Crash Course: Preventing Fraud in the World of Cybersecurity
During the first round of breakout sessions at the 35th Annual ACFE Global Fraud Conference, cybersecurity management consultant Gideon Rasmussen delivered a crash course on fraud concepts, 15 kinds of fraud schemes and best fraud response practices to demonstrate how cybersecurity insights contribute to fraud prevention.
The Fraud Threat Landscape
We often think of fraudsters as operating outside a company, but Rasmussen reminds us that they’re often an internal threat. When organizations better understand a fraudster’s mindset and the pressures that motivate them, they can be better prepared to prevent and respond to fraud threats.
He also explained that fraudsters are known for pushing, testing and smiling: they constantly push the boundaries for what they can access and get away with, test an organization’s response and are quick to reassure them that there’s nothing wrong.
Another critical component to understanding the current fraud threat landscape is determining a company’s residual risk. When Rasmussen conducts cybersecurity investigations, he interviews a company’s chief financial officer (CFO) and chief information security officer (CISO). A trend he has discovered in his interviews is an overall lack of effective oversight. Many companies do not test their fraud prevention controls during their annual financial audit. They’ve also often failed to implement a function that acts as a second line of defense for fraud prevention. When asked what he believed was the most common control gap in organizations, he answered that many don’t have a fraud response plan. “It’s like running out to play football without having practiced,” says Rasmussen.
Common Fraud Schemes
Rasmussen then went through 15 major fraud schemes. These included schemes such as creating accounts to make payments and using shell companies. He also talked about ghost employee schemes, where an illegitimate employee is added to a payroll, and retrospective purchase order schemes, where an order is created after an invoice instead of before.
Some suspicious behavior companies can look out for includes vendors’ invoices that have been processed unusually quickly, employees not taking vacation, users accessing more accounts than usual (a good indicator that they’re stealing personal data), duplicate payments and management overriding controls.
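Three of the red flags listed above (invoices paid unusually quickly, duplicate payments and users touching far more accounts than usual) are easy to check for in accounts-payable and application access data. The script below is an added illustration written for this recap, not material from Rasmussen’s session; the invoice records, access log entries, vendor names and thresholds (10% of the median processing time, 3× a user’s median daily account count) are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample invoices: (invoice_id, vendor, amount, received, paid).
INVOICES = [
    ("INV-1001", "Acme Supplies", 4200.00, "2024-05-01T09:00", "2024-05-09T15:00"),
    ("INV-1002", "Acme Supplies", 4200.00, "2024-05-03T10:00", "2024-05-10T11:00"),  # same vendor and amount as INV-1001
    ("INV-2001", "Northwind Ltd", 15000.00, "2024-05-06T14:00", "2024-05-06T14:20"), # paid 20 minutes after receipt
    ("INV-3001", "Contoso Services", 800.00, "2024-05-02T08:00", "2024-05-12T08:00"),
    ("INV-3002", "Contoso Services", 950.00, "2024-05-05T08:00", "2024-05-14T08:00"),
]

# Constructed access log: (user, day, account_id). "jdoe" touches about five
# customer accounts a day and then sixty on the fifth day; "asmith" is steady.
ACCESS_LOG = []
for day, n in zip(range(1, 6), (5, 4, 6, 5, 60)):
    ACCESS_LOG += [("jdoe", f"2024-05-0{day}", f"ACC-{i:04d}") for i in range(n)]
for day in range(1, 6):
    ACCESS_LOG += [("asmith", f"2024-05-0{day}", f"ACC-{i:04d}") for i in range(3)]


def _hours(received, paid):
    """Elapsed hours between receipt and payment of an invoice."""
    fmt = "%Y-%m-%dT%H:%M"
    return (datetime.strptime(paid, fmt) - datetime.strptime(received, fmt)).total_seconds() / 3600


def duplicate_payments(invoices):
    """Group paid invoices by (vendor, amount); a group with more than one
    invoice is a candidate duplicate payment that needs manual review."""
    groups = defaultdict(list)
    for inv_id, vendor, amount, _, _ in invoices:
        groups[(vendor, amount)].append(inv_id)
    return {key: ids for key, ids in groups.items() if len(ids) > 1}


def unusually_fast_payments(invoices, fraction=0.1):
    """Flag invoices paid in under `fraction` of the median receipt-to-payment
    time; the median is the baseline for 'unusually quick'."""
    times = {inv[0]: _hours(inv[3], inv[4]) for inv in invoices}
    baseline = median(times.values())
    return sorted(inv_id for inv_id, h in times.items() if h < baseline * fraction)


def account_access_spikes(access_log, factor=3, min_accounts=20):
    """Flag (user, day, count) where the number of distinct accounts a user
    touched exceeds `factor` times that user's own median daily count.
    `min_accounts` suppresses noise from users with tiny baselines."""
    daily = defaultdict(set)
    for user, day, account in access_log:
        daily[(user, day)].add(account)
    per_user = defaultdict(dict)
    for (user, day), accounts in daily.items():
        per_user[user][day] = len(accounts)
    flagged = []
    for user, days in per_user.items():
        baseline = median(days.values())
        for day, count in sorted(days.items()):
            if count >= min_accounts and count > factor * baseline:
                flagged.append((user, day, count))
    return flagged


if __name__ == "__main__":
    print("Candidate duplicate payments:", duplicate_payments(INVOICES))
    print("Unusually fast payments:", unusually_fast_payments(INVOICES))
    print("Account access spikes:", account_access_spikes(ACCESS_LOG))
```

Each function returns its findings rather than a verdict: a duplicate (vendor, amount) pair may be a legitimate recurring charge and a fast payment may be an urgent approved one, so the output is a review queue for the finance team and the second line of defense, not proof of fraud. Baselines are computed from the data itself (the median) so the thresholds track each organization’s and each user’s normal behaviour.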
Responding to Fraud
Rasmussen assures his audience that “it’s okay to notice suspicious activities.” This is important to emphasize during awareness training so that people alert others to anything suspect that’s going on.
When coming across someone attempting business email compromise (BEC) and impersonating a CEO or other executive, an effective strategy is performing good authentication procedures. This means getting someone’s phone number on file and then calling them to check that it’s the correct number, verifying someone’s identity visually during a video conference call (you can do this by asking the individual to turn to the left or right – a deepfake won’t be able to do this properly), answering security questions that have been set up ahead of time and requesting confirmation of a personal identification number (PIN).
In addition, two tools can help with responding to fraud. One is analyzing fraudster personas, which Rasmussen illustrated through an example of invoice payment fraud. In his example, the fabricator fraudster submits a duplicate invoice to be issued, which the exploiter uses to create false records of suppliers and invoices. The organizer bribes an official to process the false invoices, the coercer convinces an official to verify an invoice for services that have only been partially delivered, and then the impersonator changes the supplier’s bank account to steal the payment.
A company can also use a failure mode and effects analysis (FMEA) to conduct a process risk assessment and identify steps during a process where a fraud could potentially occur.
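An FMEA scores each step of a process on severity, occurrence and detectability and ranks the steps by the product of the three (the risk priority number, RPN) so the weakest points get controls first. The worked example below is added for this recap and is not from Rasmussen’s session; the invoice-payment steps, the 1 to 10 scores and the proposed controls are constructed assumptions, chosen so that the supplier bank-account change from the persona example above comes out on top.

```python
# Constructed FMEA worksheet for an invoice-to-payment process.
# Scores use the common 1 (best) to 10 (worst) scale:
#   severity   - impact if the failure (here, a fraud) occurs
#   occurrence - how likely the failure is given current controls
#   detection  - how likely current controls are to MISS it (10 = never caught)
# "control" is a proposed mitigation and "detection_after" its expected detection score.
FMEA_STEPS = [
    {"step": "Supplier bank account change", "severity": 9, "occurrence": 4, "detection": 7,
     "control": "Call-back to number on file before any bank detail change", "detection_after": 2},
    {"step": "Invoice approval", "severity": 7, "occurrence": 5, "detection": 4,
     "control": "Flag invoices approved faster than the median processing time", "detection_after": 3},
    {"step": "Payment run release", "severity": 8, "occurrence": 2, "detection": 5,
     "control": "Dual authorisation for payments above a threshold", "detection_after": 2},
    {"step": "Three-way match (PO, receipt, invoice)", "severity": 6, "occurrence": 3, "detection": 3,
     "control": "Reject invoices whose PO was created after the invoice date", "detection_after": 2},
]


def rpn(severity, occurrence, detection):
    """Risk priority number: the FMEA product of the three scores."""
    return severity * occurrence * detection


def rank_fmea(steps):
    """Return (step, current RPN, residual RPN with the proposed control),
    ordered from highest current risk to lowest."""
    ranked = []
    for s in steps:
        current = rpn(s["severity"], s["occurrence"], s["detection"])
        residual = rpn(s["severity"], s["occurrence"], s["detection_after"])
        ranked.append((s["step"], current, residual))
    return sorted(ranked, key=lambda row: row[1], reverse=True)


def residual_risk_reduction(steps):
    """Fraction of total RPN removed if every proposed control is implemented."""
    ranked = rank_fmea(steps)
    before = sum(row[1] for row in ranked)
    after = sum(row[2] for row in ranked)
    return (before - after) / before


if __name__ == "__main__":
    for step, current, residual in rank_fmea(FMEA_STEPS):
        print(f"{current:4d} -> {residual:3d}  {step}")
    print(f"Total RPN reduction: {residual_risk_reduction(FMEA_STEPS):.0%}")
```

Ranking on current RPN tells the assessment where to spend effort first; the residual column shows how much each control buys, which is the residual-risk view Rasmussen looks for when interviewing a CFO and CISO. Scores are judgements, so the point of the table is the relative ordering and the before-and-after comparison, not the absolute numbers.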
Since 43% of fraud is detected by tips, according to the ACFE’s Occupational Fraud 2024: A Report To The Nations, a best fraud response practice is implementing a fraud, waste and abuse hotline. It’s also imperative to implement a fraud response plan. We tend to mainly focus on fraud prevention, but responding to a fraud immediately when it happens is just as important, especially if you’re able to stop a wire transfer a fraudster has attempted to make.
Rasmussen highly encourages commissioning a fraud assessment by a Certified Fraud Examiner (CFE) to identify potential fraud schemes and evaluate fraud prevention controls. He also suggests companies reach out to their finance departments and cyber teams. These are the partnerships that will help organizations be more effective in combating fraud and better understanding the fraud risks within their organizations.