Over the last few months, we have noticed an increasingly sophisticated use of technology both in the perpetration of frauds and also in attempts to conceal evidence of the fraud from any subsequent investigation.

Prime examples include insiders (usually employees) at major financial institutions diverting funds through misuse of those institutions' own systems after weaknesses had been identified by the fraudsters. We have also seen attempts to erase data which would provide evidence of frauds and the introduction of hardware and software tools by these insiders into victims' IT systems in order to monitor the progress of any subsequent investigation and to create further havoc and distraction following the main fraud.

While the legal tools used to bring the fraudsters to justice and make recoveries from them remain largely the same whether the scam is a "traditional" paper based fraud or a large scale diversion of funds through electronic payment systems, there are clear differences of approach required in terms of deterring and preventing such frauds and identifying those responsible for them when they happen.

There are a number of straightforward steps you can take to dramatically improve your security and the efficacy of your response if the crooks do strike:

  • Careful scrutiny of prospective employees who will have high-level access to your IT and security systems – experience shows beyond doubt that the majority of these frauds are carried out by insiders or at least with some level of inside help.
  • Make sure you have in place a company policy permitting monitoring of emails and telephone calls in order to detect and prevent fraud. Provided such a policy has been adopted and reasonable steps have been taken to draw it to the attention of employees, the monitoring will not fall foul of the interception rules under the Regulation of Investigatory Powers Act. Intelligent monitoring in risk areas may provide advance warning of a planned fraud and, at the least, makes the insider's job more difficult.
  • Ensure that your hardware and software are set up so that only those who truly need such rights can install new software on any part of your network. Also ensure that PCs do not have floppy, CD or DVD drives (whether read only or read / write) unless there is a genuine business need for the user of a particular unit. By the same token, remove or disable unnecessary USB (or equivalent) ports and thereby prevent the use of the portable data storage devices that are now readily and inexpensively available to the public.
  • Sensitive areas within your premises (such as server rooms) can be monitored by CCTV. This will act as a deterrent to wrongful interference and if a dishonest employee does introduce unauthorised software to your system the CCTV records may assist in identifying the responsible individual.
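As a worked illustration of the third point above (this is an added example, not part of the original article), the following PowerShell script for a Windows workstation denies access to removable disks and CD/DVD media through the Removable Storage Access policy, disables the USB mass-storage driver, and, in audit mode, reports who holds local administrator rights and whether the AlwaysInstallElevated installer setting has been left on. The registry paths, value names and device-class GUIDs are the standard Windows ones; the -Audit switch and the function names are this script's own convention. It must be run from an elevated prompt.

```powershell
# Added example (not from the original article): lock down removable media and
# audit software-install rights on a Windows workstation. Run elevated.
# Use -Audit to report the current state without changing anything.
param([switch]$Audit)

# GUIDs used by the "Removable Storage Access" policy for each device class
# (Computer Configuration > Administrative Templates > System > Removable Storage Access).
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$deviceClasses = @{
    'Removable disks (USB sticks, external drives)' = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    'CD and DVD drives'                            = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'
}

# USBSTOR service start type: 3 = manual (default, loads on first device), 4 = disabled.
$usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

# AlwaysInstallElevated = 1 in BOTH hives lets any user install an MSI as SYSTEM,
# which defeats any attempt to limit who can install software.
$installerKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
)

function Set-RemovableStorageDenied {
    # Deny_All = 1 blocks read, write and execute for the device class.
    param([string]$Guid)
    $key = Join-Path $policyRoot $Guid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'Deny_All' -Value 1 -Type DWord
}

function Get-RemovableStoragePolicy {
    param([string]$Guid)
    $key = Join-Path $policyRoot $Guid
    if (Test-Path $key) {
        (Get-ItemProperty -Path $key -Name 'Deny_All' -ErrorAction SilentlyContinue).Deny_All
    }
}

function Describe($Value) {
    # Registry values that were never set come back as $null; say so explicitly.
    if ($null -eq $Value) { 'not set' } else { $Value }
}

if ($Audit) {
    foreach ($name in $deviceClasses.Keys) {
        $state = Get-RemovableStoragePolicy -Guid $deviceClasses[$name]
        '{0}: Deny_All = {1}' -f $name, (Describe $state)
    }
    'USBSTOR Start = {0}' -f (Get-ItemProperty -Path $usbstor -Name 'Start').Start
    foreach ($k in $installerKeys) {
        $v = (Get-ItemProperty -Path $k -Name 'AlwaysInstallElevated' -ErrorAction SilentlyContinue).AlwaysInstallElevated
        '{0}\AlwaysInstallElevated = {1}' -f $k, (Describe $v)
    }
    # Everyone listed here can install software; each entry should have a business justification.
    Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource, ObjectClass
}
else {
    foreach ($guid in $deviceClasses.Values) { Set-RemovableStorageDenied -Guid $guid }
    Set-ItemProperty -Path $usbstor -Name 'Start' -Value 4 -Type DWord
    foreach ($k in $installerKeys) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
        Set-ItemProperty -Path $k -Name 'AlwaysInstallElevated' -Value 0 -Type DWord
    }
    'Removable storage denied, USBSTOR disabled, AlwaysInstallElevated cleared. Reboot to apply fully.'
}
```

Two caveats for anyone adapting this. The HKCU key only covers the account running the script, and Get-LocalGroupMember needs the Microsoft.PowerShell.LocalAccounts module (Windows PowerShell 5.1 or PowerShell 7 on Windows). In a domain the same registry values are pushed by Group Policy, which is also the natural place to record the "genuine business need" exceptions the article allows for, as per-OU overrides rather than ad hoc changes on individual machines.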

Most of all, you should have a clearly defined Fraud Response Plan for your organisation. No amount of security or deterrence will ever completely guarantee immunity to fraud. If it does happen, you need to be ready to investigate quickly and efficiently. A suitable senior corporate officer (and a deputy for when the primary designate is unavailable) should be designated to take the lead and head up the response to any fraud that occurs.

Those individuals should have in place delegated powers to take all such steps as the investigation may require, such as authority to instruct external specialists.

Specialists such as providers of IT forensic services, investigators and lawyers should be identified and pre-approved before the crisis happens. That way you will avoid having to go through a time-consuming appointment process when you most need speed. The first few hours of an investigation can make the difference between success and failure. Those hours should not be wasted.

This article is only intended as a general statement and no action should be taken in reliance on it without specific legal advice.