Written by Richard Hurley, Communications Manager, CIFAS – The UK’s Fraud Prevention Service
Analysis of frauds recorded on the CIFAS Internal Fraud Database reveals another sharp increase in the level of staff fraud during 2013 (when compared with 2012). Within this increase, however, several interesting variations have been spotted:
- There was an 18% rise in the total number of staff frauds recorded in 2013 when compared with 2012.
- Attempts to obtain employment fraudulently (e.g. by not declaring previous convictions for falsely claiming qualifications) shot up by over 70%, demonstrating that organisations are now increasingly vetting prospective employees properly.
- While the level of dishonest actions by staff to gain a benefit by theft or deception (e.g. theft of cash from customer accounts) decreased, these frauds still account for 40% of all confirmed insider frauds.
- Frauds where an organisation’s staff stole customer or commercial data continued to rise.
(Numerical tables are included in the Notes for Editors below).
Success of counter fraud measures leaves unprotected organisations vulnerable
Historically, many organisations readily accepted the potential damage that customer fraud might inflict, but remained reticent about acknowledging the dangers and risks of fraud committed by staff. The 18% increase recorded during 2013 proves that organisations have started to treat these insider frauds as seriously.
CIFAS Communications Manager, Richard Hurley, comments: “Like customers, the vast majority of an organisation’s staff will be totally honest. However, it is the few who are not so honest that tend to be the first to identify the Achilles’ heel or weak controls within an organisation. Enhanced screening processes, tightened security and a better understanding of how insider fraud is committed will impact upon far more than just a balance sheet: all these measures have undoubtedly contributed to the continued increase in identifying confirmed fraud levels. While the frauds may always have been there, organisations are now being seen to do something about them. Identifying and sharing data about such frauds is a small but powerful step. Organisations that do not take the insider threat seriously should be aware of the inherent danger in underestimating the risks.
K.Y.E. – Know Your Employee!
In 2013, organisations that shared data on confirmed cases of insider fraud noted a very large (71%) increase in fraudulent attempts to gain employment. With the UK reported to be entering a more robust and healthy period in terms of recruitment, the dangers of employing someone who has made wholly fraudulent claims regarding his or her employment eligibility, history or professional qualifications become more marked.
Richard Hurley notes: “There is a huge difference between an individual submitting an application that might exaggerate professional achievements and making knowingly false declarations. These have ranged from some individuals concealing poor credit histories – when financial regulators require a clean history for specific positions – through to others claiming to have professional qualifications (essential for the role) that they do not. The risk posed by employing someone – for instance – in a role with a huge budget responsible for hundreds of jobs, when that person has fraudulently claimed to have necessary financial qualification is a serious one. Inevitably organisations are increasingly aware that the efforts that they have put into verifying information submitted by consumers applying for products have to be matched by the same rigour when it comes to recruiting an employee.”
Deceptive actions and theft of data remain serious issues
Attempts to gain benefit by deception or manipulation while in a job remained a serious threat during 2013, in spite of the apparent 5% decrease. The theft of cash from either a customer, submitting false invoices or attempting to manipulate systems in order to beat targets are some of the most common frauds of this kind. Such frauds constituted 40% of all insider frauds in 2013. While economic hardship might be a motivating factor for some, many such frauds are purely exploitative (e.g. targeting accounts of elderly or vulnerable citizens or attempting to undermine other colleagues). The continued high level of these frauds therefore underlines why organisations must have good support networks in place for staff who are struggling financially, to help reduce the risk of them committing internal fraud in desperation.
Recent years have also seen a dramatic rise in the number of instances of staff unlawfully obtaining and disclosing data, and the increase recorded in 2012 continued into 2013. This fraud type specifically relates to organised criminality, with a large number of proven cases related to staff disclosing customer data to third parties. With data-driven identity crime accounting for over 60% of all frauds recorded to the CIFAS National Fraud Database, this continued increase must serve as a warning to all organisations: such frauds may be comparatively rare, but they help to facilitate thousands of other frauds that affect you, your customers and your commercial reputation.
Comment from CIFAS Chief Executive
CIFAS Chief Executive, Simon Dukes, concludes: “The vulnerabilities inside an organisation are as real and in many cases even more dangerous than those that outsiders might try to exploit. This is something that responsible governance has recognised: that the insider risk may occur less frequently, but it is the insider who can wreak far more damage and breach the trust of an organisation. Not only does the rogue element inside your organisation have access to your most valuable possessions but, as recent CIFAS research has demonstrated, the collateral damage created by their frauds far exceeds any initial financial amount and can actually be four times greater than the sum that is initially lost. Such frauds attack an organisation’s productivity and the morale of remaining staff, and can result in fines, compensation payments, many man-hours taken to clear up the resultant mess and incalculable reputational damage. Simply put, being attacked from the inside is something no organisation wishes to face. The trends captured here therefore indicate underlying good news: namely that more and more organisations have started to detect, identify and share data on confirmed internal fraud cases in order to prevent further fraud. They also underline, however, the very real dangers posed by those few bad apples whose frauds undermine the health of an organisation and the morale and livelihood of their honest, hardworking colleagues.”
This press release is also available online: www.cifas.org.uk/insiderfraudtrends_janfourteen
Notes to Editors:
- CIFAS is the UK’s Fraud Prevention Service – providing the UK’s most comprehensive databases of confirmed fraud data, as well as an extensive range of fraud prevention services, to 300 organisations from the public and private sectors. Organisations share fraud information in order to prevent fraud and come from a variety of sectors including banking, grant giving, credit card, asset finance, retail credit, mail order and online retailer, insurance, saving, telecommunication, factoring, share dealing, vetting agencies, contact centres and insurance brokering sectors. CIFAS is unique and was the first data sharing scheme of its type in the world. Other schemes modelled on CIFAS have been set up in Southern Africa and Germany.
- CIFAS launched its Staff Fraud Database in 2006, which currently has 104 Members encompassing over 260 organisations sharing information on frauds that have been perpetrated against participating organisations. These organisations are drawn from the UK financial services industry, telecommunications, insurance, recruitment and other business sectors. The launch of the Database was carried out in consultation with: the Information Commissioner’s Office, the Financial Services Authority (now Financial Conduct Authority); the Confederation of British Industry; the Trades Union Congress and Chartered Institute for Personnel and Development.
- The following tables show a summary of the statistics and the number of fraud cases recorded by CIFAS Staff Fraud Members during 2012, broken down by the type of fraud identified. Definitions are given below the table.
|Fraud cases identified||539||638||+18.4%|
CIFAS Members must investigate and reach a ‘burden of proof’ (i.e. there must be evidence of an identifiable criminal act) before filing to the Staff Fraud Database. More than one reason for filing a fraud can be identified, meaning that the total number of reasons can differ from the number of staff fraud cases identified. Reasons for filing to the database are defined as:
|Fraud Type||2012||2013||% Change|
|Dishonest action by staff to obtain a benefit by theft or deception||268||254||-5.2%|
|Employment application fraud (successful)||34||31||-8.8%|
|Employment application fraud (unsuccessful)||171||293||+71.3%|
|Unlawful obtaining or disclosure of commercial data||2||4||+100.0%|
|Unlawful obtaining or disclosure of personal data||46||48||+4.3%|
Account Fraud – Unauthorised activity on a customer account by a member of staff knowingly and with intent to obtain or attempt to obtain a benefit for himself or others.
Dishonest action by staff to obtain a benefit by theft or deception – Where a person knowingly, and with intent, obtains or attempts to obtain a benefit for himself and/or others through a dishonest action, and where such conduct would constitute an offence.
Employment application fraud (Successful) – A successful application for employment or to provide services with serious material falsehoods in the information provided. This includes the presentation by the applicant of false or forged documents for the purpose of obtaining a benefit.
Employment application fraud (Unsuccessful) – An unsuccessful application for employment or to provide services with serious material falsehoods in the information provided. This includes the presentation by the applicant of false or forged documents for the purpose of obtaining a benefit.
Unlawful obtaining or disclosure of commercial data – The use of commercial/business/company data where the data is obtained, disclosed or procured without the consent of the data owner. This includes the use of commercial data for unauthorised purposes that could place any Member at a financial or operational risk.
Unlawful obtaining or disclosure of personal data – The use of personal data where the data are obtained, disclosed or procured without the consent of the data controller. This includes the use of personal data for unauthorised purposes that could place any Member at a financial or operational risk.