How the internet turned ram-raiders into sophisticated fraudsters
A short history of fraud in the tech-pushing biz
Opinion Fraud and theft have always been as much a part of the technology channel scene as fast cars and bonus time excess. But it seems the shift to electronic communications has handed the bad guys a more subtle arsenal.
If we look back over the years, it's clear your best defence is to refine your ability to detect when something is just too good to be true.
A supplier some years ago came upon an impending order placement that aroused suspicion. The order itself was not necessarily out of kilter but the salesperson noted earlier training tips on fraud and advised the risk team accordingly. Checks were made and it became clear this apparent order was not an "official" order placed by the client.
The trap was set – these were the days when local "bobbies" did have the time to assist and catch crooks. The police patiently waited for the offenders to arrive to collect goods from a warehouse but were obliged to pounce when only one of the offenders entered the warehouse while the other steadfastly refused to leave the van. The result was panic, with the one in the warehouse apprehended and the other chased down the motorway by sirens and blue lights. They caught him too.
Job done it seemed, and a loss of some £10,000 avoided. The following day however, the studious boys in blue presented two further copy documents showing earlier collections of £5,000 and £7,500 in the two preceding days. Both these orders and the one prevented were invoiced to a totally unsuspecting client who would no doubt have raised the issue on receipt of invoices for goods not ordered or received. The supplier of course, would have to credit these invoices.
Another supplier got wind of a slightly dodgy application but the apparent "client" was determined, giving assurances they were genuine and would indeed pay £75,000 up front for the product required. They even submitted a cheque tab with the bank stamp on showing payment to the supplier account and on cue, two days later rang up asking to collect that day.
The cheque's bouncing in the post
An astute analyst called the bank to clarify receipt of funds and was advised a cheque credit had been received... but the cheque had yet to clear. Needless to say, the pressure was on to allow collection from the "client" and sales but caution prevailed. The cheque presented bounced two days later. A police investigation and report later showed the cheque book had been stolen and that a number of unfortunate suppliers of products across varying sectors had lost close to £1m.
Simple fraud processes would have tripped them up and yet they were hugely successful when a supplier failed to install policies and practices to limit or eradicate such opportunity.
In truth, until the advent of email, the internet and electronic communication, external fraud – certainly on distributors or others holding inventory – was limited to good old-fashioned ram-raids: the hijacking of delivery trucks or the theft of memory chips, leaving behind the carcass of a desktop that had no real value.
Safe and snug behind a fake email addy
The startling growth and changing technologies since the '90s have provided fertile ground for those intent on making an easy buck or indeed "meellions" of them. Indeed in recent years, the ground has been so fertile it has attracted those who previously traded in less salubrious criminal endeavours. The fact is this type of fraud is safer to work on, less likely to lead to a lifetime behind bars or self-imposed exile in some backwater with no extradition treaties. Indeed, terrorism has to a large extent been funded by fraudulent activity.
But why is the technology channel sector in particular so vulnerable? In short: it has commodity product, new gizmos that are in demand, a vast bottomless grey market that absorbs product with no questions asked, volatility and pricing, fast obsolescence, excess inventory. Add to this a lack of control or risk management processes to counter the "greed" factor of a sale, a total lack of police interest either pre- or post-event (or only if it exceeds around £7,500) and the knowledge that few will acknowledge, admit or pursue those involved.
There is of course, the embarrassment factor and denial too. When the supply chain is restricted or there is pressure to achieve sales, reduce inventory, or where a lack of focus on risk management is noted, attacks will occur and any chink in one’s armour will be exploited ... again and again.
Those involved in fraud are not all running around in striped shirts and balaclavas. Commercial fraud was at one time viewed as opportunistic. In an electronic age with fast, slick business transacting, it has developed and matured into a sophisticated process, patient in its approach, very knowledgeable of the sector and quite adaptable to process check implementation. Today's fraudster has in-depth knowledge of the supply chain and industry pressures and presents new challenges in management and prevention.
We have witnessed plants into the supply chain, identity theft, fraudulent filing and changes to company details, false accounting records and a term I came up with back in the late '90s called "company hijack". The latter was more predominant in cases of VAT carousel fraud or "long firm fraud" intentions.
A classic case of company hijack was a well-known and respected European sub-Distributor and OEM that had successfully traded for some eight years and had achieved good business ratings and sound credit insurance. Sales had grown to a very healthy €40m.
Quite suddenly, the company filed a set of accounts just one month after its normal year end showing a massive hike in sales to €140m. This led to higher ratings and higher levels of insurance but in some quarters, unusually quick filing and ridiculously high growth in sales prompted visits and questions. It was then discovered that the original owner and shareholder had "sold" the business for some €3m and was no longer part of the firm.
Suppliers were short on data quality so instead of supporting higher credit lines, one or two of the businesses opted to reduce exposure and move away until they were fully satisfied in terms of ownership and performance.
A year later, accounts were filed again quickly, showing increased sales to over €200m. Those shrewder suppliers who had opted to move away quickly moved out altogether at this piece of news and a continued lack of data on new owners. Some three months after filing these accounts, owners were nowhere to be found and the business had shut up shop and disappeared. It later transpired "ownership" was South American. It was in essence, a VAT scam.
Company hijack is so simple and yet so often missed. If you’re approached by a business that was previously involved in watch-making, jewellery manufacture or groceries, has seemingly received new inward investment, is run by an 84-year-old or is under new ownership and now all-of-a-sudden moving into telecommunications and IT, you really have to ask the right questions and be sensible.
Don't get caught out
If you’re an exporter and are happy to supply shedloads of kit on a pre-payment basis to businesses that clearly on paper do not have a pot to pee in or are technically insolvent, you have to be watchful of such trade and any associated potential future liability.
I’ve presented and given guidance on fraud prevention for some years but still find the approach of many in terms of risk management to be sadly lacking and blasé, and this extends to resellers too, which are now facing increasing levels of attack.
Are clients placing out-of-the-ordinary orders? Do those buying also sell? Are new sales recruits performing astonishingly well when your existing team are struggling? Are you raising too many credit notes at the beginning of a new month or quarter? Sensible businesses are those that have processes in place to monitor and review everyday situations and out-of-sync movements.
Fraud will not go away but can be successfully managed through sound processes, regular review, company-wide briefing, internal controls, continual training and astute risk management. ®