Technology has been both a blessing and a curse in the fight against fraud, as new developments make it easier to both detect and commit.
When it comes to committing fraud, Tiffany Couch, founder and CEO of Acuity Forensics, noted that the options for moving money around have grown dramatically in just a few years, citing Venmo, Square and other widely used applications. With this added convenience, though, has come a higher potential for abuse, as shown by a recent case she worked on, where a woman at a dental office had set up a Square account and was diverting the practice’s credit card payments to herself.
“When we think of cash skimming, we think in terms of cash and coins someone is stealing. We don’t think about the fact that it’s just as easy to divert electronic payments or checks as it is cash,” Couch said. “Our changing world allowed her to set that up, seamlessly, and take payments easily.”
Similarly, Robert Sprague, managing director of the forensics and valuation group at Top 20 Firm BKD, said there is so much more data online than even a few years ago, which means there’s more to take and potentially misuse. He saw this recently when investigating fraudulent unemployment insurance claims, where scammers were using stolen personal information to file for payments.
“We had dead people filing claims, people in jail filing claims, 90-year-olds filing claims. The states just weren’t anticipating that huge influx to their systems and weren’t set up to handle all the claims, which set up opportunities for fraudsters to dive in and take advantage of that,” he said.
Technology, however, has made efforts to fight fraud much more powerful, especially when it comes to data analytics. Just as a financial audit can now draw on an entire data set to find anomalies, so too can fraud investigations process mountains of data to spot red flags. Johnny Lee, practice leader for forensic technology and forensic advisory services at Top 10 Firm Grant Thornton, noted there are thousands of discrete analytics that can be used to find signs of potential fraud.
“These are not necessarily indications of misbehavior but things that merit an explanation: Why are you paying invoices before you receive goods against them? Why would you frontload your vendor with money if you haven’t received goods? Is there something frustrating about receiving goods as a process in the system or are you in collusion with the vendor?” he said. “That’s basically how we wade into these waters: What’s the underlying data set? What’s the disconcerting fact pattern? Can we establish a baseline and measure against that?”
Lee is not alone in looking to data. Andi McNeal, director of research with the Association of Certified Fraud Examiners, confirmed that data analytics is now a key part of detecting and preventing fraud. She said that 40% of organizations have increased their use of analytics in anti-fraud programs over just the past two years alone. This has allowed more capacity in not only retrospective analyses but in proactive monitoring as well. Digital footprints can tell investigators things like what files someone has accessed, when they were accessed, and whether they were transferred to an external drive. Later technology, she said, allows for even finer observations, and as time goes on the number of things investigators will be able to detect will only grow.
“We’re talking about red flags we hadn’t even noticed before, where it’s a series of transactions surrounding one department in an organization where, on their own, doesn’t mean a red flag but does show a pattern, like [transactions] right below a certain limit,” she said.
McNeal said firms are already seeing benefits from this, evidenced by the fact that 60% of organizations plan to expand their anti-fraud technology budget in the next two years.
Grant Thornton’s Lee said that, beyond analytics, powerful cybersecurity tools allow automation of many security functions. He pointed to the development of endpoint detection and response programs that, as the name implies, monitor endpoints for things that indicate possible fraud.
“It can be highly automated to do things without human intervention, like taking a machine completely off the network, quarantining it instantly and taking it away from the end user who may have been compromised or is abusing it. So that technology, and its customizability, is a really revolutionary difference. It is today what antivirus was six or seven years ago: It’s becoming the mandatory minimum to guard against sophisticated attacks from both insiders trying to flout security controls or outsiders trying to break in using compromised credentials,” he said.
Balancing human and machine
Dawn Brolin, head of Powerful Accounting and a forensic investigations specialist, said as human input becomes less relevant in business functions, human error and human ethics will also become less relevant, bolstering internal controls.
“When someone has control over payroll and can override systems and add employees because they’re using a program allowing that control … that is a broken internal process,” she said.
Brolin warned, though, against relying too heavily on technology, saying it has already given many a false sense of security. She pointed to knowledge-based authorizations, which ask personal questions to verify one’s identity.
“I can call my client and ask what town did you live in when you were 10, did you ever own a Mazda Miata? Humans can trust humans to the point of their own demise and we know how to get around systems … We just make assumptions that because something does multilevel authorizations it’s perfect, but really who is going to have control? Who understands the systems? The humans who understand the technology and can make it work for their benefit,” she said.
Couch agreed, saying that as much as technology can help fight fraud, there is no substitute for old-fashioned detective work.
“An accounting system should be considered false until the source documents prove it’s accurate,” she said. “I could put anything into an accounting system I want. I can put anything into an [automated clearing house] bill pay system I want. It’s not true until the source documents prove it’s true.”