Q&A: Managing identity fraud risks

March 2021  |  SPECIAL REPORT: MANAGING RISK

Financier Worldwide Magazine

FW discusses managing identity fraud risks with Nadine P. Tollefsen at Brown Rudnick LLP, Philip Allister at FTI Consulting, and Andrew Herring at Pinsent Masons LLP.

FW: How would you characterise the extent of identity fraud risks facing companies today? What general trends have you observed in recent months?

Tollefsen: Until the digital age, identity fraud occurred on a small scale involving, for example, the theft of cheques and the forging of a bank account holder’s signature. That type of identity theft targeted the individual consumer, and the risks, and losses, were relatively small. Although individual acts of identity theft still occur, identity fraud has evolved with technology and is now perpetrated on a much larger scale. Significantly, there has been a proliferation of cyber crime and a marked shift toward corporate targets. Cyber criminals perpetrate identity theft via data breaches, which can involve the loss or theft of personal identifying information of thousands of people. Not only does this pose a risk to the individuals in question, but also to the integrity of a company’s infrastructure and reputation, the efficacy of its security technology and its policies and procedures. There is an increasing trend for regulators to levy swingeing fines and for such breaches to form the basis for civil litigation claims.

Allister: Identity theft is undoubtedly on the rise. New working and business arrangements in response to coronavirus (COVID-19) have created new opportunities for identity thieves. As in-person meetings have been replaced by video calls, business transactions are being made without ever having met the other side. In a region like the Middle East, where business practices remain more traditional, fraudsters have exploited this by replicating historically trusted data points, such as a company website, or personal identification documents, to build trust in a transaction. But it is not just about cyber threats. More traditional identity fraud, impersonating reputable global companies to access funding from banks, also remains prevalent. An October 2020 ruling from the Singapore High Court highlighted a trade finance fraud in which the fraudsters impersonated BP and Total by creating similarly named entities to receive trade finance from the National Bank of Oman.

Herring: It is important to distinguish between identity theft, where an individual or organisation’s details are stolen, and identity fraud, which is the use of a stolen identity to fraudulently obtain money, goods or services by unlawful means. The extent of identity fraud risk very much depends on the sector. Consumer-facing businesses are thought to have more exposure than strictly B2B businesses, where trading relationships between company, customer and supplier are more likely to be closer on a personal level and where both sides of a business transaction ought to have counter-fraud policies and procedures in place to help prevent fraud. Fraud has increased generally during the pandemic. Identity fraud in the UK has reportedly been a major issue on government-backed financial support schemes such as bounce back loans (BBL) and coronavirus business interruption loans (CBIL).

FW: What forms of identity fraud are particularly prevalent? What methods are fraudsters using and what vulnerabilities are they looking to exploit?

Allister: In my experience, fraudsters are not just stealing identities, but also increasingly creating their own online content as a veil to hide their activities. For example, it is not unusual to see fraudsters deliberately target longstanding companies that do not have a website or online presence. The fraudsters create their own websites, email addresses and online profiles, such as LinkedIn profiles, for the identities they would ultimately use. In some instances, they completely fake identities – so that their appearance on video calls cannot be independently verified – or steal or doctor legitimate photos from unrelated individuals to build up the company’s online presence. This attempted fraud highlights the vulnerability for companies that do not have an online profile. It is ultimately easier for external actors to create their own content than seek to manipulate information which they do not control.

Herring: Identity fraud conducted over the internet is reportedly at epidemic levels in the UK and can take many forms. To give one example, authorised push payment (APP) fraud is very common with fraudsters appearing to target all sectors of the economy. This is where a fraudster deceives a victim into sending them money. It often affects businesses where a fraudster intercepts electronic communications to change a supplier bank account and the victim unwittingly pays the fraudster instead of the supplier, leaving the supplier out of pocket, but still with a claim for payment against the victim. As well as hacking, fraudsters often use subterfuge and personal ‘social engineering’ techniques to discover attractive criminal opportunities, such as when a victim is due to make a large payment to a supplier, often by targeting relatively vulnerable new-joiner or junior members of a finance team over a period of time. Businesses do not have the same protection for identity fraud as consumers from the banking system in the UK.

Tollefsen: COVID-19 is fertile ground for fraud and profiteering across all sectors. There is a rapidly changing landscape of frauds committed by those seeking to take advantage of the anxiety and uncertainty that the pandemic has created. For example, the financial services sector reported the emergence of COVID-19-related e-commerce frauds involving fake or non-existent hand sanitiser and personal protective equipment (PPE). Advances in digital technology have enabled more technically sophisticated forms of identity fraud to emerge. For example, a 2020 joint report published by Interpol and tech company Onfido noted the increasing use of 2D and even 3D face masks to thwart photo and video facial ID tools. It also highlighted the increase in ‘replay attacks’ in which criminals try to circumvent video ID verification by using stolen or fake videos. This latter tactic is likely to grow in popularity given the low cost of production. The commoditisation of data has highlighted the vulnerability of social media platforms, from which sensitive personally identifiable information (PII) is easily obtained and marketed for sale on the dark web. That data is subsequently used in frauds, which are increasingly difficult to trace to perpetrators.

FW: What legal and compliance issues do companies need to consider in relation to identity fraud? What kinds of penalties might be imposed on companies that have not taken proper precautions to protect confidential information, for example?

Tollefsen: The universal need for businesses to reduce costs in the wake of the pandemic has negatively impacted compliance budgets. Such cuts inevitably hinder the ability of companies to prevent and detect fraud and compliance breaches. Companies therefore need to ensure that they do not neglect or abandon compliance, taking special care to consider increased security needs considering the ongoing work from home arrangements. Crucially, financial services must be aware of their regulatory reporting obligations in the event of a suspected or confirmed data breach. It is necessary to consider compliance obligations arising under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA) in the UK. Regulators can levy substantial fines and have shown a willingness to do so. In the UK, the Information Commissioner’s Office (ICO) recently fined Marriott £18.4m, British Airways £20m and Ticketmaster £1.25m relating to data security breaches which could be used for identity fraud.

Herring: Identity fraud will usually be targeted at obtaining money, goods or services by unlawful means. It is possible that businesses will also be subject to a commercial attack to obtain commercially sensitive information that might be of value to others. This might be strategic commercial information or personal data. For instance, there is reportedly a thriving black market in personal data on the dark web and fraudsters will use identity fraud to obtain customers’ personal data which can then be sold on. The GDPR requires all organisations to report personal data breaches and comply with data protection laws to prevent personal data breaches under the ‘integrity and confidentiality’ principles. For example, in the UK, Marriott International was fined over £18m in October 2020 following a cyber attack for various issues relating to failing to keep millions of customers’ personal data secure.

Allister: Where a company is the subject of an identity fraud, it should immediately investigate the potential breaches of relevant data protection, anti-money laundering (AML) and cyber crime legislation to assess its exposure. Whether governed by the GDPR, or similar like-minded legislation, a company deemed to have failed to take appropriate measures to protect confidential information could be the subject of regulatory enforcement or fines. That also extends to jurisdictions not governed by GDPR but where the data breach concerns EU citizens. Understanding the extent and scope of the breach is paramount.

FW: What steps should companies take to assess the adequacy of their security controls and monitoring processes in terms of reducing identity fraud risk?

Herring: Charity starts at home and mitigating identity fraud risk is no different. The scale of fraud today means companies have to take matters into their own hands to protect themselves. Following digital security best practices is essential, and an IT security audit is usually the first step. The technology steps ought to be allied with a comprehensive employee compliance programme to inform employees about the risks and create a secure work environment. For instance, to help protect confidential information, companies ought to have well planned user data access, so strategic commercial information can only be accessed on a ‘need to know’ basis. These steps will also help a company comply with its legal obligations, particularly in the UK in connection with the failure to prevent offences under the Bribery Act and Criminal Finances Act.

Allister: For internally held information, there is a simple two-step approach all companies should regularly undertake. The first step is to undertake a rigorous check to identify what the company’s key assets, which need to be kept safe, are. Secondly, the company should examine the controls already in place to understand how effective they are at keeping these assets protected. When taken in combination, these two steps provide a strong level of comfort that data is not being extracted from its systems. However strong a company’s processes are, ongoing monitoring is essential as system vulnerabilities can change. In one recent example, a company was attacked by fraudsters who ultimately falsified invoices to extract money from an unsuspecting customer. It was only after the successful attack that the company revisited its systems to find its defences had previously overcome multiple attempts to access the same part of the server. A more effective monitoring process, which recognised where fraudsters were attempting to access the system, could therefore have stopped the ultimate success of the attack.

Tollefsen: Companies must first understand how such a fraud might arise from a security breach and the potential consequences of any fraud. Once there is an understanding of the ways in which such a fraud might arise and the potential consequences, companies can reverse-engineer policies, procedures and controls that mitigate the risk. The sole focus should not, however, be fraud prevention but also fraud detection. Even where monitoring processes are as efficient as possible, this will not have a 100 percent success rate. Companies should therefore also aim to implement procedures, analytical in nature, that can flag anomalies and set up reporting lines and mechanisms that are quick and efficient. There are important learnings in this regard from the decisions of the ICO in Marriott, British Airways and Ticketmaster, particularly that monitoring needs to be continuous and proper due diligence needs to be carried out with third-party systems. It is not enough to rely on the skill and expertise of an outsourced third party in charge of the operation and maintenance of the system. The current advice of government agencies, such as the UK’s National Cyber Security Centre (NCSC), should be followed carefully.

FW: How can technology assist companies in the fight against identity fraud? What kinds of innovations and solutions are available?

Allister: Technology, when used effectively, is an invaluable component of a compliance toolkit. After designing a controls process to protect the most valuable assets, there are many ways to proactively assess the strength of defences. The use of penetration testing, for example, mirrors real-life external attacks to identify vulnerabilities in systems so that a company can react before these weaknesses are exploited. In the case of external threats, such as a fraudster creating a fake website, technology can be used to regularly monitor the internet for website domains that are similar – either in name or content – to the company’s. The increased use of the dark web – where personal, corporate or financial information is regularly sold by fraudsters – also increases a company’s exposure. However, tools are also now available to regularly monitor the dark web for mentions of a company’s domain, meaning it can react in real-time to these threats.

Tollefsen: Technology is, it almost goes without saying, critical in the fight against identity fraud, and not only because many of the fraud cases we are seeing these days result from cyber attacks. There are technologies which are increasingly available that can assist in the design of system architecture. So, for instance, where a system has multiple layers of security and uses a variety of security techniques, solutions can be set up that can monitor this system and identify patterns and anomalies. These patterns and anomalies can be flagged by algorithms prepared by a first line human review followed by a manual review to ensure all bases are covered.

Herring: With the majority of fraud occurring online, technology solutions to combat and prevent fraud risk are the obvious place to start. Technology is also a double-edged sword for fraud investigations – technology is often used to commit the fraud, but it also leaves behind the evidence to investigate the fraud. Identity theft risk can also be minimised through various means including encryption, multifactor authentication and cryptology. Indeed, there is a prevailing view that blockchain technology might offer the best current protection by creating a system of recording information that is very difficult to hack. In the coming years, we may see governments and businesses increasingly use blockchain technology to secure data and their interactions with third parties. However, companies should never forget the human element and the power of human error. Fraudsters often target employees as the weak link in a security system, as it is thought easier to con someone into providing unauthorised information than to hack that information.

FW: What essential advice would you offer to companies looking to implement new procedures or strengthen existing ones to monitor, detect and mitigate identity fraud?

Herring: Fraudsters are looking for easy targets. Companies looking to protect themselves should implement the best practices for their sector, and that will often put off most external fraudsters. That will involve a combination of technology upgrades and employee compliance programmes. For example, the UK government launched an industry-backed scheme called ‘Cyber Essentials’ to help organisations take basic steps to protect themselves against common online threats. This would be a good starting point for companies starting from scratch. For more sophisticated companies facing more complex cyber and identity fraud risks and with existing protective policies and procedures, they should conduct regular audits of their existing processes. Senior management should also consider staging interactive crisis simulations to improve their preparedness for a worst-case scenario.

Tollefsen: The security of business systems which handle data undoubtedly needs to be treated very seriously. The appointment of a qualified chief information security officer (CISO) with board-level access is critical for businesses handling a lot of personal data. Thorough, regular due diligence needs to be carried out on a continuous basis, system updates cannot be left to a more convenient time, state of the art guidance needs to be followed and a company needs to have a plan in place if a breach arises, protecting the company and mitigating the loss to the individuals concerned. Such mitigation has been an important factor in reducing fines for offending companies. Training employees is vital; the robustness of procedures against identity fraud is significantly reduced where employees do not have the requisite understanding of what the procedures are for. Most data breaches are the result of human error. Companies should endeavour to update themselves. Fraudsters are continuously changing their methods and the way that they commit identity fraud. Companies should be vigilant and to some extent flexible in amending their procedures to improve prevention and detection.

Allister: While companies may think that enhanced technology alone is the answer, in fact, technology is only as strong as the people who use it. Technology needs to be complemented by training and education. Especially since the COVID-19 pandemic, cyber security has become the buzzword for companies to address the threat of external actors. But, to effectively mitigate identity fraud, it needs to be addressed as an individual mindset rather than a standalone department. Fraud may have evolved, but fraudsters still look for the most accessible vulnerability in a company. As techniques like social engineering become more sophisticated, often the biggest threat remains the individual employee. Therefore, educating key stakeholders should remain a priority. This not only includes employees, but also customers and suppliers. By having an engaged and informed supply chain, you also help protect them from the threat of third-party actors.

FW: In an era of increasing digitalisation, how would you describe the task of protecting against identity fraud in the years ahead? How important is it for companies to proactively address this issue, and to keep it in focus as threats evolve?

Tollefsen: As the conduct of business becomes almost entirely digital, data security will become a basic prerequisite for successful trade. Companies that fall behind their competitors on this front should expect to contend with adverse publicity, issues in compliance with regulatory obligations, potentially severe financial penalties and, ultimately, the loss of consumer confidence. Data security is therefore closely linked to a company’s reputation, performance and profitability. It is a board-level issue. The last decade has demonstrated that as technology advances, the methodology of fraud changes, and it is therefore imperative that companies commit to keeping pace with the threats and counteract the risks by investing in, and maintaining, adaptive compliance capabilities.

Allister: Proactivity is undoubtedly the key to mitigate rising identity fraud. While fraudsters are becoming more sophisticated, some of the recent cases I have seen have involved the theft of information to create a new identity which they control. Therefore, a multipronged approach to stay protected is needed. This includes a regular assessment of what data and assets need to be protected, proactive testing of company defences, an ongoing robust monitoring system that identifies and adapts to changing threats, scanning the deep web for attempts to create websites or other content in the company’s name, regular sweeps of the dark web for the sale of company data, and an ongoing education programme for employees, customers and suppliers. While identity fraud may never be completely eradicated, a proactive approach keeps the company, and not the fraudsters, in control.

Herring: The threat of identity fraud is unfortunately only likely to increase, meaning companies need to be ever vigilant. Because it is a crime committed largely online, identity fraud is also borderless and international. This makes the risk all the more dangerous to victims. Businesses will need to increase their future investment in protecting against identity fraud to stay ahead of the game. One reaction of the private market to this risk is the increasing availability of cyber and fraud insurance to protect businesses against the risks of internal, external and cyber fraud, and to cover losses caused by these frauds. This insurance cover will commonly make a certain level of IT security requirements a condition of coverage. Many insurers include technical assistance with managing a cyber breach as part of the insurance policy. It is still surprising how few companies have comprehensive insurance protection for identity fraud, but I would expect this to change significantly in future years.

Nadine Tollefsen is an associate in Brown Rudnick LLP’s litigation & arbitration practice group. Prior to joining Brown Rudnick, Ms Tollefsen was a trainee solicitor with the firm where she worked on a wide variety of matters supporting the bankruptcy & corporate restructuring, litigation and arbitration, white-collar defence and government investigations, and corporate practice groups. She has also worked as a legal intern for a prominent Norwegian law firm. She can be contacted on +44 (0)20 7851 6169 or by email: ntollefsen@brownrudnick.com.

Philip Allister is a senior director at FTI Consulting based in Dubai. He leads FTI Consulting’s business intelligence and investigations team in the Middle East. He has over 10 years’ experience of helping clients identify hard to find information across the MENA region and offshore jurisdictions. He has also spent his career focusing on managing complex business intelligence and asset tracing investigations across the globe, helping clients find information upon which they can rely. He can be contacted on +971 4 437 2124 or by email: philip.allister@fticonsulting.com.

Andrew Herring is a partner in the Band 1 UK Legal500 ranked civil fraud team at Pinsent Masons who specialises in commercial litigation. He has acted in a wide variety of claims up to and including the Supreme Court, including both advancing and defending urgent interim court applications including worldwide freezing injunctions. He is an accredited mediator, current vice-chair of the Midlands Fraud Forum and a member of the Commercial Fraud Lawyers Association. He can be contacted on +44 (0)121 335 2985 or by email: andrew.herring@pinsentmasons.com.

© Financier Worldwide