“We will take the risk” – the words no fraud or security manager wants to hear from the CFO or the management team. Often the statement is made by someone who has no idea what that risk actually is, and who would not think of justifying the decision with a formal risk assessment. If they took the time to fully evaluate the consequences of not doing something, particularly the direct financial impact, the brand and reputation damage and the impact on customers, they might find that the total cost of ‘taking the risk’ is far outside their delegated financial authority.
The media over the past few years has frequently reported on issues within the telecommunications industry where decisions not to do something have backfired and resulted in huge, avoidable costs to the business. These issues have been raised around the world, from Australia to Korea to Central Europe.
Without access to the knowledge and experience of a fraud or security specialist, it is difficult to expect a leader in a small start-up, for example, to fully appreciate the consequences of not managing fraud risk adequately. It is fairly common, when a new business is being developed, for fraud management to be put into the second or third stage of the plan, on the basis that it is a function that can be introduced as the business grows. The risk, of course, is that the fraud function is not properly resourced until an event demands it, by which point the loss has already been incurred.
I recently dealt with a small MVNO that had a staff of 10 and served a specific customer segment. Despite the business having existed for almost 10 years, none of the staff had any accountability for fraud management and the business was not very ‘fraud aware’. It was targeted by an organised fraud group and, despite the management team taking what they thought were adequate precautions with a new customer, it was hit with an international revenue share fraud (IRSF), losing $US2.3 million over a very short period.
Unfortunately the losses could not be sustained by the business and it was forced into voluntary liquidation. With very basic fraud monitoring, these losses could have been avoided, and certainly had external specialist advice been sought years earlier, this would have allowed for a fraud management strategy to grow with the business during the company’s development and perhaps saved the business.
While this case was clearly one where having a suitably experienced fraud or risk professional within the business could have saved it, there are other examples where such expertise is available, but senior management are not prepared to take the advice the Fraud Manager gives them.
Another recent case I dealt with, which demonstrates this, involved a decision not to take the advice of an experienced fraud manager within the business. He had recommended that International Call Forwarding on mobile devices while roaming be an opt-in feature rather than one enabled by default. A senior manager disagreed, on the basis that a customer might want to use the feature while roaming and should be able to do so without having to request activation.
Some customers then had their handsets stolen while roaming, and the fraudsters used the international call forward capability to forward the stolen SIMs to IRSF destinations. They were then able to generate multiple simultaneous calls through the forwarded mobiles to those destinations; one mobile alone accumulated over 81,000 minutes of calls in a 900 minute period, which works out to roughly 90 concurrent call legs on average. It is unlikely that this CSP could ever recover that accumulated loss through legitimate use of the call forward feature at any time in the future.
Another case involved a medium sized mobile company that commissioned a new Prepay Platform and, during User Acceptance Testing, failed to notice that 6 or 7 roaming destinations had no tariffs entered in the rating table. When a prepay roamer set up a call, the Prepay Platform was queried for the per minute price of a call to that country and then checked that the prepay user had sufficient balance to cover it. If the called country was one of the 6 or 7 with no tariff, the platform assumed the call was free and allowed it without charge: the rating lookup failed open, when a missing tariff should have barred the call. As it happened, some of these ‘free’ destinations were IRSF destinations, and fraudsters discovered this. The fraud manager at the company had previously asked for an additional staff member to monitor Near Real Time Roaming Data Exchange (NRTRDE) records, which were not being looked at. He was told that, to keep the workload down, he should exclude prepay roamers from monitoring, as they were low risk. Consequently these ‘free’ calls continued for 3 months before they were discovered, with a total loss of over $US2.5 million.
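The two cases above come down to two controls: a rating lookup that must fail closed when a destination has no tariff, and a sweep over NRTRDE records that flags a single IMSI running many calls at once or calling an un-tariffed destination. The script below is an added illustration of both, not code from the original article or from any CSP's platform. The tariff table, the IMSIs, the call records, the `prepay` flag and the concurrency limit are all constructed for the example; it runs offline with the standard library only.

```python
"""
Fail-closed rating plus an NRTRDE-style concurrency sweep.

Added example, not the article's or any carrier's code. Tariffs, IMSIs,
records and thresholds are constructed; a real feed would be the NRTRDE
files received from roaming partners.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed rating table: called country -> USD per minute.
# "ZZ" is deliberately absent, mirroring the destinations the UAT missed.
TARIFF_USD_PER_MIN = {"GB": 0.50, "US": 0.40, "DE": 0.55}


class NoTariffError(Exception):
    """Raised when a destination has no rating entry; the call must be barred."""


def rate_call_fail_open(dest, minutes):
    # The defect described in the article: a missing tariff silently rates as free.
    return TARIFF_USD_PER_MIN.get(dest, 0.0) * minutes


def rate_call_fail_closed(dest, minutes):
    # Hardened form: no tariff means no authorisation, never a zero charge.
    if dest not in TARIFF_USD_PER_MIN:
        raise NoTariffError(f"no tariff for destination {dest!r}")
    return TARIFF_USD_PER_MIN[dest] * minutes


def authorise_prepay_minutes(dest, balance, rate=rate_call_fail_closed):
    """Minutes the balance covers for this destination, or 0 to refuse the call.

    With rate=rate_call_fail_open an un-tariffed destination yields float('inf'),
    which is exactly the unlimited 'free' calling the fraudsters found.
    """
    try:
        per_min = rate(dest, 1)
    except NoTariffError:
        return 0
    if per_min <= 0:
        return float("inf")
    return int(balance // per_min)


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


# Constructed NRTRDE-style records: IMSI, called country, start, duration (s), prepay flag.
RECORDS = [
    {"imsi": "234150000000001", "dest": "US", "start": "2023-03-01 10:00:00", "dur": 600, "prepay": False},
    {"imsi": "234150000000001", "dest": "GB", "start": "2023-03-01 10:20:00", "dur": 120, "prepay": False},
    # A forwarded prepay handset: four overlapping hour-long legs to an un-tariffed destination.
    {"imsi": "234150000000002", "dest": "ZZ", "start": "2023-03-01 02:00:00", "dur": 3600, "prepay": True},
    {"imsi": "234150000000002", "dest": "ZZ", "start": "2023-03-01 02:00:05", "dur": 3600, "prepay": True},
    {"imsi": "234150000000002", "dest": "ZZ", "start": "2023-03-01 02:00:10", "dur": 3600, "prepay": True},
    {"imsi": "234150000000002", "dest": "ZZ", "start": "2023-03-01 02:00:15", "dur": 3600, "prepay": True},
    {"imsi": "234150000000002", "dest": "ZZ", "start": "2023-03-01 03:30:00", "dur": 600, "prepay": True},
]


def peak_concurrency(records):
    """Maximum simultaneous calls per IMSI, via a sweep over start/end events."""
    events = defaultdict(list)
    for r in records:
        start = _parse(r["start"])
        end = start + timedelta(seconds=r["dur"])
        events[r["imsi"]].append((start, 1))
        events[r["imsi"]].append((end, -1))  # -1 sorts before +1 at equal times
    peaks = {}
    for imsi, evs in events.items():
        cur = peak = 0
        for _, delta in sorted(evs):
            cur += delta
            peak = max(peak, cur)
        peaks[imsi] = peak
    return peaks


def flag_roamers(records, max_concurrent=2, tariffs=TARIFF_USD_PER_MIN, exclude_prepay=False):
    """Return {imsi: [reasons]} for IMSIs that need an analyst's attention.

    exclude_prepay=True reproduces the 'skip prepay roamers' instruction from the
    article and shows what that decision hides.
    """
    if exclude_prepay:
        records = [r for r in records if not r["prepay"]]
    reasons = defaultdict(list)
    for imsi, peak in peak_concurrency(records).items():
        if peak > max_concurrent:
            reasons[imsi].append(f"{peak} simultaneous calls (limit {max_concurrent})")
    seen = set()
    for r in records:
        key = (r["imsi"], r["dest"])
        if r["dest"] not in tariffs and key not in seen:
            seen.add(key)
            reasons[r["imsi"]].append(f"calls to un-tariffed destination {r['dest']}")
    return dict(reasons)


if __name__ == "__main__":
    for imsi, why in flag_roamers(RECORDS).items():
        print(imsi, "->", "; ".join(why))
```

Run as a script it prints the one flagged IMSI with both reasons; call `flag_roamers(RECORDS, exclude_prepay=True)` and the result is empty, which is the three-month blind spot in the third case. The concurrency limit of 2 is an assumption for the example; a real threshold would be set per product, but a single handset cannot legitimately hold dozens of call legs at once.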
Fraud managers are finding the job more and more challenging. They are trying to ‘do more with less’ and to keep performance measures at the level they achieved when they were better resourced. As the operational environment changes, new risks surface, and additional investment will be required from time to time to introduce controls that mitigate them. Justifying a business case by identifying potential losses that cannot be corroborated is again a challenge. A wise senior manager will accept that any reasonable requests made by the fraud manager for additional budget or resources are being made in the best interests of the business and not for any other reason. The cases above include two where taking the fraud manager's advice would have saved the business significant losses.