
4. EMPIRICAL FINDINGS

4.1.3 Critical fraud types

Which kinds of fraud are critical and which are not depends on the type of business and the context in which it operates. What we found in our interviews is that businesses storing sensitive information share an understanding that they have to protect it at all costs. Company A, Company X and Company B all said that it would be a disaster if someone managed to break into their systems and leak information about employees, patients or customers. It would not only be very serious for those affected; the reputation of the company itself would also take a huge hit. Any threat that could harm the trust between a company and its stakeholders is seen as a very serious threat that has to be dealt with. A leak of information does not only have reputational consequences but also monetary ones: consider the sum a fraudster could demand by blackmailing a health institution while holding sensitive patient information hostage.

Company A talked about how their threat picture has evolved in recent years. For many years the traditional threat picture for a bank contained threats such as bank robbery, burglary or sabotage. Had we asked them a few years ago, they might have considered these threats critical. Today, even if a robbery actually occurs, the bank will not lose much, since the amount of cash held in the branches has fallen to a very low level. Respondent 3 explained the shift like this:

“The reason for this shift is that banks have quit regular cashier services, but also the potential to get more value through cybercrime is a lot bigger, the chance of getting caught is a lot smaller, and the punishment is also different. The criminals are professionals, and they choose what gives them the best outcome combined with the smallest chance of getting caught.”

They further confirmed that their biggest concern today is protecting the sensitive information in their databases, since that is what they live on. Respondent 2 pointed out that banks today rely heavily on trust, both in managing money, so that customers know their savings are safe, and in managing information. He emphasized that not only is the information sensitive, but the sheer volume of data also increases the potential consequences of a leak. Not surprisingly, they saw securing this information, and protecting the trust of their stakeholders, especially customers, as their biggest challenge for the future.

In this regard they said that it is hard to balance making sure new products are secure against attackers with keeping them easy to use, since too much security can be experienced as friction by customers. Company X shared the same view on the importance of protecting the trust between them and their customers, and said that the worst-case scenario was that their customers were affected and harmed.

For more ordinary businesses, in our case Company Y, the major concern appears to be monetary. Since they do not hold sensitive information about customers, the respondent talked more about internal control routines to prevent fraud such as theft, both external and internal. Although it is not the major concern, reputational harm and bad publicity were still mentioned by Company Y as threats they need to pay attention to. Based on what we collected from the experts we talked to at KPMG and BDO, smaller and more ordinary businesses are not very aware of the threat from cybercrime and its consequences. Unfortunately, they are no less exposed to cybercrime: fraudsters see them as less prepared to protect themselves, which makes them easier targets. This explains why the head of finance at Company Y could not give us much information about threats from cybercrime, but rather talked about more traditional types of fraud such as theft.

Ransomware, which typically arrives through phishing, was mentioned under the heading “common fraud types”, but it also has the potential to be one of the most critical types of fraud. What decides whether it becomes critical is which information or systems are encrypted, whether the victim has backup solutions to recover from, and the quality of those backups. The worst case is that the fraudster has managed to encrypt your most sensitive files or take down your most central systems, and there is no backup to recover from; then your fate is essentially in the hands of the fraudster. Once the files are encrypted, they are, as mentioned above, practically impossible to decrypt without the key. If you are very dependent on that information, and the fraudster knows this, he can demand a very high sum to help you out. The options are to restore from backup, pay the fraudster and hope he hands over the decryption key, or catch the fraudster. In most cases the police do not have the capacity to deal with this kind of fraud, especially if the fraudster has no ties to Norway. Besides contacting the police, you can contact your IT supplier, because sometimes there are backups in your systems that you are not aware of, although this is not guaranteed. A backup that sits on the same network and is reachable with the same credentials can be encrypted along with the originals, which is why the quality and isolation of a backup matter as much as its existence.
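The point about backup quality can be made concrete. The following is an added example, not code from the thesis or from any of the companies interviewed: a small Python drill that copies a few constructed sample files to an "offline" backup, records a SHA-256 manifest, overwrites the live files the way a victim finds them after encryption, verifies that the backup copy itself is untouched, and restores from it. The file names, file contents and the manifest name are assumptions made for the demonstration.

```python
# Added example (not from the thesis): a backup manifest and restore drill,
# the check that decides whether a ransomware incident is survivable.
# Paths, file contents and the manifest name below are constructed/assumed.
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.json"  # assumed name for the hash list stored with each backup

# Constructed sample data standing in for a business's sensitive files
SAMPLE_FILES = {
    "patients/record_001.txt": b"name=A. Example; diagnosis=redacted\n",
    "patients/record_002.txt": b"name=B. Example; diagnosis=redacted\n",
    "finance/ledger.csv": b"date,amount\n2020-01-01,1000\n",
}


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }


def take_backup(src: Path, backup_dir: Path) -> dict:
    """Copy src to backup_dir and store a manifest next to the copy."""
    shutil.copytree(src, backup_dir)
    manifest = build_manifest(backup_dir)
    (backup_dir / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(backup_dir: Path) -> list:
    """Paths whose content no longer matches the stored manifest.
    Empty list: backup intact. Non-empty: the backup itself was reached
    (or has rotted) and must not be trusted for a restore."""
    stored = json.loads((backup_dir / MANIFEST_NAME).read_text())
    current = build_manifest(backup_dir)
    return sorted(p for p in set(stored) | set(current) if stored.get(p) != current.get(p))


def damaged_files(live_dir: Path, manifest: dict) -> list:
    """Files in the live copy that differ from the last known-good manifest."""
    current = build_manifest(live_dir)
    return sorted(p for p in manifest if current.get(p) != manifest[p])


def clobber(live_dir: Path) -> None:
    """Stand-in for what the victim sees after ransomware: every file replaced
    by bytes that are useless without a key the attacker holds. Random data is
    used instead of a cipher; the effect on the victim is the same."""
    for p in live_dir.rglob("*"):
        if p.is_file():
            p.write_bytes(os.urandom(64))


def restore(backup_dir: Path, live_dir: Path) -> None:
    """Replace the live copy with the verified backup (manifest excluded)."""
    shutil.rmtree(live_dir)
    shutil.copytree(backup_dir, live_dir, ignore=shutil.ignore_patterns(MANIFEST_NAME))


def run_drill() -> dict:
    """Full cycle: back up, damage the live data, check the backup, restore."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        backup = Path(tmp) / "offline_backup"
        for rel, data in SAMPLE_FILES.items():
            (live / rel).parent.mkdir(parents=True, exist_ok=True)
            (live / rel).write_bytes(data)

        manifest = take_backup(live, backup)
        clobber(live)                        # the incident happens
        damaged = damaged_files(live, manifest)
        mismatches = verify_backup(backup)   # was the backup itself touched?
        if not mismatches:
            restore(backup, live)
        return {
            "files_damaged": len(damaged),
            "backup_mismatches": mismatches,
            "restored_ok": damaged_files(live, manifest) == [],
        }


if __name__ == "__main__":
    print(run_drill())
```

The check that matters is verify_backup: an empty list means the offline copy still matches what was written, so a restore is safe; a non-empty list means the backup was reached as well and the drill should stop rather than restore bad data. Running the same routine against a real backup on a schedule is what turns "we have backups" into "we can recover".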

Another type of fraud that can be critical in the right context is a DDoS attack. None of our respondents were concerned about this, as they did not consider it critical in their industry, but both Company A and Company X stressed that this type of attack could be very critical in other industries. A DDoS (distributed denial-of-service) attack floods a target with traffic from many sources at once so that legitimate users are denied access to information or resources they need, most often a website. A successful attack can, for example, take down a website so that it is unavailable to employees, customers or other stakeholders. Only one of our respondents told us they had experienced this against themselves and their internet supplier. The last time was a couple of years ago, and they confirmed that all of their services were unavailable, both internally and externally, for about 15 to 30 minutes. They further said that they are not very dependent on having internet access around the clock, since employees can still do their jobs in such cases, and they do not sell products or host any critical services through their website.

However, some of our respondents emphasized that this can be a very critical type of attack in other industries where companies depend on online booking systems or online sales. Examples mentioned in our interviews were the hotel and airline industries, since they depend on having a website up and running around the clock. Large companies such as Norwegian, SAS and Thon Hotels can lose millions if their website is down for only an hour, since customers cannot reach the online booking system and order from competitors instead. Companies that depend heavily on online shopping are also very exposed to this kind of threat. Besides the lost sales of tickets or products, such an incident can also create panic when employees cannot access information stored in online systems, such as how much is left in stock or details of existing orders.
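To make the mechanism concrete, here is an added example that is not part of the thesis or of any respondent's material: a few lines of Python that parse constructed web-server access-log lines in the common log format, count requests per second and per client address, and flag a second in which total traffic jumps far above a baseline. The log lines, the addresses, the baseline of 2 requests per second and the thresholds are assumptions made for the demonstration.

```python
# Added example (not from the thesis): flagging a distributed flood in
# web-server access logs. Log lines are constructed below; the baseline,
# thresholds and function names are assumptions for the demonstration.
import re
from collections import Counter, defaultdict

# Common log format: ip identity user [timestamp] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)$')


def parse_line(line):
    """Return (ip, timestamp to the second, request, status) or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ip, ts, request, status, _size = m.groups()
    return ip, ts.split()[0], request, int(status)  # drop the timezone; bucket by second


def bucket_by_second(lines):
    """second -> Counter of requests per client ip."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, second, _req, _status = parsed
            buckets[second][ip] += 1
    return buckets


def detect_flood(lines, baseline_rps, factor=5, per_ip_limit=10):
    """Flag seconds where total traffic exceeds factor * baseline.
    Also report whether a per-ip limit would have fired: a distributed
    flood spreads requests so thinly that no single ip is over the limit."""
    alerts = []
    for second, per_ip in sorted(bucket_by_second(lines).items()):
        total = sum(per_ip.values())
        if total > baseline_rps * factor:
            alerts.append({
                "second": second,
                "total": total,
                "distinct_ips": len(per_ip),
                "caught_by_per_ip_limit": any(n > per_ip_limit for n in per_ip.values()),
            })
    return alerts


def constructed_log():
    """Constructed input: three seconds of normal traffic from two clients,
    then one second in which 60 different addresses each send one request."""
    fmt = '{ip} - - [01/Mar/2020:10:00:0{s} +0100] "GET {path} HTTP/1.1" 200 512'
    lines = []
    for s in range(3):
        lines += [fmt.format(ip="10.0.0.1", s=s, path="/booking"),
                  fmt.format(ip="10.0.0.2", s=s, path="/")]
    for i in range(60):
        lines.append(fmt.format(ip=f"203.0.113.{i}", s=3, path="/booking"))
    return lines


if __name__ == "__main__":
    for alert in detect_flood(constructed_log(), baseline_rps=2):
        print(alert)
```

The distinct_ips and caught_by_per_ip_limit fields show why the distributed part matters: 60 requests in one second from 60 addresses exceed the aggregate threshold while no single address exceeds a per-client limit, so a defence built only on per-IP rate limiting would not have fired on this traffic.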