In a previous article kon je lezen over toenemende fraude en de meest voorkomende soorten bedrijfsfraude. In dit artikel geven we de benodigde voorzorgsmaatregelen en kijken we naar het implementeren van een gelaagd risk assessment.
A fraud risk assessment framework is a process that helps identify areas where an organization is vulnerable to fraud so that you can develop concrete plans. When such an analysis is done correctly, you always stay a few steps ahead of a fraudster. After all, you are looking at your own organization from the eyes of a fraudster. The framework ensures that the following questions can be answered: where are weaknesses in our controls? And in what ways can our organization inadvertently help fraudsters escape?
To be effective, a framework must have several fundamental, data-driven layers. The first layer includes the effort to accurately identify potential customers or third parties - who they actually are and whether they are who they really are? Are there potential risks or discrepancies based on company data? The second layer involves examining the digital identity associated with these entities - electronic credentials that help create a comprehensive business profile during real-time transaction processes. The third layer involves evaluating operational and financial factors.
Interesting read: Corporate fraud: A growing issue
The first layer: Verifying identity
The moment when a company or supplier becomes a new business relationship is the best time to establish a due dilligence process to verify a company's legitimacy. This process is based on data - ideally data that has been rigorously vetted using multiple resources to verify the company.
Lower-risk profiles are characterized by more consistency between self-reported company data and data from trusted data parties. Inconsistencies in this data often indicate a higher risk profile and a greater likelihood of attempted fraud. These inconsistencies include small discrepancies that may be dismissed as "accidental" but are actually intentional. For example, a fraudster may add an "S" or "Inc." after a legitimate company name to create a "look-a-like" company name. Fraudsters will fabricate, exaggerate or even omit certain details to make their company look better. For example, a company may claim it was founded in 2015, while reliable data sources report 2021 as its start year. By claiming 2015 as the founding year, the fraudster can exaggerate a variety of data such as number of employees, revenue or sales figures. This makes a company appear more credible than it is.
Examining an entity's address is also an important verification step. Higher risk is typically associated with virtual office locations, post office boxes or residential addresses. Here, however, it is important that care be taken when verifying self-employed individuals because they often provide their residential address as their office address.
Questions to consider in the first layer:
- What business data do we have on this company and can it be verified?
- Companies don't commit fraud, individuals do. Can we find out all the individuals behind a company?
- Have board members been involved with other (no longer existing) companies before?
- What products do they buy, and does it make sense for them to do so?
Second layer: Exposing risks behind a device, IP or email address
As the global pandemic brought the physical world to a standstill, fraudsters took advantage of the moment. Dun & Bradstreet data shows a 251% increase in business identity theft in 2020, compared to 2019. This spike is highly correlated with large increases in digital transaction volumes and related cyberattacks. More consumer identity data falling into the hands of malicious parties translates into more cases of B2B fraud.
Typically, fraud organizations use a handful of IP addresses or hosts and go through a long list of stolen users to breach a company's security. Therefore, fraud risk should be assessed based on on the e-mail, domain, phone number or device and IP address used for transactions. In particular, the age of the e-mail is a telling risk indicator. Data analysis has shown that fraud involving newer emails is on the rise. For example, if a real company domain is abcpizza.nl, a fraudster would create email@example.com, rather than firstname.lastname@example.org. In a real example, a fraudster placed a large order for a restaurant and instead of the real company domain domain companyabc.com, the fraudster used the "look-a-like": companyabc.nl
It is also possible to do device-level research to keep out threats. You can build a profile of each device to get a good idea of which ones are reliably used. If a new device wants to add itself, an evaluation must take place. Important considerations include age, speed, reputation and device IP.
One advantage of using device-level risk data is that the device ID is stored instead of a personal profile. If a business account has already been rejected for suspicious behavior, and the fraudster uses the same device to request another account under a different name, the organization knows immediately because the returning device can be verified.
Third layer: Evaluating operational and financial factors
It can be difficult to separate fraud risk from "ordinary" credit risk. The biggest difference is intent. With normal credit risk, there is no intent; with fraud risk, the intent is to bust-out fraud. For example, a company may consistently pay on time and be considered low credit risk. But then the company begins to max out its credit line and eventually defaults on all payments. This is typical "bust-out" behavior. When activity such as this comes to light, it should trigger an investigation of the financial health of the company or supplier you are dealing with and a closer look at the transactions.
Questions to consider in the third layer:
- Is the company making more credit applications than usual?
- Has the company reached the limit of its line of credit?
- Does the company pay on time?
- Does the company show an upward or downward trend on key financial parameters?
- Is the company already in default or on the verge of bankruptcy?
Awareness is always the first step in any new process. The most common types of fraud have been discussed, and ways to prevent them. With reports of business fraud rising so rapidly, the time has come to establish a good framework and invest in good due diligence and credit risk processes.