Economic crime against financial services organisations continues to rise around the world. Some 45% of financial services respondents to PwC’s 2014 Global Economic Crime Survey say they have been victims of economic crime. And 39% say they have been victims of cybercrime, as fraudsters increasingly turn to technology as their main crime tool. Around half who have experienced economic crime during the survey period report an increase in the number of occurrences and the financial value of economic crime during the period (more so than other industries’ respondents).
The survey, which includes 1,330 responses from the financial services sector across 79 countries, found that theft remains the most common form of economic crime for financial services firms, reported by 67% of respondents. It is followed by cybercrime, 39%, money laundering, 24%, accounting fraud, 21% and bribery and corruption, 20%.
Respondents reported significant collateral damage of economic crime to their reputation with 29% of respondents citing this as the most severe impact of money laundering.
In an email to IT Security Guru, Andrew Clark, partner in PwC’s forensics practice, said: “Financial services organisations are finding that economic crime persists despite ongoing efforts to combat it and no organisation of any size anywhere in the world is immune to the impact of fraud and other crimes. The direct financial impact of economic crime harms organisations but such crimes also damage internal processes, erode the integrity of employees and tarnish reputation.
“Whilst the financial services sector may be ahead of many industries in terms of prevention and detection of economic crime, more can be done. Of particular concern are the clear weaknesses in some organisations’ fraud risk assessments, whistleblowing mechanisms and awareness of the pervasive and sustained threat of cybercrime.”
Cybercrime
The survey shows that cybercrime is still the second most common type of economic crime reported by financial services respondents (after asset misappropriation) – 39% in 2014 (this compares to only 17% in other industries). However, this percentage of respondents is alarmingly low – our experience has shown that a clear majority of financial services organisations (especially retail banks) suffered cybercrime during the survey period.
Similarly, only 41% believe it is likely that they will experience cybercrime in the next 24 months (45% in Africa and 36% in Asia Pacific). A further 19% are unsure whether they are likely or unlikely to experience cybercrime. Financial services respondents perceive a greater increase in the risk of cybercrime compared to counterparts in other industries (57% compared with 45% in other industries). Clearly, financial services organisations believe that cybercrime is becoming a greater threat than ever before, and yet many do not believe that it will actually happen to them.
Andrew Clark added: “The financial services sector was one of the first to be targeted by cybercrime – little wonder, as there have always been significant potential financial gains to be had from subverting computerised processes and corporate controls in banks.
“Less than 40% of economic crime in the financial services sector was reported as cybercrime in our survey. In our experience, financial services organisations do not always identify and log the cyber-element of economic crime experienced. This leaves them exposed to cyber threats in spite of any existing cyber defence: if cybercrime is not being accurately tracked, the true risk of cybercrime cannot be fully grasped and understood.
“Cybercrime is growing and the methods are constantly evolving – we see no abatement in attacks on banks’ infrastructure. So it is concerning that 40% of all financial services respondents believe that it is unlikely their organisations will experience cybercrime in the next 24 months. Financial services organisations need to recognise cybercrime as a risk type and establish proper cybercrime reporting.”
Where Does Economic Crime Occur?
Economic crime is a pervasive, global threat to financial services organisations but there are regional variations – in Asia Pacific at least half of financial services respondents reported an increase; in contrast, nearly 40% of respondents from South & Central America reported a decrease.
Certain cyber threats ebb and flow – for instance, the Middle Eastern cyber-attacks that targeted several large U.S. banks in 2012 and 2013 appear to have receded. The US has seen dramatic increases in financial services economic crime – from outages created by Distributed Denial of Service (DDoS) attacks to massive ATM withdrawals by organised criminal groups. Credit card fraud has become more pervasive as the US has yet to embrace the Chip and PIN system.
In Japan, phishing scams have targeted bank customers’ personal computers via viruses, using fake pop-up windows or e-mails masquerading as legitimate internet banking interfaces to trick customers into inputting their personal information.
PwC cybersecurity experts have also perceived a rise in cybercrime from Africa, which correlates with big government initiatives to roll out broadband in that region. Industry sources also indicate that cybercriminals are relocating to South Africa from Europe due to increased co-operation between law enforcement agencies in the EU.
Who commits fraud?
External fraudsters are still the main perpetrators of economic crime for the majority of financial services organisations (57%). Most internal frauds are committed by junior staff (39%) and middle managers (39%), with a fifth of internal economic crime committed by those in senior management. The profile of the typical financial services internal fraudster is a male between 31 and 50 years old with a university-level education.
Clark continued: “Typically economic crime is committed when three conditions are present: life pressure, opportunity and personal rationalisation for the crime. Financial services organisations are prime targets for external fraud given the amount of money fraudsters could potentially obtain and also the importance and sensitivity of data held by organisations, for example, credit card and personal identity details. Cybercrime is most often externally perpetrated and not just for monetary gain but also for valuable information about individuals.
“Internal fraudsters in financial services are more likely to hold at least a university degree qualification than in other sectors, a reflection of the entry requirements of recruitment in the sector. Our survey results suggest that the average financial services internal fraudster is able to carry out fraud from quite a junior level in the organisation. This may be due to the fact that financial services products can be complex by design and function, and consequently more difficult to ‘police’ despite internal controls.”
How is Fraud Found?
The financial services sector tends to be more strictly regulated and as a result many business processes and functions have corporate controls in place. This makes it more difficult for frauds to be internally perpetrated without discovery. Of the financial services respondents who knew how the economic crime in their organisation had been detected, 61% attributed the detection to having corporate controls in place compared to 56% in other industries.