Risk and Fraud

Fraud risk: The fundamentals

· 20 minute read

With fraud risk a significant concern for organizations of all sizes and types, dive deep into the fundamentals of a risk management strategy.

One of the biggest risks nearly every organization faces is fraud. Fraud risk puts all kinds of organizations at financial risk: financial institutions, legal and tax firms, nonprofits, government benefits agencies (such as those that manage Medicaid), large corporations, and small businesses. And statistics suggest that fraud risk will only increase in the coming years:

  • In 2022, financial institutions submitted more than 3.6 million suspicious activity reports (SARs) to the U.S. Treasury’s Financial Crimes Enforcement Network. According to a Thomson Reuters Institute report, SAR filings in March 2023 set a monthly record, with more than 351,000 reports—a sign that potentially fraudulent activity will continue to surge.
  • An FBI internet crimes report noted that email scams increased 111% from 2018 to 2022, with victims losing $2.7 billion in 2022. Email scammers are using social engineering techniques to gain the trust of unwitting targets with the goal of getting them to send funds to a fraudulent person or entity.
  • According to the Association of Certified Fraud Examiners (ACFE), small businesses experienced a higher frequency of fraud from 2002 to 2022 than larger organizations.
  • Thomson Reuters Institute’s 2023 Government Fraud, Waste and Abuse Survey Report found that most of the government workers it surveyed believe fraud, waste, and abuse (FWA) will increase over the next two years. Respondents also cite more sophisticated fraud schemes as one of the major challenges they’re facing going forward.

The Dallas County government faced significant IT challenges throughout 2023, including a $2.4 million fraudulent wire transfer discovered in November, which led to an FBI investigation. This incident involved social engineering tactics using a fake business email impersonating one of the county’s partners. The county has also experienced other IT failures, such as auctioning laptops with personal data, payroll system issues affecting employees’ pay, and problems with new court management software causing delays in criminal justice proceedings. Additionally, the county fell victim to a ransomware attack in October, prompting ongoing investigations and security measures to safeguard sensitive data and address cybersecurity threats.

In another case, a Minnesota woman was charged with stealing nearly $4 million from her employer, a small business whose financial records she had managed for several years. What complicates the case is that the woman herself was allegedly a victim of fraud. According to the charges, she had siphoned off company money to pay a man with whom she was having an online relationship. The man claimed to need U.S. currency so that he could collect millions he was supposedly owed for work he’d performed in the Middle East. With its suspicions growing, the company had an outside auditor investigate. The auditor detected evidence of fraud, the woman was fired, and she now faces criminal charges. The man cannot be tracked down.

As the experiences of that small Minnesota business and the Dallas County government demonstrate, organizations of all kinds need a deep understanding of fraud risk. Those risks can come from either inside or outside the organization (or both, in this case). While fraud is often committed by a lone individual, global criminal gangs with sophisticated digital skills are increasingly involved—though susceptible individuals often are crucial to their success.

Organizations and government agencies are prone to fraud risk in ways that can affect their operations and even their effectiveness. What can they do to manage fraud risk—and protect themselves and their stakeholders from potentially disastrous financial losses?

What is fraud risk?

Fraud risk is the potential exposure of an organization to deceptive or dishonest actions, resulting in financial losses, reputational damage, or legal consequences.

To understand what fraud risk means, we need a clear understanding of what fraud is. Fraud involves intentional deception to gain something of value, usually money. One commits fraud through false statements, misrepresentation, or dishonest conduct intended to mislead or deceive. Fraud risk, then, refers to the possibility of financial loss due to the intentional deception perpetrated by an individual or a group either inside or outside the organization. In some cases, the perpetrators may be both internal and external.

Consequences of fraud

Fraud has a very long history. The first documented fraudster was a Greek merchant named Hegestratos, who operated around the year 300 BCE. He took out a loan as a kind of insurance policy, promising to pay it back with interest when his ship, which was carrying a cargo of grain, came into port. Hegestratos’s plan was to secretly unload the grain and sink the boat—and claim that he couldn’t pay back the loan. He would then sell the grain without the lender’s knowledge. When his crew foiled his plot, Hegestratos drowned trying to escape.

Financial fraud first appeared in history in the Roman Empire in 194 AD, when a group of soldiers assassinated the emperor with plans to sell the empire’s leadership position to the highest bidder. This plot too failed.

Those failures haven’t stopped innumerable people from engaging in fraudulent schemes. Throughout the centuries, fraudsters have sought to separate gullible individuals or unobservant businesses from large amounts of money. Some of the biggest fraud schemes in history have involved people who promise investors astonishing financial returns. Bernie Madoff’s asset management firm, which defrauded thousands of investors of billions of dollars, is a prime example.

One of the most massive instances of fraud in the business world came to light in 2001. Texas-based energy company Enron was one of the world’s most successful companies, ranked number 7 on the Fortune 500. But more and more investors thought something wasn’t quite right. Investigators dug deep into the company’s financial filings and found that executives had crafted a highly complex scheme that misrepresented Enron’s revenues and earnings. Within a year, the company’s share price plummeted from $90 to less than a dollar. Investors were out millions, employees lost their equity as well as their jobs, and numerous vendors were stuck with large unpaid bills.

In short, fraud can damage just about any kind of business, even if the company doesn’t experience fraud directly. Financial losses can be particularly difficult for smaller companies. Another risk factor is compliance risk—fraudulent activity can put certain types of businesses out of compliance with industry regulations, with costly consequences.

Why does fraud occur?

Fraud occurs due to a combination of perceived opportunity, financial pressure, and rationalization, as described by the fraud triangle, wherein individuals exploit weaknesses in internal controls to commit deceptive acts.

Another way to ask the question is: Why does fraud risk exist? Either way, the answer might seem simple: People sometimes commit fraud because of greed or desperation. But that doesn’t explain why many avaricious or financially strapped individuals don’t engage in fraud.

A fuller explanation is provided by what’s called the fraud triangle. The fraud triangle is a model that’s used to describe the three elements that, when combined, are likely to lead to fraud. While fraud can be committed by a group of people, the fraud triangle’s explanatory power comes from the fact that fraud is typically initiated by an individual. Organizations seeking to undertake risk management—and all organizations should—need to understand the fraudster mindset.

Side 1: Pressure (or motive)

The “simple answer” may be incomplete, but it’s not necessarily wrong. A great deal of fraud is driven by greed or financial difficulty (such as gambling debts). But sometimes the motivation isn’t that simple. If the allegations are correct, the motive of the Minnesota woman charged with defrauding her company wasn’t personal financial gain. She was doing it for someone with whom she was romantically smitten.

Side 2: Opportunity

The fraudster needs access to money. In many cases, he or she oversees an organization’s funds as an accountant or a bookkeeper. That person typically writes checks and maintains the entity’s financial records. Such a person may not be managed or overseen closely. Perhaps the fraudster has a reputation for trustworthiness. Or perhaps the organization is so large and its records so complex that it’s difficult to detect fraudulent transactions.

Side 3: Rationalization

This may be the most fascinating and complicated side of the fraud triangle. Individuals who commit fraud typically don’t think of themselves as “bad people.” Perhaps they tell themselves “I’ll pay it back just as soon as I can.” Or they might think, “Well, other people in the organization are using funds for their own benefit.” They often separate their fraudulent actions from the rest of their lives, reassuring themselves that, after all, they still go to church, give to charity, or spend quality time with their family. (Criminals in organized fraud gangs may simply think they have no legitimate alternatives.)

 

Types of fraud

Fraud detection begins with an understanding of the types of fraud risk organizations face. Generally speaking, they can be distinguished as internal and external.

Internal fraud

As the term suggests, this is fraud committed by people within an organization. Some examples that any organization should beware of:

  • Accounting fraud involves deliberately falsifying financial statements and misappropriation of assets. This can be done in any number of ways, including overstating or understating revenue, assets, or expenses.
  • Mail fraud involves using the U.S. Postal Service to commit fraud. For instance, if someone mails a contract regarding a fraudulent deal, the government could pursue a fraud conviction against the person who sent it. Wire fraud is similar to mail fraud, except that non-postal transactions are used.
  • Check fraud involves creating counterfeit checks to defraud another. Someone may attempt to give a bad check to a bank to withdraw money that isn’t theirs.
  • Payroll fraud, which in some cases could be considered a form of accounting malfeasance, can take many forms: requests for fraudulent reimbursement, sales contracts that turn out not to be real, or paychecks for nonexistent employees.
  • Executives in a business may make false claims on financial statements to drive up its stock price or attract investors. Enron is an obvious example.

External fraud

  • Identity theft occurs when someone uses another person’s name, Social Security number, credit card number, or other personal information. This is done to open new accounts, make purchases, or take out loans. It is a common technique used by external bad actors pursuing one of the following types of fraud.
  • Bank fraud. Outsiders can illegally obtain money from a financial institution by any number of methods, most notably through false documents, forging signatures, or using stolen account information.
  • In cases of insurance fraud, the person lies or withholds information to obtain insurance benefits or coverage to which they’re not entitled. Techniques include using false identities, exaggerating the cost of damages, and faking injuries (which can include falsified medical documents).
  • Benefits fraud could be considered a kind of insurance fraud. Fraudsters will attempt to steal government benefits using false documents or false identities. They may also claim that they have a disability that makes it impossible for them to work.
  • Healthcare fraud could involve schemes related to pain management, insurance scams involving false documents or unnecessary treatments, and kickbacks.
  • Investment fraud. Investment fraudsters use false or misleading information to convince people to invest in a company or an investment strategy. The perpetrator may claim to have some secret knowledge or expertise, something that the “very wealthy” know that ordinary folks do not.
  • Many of these forms of fraud can also be instances of cyberfraud. The best-known examples are phishing and ransomware attacks. Cybercriminals are typically looking to lock up an organization’s IT system for ransom payments or to make off with its valuable data.

Some of these external forms of fraud can also be committed internally. Bank fraud is an obvious example, though an organization insider might also participate with an outsider in investment fraud or insurance fraud.

Potential signs of fraud

While fraud risk is prevalent, it’s also worth noting that a great many fraudsters are detected. But it’s often several costly years before that happens. In most cases, organizations overlook red flags that might be signals of potential fraud. Red flags aren’t necessarily evidence of actual fraud. But they are examples of risk factors that an organization should be aware of and investigate.

  • Insurers and financial services organizations need to be alert to signs of potential money laundering. Such red flags vary depending upon whether the potential perpetrator is a customer, broker, or vendor. Organizations required to comply with anti-money laundering (AML) regulations need to be especially vigilant.
  • Employee red flags include living beyond one’s means, financial difficulties, and spending time in the office alone outside of work hours. Remote work has made the detection of employee fraud more challenging.
  • There are also fraud risk factors specific to top organizational leaders. Examples of management red flags include frequent disputes regarding risk audits, a lack of transparency with employees about the organization’s financial performance, and overly complex financial transactions.

Why managing risks is important

Managing risks is crucial as it helps organizations anticipate, mitigate, and respond effectively to potential threats, safeguarding their assets, reputation, and sustainability in an ever-changing business environment.

All this means that organizations need to be able to manage fraud risk. Risk management is the process of identifying, assessing, and controlling potential risks or uncertainties that could negatively impact an organization’s objectives or finances. It helps organizations anticipate potential obstacles and reduce their impact, thus facilitating smoother operations, greater financial stability, and improved decision-making. In other words, risk management provides a roadmap for navigating potential risks in a proactive rather than reactive manner.

Risks are typically categorized as either operational risks or enterprise risks. Operational risks, which are risks associated with the execution of an organization’s operations, can originate from a variety of sources, including human error, third parties, or cybersecurity threats such as data breaches or ransomware attacks. Risk management professionals also identify technical risks associated with changes in technology and equipment. Technological advances can present new opportunities, including new opportunities for fraudulent behavior.

Benefits of risk management

Robust fraud risk management programs can provide numerous benefits, including:

  • Reduced financial losses due to undetected fraud
  • Reduced costs of responding to fraud (investigations, legal costs, etc.)
  • More thorough regulatory compliance
  • Improved employee sensitization to and awareness of fraud
  • More effective corporate governance

Challenges of risk management

Effective fraud risk management isn’t simple to establish. Organizations need to be aware of risk management challenges and best practices.

Complexity and globalization

More and more fraudsters are operating within complex networks, many of which function across national borders. They also may collude with insiders and other digitally driven networks, which makes risk management and efforts for prevention, detection, and investigation more difficult.

Risk assessment

Risk assessment addresses relevant key areas pertaining to the organization’s size, complexity, industry, and goals. Effective fraud risk assessment should identify what types of fraud an organization is most susceptible to, where inside or outside the organization it could occur, and how it might be perpetrated. These fraud risks should then be prioritized based on their significance and likelihood. An organization should perform and update its risk assessment regularly to accommodate evolving fraud risks and the specific vulnerabilities that might arise.

Risk mitigation

Mitigation is a set of responses intended to reduce the harm of a risk event. Some forms of mitigation aim to prevent such an event. Others are intended to handle the event once it occurs. Most organizations can’t avoid every kind of fraud risk. But they can establish rules for handling them and minimizing their impact.

Establishing internal controls

Internal controls play a crucial role in minimizing fraud risk. Risk audits conducted by several parties across the organization (as well as by external auditors) can boost the effectiveness of fraud prevention, detection, and investigation efforts. These controls should be regularly reviewed and updated as needs change and new fraud risks arise.

Employee training

Education is an essential element of fraud prevention. An organization’s employees need to be able to recognize potential red flags as well as fraudulent emails and other forms of communication.

 

Understanding the fundamentals

To execute the process of risk management, organizations first need to understand its principles. They also need to find the right balance between these principles so that they’re using their resources efficiently and effectively.

Prevention

Fraud prevention, it should be obvious, is the best way to manage fraud risk. For government agencies, for instance, preventing fraud before it happens can be easier and certainly less costly in the long run than investigating and trying to claw back fraudulently obtained benefits.

Whatever the organization, fraud prevention is easier said than done. The reason why fraud often goes undetected for so long is trust. Few people want to believe that long-time employees, customers, or vendors might be capable of fraud. But accepting that possibility (however remote it might seem) is a necessary part of fraud prevention.

For those organizations involved in financial services, insurance, and government benefits, a key strategy is identity verification: ascertaining that customers, vendors, and benefits applicants are who they say they are. Following the risk management practices discussed above can help an organization create a vigorous culture of fraud prevention.

Detection

Fraud detection identifies activity that has occurred or been attempted. It responds to an existing threat. Detection methods tend to vary according to the type of fraud being committed. A great deal of financial fraud is due to manipulating accounting procedures. Fraud detection here requires auditors who know how to look for often hard-to-detect irregularities. For agencies managing government benefits, fraud detection often means giving application documents and related data painstaking scrutiny.

Investigation

Investigation refers to activities an organization pursues after it has detected suspicious behaviors. Fraud investigation typically requires a deep, targeted look at financial records and databases, as well as poring through records and databases of individuals and outside companies. Such a process, however necessary, is expensive and time-consuming.

Future fraud risk trends

History suggests that fraud risk will never disappear. With digital technology increasingly used as a fraud tool, technology will also play a key part in risk strategy as organizations face new fraud risks.

Synthetic identities

Digital technology is enabling individuals and fraud gangs to create synthetic identities: fake identities built upon real Social Security numbers or other purloined individual data. According to the McKinsey Institute, the use of synthetic identities is involved in about 85% of all fraud worldwide. This kind of identity fraud is expected to proliferate precipitously.

That doesn’t mean that phishing attacks using “realistic” emails supposedly from vendors and colleagues will let up. But cyberfraud is starting to take on new and disturbing forms. Fraudsters can disguise themselves as company executives and request accounting to immediately pay a fraudulent invoice or transfer money to a phony bank account.

Artificial intelligence

Fraudsters can use artificial intelligence (AI) to more effectively create synthetic identities or more convincingly disguise themselves. But AI also can help organizations combat AI-enabled fraud and safeguard their business. AI can analyze large data sets to identify patterns of behavior that may indicate fraudulent activities. Machine learning algorithms are developing predictive models that can identify which individuals or groups are more likely to commit fraud. AI also could be used in verifying customer or applicant identities.

Multi-channel approaches

With fraud becoming increasingly complex, organizations will need to break down departmental silos to develop a risk management strategy that looks across numerous data points and risk signals. Such an approach can reduce risk and prevention expenses while making risk prevention, risk audits, and risk mitigation efforts more effective and timely.

Final words

In navigating the intricate landscape of fraud risk, organizations must remain vigilant and adaptive. As fraud schemes evolve and technology advances, the imperative to stay ahead of the curve becomes ever more crucial. While technological solutions offer valuable support, they should complement, not replace, robust risk management frameworks grounded in principles of prevention, detection, and investigation.

Moreover, the collaborative effort across departments and the integration of multi-channel approaches are paramount in fortifying defenses against fraudulent activities. By embracing a proactive stance towards fraud risk management and fostering a culture of awareness and accountability, organizations can safeguard their assets, reputation, and stakeholder trust. While the challenge of fraud risk may seem daunting, it is through diligence, innovation, and continuous improvement that organizations can effectively mitigate this pervasive threat and thrive in an ever-changing business environment.

While fraud risk can be mindbogglingly complex in this age of digital technology, it can also be as (relatively) simple and as timeless as what some organizations experienced. Because of the complexity of the data and the increasing sophistication of fraud schemes, more and more organizations are exploring the use of technology solutions. These tools, while extremely helpful, should be used along with other fraud risk management techniques, including risk audits, internal controls, and sound organizational governance. Fraud risk is complex, and managing risk requires many tools—not to mention vigilance.
