Is It Time To Rethink the Fraud Triangle?

The COVID-19 pandemic has, undoubtedly, changed a lot of things around the world, and our worlds, in just two years’ time. With those changes in environment, many of the things we’ve grown accustomed to have needed to be tweaked. So, in the fraud examining world, is it time to change the tried-and-true Fraud Triangle?

Not exactly, says Mary Breslin, CFE, CIA, and founder of Verracy Training and Consultancy. In her virtual session at the 33rd Annual ACFE Global Fraud Conference “Rethinking the Fraud Triangle for the ‘Business’ of Fraud,” Breslin says we need to rethink the Fraud Triangle — which helps explain the circumstances that lead people to commit fraud — because it is revolutionizing. She says fraud investigators need to think more in terms of a long game and potential future impacts, and they need to reevaluate the different parts of the Fraud Triangle.

Let’s first backtrack to what the Fraud Triangle is. It consists of three parts: opportunity, pressure and rationalization.

  • Opportunity exists due to lack of controls and oversight.

  • Pressure includes financial pressure, unrealistic goals and targets and possible incentives for committing the fraud.

  • Rationalization includes thoughts from a fraudster like “I’m owed,” “I’ll pay it back later,” “it’s insignificant to the company,” etc.

Because occupational fraud remains alive and well, even in our post-COVID outbreak world, the Fraud Triangle will always be relevant. Breslin says organizations are facing more complex fraud threats. Since organizations and corporations have had to change with the pandemic, so has human behavior. Because of this, Breslin says we need a new perspective, and we need to discuss fraud risk before it happens.

According to Breslin, fraudsters love change because it provides them with opportunity. When the world is faced with confusion and chaos — like during the throes of the pandemic — fraudsters are provided with opportunity to commit fraud. Breslin says fraud has seen a wave of “pandemic creativity” with new and everchanging fraud threats that use the following:

  • Online shopping scams

  • Government imposters

  • Tech support

  • Online education

  • College loan relief

  • Debt relief

  • Romance scams

  • Prizes and sweepstakes

  • Loans

  • Puppy scams, where fraudsters target hopeful pet owners

  • Phishing

Phishing is not a new concept, but Breslin says it has ramped up significantly since the start of the pandemic. Last year, it was the most common type of cybercrime, and the numbers are staggering. 2021 saw 323,972 reported cases of phishing, compared to less than a third of that two years before, in 2019 (114,702). There were 13 times more complaints of phishing in 2020 compared to 2017. Fraudsters are getting more savvy with phishing, using several different techniques including deceptive phishing, vishing and smshing.

Meanwhile, social engineering in the fraud game remains very rampant. Hackers and fraudsters know it’s much easier to hack people and their behavior as opposed to complex systems. Social engineers prey on emotions by gathering information, establishing a rapport, asking for small pieces of information and then executing the fraud. Breslin says all of this is possible because people are naturally trusting.

She shared an example from a previous instructional session. Breslin said she started a conversation, asking people where they lived and then moved on to the subject of people’s pets. It wasn’t surprising that people were eager to share these details during a friendly conversation. At the end of the conversation, Breslin shared that, with this information, she could find their pets’ veterinarian, check about upcoming appointments and then masquerade as a veterinary office to retrieve credit card numbers from pet owners. It was an unsettling, and frustrating, scenario for those in the session — people Breslin says are “trained to professionally be skeptical.”

Breslin says we need to rethink our preconceived notions of fraud – that fraud occurred because someone or some organization didn’t take action – because that’s just not true anymore. She says it’s not all about opportunity for fraudsters anymore. For some, fraud has become a business and occupation as fraud rings grow more prevalent. You’ve heard of SaaS (software as a service). Well, Breslin says FaaS (fraud as a service) and SeaaS (social engineering as a service) are becoming more common.

So, how can you prevent these everchanging fraud tactics from hitting your organization? Breslin couldn’t stress this enough: training. She says all of an organization’s employees need to part of the fraud risk conversation so it’s not all left to just internal auditors.

At the end of the session, one attendee asked how organizations can be re-educated. Breslin recommended two things:

  1. Define where fraud risk is in the organization and provide examples.

  2. Teach skepticism by having employees constantly questioning success.