As businesses experience disruption, how they respond can determine their ability to recover and emerge stronger. In each episode of our series, PwC specialists discuss the challenges and opportunities facing business leaders in today’s environment of global uncertainty.
As businesses experience disruption, how they respond can determine their ability to recover and emerge stronger. In each episode of our series, PwC specialists discuss the challenges and opportunities facing business leaders in today’s environment of global uncertainty.
Kristin Rivera:
Welcome to our podcast series, Emerge Stronger Through Disruption. I'm Kristin Rivera and I lead global forensics at PwC as well as our Global Center for Crisis and Resilience. I'm coming to you today from San Francisco, California. In each episode of the series, we talk with global colleagues about the challenges facing business leaders during disruption.
We've just launched our first snapshot report from our Global Economic Crime and Fraud Survey. For 20 years now, we've heard from organisations around the globe on the evolving fraud landscape — from new threats to bad actors and their mechanisms of abuse. I'm delighted to be joined today by my friend, Mark Rigby, our Forensics leader in Australia, for today's chat.
Welcome, Mark. Please share a little bit about how you work with clients and solve problems today.
Mark Rigby:
Thanks very much for having me, Kristin. I'm based in Sydney, Australia, so please excuse my accent throughout the discussion. You know, when I first joined the firm more than 10 years ago, I spent most of my time helping organisations investigate issues of serious internal misconduct — think corruption, scandals, or financial misstatement.
But over recent years in more contemporary times, most of the organisations I work with now are asking for help and support to strengthen their defenses and adopt new technologies and better leverage the data they've got to keep the crooks at bay. So I'm really looking forward to the conversation.
Kristin Rivera:
As am I, Mark.
So our survey this year tells us that rates of fraud have been relatively steady for the past several years, with just less than half of organisations globally reporting that they've been the victim of some sort of fraud over the past two years. But if we dig a bit deeper, we definitely see some shifts.
So, Mark, what do you see in the numbers?
Mark Rigby:
Kristin, there certainly are some outliers — countries like the United Kingdom, also down here in Australia — saw significantly higher rates of fraud and economic crime than the global average, you know, 64, 63% respectively versus the average of 46 globally. And we have some other countries as well that stood out— Canada, by way of example, at 56%, and India at 52% were also higher than the global average.
And fraud wasn't immune to disruption caused by the pandemic, as 70% of organisations that we surveyed said they've experienced some new type of fraud or saw an increase in the risk that was caused by the disruption through the pandemic. And long periods of remote working have also presented some new challenges. Being able to evidence work done when you have staff that aren't physically on site, and increased reliance on digital communication email, by way of example, for financial approvals, which can be compromised.
Kristin Rivera:
And to add to that, as we record this, we're definitely in a period of global destabilisation triggered by geopolitical unrest, ongoing pressures with supply chain and some economic challenges.
So I think that it's reasonable to expect an enduring focus on both fraud and corruption, given what's going on in the world.
Mark Rigby:
Absolutely, Kristin. And I think that wouldn't come as a surprise to anyone. One of the things that I find most interesting when looking at the numbers inside the results is who is committing these frauds and other types of economic crime.
And we loosely bucket them into two categories. We have internal frauds committed by people within an organisation. And then those that are external — so, where perpetrators are outside an organisation looking to take advantage of their people, their processes and increasingly more importantly, the platforms and systems that they operate to interact with their customers.
Survey results showed us that those internal incidents are actually on the decline, and that's been a pretty consistent trend over the last three surveys or six years that we've collected this data. Except external incidents or collusion between internal employees and external actors is significantly on the rise.
From an internal standpoint, there are a number of factors that are impacting that: stronger regulations, healthier culture around speaking up, but there is still occurring — and with broader economic pressures over the next few years, it will absolutely be something to keep an eye on, Kristin.
Kristin Rivera:
We're definitely seeing a tectonic shift in the fraud landscape for companies that are operating in the financial services sector. External fraud has been a key focus for decades, but for other sectors, the focus has traditionally really been on the internal side. So the external focus is a bit new. The prominence of external fraud really has been creeping in this direction for some time. And I know this is an area of focus for you personally. So I really look forward to your thoughts about what companies can do to be proactive about addressing this increasing external fraud risk.
But before we go there, let's start with internal frauds. Your classic insider frauds are what we also think about as conduct risk, otherwise known as misconduct.
Just to define conduct risk: It's really the risk that your organisation's employees or your contractors, the people that you invite in to represent your company, engage in intentional acts or omissions that result in non-compliance with policies, regulatory requirements, or some sort of economic loss to the company. In short, internal fraud is when your employees or contractors don't do what you ask them to do.
Mark, what specifically are we seeing in terms of internal fraud trends in this year's responses?
Mark Rigby:
Kristin, asset misappropriation is still one of the top three frauds that organisations are experiencing regardless of the company size or jurisdiction. It is down, though, about 6% — from 31% during our last survey to 25% in this survey. One of the explanations could be that employees have reduced access to physical and other assets during the increasing remote working.
But as I alluded to before, this is a trend that we've seen over the past five to six years now. So I think there are some broader factors at play — strengthening compliance programs, more regular and digestible training, and company executives and boards communicating a far clearer tone from the top of their organisations.
We actually found in terms of how issues were detected or identified, there was a strong increase — up about 50% from the last survey — in terms of the success of internal controls. Ultimately, Kristin, all of these factors result in a stronger culture that reinforces ethical conduct, and that's here to stay.
People want to work for organisations that are values-driven. And significant ethical breaches that damage an organisation's reputation can have a really enduring impact on employee morale and retention of staff. Organisations are also looking to better leverage technology to mitigate the risk. But I think it's fair to say that there's still progress to be made on that front.
We see this in the evolving concept of insider threat, insider risk, and organisations looking to make better use of the data that they have available to them. And that includes non-traditional data such as human resources, data and information, and trying to get at issues like fraud, employee misconduct, physical security, intellectual property theft — all of these issues that typically have been managed in silos historically.
And that sort of leads to a really interesting result from our survey around the success of suspicious activity-monitoring and data analytics as the way that the organisations are detecting these issues, and that corresponds with, you know, not insignificant drop-off in tip-offs as well, Kristin.
Kristin Rivera:
So it sounds like overall really a positive trend in terms of conduct risk.
Although as you've articulated organisations still need to keep at it, creating a culture of compliance, evaluating and improving controls, and putting into place other mitigations is still critically important. And I think this is especially true as we see workers returning to the office, perhaps feeling disconnected after a few years away, maybe burnt out.
These can really increase that risk of rationalisation, which, if we look back to our good old-fashioned fraud triangle, is one of the indicators of a potential fraud risk. As you say, the pandemic disruption has increased risk in some areas specifically, so we simply can't rest on our laurels.
What else do you think businesses can do, Mark, to move this trend further in a positive direction?
Mark Rigby:
There's no silver bullet here, Kristin, but I think organisations can learn a lot from what they've done over the past sort of five to six years in particular: having their leadership be very visible on topics around ethical conduct and managing the risks around fraud and economic crime. Training is invaluable and having clear, accessible, and regular training so people know what the risks are and know what to be aware of.
And I think also just reinforcing that culture around speaking up — I think we've made significant progress over the last few years that people feel more comfortable with … if they see something that's not quite right, that that's something that they should have a conversation with their line manager or human resources or dedicated whistleblower officer within an organisation.
And I think, increasingly, just becoming more sophisticated in terms of using the data that organisations have available to them to monitor for unusual activity. And obviously the key here is prevention, but when there are issues within a business, just being able to detect those as early as possible so that organisations can jump on them and mitigate the risk.
Kristin Rivera:
So, Mark, let's shift back to something near and dear to your heart: external fraud. As you know, our survey showed it's on the rise. When it comes to external fraud, we really are still in the wild, wild west. There's not much in terms of traditional offensive measures like training; these aren't your people, they're not under your control. You can't train them. You can't have them sign a certification or review a policy. And that's just because they're outside of your four walls. So, really what you're left with is a defensive strategy.
Mark Rigby:
I think that's right, Kristin. And we've seen this type of fraud and other forms of economic crime impact financial services for many years now.
And it's generally played out where fraudsters or bad actors have abused the financial platforms and the infrastructure that has been provided by the banks, but it is definitely evolving and we're seeing some new trends on this front as well.
Kristin Rivera:
So let's unpack that a little bit. We saw this type of fraud from the outside occurring on financial platforms. We've seen that for years. But now virtually every organisation operates or uses some sort of a platform. It might be a financial platform, like a banking service. It might be e-commerce like a shopping site, a services hub, social media. You name it.
Mark Rigby:
Yeah, Kristin, digital platforms have always been important to the way organisations operate, but the speed of digitisation is definitely increasing. Physical branches are closing, virtual assistants are increasingly being used to assist with customer inquiries. These are just some examples of the way in which organisations are connecting with their customers and increasingly relying on digital channels to do that.
So personal data and identity credentials and access to them have become the key currency in an increasingly digital environment as it unlocks so many doors for criminal actors.
In terms of our global survey, 40% of the respondents said that they saw a heightened fraud risk due to their digital platforms. The good news here is that we can apply some of the lessons that we've learned in financial services and use that in other businesses and across other sectors.
Kristin Rivera:
So, who's committing these crimes? And how do they gain access? And what can companies do about it?
Mark Rigby:
Interestingly, perhaps unsurprisingly, the largest increase in incidents that we saw from a perpetrator standpoint was from organised crime elements — incredibly determined and increasingly sophisticated. And one area where this has never been clearer is around scams.
And we've seen a veritable explosion in scam activity over the last two years in particular. It is so hard for organisations, regardless of industry, to manage and detect scams, as they've become more sophisticated and have strengthened their defenses. Criminals have sort of diverted their attention and their focus on customers and sought to exploit them.
And I think many of your listeners will be familiar with romance scams, but there are literally dozens of different variants — holiday scams, shopping scams, etc. We see disinformation and ransomware as a service becoming more prevalent, underground business models built for the purpose of fraud that's committed largely on organisational platforms.
And we see a continuing trend around identity takeover, and the use of organised criminal elements of synthetic IDs. And synthetic IDs occur when criminals are obtaining legitimate credentials. So an address from one person that exists, a phone number from another person that exists, and combining them together and, you know, a Frankenstein-type model where all of these things are legitimate, but they're pieced together in a synthetic way.
And there's no silver bullets for the way organisations can ultimately strengthen their defenses. But I think it broadly lies across a few fronts.
Firstly, and this will be not new to anyone that has worked in fraud risk management, but just invest in skilled people. Make sure you've got talented, motivated staff that have access to training.
We've talked about this a couple of times, Kristin, but investing and exploring disruptive technologies — a lot of software vendors are moving away from traditional rules-based detection methods to more analysis of customer behavior, and using that as a way to identify anomalous or strange unusual activity in order to detect these issues. And things like biometrics, as well, which are far more available in the marketplace.
Finally, and perhaps most importantly, organisations need to significantly invest in educating their customers. Having a customer base that understands and are aware of the risks will be one of the best defenses for them.
Kristin Rivera:
Mark those are really useful, practical suggestions. So thank you for those. Are there any particular hotspots that you've noticed lately where this is a particularly significant problem?
Mark Rigby:
It's a really interesting question, Kristin. I think in government, we've seen a greater variety in the types of threats that have emerged from an external perspective.
I think in terms of identity theft, criminals are looking to exploit government services in terms of access to identity credentials, like licenses and travel documents. And also, you know, governments still play an incredibly important role in providing benefits to the broader community. And criminals are looking to access things like welfare payments, government rebates, which has been a particular focus over the last couple of years, due to the pandemic and disruption.
We've also seen it in health and an incredibly important document or certificate that people globally have had to acquire over the past two years is in relation to vaccination status and certificates. And we see criminals looking to fabricate or steal those.
Kristin Rivera:
And looking at this from the outside-in, managing external fraud is important to managing the bottom line and to meeting compliance obligations. But it's also really critical in terms of maintaining customer loyalty and your brand, which is a bit different than the traditional insider fraud. There really is an external customer impact here, which provides an additional incentive to getting this right.
Mark Rigby:
Kristin, this has been one of the most interesting and from my personal perspective, most welcome developments in this space over the last few years. And we've long talked with fraud and corruption and financial crime risk managers within organisations. But now we're increasingly talking to division and business heads, strategy folk that are responsible for growing a business, increasing customer footprint and expanding into new customer segments.
And we live in a time where customers have incredible choice — and anything an organisation can do to earn and retain customer loyalty should be prized. So organisations are in a battleground for customer trust, and whatever they can do to protect their customers from being the victims of identity takeover from being scammed and losing their hard-earned income is only going to have a positive impact on the relationship that they have with customers.
Obviously that needs to be balanced with customer friction — and by customer friction I mean your detection and prevention efforts can't make it too cumbersome or labor intensive for a customer to access the services and benefits that they need. But there are ways to strike that balance. And I think that a lot of progressive organisations are seeing this and better managing the risk of fraud and economic crime as a way to differentiate themselves from their competitors.
Kristin Rivera:
And on that note, Mark, I would really like to thank you for joining me today. This has been a really interesting conversation.
Mark Rigby:
Thanks for having me, Kristin. It's been great to talk.
Kristin Rivera:
Please visit pwc.com to see our first installment of the Global Economic Crime and Fraud Survey report. We'll be sharing key insights throughout the year.
In the meantime, remember to subscribe to our podcast series Emerge Stronger Through Disruption, wherever you get your podcasts. And don't forget to connect with Mark and me on LinkedIn. Until next time, thanks for listening.