Economic Crime: How History Repeats Itself in Rhymes
Fraud in its various guises is just as prevalent today as it was ten years ago. Peter Lilley provides an insight into the ever evolving (but strangely repeating) methods which have been used by fraudsters during the past decade.
In 1999 I wrote a book about what I termed “The global fraud explosion”. In that book I considered various types of fraudulent activity: just over ten years down the line, after recently reviewing the list of frauds that I had formulated, it actually seemed as if I could have written it this morning. The types of fraud included:
- Insider (staff) fraud
- Fraud by outsiders
- West African 419 fraud
- Organised crime and money laundering
- Insurance fraud
- Mortgage fraud
- Computer and cyber crime
Mark Twain observed that “history does not repeat itself but it rhymes.” So whilst my list of basic fraud types compiled in 1999 remains valid, there are many new twists and developments. These are just some of the more interesting ones that I have uncovered:
Number One Risk? Your Own Staff
It always amazes – and frightens – me as to how organisations ignore the fraud risks that exist from their own employees. As William Marlowe, the former head of the Computer Operations Division of Washington DC Police observed in a pre-digital age (more still true today): “the most serious problem will always be the trusted employee with legitimate access to computers.”
A very worrying trend has emerged in the financial sector, whereby staff are stealing and then selling critical customer data to tax authorities of third party countries (equally such information could be sold to criminal groups – or just the highest bidder!). In 2008 a former employee of LGT Group in Liechtenstein sold a CD containing details of the bank’s client base to the German tax authorities for $6 million (this figure is a guesstimate – as various amounts have been quoted). One current and ongoing story involves a former employee of HSBC Private Bank in Geneva who stole client data from the bank and sold it to the French tax authorities. This data now appears to have been offered to the German tax authorities and in the process has made headline news, particularly in respect of whether the countries receiving such confidential data are dealing with criminals by trading in stolen goods. As a German politician recently remarked “theft is theft”.
So what complex equipment would your staff need to steal your most sensitive data? Not much as it turns out. Just a pen: such as the one available on E-bay that contains a 4GB data stick; it also helpfully has a video and still camera. The price? About $20 or $30.
Want to Buy Stolen Data? Just Google For it!
It’s essential to realise that unless we safeguard it, our sensitive business critical data can be easily and cheaply stolen. It is almost impossible to catalogue the volume and type of stolen data that is available on the web, where stolen bank account and card details are available for less than $1 per unit.
In January 2010 a UK court convicted the founder member of DarkMarket: a sophisticated online site with over 2,000 members which acted as a marketplace for stolen data. With the motto of “Honour amongst thieves” the site provided an international exchange mechanism. As one of the detectives in the case said, “if you’re a guy in Vietnam who has got hold of details of thousands of US credit cards, you can’t use those in your own country so DarkMarket and sites like that let him sell to people in a geographical location that can be used.” Or as one seller posted as a comment after a purchase he had made: “pulled £3,000 from one (stolen) debit classic, nuff said.”
The dangers posed to organisations by social networking sites are now becoming clear. Unfortunately there is not sufficient time to explore this topic in detail now. However I want to flag this topic up as one that will become more and more relevant. Once again, your own staff could be revealing more than they think about both themselves and your organisation by posting on such sites. For example, we recently discovered that a bank employee who worked in an important IT role had posted sensitive personal data on various websites. This included his entire CV, home contact details and the full details of which bank he worked for and what he actually did there.
The Problems With Ownership
One topic that will gain greater significance, if it has not already done so, is the identification of beneficial owners, both in relation to companies and bank accounts. In simple terms, AML legislation (particularly after 9/11) demands that we correctly identify beneficial owners. However there is a fundamental problem in this: we take at face value the information we are given. In other words, we believe the person who tells us that he/she is the real beneficial owner. This resembles self-certification on mortgages – and we all know where that led!
At present I am dealing with an important case involving numerous countries, large amounts of money and various companies and bank accounts with “hidden” beneficial owners. I have copies of the bank application forms where Mr X confirms in writing that he was the true beneficial owner of the offshore company and thus he was the beneficial owner of the bank accounts opened by this company. You would therefore conclude that all of this is acceptable. There is just one crucial problem – Mr X has now confirmed that he was not the beneficial owner and was acting as a front man for a corrupt politician who was illegally receiving large bribes.
Criminals involved in money laundering are prepared to “lose” 30% of their dirty money to facilitate the laundering process. Thus Mr X and many like him are being paid handsomely to lie, declaring that they are beneficial owners when in fact they are not.
“The accomplice to the crime of corruption is frequently our own indifference” – Bess Myerson
The many facets of corruption particularly interest me and this increasingly occurs in the work that I do. Corruption has many forms: a 2009 Mori survey found that amongst 100 listed companies, 40% had begun corruption investigations in the last four years. Unfortunately all that I can offer in the space available are a few “red flags” as to the types of corruption you may encounter, such as:
- Corrupt payments to your staff so that they reveal confidential data or fraudulently award contracts.
- Bribes paid to state officials to award contracts or to favour suppliers. These funds are then placed with your organisation.
- Your facilities are being used as a “transit” point for corrupt payments.
- Your facilities are being used by corrupt states or the “ruling elite” of corrupt states.
With all of these threats, one can only conclude that it’s about time that those involved in economic crime prevention (to paraphrase Rudi Giuliani) got as organised as organised crime itself.
Author: Peter Lilley
Original publication date: April 2010