Fraud incidents in S'pore up, risk to get bigger

Number of fraud incidents reported in Singapore on the rise, reveals new survey, with more than half of respondents citing weak IT security as "very significant" cause of fraud.

SINGAPORE--The average number of fraud incidents in the country is on the rise, and with technology increasingly permeating the workplace, the fraud risk carried by IT is becoming bigger, cautions consulting firm KPMG Singapore.

According to its Fraud Survey report 2011 released Thursday, since 2008, more than one in five or about 23 percent of companies in Singapore had experienced some kind of fraud. This number stayed relatively stable over the three-year period, but the average number of incidents reported by victims more than doubled from 3.8 in 2008 to 9 in 2011, the report revealed.

Likewise, the total estimated cost of fraud incidents increased from S$5.3 million (US$4.3 million) to S$6.5 million (US$5.2 million) during the same period.

The survey was conducted in fourth-quarter 2010 and covered the period between third-quarter 2008 and third-quarter 2010. Most of the 110 businesses polled in Singapore were multinational corporations (MNCs).

According to the survey, 56 percent of respondents indicated that weakness in IT security carried "very significant" fraud risk. In comparison, 59 percent said employee or management unfamiliarity were red flags of fraud, while 50 percent cited weak management or board oversight.

These results pointed to weak preventative measures on the part of organizations and their staff as potential risks, rather than any particular ingenuity or sophistication from perpetrators, Bob Yap, head of forensic at KPMG Singapore, told ZDNet Asia.

He warned that IT fraud will become a bigger risk because technology is "intertwined in every facet of our existence" and businesses are increasingly conducted through IT. For instance, employee unfamiliarity with IT systems and controls can be a "particular weakness" for fraud, Yap said in an e-mail interview.

Many organizations have weak controls around administrator-level access to IT systems or poor coordination between HR (human resources) and IT, leaving "ghost" user accounts active long after employees have left the company, he added.

In companies with low-centralized IT environments, IT is often little more than networked PCs with a single networked server. Such environments are typically poorly protected against non-targeted attacks such as viruses, use of unauthorized software, or accidental or deliberate data loss, he noted.

At the same time, fraudsters' abuse of IT systems is also taking a "more sophisticated" form, as seen by the recent attack on RSA, which Yap said appears to have been specifically targeted at securing data to circumvent RSA SecurID authentication. "This sort of attack is an indicator of what is to come in the future."

IT against fraud: hazard or help?

Asked if IT is a bane or boost in the fight against fraud, Yap replied that technology can bring both advantages and risks.

IT can create new challenges such as the need to educate employees on using IT safely and responsibly, secure data and establish business continuity. But it can create opportunities for companies to help detect and respond to fraud as well, he said.

He suggested that companies utilize the wealth of data available to them--thanks to IT--to detect fraud. For example, data analytics can be used to mine organizational data across diverse databases in real-time, to automatically check for anomalies indicative of fraud and provide a "swift response" to defend against outside threats.

Aside from technology, Yap also emphasized people-focused efforts. Employees, he noted, must understand the role they play in fraud prevention if they are to be an effective component of their company's defenses.

The KPMG survey found that "inside jobs" dominated fraud incidents in companies. Some 47 percent of respondents said employees--referring to junior management or general staff--were the perpetrators of fraud. This 2011 number represented a slight drop from 51 percent in 2008.

However, the number of frauds perpetrated by senior or board management increased from 9 percent in 2008 to 17 percent this year.

Yap described this trend as a "great concern" because these individuals set the "ethical tone" of the organization and are also in the position to do the "greatest harm".

External parties, customers or vendors made up 36 percent of fraud perpetrators. The figure was 40 percent in 2008.

That internal sources remain the major fraud threat means organizations need only look within to determine where to start in their efforts to manage fraud risk, KPMG highlighted. This is further bolstered by the fact that employee fraud, at 37 percent, was the most common type of fraud incident, followed by consumer fraud at 27 percent, and computer fraud at 18 percent.