Do you have an operational fraud program? Does your operational fraud program link to your enterprise-wide incident response plan?
This article first appeared in the Fall 2009 issue of Inside Homeland Security magazine.
By William Anderson, CFCI, CAS, CHS-III
It’s Saturday night at 11 p.m. and your cell phone rings. It’s your information security manager, fraud manager, and public relations manager. The information security manager reports suspicious activity on several accounts. The fraud manager says the company’s security hotline has also received calls from consumers, law enforcement agencies, and industry fraud/security colleagues asking for assistance with activity on these same accounts. The media has called your public relations manager as well, asking whether the company will comment on a story about the fraudulent activity that they are preparing for Monday’s newspaper. Does this scenario sound familiar? Do you have an operational fraud program? Does your operational fraud program link to your enterprise-wide incident response plan?
In the wake of financial bailouts and financial crises, are organizations equipped to meet the demands of fraudulent activities, identity theft, and insider threats? How does an operational fraud program or anti-fraud program play a pivotal role in reducing fraud? Recently, the Federal Bureau of Investigation announced that the number of open mortgage fraud investigations was more than 1,600 at the end of fiscal 2008, which ended September 30, 2008, compared with 881 in 2006.
What is Operational Fraud?
Operational fraud is the risk of incurring fraudulent loss of assets through an organization’s exposure to deception, theft, diversion, or mismanagement of transactions, customer information, account information, and data transfers. Operational fraud detection requires blending traditional fraud, corporate security, forensic investigation, and information security disciplines, coupled with information sharing with the law enforcement community and industry colleagues, to reduce potential fraud risks and fraud losses. As evolving cyber criminals manipulate or socially engineer businesses and create new fraudulent schemes and risks such as phishing, identity theft, or account takeovers, it is incumbent on fraud or security departments to build anti-fraud activities into the organizational and process levels so that warning signs of fraudulent activity are recognized. As warning signs and fraudulent incidents are recognized, fraud departments should share information with local, state, and federal stakeholders, along with other fraud departments, to establish and maintain a data-sharing platform that tracks, trends, and analyzes fraud patterns and so mitigates risk to their organizations. Unfortunately, not all companies have the in-house expertise or bandwidth to identify, detect, monitor, or mitigate fraud risks, and the chief security officer (CSO), security director, or fraud director may need to adopt a centralized strategy or seek the assistance of a third-party vendor with expertise in financial crimes, identity theft, intellectual property investigations, technology investigations, account takeover fraud, transaction fraud, or digital forensic investigations.
An operational fraud program should have three core program areas: governance, tactical, and compliance. Together these core program areas create and support a fraud-resilient culture.
Governance: An effective operational fraud program starts with a tone-at-the-top charter and policy, which establishes the control environment. The operational fraud policy should be built on elements of the Code of Conduct/Ethics statement so that it carries the appropriate authority and visibility. In the governance phase, the CSO or security director should be instrumental in developing and implementing the charter or policy by defining and documenting an anti-fraud strategy and promoting the importance of anti-fraud programs to executive management and employees. Once governance is established, the implementation, or tactical, phase should begin.
Tactical: The tactical phase is the “how the program is implemented” phase. The operational fraud implementation phase should incorporate the following elements:
Risk assessment
Anti-fraud procedures and practices
Anti-fraud countermeasures
Communication strategy for anti-fraud programs to employees
Anti-fraud and social engineering awareness training for employees
Continuous event monitoring strategies to identify, detect, monitor, and mitigate fraud risks
Communication strategy and memorandum of understanding to share information with industry colleagues and the law enforcement community
A repeatable, measurable, and actionable information-sharing platform with industry colleagues and the law enforcement community
In the tactical phase, information sharing is a significant hurdle for organizations and law enforcement agencies to overcome. In some cases, information sharing is a sizeable internal challenge for the organization itself. With competing priorities and projects, business units may each hold their own fraud data points (i.e., credit card fraud, anti-money-laundering activity, account takeover fraud, identity fraud, deposit fraud, mortgage fraud, etc.) but have no centralized repository for housing, analyzing, and sharing fraud data with other business units, let alone with government or law enforcement agencies. While each business unit has a specific mission and respective mandate (i.e., Bank Secrecy Act, anti-money laundering, FACTA identity theft red flags, credit card fraud, etc.), internal organizational structures or policies can place limitations on information sharing. The fraudsters, in contrast, understand these limitations well: they have demonstrated the value of sharing data among themselves by finding ways to circumvent anti-fraud programs. A number of information-sharing initiatives now exist, and organizations and law enforcement agencies have begun to implement prudent strategies and methods for sharing and analyzing fraud information through ad hoc operational fraud structures such as financial information sharing and analysis centers or fusion centers.
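The following is an added example, not code from the article or its author, of the kind of analysis a centralized repository makes possible and that no single business unit can perform on its own feed: three constructed business-unit feeds with different record shapes are normalized into one event stream, and an account flagged by two or more distinct units inside a 72-hour window is escalated. The feed field names, the sample records, the window and threshold, and the HMAC-keyed indicator used to share a match with industry peers without disclosing the raw account number (including the partner key) are all assumptions made for illustration.

```python
"""Cross-business-unit fraud signal correlation (added example; all data constructed)."""
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feeds. Each unit keeps its own schema, which is exactly the
# situation a centralized repository has to absorb. Field names are assumptions.
CREDIT_CARD_FEED = [
    {"event_time": "2009-09-11T09:15:00", "card_account": "ACCT-1001", "reason": "cnp_velocity"},
    {"event_time": "2009-09-12T22:41:00", "card_account": "ACCT-2002", "reason": "cnp_velocity"},
]
ACCOUNT_TAKEOVER_FEED = [
    {"when": "2009-09-12T20:05:00", "acct": "ACCT-2002", "indicator": "password_reset_new_device"},
    {"when": "2009-09-12T21:30:00", "acct": "ACCT-2002", "indicator": "mailing_address_change"},
]
IDENTITY_FEED = [
    {"timestamp": "2009-09-12T23:10:00", "account_id": "ACCT-2002", "flag": "ssn_mismatch"},
    {"timestamp": "2009-08-01T10:00:00", "account_id": "ACCT-3003", "flag": "ssn_mismatch"},
]


def normalize(feed, unit, ts_key, acct_key, sig_key):
    """Map one unit's native records onto the shared schema (ts, unit, account, signal)."""
    return [
        {"ts": datetime.fromisoformat(rec[ts_key]), "unit": unit,
         "account": rec[acct_key], "signal": rec[sig_key]}
        for rec in feed
    ]


def build_repository():
    """The centralized store: every unit's events in one time-ordered list."""
    events = (
        normalize(CREDIT_CARD_FEED, "credit_card", "event_time", "card_account", "reason")
        + normalize(ACCOUNT_TAKEOVER_FEED, "account_takeover", "when", "acct", "indicator")
        + normalize(IDENTITY_FEED, "identity", "timestamp", "account_id", "flag")
    )
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window=timedelta(hours=72), min_units=2):
    """Return {account: [units]} for accounts that drew signals from at least
    `min_units` distinct business units within any span of length `window`."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(e)

    alerts = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        best = set()
        start = 0
        for end in range(len(evs)):            # sliding window over this account's events
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            units = {e["unit"] for e in evs[start:end + 1]}
            if len(units) >= min_units and len(units) > len(best):
                best = units                   # keep the widest cross-unit picture seen
        if best:
            alerts[account] = sorted(best)
    return alerts


def shareable_indicator(account, partner_key):
    """Keyed hash of the account identifier for exchange with peers holding the
    same key: they can match on the same account without either side revealing
    raw account numbers. This mechanism is an assumption of the example; the
    article does not prescribe one."""
    return hmac.new(partner_key, account.encode(), hashlib.sha256).hexdigest()


def package_for_sharing(alerts, partner_key):
    """Records suitable for an industry or law enforcement sharing platform."""
    return [{"indicator": shareable_indicator(acct, partner_key), "units": units}
            for acct, units in sorted(alerts.items())]


if __name__ == "__main__":
    found = correlate(build_repository())
    print(found)  # ACCT-2002 is seen by all three units; no single feed would escalate it
    print(package_for_sharing(found, b"constructed-partner-key"))
```

In the constructed data, ACCT-2002 generates one low-severity signal in each unit; only the combined view crosses the threshold, while ACCT-1001 and ACCT-3003 (one signal each) stay quiet. Shrinking the window to a few minutes drops the alert, which is the tuning knob a fraud team adjusts against its own false-positive rate.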
The security or fraud department can play a vital role in information sharing, performing a fraud risk assessment, providing awareness training, and implementing a continuous event monitoring protocol. The focus of the fraud risk assessment is identifying potential threats or risks to existing fraud controls or safeguards and recommending new preventive fraud solutions to further reduce risk in this area. Building a fraud assessment team that spans traditional fraud investigation, corporate security, forensic investigation, account takeover, account set-up, account maintenance, customer service, information technology, and information security disciplines is crucial. In my experience with assessment teams, it was important to bring in many skill sets with diverse backgrounds. For example, during critical infrastructure assessments I have worked with or bounced risk concepts off David Hiscott, Jack Platt, Chris Albright, Justin Wilson and Rich Baich. David is an oil/gas industry safety, security, and emergency response advisor. Jack is a former U.S. Marine, although he would adamantly argue, “Once a Marine, always a Marine.” He is an intelligence and counter-surveillance advisor. Chris is former military and now a digital forensic investigative advisor. Justin Wilson is a police officer and a Homeland Security Coordinator. Rich Baich, a former CISO, is now an information security advisor. All of these individuals bring a different value and added skill set to the assessment process. More importantly, each of these individuals understands the impact of fraud on critical infrastructure (i.e., banking, oil/gas, telecommunication, information, transportation, etc.) as it (fraud) relates to their respective areas of expertise. In my assessment experience, the best way to reduce risk is having many varying views and sets of eyes with different disciplines.
In my personal opinion, if you have two people in a room with the same thought process, one of them is not needed.
Compliance: The compliance phase is a crucial pillar. Once the operational fraud program has governance and a tactical approach, it is critical to maintain the anti-fraud program by delivering a balance of people, processes, and technology. The compliance phase should include, but not be limited to:
Program testing (drills and tabletop exercises)
Program audit
Risk management integration with your company’s enterprise risk management plan (i.e., incident response plan, disaster recovery plan, business continuity plan)
Program adjustment (change management process)
Metrics and reporting
General annual anti-fraud awareness training for employees
Detailed annual anti-fraud awareness training for employees with anti-fraud responsibilities
Periodic self-assessment to identify, detect, and mitigate fraud risks associated with the overall program
Again, the security or fraud department can play a key role in performing self-assessments, managing and reporting operational fraud metrics, testing the elements of the fraud program, and providing annual employee awareness training.
The operational fraud strategy should be aligned with the company’s existing enterprise-wide security model. It supports the security “protection-in-depth” concept of deterring, delaying, detecting, denying, and preventing an adversary from exposing the organization to losses from fraudulent activities or events. Operational fraud risks will continue to evolve and will require organizations to evaluate and expand their capabilities to maximize the value and effectiveness of anti-fraud controls. Several key regulatory and industry mandates require fraud control reviews to reduce or mitigate fraud. The key to reducing fraud risk from emerging threats is transitioning toward a fraud-resilient enterprise. Challenging economic conditions will continue to drive increases in fraudulent activity, from mortgage fraud and credit card fraud to identity theft and insider threats. As local, state, and federal law enforcement resources reach full capacity to investigate and enforce fraud, the CSO or security director may need to adopt additional proactive in-house solutions or data analytics to reduce and manage operational fraud in the future.
Copyright ©2009 ABISCF, ACFEI, and ABCHS. All rights reserved. Dr. Robert O'Block, Founder, CEO, and Publisher.