Emerging Tech and the COVID-19 Pandemic Have Created a New Age of Fraud Risk
Pawneet Abramowski, an expert in compliance and risk management and the founder of PARC Solutions LLC, shares insight into how fraud has evolved as well as what new risks are cropping up in the wake of the COVID-19 pandemic and the rise of nascent technologies like cryptocurrency.
Fraud is always a risk for organizations within the financial services sector. It doesn’t matter if you’re a multi-national bank or a small independent financing company, handling money, especially other people’s money, is a highly sensitive endeavor.
Pawneet Abramowski, founder and principal of Park Solutions LLC, a consultancy that focuses on compliance, risk management and law enforcement within the financial services sector, has watched the specter of fraud change over the last 25 years. In a Q&A with Commercial Factor, Abramowski shared her expert insight into how advances in technology like cryptocurrency will continue to drastically change where fraud originates while also delving into how the shift to working from home and other effects of the COVID-19 pandemic will make a mark.
How has fraud management changed over the last decade? What are some areas of focus that have developed in that time?
Pawneet Abramowski: Fraud techniques are still the same. The criminals still try to exploit whatever weaknesses that may exist in different types of organizations. So, the basics of scamming people and scamming companies has not changed. The methods in how they go about doing that have changed. Over the last 20 to 30 years, we have moved into using more sophisticated platforms that are interconnected with different interfaces and more companies have popped up that provide those types of services, so, we've gone digital. That's the big shift. We went from a manual environment to a more digital environment and changes have come along with it, including how fraud scams and techniques have evolved to use electronics versus manual methods of scamming.
How has the advent of technology like cloud computing increased the proliferation of fraud risk?
Abramowski: There isn't a cloud out there, right? That being said, it's still physical data warehouses in which organizations have space. So, the largest risk is the vulnerability of selecting the vendors that you have your cloud computing with. And then, the controls that you have in place in order to monitor and oversee those vendors. Just because you say that it's going in a cloud doesn't mean that it's being managed well if you're not with a reputable firm. And even with one, there is the heightened risk of cybersecurity.
People can wreak havoc for large or small companies and small companies are not prepared to mitigate the risk that comes with that. In addition, a contributor to an increase in fraud, or proliferation of fraud activities, is human errors. We are the biggest culprits of inviting fraud into the organization. Before, you would get a con man talking to you face-to-face. Now you have phishing scams. Now you have randomized emails that are coming in. So, human beings are kind of contributing to the problem, but the techniques are just changing from in-person to not-in-person.
Conversely, are there technologies that have improved risk prevention? If so, what are they and how do they help?
Abramowski: I think more and more organizations rely on two-step authentication. They’re starting to use platforms that help with efficiency, and with that efficiency, there are diligent steps that are taken by people that are trained to learn the software well. I think those are the folks that I think are doing a good job. Where they know which vendor they selected, what product they're going to be using from the vendor, they get sufficient training. So, from that perspective, I think the awareness level is higher than it was back in the early days.
What are some steps firms, especially those in financial services, can take to protect digital assets?
Abramowski: The financial services sector has its regulatory-mandated monitoring in place. Organizations are looking more closely at what's coming in [and] what's going out, as far as transactional activity and payments are concerned. There are more reconciliation controls in place, whether it's from finance or operations, both sides of the house are much more in tune and have tools in place to do that. If you're monitoring on a real-time basis, that's what would prevent you from losing out on money. If real-time is not possible, then at least a daily or a shorter timeframe reconciliation. I think financial services companies are also tightening up their loose ends from a technology perspective. They’re making sure that their own cybersecurity controls are strong.
Vendor management is also important. One example was the largest breach that we know of at Target. It was not Target's fault. Target had spent plenty of money. They had fantastic controls in place. They had a good third-party risk management process. They had good monitoring fraud controls in place. It was a HVAC vendor that was coming in, doing some sort of maintenance and plugged into the point of sales system. And that's how the exposure happened to that breach. You need to knowing what your vendors are doing, who's coming in and who's approved to be accessing your platforms.
Similarly, how do you recommend companies go about attempting to identify potential fraud?
Abramowski: I recommend investing in fraud monitoring tools. I think it's a bear to deal with on the onset, so it’s important to have good people within your organization that understand fraud, that have expertise in fraud, not only detecting it, but you have to be able to prevent it. I think having monitoring controls in place and the right expertise within your organization is important.
Commercial Factor spoke with a source recently who said that the effects of the COVID-19 pandemic may have exposed some frauds that started before the pandemic, as poorly paying accounts tend to stick out more in bad economic times. Would you agree or disagree with this assessment? Why or why not?
Abramowski: I think it's a combination of the two. I've seen it before. During the financial crisis, there was an increase in fraud. Troubling times always bring out the best and worst in people. And unfortunately, the worst is what we see play out in front of their eyes. So, the COVID-19 pandemic has definitely increased fraudsters' ability to exploit people and financial institutions as well.
From the front, people are looking for a human connection, looking to talk to someone, looking to see if someone will respond to them, so personalized scams definitely increase.
And then of course, the CARES Act actually made people be more blatant in trying to exploit that. There were people that were diligently and willfully trying to get loans to support their businesses, etc., but then there were other people that were just making up stuff. There are a lot of investigations that are currently under way. There'll be more in years to come, certainly, because we just don't know the extent of the level of fraud that's taken place across different industries. And banks, unfortunately, they're going to be responding to law enforcement for years to come because the process was much different than what you would do in a standard loan origination. You would dive deep and you'd make sure that someone's able to pay you back. In this case, the government is going to forgive the loan proceeds, as long as the person complied with the spirit of the loan requirements.
How has the risk of fraud changed over the last year as more people work from home? Are there lessons to be learned from the experience that could be applied going forward, whether that be in office, work-from-home or hybrid settings?
Abramowski: I think we're going to see a hybrid model will follow with many organizations and you're going to see a resurgence in places like WeWork, which were kind of dying. I think you're going to see a resurgence in those types of shared spaces.
But that being said, maybe you're going through a secure VPN network through your work portal. So, you'll have a little bit more security that way. But at the end of the day, you’re using your home router. How secure is your home router? How many times have you seen that be evaluated in your home? A couple years ago, I was listening to one of the heads of cybersecurity at Morgan Stanley, and she said flat out, "I have a separate network for me and a separate network for my family in my house.”
However, everyone working from home is not going to say, ‘Let's go get another router from our cable provider and let's split it. This is what I'm going to use for work. This is what I'm going to use for home’. No one's doing that, so there is a vulnerability that exists.
Looking ahead, what are some potential risks that are not overly prevalent now that could become more common in the years to come and how can companies prefer for these threats?
Abramowski: I don't think we'll know. I think we'll start to see a lot more fraud that comes through with the use of different types of payments. Right now, we deal with our ACHs, credit cards, different types of completed transactions. We use those methods of payments. We’re still using real currency, but cryptocurrency is coming right at the tail of this. And we've been watching the markets go in a tailspin over the last few months, but there's an appetite for a lot of the folks to accept that.
There's nothing bad about cryptocurrency as far as having the ability to identify who is behind it. And that's where I think there is this naivety that is followed by people that think that, “If I'm using crypto, I'll be anonymous.” In fact, it's not. It takes a little bit of getting used to, but it's like doing forensic investigations, and you can peel the layers and get to the actual party behind it. So, it's not that you won't be able to identify [crypto-currency fraud]. You will be able to identify it, it's just a longer pattern to get to. And there are companies that are specializing in how to unravel the crypto blockchain and identify who's behind it and who originated it.
That's going to add a little flare into the methods of payments and the type of fraud risks that we're going to see. Even though it's traceable, people will still try to do things. People will still try to steal other people's money.