Fraud Presentation Norway

1
Fraud PresentationNorway

• Anne Green
• Fraud Consultant
• 0044 (0) 7813 855872
• anne.green_at_uk.experian.com

2
Background

• BA (hons) Law/Social Science combined studies
• Member Institute of Credit Management (MICM)
• Member International Association for Financial
  Crimes Investigators(IAFCI)
• Five years as a Private Investigator
• Six Years in Credit Management/ Civil Litigation
• Thirteen Years HSBC Bank
• Last two years on attachment to the Dedicated
  Cheque and Plastic Crime Unit (DCPCU)

3
Fraud In an International Perspective

Global fraud losses are expected to reach 15.5
billion dollars by the end of 2005
Meridien
The UN estimates that between 590 billion and
1.5 trillion per year is laundered globally by
arms and human traffickers, drug dealers and
other criminals
4
Fraud in an International Perspective

• 67.2 billion FBI estimates of what US
  businesses lose annually because of computer
  related crime Source USA Today
• On-line banking fraud up 90 2004 2005) APACS
• An incidence of card fraud takes place on average
  every 9 seconds in the UK APACS
• Insurance fraud in the UK costs an estimated 2
  billion per year

Meridien
CIFAS
CIFAS
5
Fraud Awareness

• Fraud is happening
• Many companies think this its not hitting them
• Think they have adequate controls
• They dont
• It is costing them
• They dont know how much

6
Organised Financial Crime

• Financial services based on trust
• People, families known
• Local Knowledge
• No longer Opportunist white collar crime
• Removal of borders
• EU Membership
• Economic Migrants

7
Organised Financial Crime

• Importation of foreign criminals for fraud
• Cross-border nature of this crime
• Networks of corrupted staff
• Cellular working
• Technical sophistication
• Criminal gangs working internationally
• Global patterns, the scams travel

8
Fraudsters Profile

• Who predicts fraud?
• The fraudsters, what are they doing?

9
So its growing

• Fraud against financial institutions is
  increasing
• Frequency
• Average value of fraud
• Not just Banks
• Criminals target public private sectors
  indiscriminately
• Look for weak links
• Find weaknesses in the system the people
• Most fraudsters are not opportunists they are
  linked to
• serious and organised criminal groups
• Finding the links can be difficult

10
Real size of the problem

• Real size of the problem unknown
• Many go undetected
• Many institutions bury fraud in their bad debt
  numbers
• Because they dont know
• Or because they cant be certain
• Collections staff are generally not fraud
  experts
• All we know for sure is
• Its bigger than we think!

11
In simple terms

• Theft
• Deception
• Dishonestly obtaining and retaining credit

12
Fraud Methods Traditional

• Application Fraud
• Account Takeover
• 3rd Party Fraud
• Clearing Cycle Fraud
• 419s
• Telemarketing
• Insurance Claims
• Money Laundering

13
Current Trends

• Identity Theft
• Account takeover
• Cybercrime
• Phishing
• Hacking
• 1st Party Fraud
• Data compromise
• Internal/staff Fraud
• Bust out/credit manipulation

14
Cybercrime

• Criminal economy thats robs US businesses of
  67.2b
• FBI US Secret Service work on disruptions
• Typical cost of goods and services in Forums-
• - 1,000 to 5,000 Trojan program that can
  transfer funds between online accounts
• - 500 credit card number with pin
• - 80 to 300 change of billing data, to include
  account number, address, social security number,
  DOB
• - 150 driver licence
• - 150 Birth certificate
• - 100 social security card
• - 7 to 25 credit card with security code and
  expiry date
• - 7 paypal account logon and password
• USA Today

15
Application Fraud

• Application fraud involves criminal using stolen
  or false documents to open credit accounts
• Criminals may obtain details from public sources
• Telephone directory
• Newspapers
• Internet
• Electoral register
• Criminals will pay for data
• Internal staff fraud an increasing threat
• Corrupt staff
• Example, bank clerk using false documents to open
  60 accounts

16
Application Fraud

• Prosecutions for individuals making fraudulent
  applications for credit are rare
• Credit reference agencies place great trust in
  Voters Roll
• Council departments do not verify identity
• Can change your name at any time
• Form completed, taken to Solicitor 5 fixed fee,
  sworn on oath
• No identity checks undertaken
• Form can be used to have passport amended

17
Application Fraud
Alternately they may try to steal documents such
as utility bills and bank statements to build a
personal profile

• They may use counterfeited documents for
  identification purposes
• Driving licences
• Passports
• ID Cards
• All readily available over the internet cheaply
• A convincing driving licence in any name for 33
• Total loss through application fraud over
  24million in 2004 in the UK alone

18
Spoof web Site

• Web sites set up to obtain details
• Know Cases
• Credit Records
• Cheap Car Insurance
• Internet Service Transaction Supplier
• Be wary of sites selling goods/services at
  unbelievable prices, the old adage if it seems
  too good to be true it probably is

19
Identity Theft/Impersonation

• Identity theft fastest growing financial crime
• Home Office figures state costing UK economy
  1.7bn

20
An attractive crime

• Relatively low risk
• Offers high returns
• Easily attempted
• Frequently regarded as victimless crime
• Many organisations have weak defences

21
Identification

• A variety of documents are used as evidence of
  identity and will vary between countries. No
  harmonisation amongst EU Countries
• UK
• Driving Licence
• Passport
• Birth certificate
• National insurance Number
• NHS Card
• USA
• Social Security Number (SSNs) used universally
  for credit applications
• Photo driving Licence

22
Identification

• Netherlands
• No unique Identifier antipathy towards ID
  historical resonance from world war 11
• Uses Verification of Identity System (VIS)
  lost/stolen documents Dutch Police
• Six Million records including deceased file, also
  includes other country documents Passport
• Database can be accessed by public Private
  sectors
• 3million checks to data base made each year
• Specific offence for identity, e.g.. Forging a
  driving licence 5 years
• Strict controls for changing names reason
• Can change forename by disposition in front of a
  Judge

23
Identification

• Belgium
• Compulsory Identity Cards
• 10 million Belgium's must notify their address to
  police
• Check made to home address to confirm
• SIS card for social security purposes
• France
• 60 Million Citizens hold Identity cards, but not
  compulsory

24
Identification

• Passport presented for formal proof of ID
• ID valid for 10 years but numbering not
  continuous
• Legal constraints on Public/private sharing of
  data
• SPAIN
• Compulsory ID Card Issued by local police at age
  14
• 46 million cards valid for ten years
• Must be carried at all times
• Contains, name, address, photo, nationality,
  signature,place, DOB, parents name
• Also used as a travel document

25
Identification

• Germany
• 82 million Citizens obliged to carry Photo ID
• Passport for claiming benefits
• Passport for driving licence or offences
• Home addresses registered with local civic
  authorities
• Processes used in the issuing and checking of
  documents used as evidence of identity are not
  secure

26
Identification

• Denmark
• All 5 Million Citizens have a unique ID number
• -linked to centralised civil registration System
• -holds data on name, address, place of birth,
  kinship, marital status, spouse details
• System introduced in 1968
• Id number used almost entire public
  administration, including tax, banks and insurers
• Citizens legally advised to inform government
  when they move house
• Between 1968 and 1995 individuals were issued
  with a card bearing their name, ID number, dob,
  but no photo on card
• Stopped as ineffective and expensive

27
Identification The Problem

• Identification Legacy systems
• Pre computers
• No world experts on document validation
• Fake/genuine documents easily bought
• Demographic changes

28
Account Opening

• New accounts, essential
• - Authentication of people
• - Validation of documents
• - Verification of data
• - Cross matching for data irregularities
• Fraudsters know to make multiple requests on
  assumption one will pass
• Willing to sit on accounts for years before
  attack

29
Data Protection

• Data protection Act set up to protect privacy of
  individuals
• Fraudsters exploiting the DPA to their advantage
• Organisations unwilling or unable to share fraud
  outcome data
• Cross border/Cross EU communities interpretation
  or understanding of DPA

30
Organised Criminal

• Will cross organisations
• Different sectors
• Countries
• Understand fraud detection systems, hot lists
• Company policies and procedures

31
Internal Staff Fraud

• Weakness within any organisation
• THE PEOPLE

32
Internal Staff Fraud

• As measures are put in place to combat fraud like
  Chip N Pin
• Fraudsters moving with the times to exploit
  weaknesses and look for new opportunities, they
  need help from within!
• Account takeover
• Data compromise
• Genuine Plastics/Bank accounts
• ID Fraud / Improvisation
• CNP Fraud
• Bust out/credit manipulation
• New technology utilised to transfer data
• Mobile phones
• Key catcher
• Portable data storage devices (e.g Pen)

33
Methodologies

• Staff recruited whilst at night-clubs, bars,cafes
  close to financial institutions premises
• Generally young and impressionable
• Easy target / weaknesses
• Low paid jobs call centre, data inputting
• Unmotivated, lack of loyalty, bravado
• Motive for employees to supplement income

34

• Case Studies

35
Operation Horizon

• High performance sales staff at a high street
  bank
• Opened 1,200 accounts over nine months period
• Losses c.3m
• Had accepted false IDs and documents
• Used same on all accounts
• Audits on accounts would have highlighted same
  details used

36
Operation Ecru

• Eight bank staff members identified
• Unknown/unconnected to each other
• Recruited in the street and offered 1,000 a time
  for account information
• Targeting high status accounts
• Changed address then opened up card facilities
• Fraudulent CHAPS payments to transfer money from
  premier account to card account
• Attack on bank bears hallmarks of organised level
  two criminal group with access to bank
  procedures, personal information and
  stolen/counterfeit documents

37
Operation Ecru

• CHAPS (Clocks) password changed daily
• Used stolen bank CHAPS forms. Faxed over to
  CHAPS, altered to reflect a recognisable fax
  number
• Post-arrest, how to defraud the banks book
  recovered on suspect
• One staff member had Rolex watch and drove top
  range Mercedes. Previously sacked from another
  bank
• Also found Dun Bradstreet.com company searches
  showing directors home address and bank details

38
Operation Rhea

• Referral from high street bank
• Premier accounts compromised and fraudulent
  transfers made to student accounts
• Students recruited to accept bill payments into
  their accounts
• On receipt of funds, taken shopping to obtain
  goods/cash
• Common link on premier a/accounts (point of
  compromise) identified by bank as a major
  insurance company

39
Operation Rhea

• Insurance company holding bank details to send
  insurance credits
• Originally problems in insurance companys audit
  trails no system in place to see who had viewed
  accounts
• Fix put into place and staff member arrested
• Evidence that data from most of the high streets
  banks had been compromised
• Student turned victims as payments reversed off
  a/accounts so left with the debt

40
Easy Policing

• Assumption or fact, most internal fraud in call
  centres
• Temporary staff
• Systems in place to detect
• High volumes found/low value
• Other areas, procurement, acquisitions high value
• Technology in criminal fraternity, greater than
  found in most organisations
• If not looking, will not find

41
Whos at risk ?

• Any organisation
• Fraudsters know no boundaries
• Despite best practice (audit, compliance etc),
  fraudsters have the motivation, incentive and
  time to look for weaknesses in your systems

42
Warning signs

• Lifestyle
• Living beyond means
• Obvious sighs of wealth
• Exceptional performer
• Experienced staff, not wanting job changes or
  promotions
• Excessive (unpaid) sick time with no explanation
• Complaints (customer / external)
• Increase in losses

43
Lessons to be learned

• Customer sign up procedures more rigorous than
  staff recruitment ?
• Know your customer vs. know your staff
• Thoroughly check CVs
• Identify discrepancies
• IDs
• Exam certificates
• Status enquiries (voters roll, credit enquiries)
• Limiting computer access/regular password changes
• Regular audit trails

44
Lessons to be learned

• Third party suppliers
• Regular audits
• Processes / Procedures
• Staffing policies
• Seasonal Staff, urgency
• Upon identifying internal staff fraud, decide
  early in the process which route to take
• Criminal / Police
• Civil / Employment law

45
Controls

• Do your staff know where to go if they have
  suspicions ?
• Have you got controls in place to identify and
  deal with suspicions of fraud ?
• Are they adequate, up to date, reviewed ?
• Are staff aware of potential consequences if
  caught committing fraud
• Are they applied ?

46

• Sharing Intelligence

47
Experian Fraud solutions

• Product solutions
• Hunter
• Authenticate
• Detect
• Detect Credit Score
• Fraud Bureau
• Backgroundcheck.com