PAUL LIMA
From Thursday's Globe and Mail. Published on Thursday, Apr. 14, 2005 2:22AM EDT. Last updated on Tuesday, Apr. 07, 2009 8:36PM EDT.
In the world of white-collar crime, companies and government agencies in the United States alone are bilked of an estimated $660-billion (U.S.) annually, according to the Association of Certified Fraud Examiners (ACFE).
It arrived at that staggering figure based on its 2004 report that determined a typical organization loses 6 per cent of its annual revenue to fraud and illegal activity. And all too often, the Internet and computer networks are the tools used to perpetrate electronic scams or bring companies to a standstill through electronic sabotage.
In a classic example of high-tech fraud, a company with 60,000 credit card accounts in its sales database began receiving calls from customers who needed to change their credit card data. Within a few months, 25 per cent of the company's customers changed credit card information because of unauthorized purchases on their bills. Nothing obvious indicated that the company's database had been hacked, but an investigation by security experts found an unauthorized application known as a "sniffer" hidden on the company's network. The sniffer sent network access passwords and data to an on-line chat room where, experts presumed, a hacker captured it all.
It couldn't be determined for certain whether the hacker was someone on the outside or the inside, or whether they gained access to actual credit card data. However, the company revamped network security to prevent anyone from depositing such a payload on the network again. And since prevention is not always guaranteed, it set up security to detect suspicious activity on the network, says Jeffrey Posluns, CEO of Montreal-based SecuritySage Inc., the IT security firm that discovered the sniffer (he declined to identify the client to protect its privacy).
Theft is an ever-present threat for businesses, but people lurking inside or outside organizations sometimes want to harm rather than defraud companies. In one such case, managers were unable to boot up their network servers the first morning of a strike. Kroll Lindquist Avey, a Toronto-based independent forensic accounting firm, investigated and discovered that a malicious program had shut down the network. Kroll produced conclusive evidence that a system administrator had planted it.
Forensic accountants have unearthed complex and cunning frauds and illegal activity of virtually every nature -- insider trading scams, theft of intellectual property, misuse of computer systems, Internet fraud, kickback and procurement schemes, and many other nefarious undertakings, says Bob Macdonald, head of Kroll.
While many companies have basic policies and procedures in place regarding electronic fraud and sabotage, most also depend on trust internally. When trust is misplaced and policies breached, firms are left scrambling to close barn doors after the horses are gone, experts warn.
Mr. Macdonald says three factors are at the root of most computer-related fraud and sabotage: greed and need; opportunity; and low expectation of being caught. Rapidly growing companies are particularly susceptible, as everyone is focused on growth, he adds.
Greed is difficult to combat, but the other factors can be dealt with. Companies can set up systems that can keep out all but the most sophisticated hackers and detect any attempts at intrusion, Mr. Posluns says. Doing so requires constant diligence and updates to ensure the gates are barred and remain so.
But what about keeping tabs on employees who have authorized access? To minimize fraud by those on the inside, Mr. Macdonald recommends that companies install and maintain internal controls. These can include things that go beyond basic anti-intrusion security. For example, a technology known as business assurance analytics keeps tabs on a company's business transactions, looking for honest errors as well as fishy financial activity.
Other internal controls aren't necessarily high-tech. In fact, one of the simplest electronic-fraud prevention methods -- publicizing company policies and doing random audits that apply to everyone in the organization -- can be an extremely effective deterrent, some security experts say.
A solution any business can adopt is to have a written code of ethics, Mr. Macdonald says, that everyone must sign. In addition, fraud hotlines should be set up in larger companies, government departments and agencies to receive tips about unethical activity.
It sounds simple, but do Mr. Macdonald's suggestions work?
Yes, according to the ACFE. Its research shows organizations with simple fraud hotlines cut electronic-fraud losses by about half, with 60 per cent of the tips coming from employees.