In Depth

The Fraud Squad

Whether it's done by customers, employees or organized criminals, fraud takes a bite out of business's bottom line. Here's what CSOs can do about it.

By Daintry Duffy

External frauds may be less common than internal ones, but the perpetrators are far more adept at using technology. Frazzini notes that one of the largest threats businesses now face is from organized crime syndicates out of Eastern Europe that specialize in identity and credit card theft for the purposes of extortion or financial fraud. "[Between] 15,000 and 20,000 customer account records can be stolen at a time," he says. "Technology has given these criminals the ability to conduct mass victimizations because all the information is often stored in a single depository."

Not surprisingly, financial services companies are the biggest targets. Techniques like "salami slicing" (stealing small, hard-to-notice amounts from many thousands of accounts on a given day) are profitable scams in the aggregate. Credit card numbers are often sold in chat rooms for $2.50 each; a few dollars more can get you enough information on a person to perpetrate identity theft. "Many of the countries [where this is done] don't even have cybercrime laws," says Tom Kellerman, a data risk-management specialist for the financial strategy and policy sector of the World Bank. "From their perspective, we are the wealthy elite, we created the game of capitalism, and now we're seeing the dark side of it."

Not only do CSOs have to stay up on the various flavors of fraud, old and new, but they are also under increasing pressure—especially in financial services—to comply with such government regulations as the USA Patriot Act. This omnibus antiterrorism law mandates that financial institutions verify the identity of anyone seeking to open an account, maintain records of their identification and check all such people against the "denied persons" list of suspected terrorists. That has added another layer of complexity to corporate antifraud measures in these industries.

How CSOs Plan to Fight Fraud

CSOs' reporting relationships may define their degree of responsibility for fraud detection and prevention. A CSO who reports to IT is likely to govern the technical side of a fraud investigation, whereas a CSO who reports to the legal, risk-management or CEO's office may handle the investigation from both the business and IT angles.

Rick Mercuri, vice president and corporate security director for Citizens Financial Group (the parent company of Citizens Bank), has worked in fraud investigations for 19 years. At Citizens, he and his group of 25 investigators are responsible for investigating all fraud incidents and the tracking, statistical reporting and trend analysis of fraud across the company. That is in addition to his role in managing the company's physical security.

Mercuri stakes a large part of his unit's success on its independence from business functions that may hamper fraud investigations. He reports to the auditing group and then ultimately to the group executive of risk management. Both of those entities are historically autonomous. "In my career, I've seen cases where the investigation group reported to HR or another business unit that had too much of a vested interest," he says. "I've seen investigations that were hindered, where there was too much oversight or involvement. With straight-line reporting to auditing and risk management, we have free rein over investigations."
