Combined Industry Theft Solutions
CITS News

 

December 2017

Fraud and the construction industry

Source: https://lombard.contentlive.co.uk/content/5846379f-f00e-8d45-babe-82fbb776aef8


At a recent event hosted by the Combined Industries Theft Solutions, attendees looked beyond the familiar threat of plant theft to the evolving menace of fraud.

The Combined Industries Theft Solutions (CITS) is a not-for-profit body from across the construction plant industry that seeks to tackle the problem of plant theft. At its recent conference, however, it explored how companies in the sector could combat the rising threat of fraud, an ever-changing peril that is facing all industries.

David Smith, CITS chairman, explained how the theft threat had changed from physical to cyber. "We can all recall when opportunistic thieves could easily steal a construction machine because it had little security to protect it," he said. "Industry demanded an improvement and it came." Today, thanks to more effective security devices and policing methods, the number of thefts is reducing. "It is still too high and recovery rates are improving but we must not become complacent," he added.

Smith explained that the problem had evolved: the industry has witnessed a rise in fraud and attempted fraud. This ranges from an opportunist attempting identity fraud, to a disgruntled staff member passing on company protocols to a criminal gang, or a gang sending emails that contain malware to extort money.

"All it takes to succeed is for the recipient to have a momentary lapse of concentration, to inadvertently tap a computer key, ask an obvious question or carry out a rudimentary check," he said. "The outcome can be devastating."


The changing face of crime

Steve Rodhouse, deputy assistant commissioner at the Metropolitan Police, was on hand to quantify the danger. The recent WannaCry cyber attack showed such criminality could result in financial loss, threaten reputation and endanger the confidential data of the company under attack as well as its supply chain.

"The threats from fraud and cybercrime are genuinely existential threats to companies," he emphasised. "They are new and driven by the technology that pervades everything we do today."

Reported fraud (and Rodhouse believes it is massively underreported) far outweighs traditional crimes such as burglary. The scale of the threat means it cannot be beaten by tracking and arresting the culprits, who often work remotely in areas where they cannot be touched. The focus must be on raising awareness.

"It has to be a joined-up effort," Rodhouse added. "It is important to report any fraud or attempted fraud as it helps us understand the threats and build solutions. Our biggest challenge is keeping up with technology."

The Home Office estimates that serious and organised crime costs the UK at least £24bn a year. The Office for National Statistics estimates that, in the year ending June 2017, there were 3.3m fraud offences, of which 1.9m were cyber related, and an additional 1.6m incidents of 'computer misuse'. It is not possible for any one body or organisation to tackle the entirety of fraud and it requires a multi-agency, multi-partnership response.

Tim France from the Home Office highlighted some of the schemes in operation to combat the threat. The Joint Fraud Taskforce includes law enforcement, banks and victim organisations, and has a focus on prevention. One of its main tasks is to reduce card-not-present fraud. "We can design out this type of fraud with technology such as bionic data and simple process changes that banks can put in place," said France, "although we understand this may change the way we shop online."

Another ambition is to create a scheme to routinely trace, freeze, then repatriate funds back to the victims of fraud. This will require the development of a technical solution and the production of a legal framework for banks to operate in. A pilot kicks off in January 2018.

Finally, France spoke about Take Five, a national partnership between UK Finance and the government advising the public on how to protect themselves from financial fraud and offline fraud.

Clear and present danger

Chris Diogenous of the London Digital Security Centre illustrated the threat with recent examples. Since 2011, the Dragonfly hacking group has been targeting organisations that use industrial control systems (ICS) to manage energy data systems. The activity increased in 2017 and the group now appears to be interested in learning how energy facilities operate and in gaining access to operational systems, which means it potentially has the ability to sabotage them or gain control.

 


 

The second example was US retailer Target. In December 2013 over 40m credit card details were stolen from nearly 2,000 Target stores by accessing data on point-of-sale systems. The attack was delivered through a third-party supplier who had recently installed a heating and ventilation system at a store. By gaining access to the supplier's system, the attackers were able to gain access to Target. The breach cost Target more than $250m and cost the CEO and CIO their jobs.

"The lesson drawn from these is that cybersecurity needs to be brought up at board level," Diogenous said. "It is not an IT issue because the impact is not just financial loss and reputational loss. If something did go wrong, what would you do? Do you have the right policies in place? Does your business need a dedicated executive responsible? You need to understand where your high-value data resides and protect it."

A variety of threats

Fraudsters employ various methods, including vishing, bogus boss fraud and invoice redirection, the last of which is extremely prevalent. If you received a letter from a key supplier asking you to update the account details you have on file, would you take this at face value or take steps to verify it?

"Think about some of the larger amounts you pay to suppliers," said NatWest fraud analyst Sarah Grant. "What would you do if you had to pay that again? Because that's what happens to some businesses. Part of the reason these methods are successful is that currently in the UK we have no payee name verification for bank payments; it's just the sort code and account number that's checked. Call your supplier on a number you already have and verify everything independently."

The profile of a fraudster

Accounting firm KPMG has been developing the profile of a typical internal fraudster since 2010. The profile is changing and technology is the big driver for this. "The characteristic everyone looks at first is that 79% are male," said Nicola Cobb, KPMG's director of risk consulting. "Most operate at a senior level. They have the opportunity, the network, the understanding of business processes. In most cases I look at, the fraudster has had almost unlimited authority.

"They have good networks and everyone trusts them so it's easy for them to bypass weak controls. If you have weak controls you're more likely to have a problem."

Changing awareness

The event culminated with detective chief inspector Gary Miles, who leads the Metropolitan Police Operation Falcon team, delivering a plea for change. "Everyone is being educated around the threat of fraud, but what I want to do is change your behaviour. I want you to go away and make changes. I need to convince you so you can convince your employees. If you lead on this, it will make it more difficult for these criminals to carry out this sort of behaviour. We need a cultural change. These people aren't stupid."