South African businesses are at serious risk from rapidly increasing payments fraud – often from within their very own organisations.
Ryan Mer, CEO at eftsure Africa, says while criminal syndicates behind ransomware and business email compromise (BEC) attacks shouldn’t be ignored, it’s important for organisations, irrespective of size, to tighten the internal controls needed to prevent serious fraud.
“Taking preventative measures against internal fraud can seem daunting as employees occupy privileged positions of trust. With access to internal systems and knowledge of internal processes, employees know where the gaps lie in a company’s internal controls,” says Mer.
The cost of fraud is rising at an alarming rate. Respondents to PwC’s Global Economic Crime and Fraud Survey of 2022 reported total losses of $42-billion – over and above damages to brand, reputation and market share.
Another report from the South African Association of Certified Fraud Examiners found that a typical organisation loses at least 5% of its annual revenue to fraud. The same study also found that once victimised, an organisation is unlikely to recover the losses.
“Internal fraud is often committed by a trusted employee and can go undetected for several years. External auditors may struggle to detect financial anomalies thanks to the many subtle ways employees can secretly profit at their employer’s expense,” notes Mer.
Common fraudulent activities include:
* Changing supplier banking information;
* Colluding with suppliers to issue fake invoices;
* Submitting fake expense claims;
* Actioning illegitimate refunds; and
* Diverting incoming payments to other bank accounts.
Positions that involve administering payments to creditors and suppliers, overseeing and processing invoices and electronic payments, and capturing bank statement transactions present a higher risk for businesses.
“Theoretically at least, many businesses do have the right controls in place to fight fraud, but there are gaps that need serious attention. Employers should also be able to identify the red flags that point to malicious activity,” adds Mer.
Some of the top insider threat red flags are:
* Requesting unnecessary access to systems and sensitive information – Sensitive information should be on a need-to-know basis. A member of staff snooping in confidential company files should be questioned.
* Disorganised or incomplete record keeping – Shoddy record keeping may be a deliberate attempt to hide nefarious activity. Maintaining high administrative standards is therefore a must.
* Employee doesn’t take annual leave – A reluctance to take annual leave may be a result of a fear of being uncovered while certain duties are handled by a colleague or superior.
* Conflicts of interest with suppliers – If an employee shows undue favour towards a certain supplier, it’s worth taking a closer look to establish whether the third party involves a friend or relative of your employee.
* Living a lavish lifestyle – Extravagant purchases and a sudden, drastic change in lifestyle are obvious indicators of a financial windfall and a sign to pay closer attention without jumping to conclusions.
* Signs of financial distress – While most people who find themselves in a tough spot never turn to crime, some employees may act out of sheer desperation. Keep lines of communication open and offer assistance if possible.
* Gambling addiction – Such concerns should be handled delicately by HR.
* Being rejected for a promotion – An employee who feels they are underpaid or deserves to occupy a higher position of authority may feel justified in defrauding their employer.
* Accessing network resources after normal working hours – Insiders may attempt to access files, applications, networks or intellectual property outside normal working hours.
“Robust risk management policies, data management controls and staff training can all go a long way in minimising insider threats. In addition, eftsure helps protect organisations against payment fraud by automating manual controls, placing less reliance on the manual and human factor, which gives those responsible for releasing payments the confidence that processes and controls are in place and working effectively,” says Mer.