those studies, and just the information. It's really great information. So our audience, come April, go to the ACFE.com. and make sure you get a copy of that benchmarking report. It's gonna have some great information for sure.
But Bruce, there was a report that was put out by the ACFE and Grant Thornton, titled The Post Pandemic Fraud Landscape Report, the top five fraud risks that are predicted over the next 12 months are cyber fraud, social engineering, identity crime, unemployment fraud, and payment fraud. Can you talk to a bit as to why these fraud risks are among the top five? And then, why they can expect it to continue to rise?
Well, I mean, sure, when you look at those five that came out of the study, and topped once, I mean, there's a tremendous amount of overlap there. They're really successful for fraudsters, especially in recent years. But in particular, when the pandemic started, so much of our change what digitalisation a more ecommerce demand, we're shifting in labor markets. Yeah, it's tough. So it's easy to see where fraudsters are continuing to use what's been working for them. And then kind of evolving that, especially as the pandemic hits. Because you go back to March of 2020, we go from overnight of our normal controls and our processes and what we've done in terms of data security, and protecting the cyber infrastructure of organisations to working from home working from kitchen tables, and the like. And so when that changed, fraudsters are going to take advantage of that. And the thing is, is we were mentioning earlier, we haven't really shifted completely out of that yet, we've done a lot of protection. There are a lot of missteps early on, yeah, especially when in the US and related to a lot of money's coming out with very limited controls. And there was a need for that and that's the human side of it. But there's also a tremendous risk that goes along with it and that came out. But the thing is, the cyber is real, we were able to figure that stuff out with the banking within a few months and started putting more controls in place and additional loans and PPP continued after that. But the cyber risks are still there, and that is ever evolving. And because of that, that's why I think when you look at the study that we did with GT, that those five fraud risks cyber, social engineering, identity theft, unemployment fraud - huge since the pandemic started, I think it was the Governor of Maryland that uncovered unemployment fraud.
So using that identity, I mean, fraudsters are pretty brazen right now, because of the ability to navigate the lowered cyber defenses that are out there, because we're not in a controlled environment anymore. It's changed and we have to make sure that we're vigilant about it.
And I would imagine, it doesn't help that the availability of the data to impersonate an individual or a business is readily available now.
You think of all the cyber breaches and the malware and the phishing attacks that occur, that data is readily available for these bad actors to jump on, and it allows them to exploit these weak controls.
Absolutely. We see it, I'm sure D&B’s seen it. Fortunately, people are paying attention to it, but cyber criminals are pretty, they've had a lot of time to perfect their trade. And they're ever evolving, which is why we are as well.
Exactly. And you're right, you know, that's one thing that we see. But we also hear is very much the same. But what can companies or agencies do to better protect themselves from potential reputational risk that comes from these fraud risks?
The first thing that I tell everyone on that and you can go beyond cyber, but especially cyber is just educating your employees on what those risks are. In fact, you know, and that's the one thing that we do with Fraud Week every year is taking that time period pandemic or no pandemic. Just telling your staff about what fraud risks are, and especially as it relates to cyber. So making sure that they understand what a phishing scam is, what a business email compromise is and going through the mechanics of that. Not just think about it from an IT perspective, not just think about it from internal audit, but really doing a good overall fraud risk assessment. And knowing where the potential liabilities are within our organisation. Remember conversations not too long ago with fraud examiners in the hospitality industry and they're talking about how a part of their organisation run by a third party because of helpers coming in and cleaning and things like that. But they had addresses that were related to the domain. So CEOs got at XYZ Corp comm, but so does the cleaning staff. But they're third parties, and so they're not part of the overall fraud risk plan is their thing. But wow, what an opportunity for cybercriminals. That's how they found that a phishing attempt through one of those parties, and so we have got to really think outside that box using that term of where our fraud risks coming, because we're coming out of pandemic, but still, there are problems. I mean, cyber criminals have evolved. And we've got to make sure that we think about them, you look at some of the major cyber breaches – I think it was Target came through what? An air conditioning vendor that had credentials. And so making sure that we understand that if someone has those credentials, and they're an independent contractor, once they're done, they're done, we've removed them. But that requires a sweep and just making sure that we're on top of things.
To me, that's the most important part is just educating everyone. We don't have to turn them into mini fraud examiners, but they have to understand that, and there's plenty of low-cost ways to do that. So whether you're a 10,000 plus employee organisation, or you just have 50, there are ways to do that that are economical.
Yeah. And, you know, as we've seen in the news, what makes the news majority of the time is that the larger organisations who are victims to these cybercrimes or cyber enabled fraud, but it's more costly to small to medium sized businesses, because they don't have the wallet to scale their cyber practices. So as a small to medium sized business, what is the minimum thing that they should be doing? Is it education? Is it awareness?
I mean, when you're talking about 10,000 persons, and you're in financial services, that’s completely different because of regulation at all. And so you've got to make sure that you've got almost in house education, things going on. So when you're talking about, you know, under 100 shop, there are platforms out there that could, quarterly, perhaps, you know, every six months or so, just going through some of the 30 minute of what a phishing scam is, and then take just a 5-10 question test about. And if they don't need to go back and do further training, make sure they're paying attention to it. But to me, that's just a bare minimum. And to your question doesn't require a lot. I guess the next step would be more from the IT side, at least in my opinion, in terms of penetration testing. So it's getting a little bit more expensive, but not tremendously. When you start running a lot of firewalls and having those third party cyber defense, that is starting to scale up. I mean, I recommend it, of course, because we've started thinking about it in terms of margin, what you're spending on those data security, cyber breaches versus what you're going to have to end up paying, and sending that email out to all your clients and customers that we've been breached, and you may be part of it. It is a small portion of what that would be. That to me, that's just a minimum. And then, of course, the easiest part is just backing up your data. And I think we all know me, it's not just a matter of if but when you are going to have some type of attack, whether or not it’s successful, a lot depends on what you're doing. But if worst case scenario that happens, which are playing, what are we going to do? How do we go in and recover that so that we're not dealing with ransom issues and things like that, we've got a plan in place. 
That's just a matter of sitting down, you know, a few people at a table that are the right parties to it as part of an overall fraud risk assessment or just a mini one as it relates to security. But just doing that is going to save you a lot of heartache later because we thought about it in advance.
You mentioned a great point about dealing with it afterwards, right after it gets out telling their vendors and so forth. I recall a case that we had this year, where a business was a victim of identity theft. When their suppliers learned about it, they threw up the red flag and they lost some of their reputational - their trustworthiness out there and so doing nothing's more proactively obviously would help. And it could diminish the possibility that your brand could be tarnished as a result of cyber enabled fraud for sure.
Yeah, I mean, the human element is still there. I mean, we can put a lot of defenses up, and we need to do that as businesses, but you’ve still got human beings that are working. That's part of it.
Yeah. So staying on the topic of these five fraud risks, as part of the ACFE and GT Post Pandemic Fraud Landscape Report, call center fraud has picked up. I've seen it, I've heard it, and no surprise, I would imagine because of the readily available data for these bad actors to use. But can you share with our audience why this might be and best practices to mitigate account takeover in a call center.
Think about the business. So you've got your business, and you're able to handle your frontline employees from let's say, you know, those who handle customer service type of activities, to the accounting to legal, the HR, etc. You're able to control that to a certain degree and making sure that they understand. But if you are an organisation or business that has call centers involved, you're obviously giving that out to a third party, which may or may not have the same standards that you do. You're gonna hope they are and part of your due diligence is to make sure that you’ve vetted someone that understands those best practices and conducts that accordingly. But I mean, they're a popular target for fraudsters for a couple of reasons. One, they provide, or at least potential access to incredibly valuable data. I mean, so you're talking about customer accounts, identifying information for just a number of individuals, businesses, wherever the client lives may be. The use of social engineering makes it a little bit, I would say, easier with them, or the ability, at least to successfully employ social engineering at a call center. If you think about it, fraudsters are going to know the times of days when the employees are assigned to shifts in a call center that may be newer. They're doing their homework, I have seen this happen routinely, they know that if they start getting questions from the call center employee, or just hang up a call back, let's try again with someone else, you know, especially if it's in another language that may not be their first. So it's just taking advantage of that. And so it's kind of easier to socially hack a call center employee to get that account information than it would be to technologically hack if you will, into that database, because it at least with the constant I mean, you're talking about ones and zeros we're dealing with on the tech side of it.
But as it was mentioned a few minutes ago, the human side is completely different, and the way the brain is wired, and what it can fall for, I've seen some incredibly intricate emails that, you know, fortunately, I've been doing this for 30 years, so I kind of pick up on it. But for people who aren't as aware, especially at a call center, who may have just been hired and a fair amount of turnover there. It could be problematic. So it's the same issue that it is with others, though, is just making sure those call center employees are just watching out for account takeover and have the right type of education and making sure that frontline defense is there. Ensuring they know how to authenticate and make sure that they're not falling for those tactics. And you're hoping that the call centers are doing that. But that's, that's where you see that pickup.
Excellent. That's great information for the audience. I want to switch gears a little bit and ask some more fun and insightful questions here. If you were to build out a fraud practice at a firm, how would you design it? And what are must haves?
Oh, man, so I'm keen for a day with no budget. Let's start there. So yeah, as I'm going to have a credible fraud examination staff, of course. I'm going to have the top of the line real-time data analytics platform running, and you know, with all the parameters needed, and even you're moving into AI and, and a little bit more than machine learning and trying to do that, depending on size. And I'm kind of joking there. But you know, I want to make sure that I have got the right mix again, depending on the specifics of the organisation, between fraud examiners, and having a good audit staff on within that business that can read it as well. And just having that overall training. So you've got those who are experienced at making that examination, not just on the investigation side, it obviously still needs to be there because there's no way to completely eradicate fraud. But making sure that we've got proactive platforms and the controls that we have in place, but with good data analytics. So that we know as human beings going back to what we're talking about earlier, that we know how to read this and we know how to be effective. When you start looking at internal control. One of the part that is missing a lot of times is the monitoring aspect, it really is that analytics, and so making sure that we've got sufficient staff and the platform to know I only have all the controls in place that we need, but that we are effectively looking at it that we are monitoring and that we are continually evolving the assessment of our organisation. So you give me that, and I'm in good shape from the beginning.
I definitely could second you on that one, right. But Dun and Bradstreet has over 420 million businesses within our data cloud. And many of our clients rely on our data to make decisions. As noted in the December 2020 ACFE Benchmarking Report, we saw an increase of 80% in fraud by vendors and sellers. What can you recommend referring back to the previous question about data and analytics what can you recommend as a best practice, maybe it's a type of data or a type of technology to aid in business decision making in the b2b space?
I mean, it's just due diligence. I mean, it really boils down to due diligence with your vendors, your suppliers. I mean, that was interrupted. And mean, there was a reason for that. I mean, so much was interrupted what we could do what was normal. So it took us a while to get our footing, and we got there. And so whether it was due to supply chain disruptions, the move to just overall virtual operations, the inability to go to physical sites, we still needed to move quickly, but we couldn't. So we kind of found ourselves having to do business with new vendors and sellers. And we weren't really able to check all the boxes. So but you know, the thing is Dun & Bradstreet, there are tools out there that can help companies close that gap. And so whether it's by helping to research the new providers, or just scanning invoices, looking for red flags related to b2b fraud, you know, that's what we're seeing an increasing number of companies leaning on the tech to really help address that risk. The tools are there, it's just a matter of using them, and helping that as part of our overall fraud risk management plan in organisations.
Yeah, I think it's that balancing act, right? How many humans, how much technology? What's the right methodology to approach when building out the firm, but then also, in conducting daily business? Right, got to have that solid balancing act? If you could get your hands on any data set, as an investigator, or as a business owner? What would it be and why?
You know, going back to my days before I came to ACFE, the evaluation side, and even doing that, just a true ratio analysis, and really going back over time, and whether it's by the quarter, or whatever the time period, you know, the data nerd, me just kind of comes out. I mean, we have to have inquisitive minds, but then what we do in the fraud space, and to me, ratio analysis is one of those because you get to see those trends, really pay attention to it. The data is there. They don't lie, it's there. It's just a matter of being able to be inquisitive, you know, don't assume it, go in there and looking for it. That's, to me, that's fun. And looking for something that is an anomaly. And then kind of investigating a little bit.
I think for me, right is going back to some of the techniques and technology that you can deploy and seeing the outputs of that and getting the raw data and just analysing it. And just like you had just said, being a data geek, right? Having every fraud investigator is a little bit of a data geek, because we're always looking at things all day long. There's stuff that's very inquisitive to us, and we just really enjoy it. So I think you got to get a hands on your data set. And you got to see what's really going on.
But making sure it's material, though. I mean, I think we both agree on that. It's good that we go through, let's say, for example, prevalent entertain, of course, hadn't seen that in 18 months. But those are smaller. I mean, there's a place for I mean, we certainly don't want expense accounts, reimbursement, fraud and things like that. But within our organisation, that's why fraud risk assessment is so important, because we got to make sure that we are allocating what resources we have, I want to make sure that I'm getting the biggest bang for our buck. And that's going to be different for every organisation. But that's part of that analysis. As investigators, let's just make sure it's valuable for our organisation.
Yeah, and you can use that same approach when looking for a new vendor to aid in your fight against fraud. Yeah, what am I getting for $1 or $1 transaction or whatnot, making sure you're getting the best bang for your buck?
Yeah, the platforms are out there.
Exactly. So before we finish off, what would be your advice or recommendation to other businesses and fraud fighters out there?
Just keep fighting the good fight. You know, assuming there's not some other Greek alphabet variant on the horizon. And I pray it's not but I mean, it's, you know, we just have to keep going through this knowing that our circumstances have changed, and we've got to go in and really focus on looking at changes that fraudsters will make in the scope of what they're doing. I mean, we may not be in the same predicament that we were 20 months ago, but the business models have changed and there's still work from home policies that are in place, and that's okay. But we have to be mindful of the risks that are associated with it and simply because we're out shopping and the Coronavirus transmission rates are down doesn't mean that the fraud risk goes away. And we've got to make sure that we are vigilant that we keep fighting that good fight. And just be curious. I mean, we get really enraged a lot of times about, Wow, I can't believe they stole $8 million. As a fraud examiner, I want to know, why did they do that? And how did they do it? Because I want to be upset about it, sure. But I want to make sure that I can find a way to stop it in the future. That's the advice, that’s the recommendation.
Right. And you look at the fraud triangle: pressure, opportunity, rationalisation, to figuring out that why, what actually occurred and why they're doing it. It's great advice. Bruce, we appreciate you joining The Power of Data Podcast and sharing your expertise with our listeners. Should any of our listeners want to learn more about the ACFE please visit ACFE.com. Thank you very much. And we look forward to seeing you in Nashville in June.
Take care. We'll see you in Nashville.
Have a great day.