Discussing the Current Anti-Fraud Landscape

John Duffley

ACFE Communications Manager

In the closing session of the 2023 ACFE Fraud Conference Europe, ACFE President and CEO Bruce Dorris led a discussion on the current fraud landscape, including considerations that fraud investigators and organizations alike should be mindful of when building effective anti-fraud controls. Taking part in the panel session, sponsored by AuditBoard, was Marcin Nadolny, Head of EMEA Fraud, Fincrime and Data Science at SAS; Natina Thalien, CFE, Chief Information Security Officer (CISO) at Arkema Group, author and public speaker; and Chrysti Ziegler, CFE, CIA, CRMA, Chief Audit Executive of CITGO Petroleum Corporation.

Topics ranged from geopolitical concerns facing global organizations to the importance of due diligence to protect companies working with third parties. Collectively, the discussion laid the foundation for what’s ahead as digitization of business data and cybersecurity risks grow in an evolving world.


Global Cybersecurity Concerns

With geopolitical tensions including the Russia-Ukraine conflict, China’s zero-COVID policy and rising energy and food costs around the world, the current cybersecurity landscape is far from traditional “best practices,” according to Thalien. Where occasional anti-fraud check-ins were once commonplace, this new landscape has created a need for ongoing training and reinforcement in order to minimize risk and protect organizations from cyberattacks.

Increasing ransomware attacks by sophisticated, coordinated groups require companies to better understand how these criminals are gaining access to sensitive information. Thalien, who has conducted cybersecurity audits and assessments in more than 63 countries, pointed to spam and phishing campaigns, poor user practices and gullibility, weak passwords and access management, and a lack of internal cybersecurity training as the entry points that can cause a company without proper cybersecurity systems in place to go belly-up.


Risk Management Changes Within the Energy Sector

Following the Colonial Pipeline cyberattack that forced a temporary shutdown of the business’s operations in 2021, the U.S. government issued a mandate to pipeline operators to strengthen their cybersecurity controls. The attack resulted in changes the entire energy sector had to adapt to, and as Ziegler has observed, governments are more often getting involved in implementing anti-fraud controls at scale.

“It’s not just a company’s problem or a personal problem,” Ziegler said. “It’s becoming a government problem as well, especially when you have something like a Colonial where they’re an integral part of the infrastructure of the country that they’re operating in. When you shut down a pipeline, it’s not just their operations — it’s anybody else who is operating on that pipeline as well. And if those other integrated pipelines aren’t able to operate, then it expands from there, and other pipeline operators are also affected and having to shut-in their products.”

Large-scale organizations are likely to require additional assistance from governments in the future so that cyber controls and anti-fraud frameworks are in place and effective, which helps to avoid potentially detrimental consequences to both companies and the citizens they serve.


Geopolitical Tensions and Navigating Risk

An increase in organized fraud groups and fraudsters for hire is only part of the growing threat that comes from geopolitical tensions, according to Nadolny. Citizen fraudsters have created a new set of challenges, as this emerging group is driven to commit fraud when their personal situations turn for the worse. Through the dark web, anyone can gain access to highly sophisticated frameworks for cyberattacks.

Additionally, accelerated digitalization resulting from hybrid work environments means that business is happening faster online, and consequently, fraudsters from across the world are able to collect sensitive information from companies that have a growing volume of data and transactions stored digitally.

Nadolny, who is both an anti-fraud expert and data scientist with expertise in applying machine learning in business, raised the additional challenge that sanctions have on businesses operating both nationally and abroad.

“Sanctions are growing. Actually, we are in a moment where it was never like this, that every week, every month, we have new sanctions,” Nadolny said. “Organizations now need to adjust and understand how to cope with this and how to apply them in the proper way. And that gives a rise towards AI-driven modernization within sanctions screening.”


Post-COVID Risks and Training

Phishing attacks and social engineering are among the most common risks facing organizations today, and the burden of stopping them falls primarily on end users, who must be able to identify malicious emails and other attempts to collect sensitive data. As Thalien pointed out, the mixing of professional and personal devices and accounts opens even more opportunities for fraudsters to break through a company’s security system and wreak havoc. Ziegler agreed, adding that the threat of social engineering — using psychological manipulation to coerce people into revealing information or performing specific actions — adds even more pressure on individuals who may not be able to spot inconsistencies in what is being asked of them.

The silver lining of returning to in-person office settings is that companies can provide hands-on training and reinforcement of anti-fraud controls in a way that helps mitigate the risks that increased while the global pandemic kept business happening primarily at home.

“We’re stronger, we’re better — COVID showed us all another way to do things virtually,” Thalien said about her organization’s growth. “Our digital personalities are certainly different than our real-life personalities in a meeting room.”


Machine Learning and Generative AI

When it comes to the adoption of machine learning and AI technologies in analyzing data for fraud detection and investigations, Nadolny has seen digital applications growing in a number of areas. In particular, the growing sophistication of attacks (now combining multiple techniques such as spoofing, social engineering and remote access trojans) and the growing propensity of fraudsters to use generative AI, particularly deepfake technology, AI-generated photos and documents, make it harder to prevent fraud and spot falsified records. Here is yet another area where training and education are critical for organizations, so that end users are able to authenticate and validate documents before it’s too late.

“Digitalization is going forward. Fraudsters are going digital, and they are using the most recent technology,” Nadolny said. “We also need to view this from the [perspective] of vendors; we need to help to protect people and companies with AI technology as well.”


Third-Party Risk Management

As Ziegler pointed out, third-party relationships not only pose additional threats of ransomware or phishing attacks by fraudsters; if you conduct business with a third party that is itself working with a sanctioned organization, that opens a “pass-through” that can expose your company to indirectly doing business with a sanctioned entity. Due diligence is critical to understanding the contractors and organizations that you, your clients or your company may be considering working with.

“You try to understand, ‘OK, what is the sensitive information you’re going to touch of us? What’s our systematic relationship from a cyber point of view?’ Once you understand that, you try to minimize risk. Third parties already pose a great risk, but the fourth parties can pose even a greater one,” Thalien added.

While risk will never reach zero, understanding the different avenues through which threats can be presented can help you and your organization in getting those risks to be as low as possible.