Organisations have typically been aware of the fraud risks that come from the outside, such as fraudulent applications, documents or identity crime. The same cannot always be said for the risks faced from within. And yet, fundamentally, the risks are the same.
Organisations will check numerous sources of information, e.g., credit checks, voters’ roll and fraud prevention services such as the CIFAS National Fraud Database, when dealing with a customer application to verify information before any decision is made. The checks for potential employees should, therefore, be no different. Organisations need to guard against not only the risk of employing someone who could cause serious financial or reputational damage, but also against those people committing the same acts at another, unsuspecting organisation after they have moved on.
While many employers check criminal records and references, it is widely acknowledged that fraud is rarely reported to law enforcement, nor mentioned in references, which means employees who have committed fraud don’t show up on searches and are free to commit fraud again and again. It was in response to these factors that the CIFAS Internal Fraud Database was founded.
The Internal Fraud Database allows organisations to share data on several types of confirmed fraud (those that meet a legal standard of proof), committed inside an organisation. It was described by the National Fraud Authority in its National Fraud Strategy as a success in the area of “sharing data within a framework that safeguards people’s privacy” that “is critical to identifying and preventing fraud” and was cited as an example of best practice by the Financial Conduct Authority.
Fundamentally, the frauds committed by insiders (in other words, the people an organisation most needs to trust: its staff) are not very different to those committed by outsiders. The same standard of checks therefore need to be applied.
In 2013, the most prevalent fraud recorded on the Internal Fraud Database was employment application fraud, which is no different, for example, to a potential customer making fraudulent declarations on an application form for credit.
While a customer could lie about employment status, income or commitments, a prospective employee could submit an application with fraudulent declarations about employment history, income or qualifications, or attempts to conceal information such as adverse credit where disclosure is required for the position. In 2013, some applicants also gave a false visa status, or said that they had left a position to move onto a new challenge when, in fact, they had been dismissed.
If you are not prepared to take on fraudulent customers, why should your approach be any different when it comes to employees? By performing checks on aspects such as qualifications, full references and criminal records—and making use of data sharing services such as the Internal Fraud Database—organisations can gain a fuller picture of who they might offer employment to and whether or not the applicants are truly who they say they are.
Fraud as theft
Other common frauds in 2013 included dishonest actions to obtain a benefit, through either theft or deception. Examples of this included the submitting of false expenses. There is no real difference between this and fraud affecting consumers, such as a customer having funds fraudulently taken from their account.
Both are fraud as theft. Both have a financial impact that goes beyond the initial amount taken and both affect the confidence and morale of the customer and staff. The net result is that consumers take their business elsewhere, productivity is jeopardised and the organisation suffers.
Theft not just of money
The unlawful obtaining or disclosure of data is also a very serious threat that has direct parallels with the external risks and dangers organisations already tackle.
Mention “organised criminals” or “malicious hackers” to most organisations and they easily perceive the threat. Most organisations have long been putting in place counter fraud measures to stop a remote attack from an external source. It is rare, however, for the same organisations to have in place policies and procedures to stop staff (who are often targeted by the same criminal gangs) from, for example, downloading a portion of a customer database to a USB or sending valuable data to their home e-mail address.
Numerically, data thefts might seem few and far between, but one instance of it can encompass thousands of customer records. The CIFAS National Fraud Database, which includes these “consumer fraud figures”, classifies over 60% of frauds as an identity crime, i.e., a crime reliant on the misuse of personal or account data, highlighting the scale of the problem.
The real cost
The real cost of internal fraud goes far beyond the value of what is stolen. There is the cost of investigation, possible fines by regulatory bodies, compensation to customers, etc. In addition, there is the unquantifiable damage to reputation and internal morale and productivity.
Organisations therefore have every reason to treat fraud inside their organisation as seriously as a fraud attack from an external source.
A recent piece of research commissioned by CIFAS and carried out by the University of Portsmouth looked into the true cost of insider fraud to help organisations understand just how damaging insider fraud can be. No matter how small an initial loss may be in an average internal fraud, the true cost to the organisation is always going to be much higher: up to four times the cost. This is quite a sobering realisation and strongly counters the common attitude that “fraud doesn’t happen here and if it did, it wouldn’t cost us much”.
Prevention: always the first and best step
Tackling fraud from the outside means tackling fraud from the inside too. An organisation cannot successfully promote safe practice to its customers if its own house is not in order.
While it is impossible to entirely eliminate the risk, the best thing to do is try to prevent it before it starts causing damage and eating away at an organisation’s bottom line.
Adding a system such as the Internal Fraud Database to an employee vetting process allows organisations to check applicants against recorded fraud cases in real time. It also allows organisations to record confirmed frauds, which can then be shared with other organisations.
By ensuring that all subscribing organisations adhere to data protection laws, CIFAS insists its users are explicitly open to both existing and potential employees about the use of the database. Not only does this add to the deterrent effect, but it helps to underline a culture of cooperation and transparency. Organisations must cultivate this in order to instil a zero-tolerance attitude to fraud, while reassuring the honest majority of staff that every effort is being taken to protect them from having to work alongside fraudulent members of staff.
If organisations want to protect themselves fully against the risk of fraud, it is clear that they need to be looking internally as well as at the external threat. By sharing information, best practice and current trends, organisations can minimise the risk to themselves and can also help each other do the same. If steps are not taken to tackle cases of internal fraud to the same level as external fraud, then a door is effectively left open, and fraud will always find a way in.
CIFAS has worked with the Chartered Institute of Personnel and Development to produce a guide to employee vetting.
The Anti-Fraud Network is a network of professionals who specialise in the prevention and investigation of fraud and white collar crime, and the pursuit of claims arising out of the theft or other dishonest appropriation of assets, corruption, misuse of confidential information or similar breaches of duty. Recovering the proceeds of fraud and corruption is one of the truly global problems facing organisations today. Proceeds rarely stay in the country where they have been stolen. For organisations to recover stolen or corrupt assets they need access to lawyers and professionals specialising in their recovery across the world.
The Anti-Fraud Network is dedicated to providing access to trusted points of contact across the globe and offering a unified first-class international service to clients, at a time when experience, speed, co-operation and highly responsive service are most important.
The Anti-Fraud Network has been Highly Commended by the Financial Times in the 2008 FT Innovative Lawyers Awards Report