From Fraud to Infosec and Vice Versa... Part 1

Wednesday, April 18, 2012

Neira Jones


In my last post, I attempted to give some real business metrics to help secure information security investment.

One of those metrics related to our ability to link infosec to fraud, and in this post I’d like to examine that connection a bit further.

Lucky for me, the UK National Fraud Authority have just released their 2012 Annual Fraud Indicator (readers beware, it’s 58 pages...), so with my infosec lens, I’ll take you through the report and hopefully give you some more KPIs to think about...

The report estimates the fraud loss to the UK economy at £73 billion in 2011, compared to £38 billion in 2010. However, whilst the increase is significant, it doesn’t represent an increase in the level of fraud: this year’s report benefited from improvements in the quality and quantity of data available, the inclusion of previously undetected fraud losses in the private sector and new estimates against individuals.

Fraud by industry sector...

The report gives extensive details on the fraud attribution to each sector/sub-sector and (page 31 onwards) details fraud types by victim sector. This is summarised below, with the fraud losses for each sector followed by the details and fraud types:

£45.5bn for the private sector.

£26.7bn is attributed to large businesses and £18.9bn to SMEs. Participants estimated that fraud losses could be in the region of 1.4% of turnover.

Details by sub-sector:
  Wholesale & Retail: £16.1bn
  Manufacturing: £7.4bn
  Financial Services: £3.5bn
  Construction: £3bn
  Professional Services: £2.8bn
  Utilities, Mining, etc.: £2.7bn
  Information & Comms: £2.4bn
  Arts, Entertainment & Recreation: £1.1bn
  Accommodation & Food: £1bn
  Other: £5.5bn

The most common fraud types were payment fraud (71%), followed by employee/volunteer fraud (49.5%) and cyber-enabled fraud (41.9%). 22.6% of participants suffered at least one insider-enabled fraud.

Fraud types:
  Procurement fraud (estimate £20bn)
  Insurance fraud (£2.1bn)
  Mortgage fraud (£1bn)
  Payroll fraud (estimate of £1bn)
  Telecommunications fraud (£972M)
  Plastic card fraud (£341M, see my earlier post for details)
  Transport fare evasion (£210M)
  Online banking fraud (£35M)
  Cheque fraud (£34M)
  Motor finance fraud (£15.3M)

£20.3 billion for the public sector

This is a decrease from the previous year, primarily due to a reduction in fraud against the tax system.

  Tax: £14bn (£15bn in 2010)
    Tax fraud (£14bn), vehicle excise duty evasion (£40).
  Central government: £2.5bn
    Procurement fraud (£1.4bn), grant fraud (£488M), television licence fee evasion (£202M), payroll fraud (£181M), patient charges fraud (£158M), student finance fraud (£31M), pension fraud (£11M), National Savings & Investments fraud (£0.46M).
  Local government: £2.2bn
    Housing tenancy fraud (£900M), procurement fraud (£890M), payroll fraud (£153M), council tax fraud (£131M), blue badge scheme abuse (£46M), grant fraud (£41M), pension fraud (£5.9M).
  Benefits & tax credits: £1.6bn
    Benefit fraud (£1.2bn), tax credits fraud (£380M).

£6.1 billion for individuals

1 million (2%) of UK adults sent money in reply to unsolicited communications in the last 12 months, and 50% of those were defrauded as a result. 9.4% (4.6 million adults) suffered identity fraud; 55.3% did not recover their losses, and the average loss is £481. 2.1 million people fall victim to online ticketing fraud each year, with an average loss of £406 per victim.

Fraud types:
  [Telephone banking fraud: 16.7M]*
  Mass marketing fraud: £3.5bn
  Electricity scam: £2.7M
  Identity fraud: £1.2bn
  Online ticket fraud: £864M
  Rental property fraud: £488M

£1.1 billion for the not-for-profit sector

This was estimated to cost registered charities 1.7% of their income. The most common fraud types are payment fraud, employee/volunteer fraud (27%) and cyber-enabled fraud. Just fewer than 4% of respondents reported that they had detected fraud in the last financial year.

*Note: telephone banking fraud appears under “private sector” in the report, but since the method used essentially tricks individuals into disclosing personal details, I felt it was better placed here.

The British Retail Consortium (BRC) Retail Crime Survey reported that fraud increased significantly in 2011 for Wholesale and Retail, with 78% of retailers recording a rise. Fraud accounted for 12.3% of retail crime volume and 28.2% of value, a notable increase on the previous year.

Retailers identified fraud arising from their growing online and multichannel operations as the most significant emerging issue they faced. Overall, retailers estimated that 50.5% of fraud could be attributed to organised groups, while a further 42.7% was the result of opportunists. In addition, retailers only reported circa 50% of offences to the police, suggesting the true extent of fraud is likely to be higher.

It is also interesting (and scary) to note that mass marketing fraud represents more than half (£3.5 billion) of all fraud against individuals. I will explore this further in a later post.

Just get a little closer...

So, to all of you information security professionals out there: if you need one way to show you can add value, get closer to your fraud colleagues and try to understand what their big ticket items are. Depending on your industry sector, you can even ask them the right questions, since the big ticket items are more than likely those detailed above.

Similarly, to all of you fraud professionals: please reach out to your infosec colleagues. Admittedly, they will not be able to solve/help with all your problems (e.g. tax or benefit fraud), but every time a fraud type could be reduced by better integrity or confidentiality, they will have lots of good ideas, and the payback is potentially massive compared to the investment that might be required.

Don’t you find it uncanny that the above analysis shows some very obvious parallels with the Verizon DBIR 2012 analysis?...

My next post will finish the analysis of the Annual Fraud Indicator by looking at the various fraud enablers to all the fraud types discussed in this post.

Until next time...

Cross-posted from neirajones
