1 April 2012

FROM FRAUD TO INFOSEC and vice versa... Part 1

In my last post, I attempted to give some real business metrics to help secure information security investment. One of those metric sets related to our ability to link infosec to fraud, and in this post I’d like to examine the connection a bit further. Lucky for me, the UK National Fraud Authority have just released their 2012 Annual Fraud Indicator (readers beware, it’s 58 pages...), so with my infosec lens, I’ll take you through the report and hopefully give you some more KPIs to think about...

The report estimates the fraud loss to the UK economy at £73 billion in 2011, compared to £38 billion in 2010. However, whilst the increase is significant, it doesn’t represent an increase in the level of fraud: this year’s report benefited from improvements in the quality and quantity of data available, the inclusion of previously undetected fraud losses in the private sector and new estimates against individuals.

Fraud by industry sector...
The report gives extensive details on the fraud attribution to each sector/sub-sector and (page 31 onwards) details fraud types by victim sector. This is summarised in Table 1 below.

Private sector: £45.5bn
    £26.7bn is attributed to large businesses and £18.9bn to SMEs.
    Participants estimated that fraud losses could be in the region of 1.4% of turnover.

    Details by sub-sector:
        Wholesale & Retail: £16.1bn
        Manufacturing: £7.4bn
        Financial Services: £3.5bn
        Construction: £3bn
        Professional Services: £2.8bn
        Utilities, Mining, etc.: £2.7bn
        Information & Comms: £2.4bn
        Arts, Entertainment & Recreation: £1.1bn
        Accommodation & Food: £1bn
        Other: £5.5bn

    The most common fraud types were payment fraud (71%), followed by employee / volunteer fraud (49.5%) and cyber-enabled fraud (41.9%).
    22.6% of participants suffered at least one insider-enabled fraud.

    Fraud types:
        Procurement fraud (estimate £20bn)
        Insurance fraud (£2.1bn)
        Mortgage fraud (£1bn)
        Payroll fraud (estimate of £1bn)
        Telecommunications fraud (£972M)
        Plastic card fraud (£341M, see my earlier post for details)
        Transport fare evasion (£210M)
        Online banking fraud (£35M)
        Cheque fraud (£34M)
        Motor finance fraud (£15.3M)

Public sector: £20.3 billion
    This is a decrease from the previous year, primarily due to a reduction in fraud against the tax system.

    Tax: £14bn (£15bn in 2010)
        Tax fraud (£14bn), vehicle excise duty evasion (£40M).
    Central government: £2.5bn
        Procurement fraud (£1.4bn), grant fraud (£488M), television licence fee evasion (£202M), payroll fraud (£181M), patient charges fraud (£158M), student finance fraud (£31M), pension fraud (£11M), National Savings & Investments fraud (£0.46M).
    Local government: £2.2bn
        Housing tenancy fraud (£900M), procurement fraud (£890M), payroll fraud (£153M), council tax fraud (£131M), blue badge scheme abuse (£46M), grant fraud (£41M), pension fraud (£5.9M).
    Benefits & tax credits: £1.6bn
        Benefit fraud (£1.2bn), tax credits fraud (£380M).

Individuals: £6.1 billion
    1 million (2%) UK adults sent money in reply to unsolicited communications in the last 12 months, and 50% of those were defrauded as a result.
    9.4% (4.6 million adults) suffered identity fraud; 55.3% did not recover their losses, and the average loss is £481.
    2.1 million people fall victim to online ticketing fraud each year, with an average loss of £406 per victim.

    Fraud types:
        [Telephone banking fraud: £16.7M]*
        Mass marketing fraud: £3.5bn
        Electricity scam: £2.7M
        Identity fraud: £1.2bn
        Online ticket fraud: £864M
        Rental property fraud: £488M

    *Note: telephone banking fraud appears under “private sector” in the report, but since the method used essentially tricks individuals into disclosing personal details, I felt it was better placed here.

Not-for-profit sector: £1.1 billion
    This was estimated to cost registered charities 1.7% of their income.
    The most common fraud types are payment fraud, employee / volunteer fraud (27%) and cyber-enabled fraud.
    Just under 4% of respondents reported that they had detected fraud in the last financial year.

Table 1

The British Retail Consortium (BRC) Retail Crime Survey reported that fraud increased significantly in 2011 for Wholesale and Retail, with 78% of retailers recording a rise. Fraud accounted for 12.3% of retail crime volume and 28.2% of value, a notable increase on the previous year. Retailers identified fraud arising from their growing online and multichannel operations as the most significant emerging issue they faced. Overall, retailers estimated that 50.5% of fraud could be attributed to organised groups, while a further 42.7% was the result of opportunists. In addition, retailers only reported circa 50% of offences to the police, suggesting the true extent of fraud is likely to be higher.

It is also interesting (and scary) to note that mass marketing fraud represents more than half (£3.5 billion) of all fraud against individuals. I explore this further in a later post.

Just get a little closer...
So, to all of you information security professionals out there: if you need one way to show you can add value, get closer to your fraud colleagues and try to understand what their big ticket items are. Depending on your industry sector, you can even ask them the right questions, as the big ticket items are more than likely those detailed in Table 1.

Similarly, to all of you fraud professionals: please reach out to your infosec colleagues. Admittedly, they will not be able to solve/help with all your problems (e.g. tax or benefit fraud), but every time a fraud type could be reduced by better integrity or confidentiality, they will have lots of good ideas, and the payback is potentially massive compared to the investment that might be required.

Don’t you find it uncanny that the above analysis shows some very obvious parallels with the Verizon DBIR 2012 analysis?...

My next post will finish the analysis of the Annual Fraud Indicator by looking at the various fraud enablers to all the fraud types discussed in this post.

Until next time...


  1. Hi Neira,

    Some quite scary numbers there, clearly showing how fraud can affect the wider economy.

    If we worked on the basis of the UK economy being worth around 2.5 trillion for 2011 then the total fraud would be at 2.92% of GDP. (If I'm doing my maths correctly - *flame ensues..)

    Procurement fraud alone (circa 0.88% GDP) could be the difference between a recession or not, when estimated GDP growth was only 0.8% for 2011.
    So, to impact the UK economy directly those fraudulent funds would have to "leave the economy", which isn't going to be true in all cases. I'm sure some fraudsters spend their ill-gotten gains in the UK. The community has lots of examples from payment fraud and stolen card data that they certainly do end up outside of the UK quite often.

    Frustratingly, relatively manageable, straightforward information security controls could help our fraud management colleagues reduce procurement fraud. Controls such as decent access controls, logging of access (reviewed), random spot checks, coupled with sensible segregation in duties.
    As fraud detection tools get better, the bad guys are going to look increasingly at circumventing them technically, so that the processes appear to be normal.

    Better information security = better economic prosperity (?)..... Now there is a thought...

  2. Yes, you are right, the payment fraud rate is very high. Mainly everyone is affected by payment fraud. Thanks for this information.

    Fraud Detection

  3. Thanks for the feedback Johny :)