Title: Fraud Presentation Norway
1Fraud PresentationNorway
- Anne Green
- Fraud Consultant
- 0044 (0) 7813 855872
- anne.green_at_uk.experian.com
2Background
- BA (hons) Law/Social Science combined studies
- Member Institute of Credit Management (MICM)
- Member International Association for Financial
Crimes Investigators(IAFCI) - Five years as a Private Investigator
- Six Years in Credit Management/ Civil Litigation
- Thirteen Years HSBC Bank
- Last two years on attachment to the Dedicated
Cheque and Plastic Crime Unit (DCPCU)
3Fraud In an International Perspective
Global fraud losses are expected to reach 15.5
billion dollars by the end of 2005
Meridien
The UN estimates that between 590 billion and
1.5 trillion per year is laundered globally by
arms and human traffickers, drug dealers and
other criminals
4Fraud in an International Perspective
- 67.2 billion FBI estimates of what US
businesses lose annually because of computer
related crime Source USA Today - On-line banking fraud up 90 2004 2005) APACS
- An incidence of card fraud takes place on average
every 9 seconds in the UK APACS - Insurance fraud in the UK costs an estimated 2
billion per year
Meridien
CIFAS
CIFAS
5Fraud Awareness
- Fraud is happening
- Many companies think this its not hitting them
- Think they have adequate controls
- They dont
- It is costing them
- They dont know how much
6Organised Financial Crime
- Financial services based on trust
- People, families known
- Local Knowledge
- No longer Opportunist white collar crime
- Removal of borders
- EU Membership
- Economic Migrants
7Organised Financial Crime
- Importation of foreign criminals for fraud
- Cross-border nature of this crime
- Networks of corrupted staff
- Cellular working
- Technical sophistication
- Criminal gangs working internationally
- Global patterns, the scams travel
8Fraudsters Profile
- Who predicts fraud?
- The fraudsters, what are they doing?
9So its growing
- Fraud against financial institutions is
increasing - Frequency
- Average value of fraud
- Not just Banks
- Criminals target public private sectors
indiscriminately - Look for weak links
- Find weaknesses in the system the people
- Most fraudsters are not opportunists they are
linked to - serious and organised criminal groups
- Finding the links can be difficult
10Real size of the problem
- Real size of the problem unknown
- Many go undetected
- Many institutions bury fraud in their bad debt
numbers - Because they dont know
- Or because they cant be certain
- Collections staff are generally not fraud
experts - All we know for sure is
- Its bigger than we think!
11In simple terms
- Theft
-
- Deception
- Dishonestly obtaining and retaining credit
12Fraud Methods Traditional
- Application Fraud
- Account Takeover
- 3rd Party Fraud
- Clearing Cycle Fraud
- 419s
- Telemarketing
- Insurance Claims
- Money Laundering
13Current Trends
- Identity Theft
- Account takeover
- Cybercrime
- Phishing
- Hacking
- 1st Party Fraud
- Data compromise
- Internal/staff Fraud
- Bust out/credit manipulation
14Cybercrime
- Criminal economy thats robs US businesses of
67.2b - FBI US Secret Service work on disruptions
- Typical cost of goods and services in Forums-
- - 1,000 to 5,000 Trojan program that can
transfer funds between online accounts - - 500 credit card number with pin
- - 80 to 300 change of billing data, to include
account number, address, social security number,
DOB - - 150 driver licence
- - 150 Birth certificate
- - 100 social security card
- - 7 to 25 credit card with security code and
expiry date - - 7 paypal account logon and password
- USA Today
15Application Fraud
- Application fraud involves criminal using stolen
or false documents to open credit accounts - Criminals may obtain details from public sources
- Telephone directory
- Newspapers
- Internet
- Electoral register
- Criminals will pay for data
- Internal staff fraud an increasing threat
- Corrupt staff
- Example, bank clerk using false documents to open
60 accounts
16Application Fraud
- Prosecutions for individuals making fraudulent
applications for credit are rare - Credit reference agencies place great trust in
Voters Roll - Council departments do not verify identity
- Can change your name at any time
- Form completed, taken to Solicitor 5 fixed fee,
sworn on oath - No identity checks undertaken
- Form can be used to have passport amended
17Application Fraud
Alternately they may try to steal documents such
as utility bills and bank statements to build a
personal profile
- They may use counterfeited documents for
identification purposes - Driving licences
- Passports
- ID Cards
- All readily available over the internet cheaply
- A convincing driving licence in any name for 33
- Total loss through application fraud over
24million in 2004 in the UK alone
18Spoof web Site
- Web sites set up to obtain details
- Know Cases
- Credit Records
- Cheap Car Insurance
- Internet Service Transaction Supplier
- Be wary of sites selling goods/services at
unbelievable prices, the old adage if it seems
too good to be true it probably is
19Identity Theft/Impersonation
- Identity theft fastest growing financial crime
- Home Office figures state costing UK economy
1.7bn
20An attractive crime
- Relatively low risk
- Offers high returns
- Easily attempted
- Frequently regarded as victimless crime
- Many organisations have weak defences
21Identification
- A variety of documents are used as evidence of
identity and will vary between countries. No
harmonisation amongst EU Countries - UK
- Driving Licence
- Passport
- Birth certificate
- National insurance Number
- NHS Card
- USA
- Social Security Number (SSNs) used universally
for credit applications - Photo driving Licence
22Identification
- Netherlands
- No unique Identifier antipathy towards ID
historical resonance from world war 11 - Uses Verification of Identity System (VIS)
lost/stolen documents Dutch Police - Six Million records including deceased file, also
includes other country documents Passport - Database can be accessed by public Private
sectors - 3million checks to data base made each year
- Specific offence for identity, e.g.. Forging a
driving licence 5 years - Strict controls for changing names reason
- Can change forename by disposition in front of a
Judge
23Identification
- Belgium
- Compulsory Identity Cards
- 10 million Belgium's must notify their address to
police - Check made to home address to confirm
- SIS card for social security purposes
- France
- 60 Million Citizens hold Identity cards, but not
compulsory
24Identification
- Passport presented for formal proof of ID
- ID valid for 10 years but numbering not
continuous - Legal constraints on Public/private sharing of
data - SPAIN
- Compulsory ID Card Issued by local police at age
14 - 46 million cards valid for ten years
- Must be carried at all times
- Contains, name, address, photo, nationality,
signature,place, DOB, parents name - Also used as a travel document
25Identification
- Germany
- 82 million Citizens obliged to carry Photo ID
- Passport for claiming benefits
- Passport for driving licence or offences
- Home addresses registered with local civic
authorities - Processes used in the issuing and checking of
documents used as evidence of identity are not
secure
26Identification
- Denmark
- All 5 Million Citizens have a unique ID number
- -linked to centralised civil registration System
- -holds data on name, address, place of birth,
kinship, marital status, spouse details - System introduced in 1968
- Id number used almost entire public
administration, including tax, banks and insurers - Citizens legally advised to inform government
when they move house - Between 1968 and 1995 individuals were issued
with a card bearing their name, ID number, dob,
but no photo on card - Stopped as ineffective and expensive
27Identification The Problem
- Identification Legacy systems
- Pre computers
- No world experts on document validation
- Fake/genuine documents easily bought
- Demographic changes
28Account Opening
- New accounts, essential
- - Authentication of people
- - Validation of documents
- - Verification of data
- - Cross matching for data irregularities
- Fraudsters know to make multiple requests on
assumption one will pass - Willing to sit on accounts for years before
attack
29Data Protection
- Data protection Act set up to protect privacy of
individuals - Fraudsters exploiting the DPA to their advantage
- Organisations unwilling or unable to share fraud
outcome data - Cross border/Cross EU communities interpretation
or understanding of DPA
30Organised Criminal
- Will cross organisations
- Different sectors
- Countries
- Understand fraud detection systems, hot lists
- Company policies and procedures
31Internal Staff Fraud
- Weakness within any organisation
- THE PEOPLE
32Internal Staff Fraud
- As measures are put in place to combat fraud like
Chip N Pin - Fraudsters moving with the times to exploit
weaknesses and look for new opportunities, they
need help from within! - Account takeover
- Data compromise
- Genuine Plastics/Bank accounts
- ID Fraud / Improvisation
- CNP Fraud
- Bust out/credit manipulation
- New technology utilised to transfer data
- Mobile phones
- Key catcher
- Portable data storage devices (e.g Pen)
33Methodologies
- Staff recruited whilst at night-clubs, bars,cafes
close to financial institutions premises - Generally young and impressionable
- Easy target / weaknesses
- Low paid jobs call centre, data inputting
- Unmotivated, lack of loyalty, bravado
- Motive for employees to supplement income
34 35Operation Horizon
- High performance sales staff at a high street
bank - Opened 1,200 accounts over nine months period
- Losses c.3m
- Had accepted false IDs and documents
- Used same on all accounts
- Audits on accounts would have highlighted same
details used
36Operation Ecru
- Eight bank staff members identified
- Unknown/unconnected to each other
- Recruited in the street and offered 1,000 a time
for account information - Targeting high status accounts
- Changed address then opened up card facilities
- Fraudulent CHAPS payments to transfer money from
premier account to card account - Attack on bank bears hallmarks of organised level
two criminal group with access to bank
procedures, personal information and
stolen/counterfeit documents
37Operation Ecru
- CHAPS (Clocks) password changed daily
- Used stolen bank CHAPS forms. Faxed over to
CHAPS, altered to reflect a recognisable fax
number - Post-arrest, how to defraud the banks book
recovered on suspect - One staff member had Rolex watch and drove top
range Mercedes. Previously sacked from another
bank - Also found Dun Bradstreet.com company searches
showing directors home address and bank details
38Operation Rhea
- Referral from high street bank
- Premier accounts compromised and fraudulent
transfers made to student accounts - Students recruited to accept bill payments into
their accounts - On receipt of funds, taken shopping to obtain
goods/cash - Common link on premier a/accounts (point of
compromise) identified by bank as a major
insurance company
39Operation Rhea
- Insurance company holding bank details to send
insurance credits - Originally problems in insurance companys audit
trails no system in place to see who had viewed
accounts - Fix put into place and staff member arrested
- Evidence that data from most of the high streets
banks had been compromised - Student turned victims as payments reversed off
a/accounts so left with the debt
40Easy Policing
- Assumption or fact, most internal fraud in call
centres - Temporary staff
- Systems in place to detect
- High volumes found/low value
- Other areas, procurement, acquisitions high value
- Technology in criminal fraternity, greater than
found in most organisations - If not looking, will not find
41Whos at risk ?
- Any organisation
- Fraudsters know no boundaries
- Despite best practice (audit, compliance etc),
fraudsters have the motivation, incentive and
time to look for weaknesses in your systems
42Warning signs
- Lifestyle
- Living beyond means
- Obvious sighs of wealth
- Exceptional performer
- Experienced staff, not wanting job changes or
promotions - Excessive (unpaid) sick time with no explanation
- Complaints (customer / external)
- Increase in losses
43Lessons to be learned
- Customer sign up procedures more rigorous than
staff recruitment ? - Know your customer vs. know your staff
- Thoroughly check CVs
- Identify discrepancies
- IDs
- Exam certificates
- Status enquiries (voters roll, credit enquiries)
- Limiting computer access/regular password changes
- Regular audit trails
44Lessons to be learned
- Third party suppliers
- Regular audits
- Processes / Procedures
- Staffing policies
- Seasonal Staff, urgency
- Upon identifying internal staff fraud, decide
early in the process which route to take - Criminal / Police
- Civil / Employment law
45Controls
- Do your staff know where to go if they have
suspicions ? - Have you got controls in place to identify and
deal with suspicions of fraud ? - Are they adequate, up to date, reviewed ?
- Are staff aware of potential consequences if
caught committing fraud - Are they applied ?
46 47Experian Fraud solutions
- Product solutions
- Hunter
- Authenticate
- Detect
- Detect Credit Score
- Fraud Bureau
- Backgroundcheck.com