Frank W. Abagnale has a message for CIOs who think automation will save loads of money and protect their companies from fraud.
Abagnale, the muse for the movie Catch Me If You Can, is the notorious con man who kept the FBI at bay for decades while he embezzled millions of dollars out of unsuspecting individuals. His message: Automation — business processes run automatically without human intervention — could actually make fraud easier and cost more in the long run.
“What I did 40 years ago as a teenager is 2,000 times easier to do today,” Abagnale says now. “Every day, criminals are realizing that crime is getting easier than the day before because corporations are going digital.”What I did 40 years ago as a teenager is 2,000 times easier to do today.Frank W. Abagnale>Text Why trust a former fraudster, you might ask? Because he and other fraud experts can prevent you from being defrauded by criminals who attack corporate networks for information that they can harness to steal on a large scale. And indeed, Abagnale is among a growing army of consultants who are working with CIOs at some of the nation’s largest banks to fight what many believe will be a surge in check fraud, already at US$19 billion a year, as banks move from processing paper checks to transporting digital check images to other banks and customers.
The Check Clearing for the 21st Century Act (Check 21), a federal law that allows for the creation and processing of digital check images and substitute checks, is one of the more significant business process automation transformations in the private sector. It is expected to save the banking industry $2 billion to $3 billion a year in labour and transportation costs, which include flying 42 billion checks around the country every year.
Yet Check 21 also creates a higher risk of fraud and abuse. As banks make digital images of checks available to customers online, criminals can more easily gain access to the information they need to create counterfeit checks. All they have to do is obtain a customer’s user name and password.
Fraud is affecting not only the financial industry but other industries as well. Health care, transportation, utilities, retail, government, entertainment and others are all vulnerable. Indeed, any business that operates a network to process payroll, employee personnel information, contracting or financial reporting could be a victim of fraud. And if you don’t think it will happen to you, think again, warns Toby Bishop, president and CEO of the Association of Certified Fraud Examiners (ACFE). “This is only going to get worse,” Bishop warns. “Pretty soon we will have war rooms with technologists working 24/7 fighting fraud.”
The bad news is that completely eliminating fraud from business is impossible, experts say. The good news is that CIOs can minimize the potential for losses by developing antifraud strategies in the initial design phase of an automation project, and continuing to make it a high priority throughout daily operations.
But this requires a revolutionary shift in thinking and culture for many organizations. That’s because too many CIOs, including most of the executives we interviewed, don’t consider fraud prevention a high priority. They tend to be much more focused on the ROI of business automation and the improved service to customers rather than the vulnerabilities a new electronic process creates.
As IT automation becomes more critical to corporate revenue, an entirely new mind-set is necessary. Mark Tizzard, vice president of strategic integration for Wachovia Bank, admits as much.
“Sometimes you roll out programs and see what happens,” Tizzard says. “But this is different. People need to be prepared.”
Denial ain’t just a river in Egypt
For the vast majority of CIOs interviewed for this article, preventing fraud is simply not a top priority. Nor is it something many are willing to talk about. About a dozen CIOs we contacted in the retail, investment and manufacturing sectors refused to talk to us about how they are defending themselves against fraud — if at all.
Of those who did talk to us, many have the mistaken perception that automation will reduce fraud. One CIO for an insurance company told us that when company executives agreed to deploy a new electronic process to handle claims, the business argument behind the system was not only to lower costs but to reduce the incidents of fraud as well. The executives had not considered the possibility that the system could create opportunities for new, more virulent means of fraud. “I really haven’t given it a whole lot of thought,” he says.
Many CIOs are also hampered by misperceptions about who commits fraud. For instance, while executives think that fraud is typically committed by outside criminals, research shows that about 85 percent of all fraud is perpetrated by employees. These inside fraudsters will account for an estimated $660 billion in losses this year, up from $600 billion in 2002, according to the ACFE.
The typical employee who commits fraud has many years with the company, is an authorized user, is in a nontechnical position, has no record of being a problem employee, uses legitimate computer commands to commit the fraud and does so mostly during business hours. For all of these reasons, CIOs seem to be seriously underestimating the potential for fraud with automation.
According to a 2003 KPMG survey, 43 percent of IT executives believed fraud would decrease in the future. By comparison, only 7 percent believed fraud would increase. As a result, CIOs are underequipped to deal with the problem. Only one-third of companies have a comprehensive fraud program in place, according to a recent survey by PricewaterhouseCoopers.
Yet at the same time, more than 80 percent of companies reported that attacks on their networks have increased, and one in five said a hacker has infiltrated their company’s network, according to the Computer Security Institute. What’s troubling about these statistics is that corporations are now automating processes directly linked to generating revenue and profits.
In years past, CIOs focused on easier, less critical processes, such as electronic employee expense forms and giving employees the ability to sign up for vacation time online. Now, CIOs are automating the processes central to a business’s operations. This promises to bring a higher rate of ROI, but also a higher risk of fraud and abuse. It’s as if CIOs are playing a version of the arcade game whack-a-mole, only a more costly one. CIOs use automation like a hammer to smash fraud in one place, only to see it pop up unexpectedly in another place.
Automated systems, particularly when they are enterprisewide, are vulnerable for a number of reasons. First, they require significant changes in work processes and cultural shifts throughout the company. Employees are not used to the new processes, and therefore not attuned (nor trained) to see anomalies that indicate fraud.
In addition, these new processes tend to be highly complex, which makes weak links in the system more difficult to identify. This could explain why some Russian hackers were successful at hacking into personal accounts at major U.S. banks and online payment services in the latter half of the 1990s, when that online business was relatively new.
“CIOs tend to underestimate the potential for fraud when they change business processes,” ACFE’s Bishop says. “They tend to fight yesterday’s battles,” designing defenses for schemes that they know about.
Scamming digital checks
Take Check 21, for example. Banks invested in Check 21 for two reasons. First, it will save the industry an estimated $2 billion a year in paper check pr