Turning the tide against fraud

Fraudsters are evolving, and so must our defences. In today's changing business environment, it's essential for Canadian organizations across all sectors, large and small, to enhance their fraud prevention strategies, particularly as technology like generative artificial intelligence (generative AI), and other key factors outlined below transform the fraud risk landscape.

To stay ahead, organizations must understand their risk exposures, both internal and external, and equip themselves with the right tools, skills, and partnerships to navigate the evolving risk landscape.

Read ahead for a view into pressing fraud risks and actions organizations can take to better secure their business.

No industry or organization is immune to internal and external fraud risks. Canada's vast community of small to medium-sized businesses (SMBs) are often more susceptible to fraud due to a lack of awareness and robust controls, making them ill-prepared to fend off attacks. And while larger Canadian organizations may have more fraud prevention resources and controls, their size often makes it challenging to adopt organization-wide strategies and controls to effectively deal with the volume of fraudulent threats.

In recent years, the rise of generative AI, cryptoassets, digital wallets, and regional payment modernization efforts have opened a number of attack vectors for domestic and international fraudsters. While regulations and best practices around fraud prevention are catching up, they are not evolving fast enough, leaving organizations highly vulnerable to attacks.

Fraud, by definition, is the act of deceiving for financial or personal gain. It can be carried out externally by threat actors across the globe or internally via your own employees seeking to take advantage of their access. Moreover, in today’s age of digital currencies, virtual communications and generative AI, the act of fraud itself can take increasingly deceptive forms.

Consider crypto fraud, for example, where digital con artists are wooing unsuspecting victims into bogus investments (e.g., Romance Scams, rug pulls, pig butchering, etc.). In 2023 alone, US$24.2 billion of funds were received by illicit cryptocurrency actors*. These attacks leave victims with little or no recourse to recover their losses.

The days of cheque fraud may be fading as fewer consumers use cheques. Nevertheless, online payment frauds (e.g., account takeovers, data theft, chargeback fraud, etc.), social engineering attacks (e.g., phishing, whaling, elder fraud, honey traps), “man-in-the-middle” attacks (e.g., stealing personal and financial data), and other more sophisticated scams are filling the void.

Environmental, Social and Governance (ESG) fraud is another key area of concern. It occurs when an organization misrepresents its ESG activities and outcomes to satisfy various stakeholders, including investors, customers, partners and regulators (this is sometimes labelled as "greenwashing"). An example of ESG fraud is misrepresenting greenhouse gas emissions. These types of misrepresentations can lead to severe reputational and financial damage. Other types of fraud fall under the ESG umbrella, such as bribery and corruption, money laundering, and other unethical activities.

The mounting pressure on businesses to meet stakeholder expectations and regulatory requirements can inadvertently lead to ESG fraud if not properly managed. Naturally, this can have a damaging effect, eroding trust among customers, industry partners, regulators, and the broader public.

With the advent of new regulations like Canada's Fighting Against Forced and Child Labour in Supply Chains Act, it's essential for organizations to accurately gauge risks in their operations, such as sourcing from conflict areas and implement rigorous anti-fraud program and internal controls. These measures ensure reliable ESG disclosures and reporting and can help to mitigate other types of ESG fraud.

We cannot discuss the fraud landscape without addressing AI and its dualistic role in this space. On one side, AI – and now generative AI, is equipping fraudsters with profound new abilities to circumvent traditional security controls and trick their way into an organization's inner workings. Headlines about fraudsters using deepfake audio or video to "trick" organizations into transferring money or enabling access to vital data and systems are becoming more frequent. At the same time, AI is being used to take age-old scams (e.g., phishing, identity theft, etc.) to new levels.

On the other hand, AI is fast becoming a staple of fraud prevention. Many large institutions have already been using AI to automate their threat detection, provide real-time alerts, and reduce the time and resources spent on manual monitoring. In fact, 67% of Canadian SMB leaders whose organizations have experienced fraud indicate they're using AI and/or Machine Learning in their anti-fraud defences, demonstrating the growing reliance on these technologies. Partnering with trusted vendors and emerging technology specialists is key to helping to ensure AI models are well-tuned, trustworthy, and aligned with the organization’s security objectives.

Accurately verifying and managing digital identities is key to combating many forms of modern fraud. And yet, this is easier said than done because many SMBs lack the resources, specialized skills, and customer identity and access management (CIAM) tools to keep fraudsters at bay, increasing risk for identity theft and account takeover attacks. Larger organizations with these resources might be better equipped but challenged to scale their identity-proofing processes and technologies effectively. 

Establishing effective CIAM and identity proofing can be daunting, especially as fraudulent actors can come from inside or outside an organization's walls. Fortunately, organizations have access to supports, technologies, and specialists throughout their community who can help in establishing bespoke CIAM solutions, assessing and enhancing data security management, and embedding extra layers of security (e.g., multi-factor authentication or MFA) to fill their security gaps.

The Canadian fraud scene may be shifting but organizations can take definitive measures to navigate it effectively. At the core of these efforts should be the continuous education of employees, customers, and other stakeholders, with the aim of creating (and sustaining) a culture of security.

Beyond this, there are a few other significant steps to consider when developing strong anti-fraud programs, including:

Assessing your fraud risk exposure: 
The first step towards fraud prevention is understanding where you are vulnerable. Conducting a threat assessment will reveal your internal and external risks, define your risk tolerance, identify what’s currently being done to prevent them, and help pinpoint what can be done to fill your fraud prevention gaps.

Optimizing your controls:
Fraudsters will exploit the tiniest cracks in an organization's defence system. For this reason, it is vital that you understand which fraud controls are in place, how well they are performing, and where gaps exist. This begins with an in-depth risk exposure assessment and testing the effectiveness of controls that are in place to manage the risks. It is also important to continue testing and evaluating your controls to make sure they're holding up against the latest threats.

Advocating for the sharing of information:
In fraud prevention, no one wins by keeping their experiences, insights, and practices in a silo. Purposeful information sharing between functions, offices, industry peers, law enforcement, and the business community at large helps everyone understand new and upcoming threats, as well as hone in on the most effective controls, rules, and best practices.

Exploring tech alliances:
Fraudsters may have their toys but organizations should too. Many sophisticated technologies and technology partners can help organizations stay one step ahead of potential threats and respond promptly. For example, through our recently formed strategic agreement with Chainalysis, we are combining our shared experienced and knowledge to provide clients with enhanced blockchain monitoring, support, governance and risk management to both strive to ensure alignment with cyrptoassets regulations and elevate their Anti-Money Laundering Compliance programs.

Knowing your customer (but also your employee):
You may be surprised by how much fraud is committed internally, be it through employees who unknowingly let the enemy through the gate via social engineering or phishing frauds, or those who consciously decide to do damage from within. These incidents can be curbed by insider risk monitoring and identity verification and management controls, as well as through partnerships or alliances with trusted third parties who can help implement internal identity-proofing strategies and technologies.

Taking a cross-disciplinary approach:
Combatting fraud is no longer the domain of one discipline or skill set alone. Today, an effective fraud defence is one in which all organizational departments are coming together to design, implement, and sustain complete anti-fraud programs, be they related to legal, ESG, cybersecurity, anti-bribery, and anti-money laundering, among others. A holistic approach also means that organizations are aligning with external stakeholders to attack fraudsters on a united front.

This article was produced with the valuable input of:

Marylin Abate, Partner, Forensic & Financial Crimes risk services
Kunal Bhasin, Partner & Co-Lead, Cryptoassets & Blockchain CoE
Enzo Carlucci, National Service Line Leader, Forensic
Conor Chell, Partner, ESG Legal services, KPMG Law

Amrit Dev, Senior Manager, Forensic risk services
Nisal Samarakkody, Partner, Cybersecurity services
Becky Seidler, Partner, Forensic & Dispute Advisory Services
Serena Tejani, Partner, Customer Identity Access Management services