Sunday 6 March 2011

Report: Joint IISP and ISACA event in Scotland

The Scottish branch of the IISP and ISACA Scotland hosted a joint talk on the 17th of February at the English Speaking Union with our guest speaker, Louise Behan, of the Lothian And Borders Police Specialist Fraud Unit.

Louise described the remit of the fraud unit, which includes: investigation of contraventions of the Company, Insolvency and Bankruptcy laws; all public sector corruption enquiries; major or complex enquiries involving offences against the financial industry; major embezzlements, particularly those perpetrated by professional persons such as solicitors, accountants and bank officials; enquiries from government departments, the Procurator Fiscal and the Crown Office Fraud Unit; multiple account enquiries, e.g. cross-firing of cheques; collusive merchant enquiries; counterfeit credit cards; major credit/debit card enquiries; and complex enquiries from other Forces and Agencies.

A significant amount of casework the fraud squad deals with originates in people misusing systems in place or getting round technical controls. In terms of honesty, Louise pointed out that a recent survey showed that most people (80%) are not 100% honest. When times are hard, as now, crime tends to increase, as people struggle with difficult economic circumstances. Very often, the cases dealt with by the Unit have as their main suspect someone with no criminal record. This also means that profiling fraudsters is hard – and of course the best ones are very good at hiding it.

Louise estimated around a third of the fraud she personally sees is internal – with an employee or manager of a company discovering a weak control that can be subverted, and using their position to hide the evidence of fraud. She provided a quick look at some niche frauds, where a criminal has found an area where they could make money in the short term – such as forging one pound coins. It’s unexpected, and when the fakes were good enough, it remained undiscovered for many years. Even ‘small’ frauds can evidently mount up to significant losses, and so the point is that a long term ‘small’ scheme can have just as much impact as a short term ‘big hit’.

In subverting IT controls for financial gain, the risk can be perceived by individuals as very low, whereas the reward can be very high. For example, mortgage fraud can net large sums of money. For the fraud unit investigating these crimes, the issue is that if the controls are too poor, gaining enough evidence to present a reasonable case can be a challenge. If you don’t keep solid audit logs and implement strong access controls, you may be left with insufficient evidence when your systems are breached, and without sufficient evidence the Procurator Fiscal cannot take the case forward to prosecution.

The nature of fraud means that investigations often take some time, and there are evidential requirements which can take some time to fulfil, such as obtaining and executing warrants to obtain information, which requires to be appropriately authenticated, and ensuring continuity of evidence during seizure. Recovery of money or loss depends entirely on the criminal – if there are recoverable assets, the police always look at the potential for compensation; however, if the fraud is remote (e.g. perpetrated from outwith the UK), the likelihood of recovery tends to be less. And if the criminal has no assets then recovery isn’t possible.

The aim of the unit is to make the life of the fraudster as unattractive and uncomfortable as possible. It’s not likely to be an aim with an end in sight – fraud is only limited by human ingenuity – but we continue nonetheless to try to keep up, or sometimes get ahead a little.

So what can you do to help?

  • Keep an eye out for known individuals – the Fraud Squad and SCDEA do provide information to intelligence departments in banks
  • Audit rigorously and log everything
  • Use mystery shoppers to test in-store security procedures
  • Make examples of the ones who get caught – especially for internal fraud
  • Understand the mind of the fraudster – how would YOU subvert your controls?

The next ISACA meeting is on the 17th of March, and the next IISP Scotland meeting will be towards the end of May.