Fraud risks: it's closer than you expect

The recent discovery of a terror cell, the doubling of online cheating cases, and the ongoing investigations on third-party corruption scandals are signs of a new reality faced by Singapore businesses – the global threats of cybercrime, terrorism, and fraud are now a part of everyday life.

Beware of insider threats
Here's a thought: the threat lies within. In EY 14th Global Fraud Survey 2016: Corporate misconduct ‒ individual consequences, conducted among 2,825 executives globally including 50 in Singapore, nearly half admitted that they could justify unethical behavior to meet financial targets.

In Singapore, the top three unethical behaviors that executives would be willing to engage in are allowing more flexible product return policies; changing assumptions determining valuations or reserves, and extending the monthly reporting period – so as to meet financial performance objectives. 

Not only are employees' intentional unethical behaviors putting their organisations at risk, honest cybersecurity mistakes are equally dangerous. Based on earlier research – EY Global Information Security Survey 2015, half of the Singapore respondents saw unaware employees as the top source of cyber-attacks. This is not surprising as cybercriminals are increasingly attacking employees through either social engineering or delivering targeted malicious software.

To organise a social engineering attack, criminals identify potential targets by conducting extensive research using online resources, company reports, and other social media channels. These targets receive phishing emails and malware attachments which are usually sent via compromised email accounts or spoof accounts that imitate the email addresses of staff.

To effectively defend against these attacks, this requires the rollout of adequate training campaigns to educate employees about threats and how not to be fooled by them, to supplement the usage of prevention and detection software.

In addition to these attacks on employees, there is an alarming increase in the number of email scams targeting CEOs and senior management in the Asia-Pacific region, which is a serious threat that must be proactively addressed to avoid huge financial losses. In carrying out these crimes, cybercriminals impersonate business leaders in order to deceive companies into transferring funds to unauthorised accounts.

Recent figures from the US Federal Bureau of Investigation estimates that such crimes have cost businesses more than US$2 billion (S$2.8 billion) globally in little over two years. Ironically, senior executives seem to lack appropriate risk awareness on cybercrime.

The majority of Singapore respondents view cybercrime as a low risk. This false sense of security deserves robust challenge when placed against the fact that an overwhelming 80% of Singapore respondents did not believe their information security system fully meets their organisation’s needs.

Know your third parties
These risks are compounded when seen from the perspective of the expanding footprint of Singapore companies into new or overseas markets. When setting up overseas operations through M&A ventures or third-party partnerships, companies could find themselves exposed to a more complex web of fraud risk liabilities and regulatory regimes.

In addition to the costly withdrawal from an investment, impropriety can lead to time-consuming and reputation-damaging investigations, remediation action, and regulatory fines.

Business leaders thus need to answer these questions honestly: Are you confident that those leading and working on the ground in high-risk markets understand the business culture and how work is won? Do you have enough awareness of the key third parties with which your company partners and who is really behind them? Is the business focusing the right resources on the right risks in the right locations, or is it failing to keep up with the evolving environment?

Awareness of third-party risks goes as far back as 2013, where 55% of Asia-Pacific and Singapore respondents in EY’s Asia-Pacific Fraud Survey 2013 agreed that risks are more likely to arise from third parties than from internal staff. In fact, two groups of third parties have been identified as representing the largest compliance risk to a business operation – vendors/suppliers (57%) and agents (22%).

This perceived risk was evidenced by the fact that 90% of the reported Foreign Corrupt Practices Act (FCPA) cases in 2013 involved third parties.

Although the alarm bells were rung a few years ago, one in five Singapore companies in 2016 have yet to implement systems or processes to identify third-party relationships. Organisations need to evaluate their third-party due diligence and monitoring processes and ensure that these processes commensurate with the risks faced today.

The use of forensic data analytics, particularly over payments and frequent compliance audits, should form the basis of a strong monitoring system for managing third-party relationships.

Clearly, businesses are not immune to the risks that emanate from their expanding operations. With the global enforcement landscape changing, where increased cooperation across borders, information sharing, and insights drawn from analysis of data are enabling regulators to be better informed about corporate misconduct than ever before, business leaders must take a more proactive stance on fraud risk management or face the consequences of not just a sullied business reputation but possible individual prosecution too.

The views reflected in this article are the views of the author and do not necessarily reflect the views of the global EY organisation or its member firms.