External fraud refers to manipulation, deception or illegal activities committed against the company by external parties. External fraud could be a vendor lying about the work that they did and how much the work cost or a vendor working with an employee to produce wrongful statements and invoices. This is an example of a combination of external and internal fraud.
The most common external fraud schemes
All types of fraud are changing in today’s world. You need to be aware of what external fraud could look like to be able to create strategies to prevent it and recover from it. Let’s look at the most common schemes:
1. Identity theft
2. Credit card fraud
3. Loan stacking
4. Vendor fraud
5. Account takeover
1. Identity theft
Identity theft occurs when a criminal steals the identity of an employee (usually one of a higher level position with greater access) to hack accounts, trick their colleagues and steal assets and information. Identity theft is dangerous because depending on the amount of responsibility an employee has, the more damage the criminal could do to the business. For example, if the employee is responsible for managing a company’s bank account, then the thief has access to high amounts of funds.
The criminal could send emails posing as the employee and ask their colleagues to give them access to sensitive information. They could also try to send phishing emails as employees will be more likely to click on links from people they trust. This is why protecting passwords and not sharing is so important.
2. Credit card fraud
Credit card fraud is a common type of external fraud that occurs when a third party gets access to a company’s credit card and uses it to make personal purchases. If the organisation isn’t regularly checking their bank accounts, then they might not notice external fraud until it’s too late. Criminals usually make smart purchases that will not need a net code so as not to notify the company of the purchases that they’re making. To combat this, it will be beneficial to have someone check the business’s bank accounts or simply have someone enable notifications for any funds leaving the accounts. If the fraudulent transactions are noticed on time, then the organisation can make a dispute with the bank.
Credit card fraud can also occur by customers of the business. A customer can buy products or services that they don’t intend to pay for and upon receiving the products and services they could ask their bank to charge back the money, claiming that they never received what they paid for.
3. Loan stacking
Loan stacking is another example of external fraud that occurs when a criminal takes out loans in the name of the business. They might pose as one of the employees and give the bank any necessary information that they need to take out as many loans as they can. Of course, they don’t intend to pay those loans back which can lower the credit score of the individual or the business.
4. Vendor fraud
Vendor fraud can happen in a number of ways. A vendor might create a fake account number and give it to the business, create a shell company to work with a business or duplicate payments on invoices with the hope that the buyer isn’t going to notice. The vendor may be acting alone or with the help of an employee inside the company. When the employee is involved, they may purchase items at a higher price so the vendor can benefit, buy items that aren’t necessary or falsify invoices to show that they bought items even though those items haven’t been delivered. The aim is to spend the funds for personal reasons.
5. Account takeover
Account takeover, commonly known as ATO, can occur when the fraudster uses phishing emails or malware to steal the credentials of an employee. They use the credentials to log into the account and steal information, change the account details and perform other malicious activities. Without the right safety measures in place, account takeover may not be noticed. In 2023, account takeover increased by 131% compared to 2022.
The impact of external fraud on the business
There are a few ways that the business could be imparted by external fraud. These include:
Reputational damage
If it becomes public the business details have leaked to criminals and the safety measures within the company are not strong enough to prevent credit card fraud or account takeover. then customers are likely to lose trust in the company. If the company can’t guard its own details, what guarantee is there that it will safely store the details of its customers? How will customers feel safe working with a company when there is insecurity about their personal information being leaked? The damage to the reputation can ultimately lead to lower sales and, as a result, a drop in performance.
Financial losses
Financial losses are the most common consequence of external fraud. Most criminals try to go after funds or assets the company possesses which means that when external fraud occurs, there’s a high possibility that the business will lose money; either from the fraudster stealing the money directly or from the money spent on legal proceedings and investigations.
Lost opportunities
Another way that the business might be impacted by external fraud is by having their partnerships cut short or future partners not wanting to work with them. This usually happens because companies want to work with trustworthy businesses that have built a strong reputation and won’t be a risky partnership.
Similarly to customers, an organisation could view working with the affected business as a risk to the success of their own company. This is because working with them might mean that their details won’t be secured and any financial information that is exchanged between them can be leaked. Moreover, if internal employees were also involved in external fraud, then the future partner may not trust the person that they are working with.
How to prevent external fraud
At this point let’sis to be clear: There’s no real way to prevent external fraud completely. Assuming that the elements of the fraud triangle are satisfied, fraud is possible. However, this doesn’t mean you shouldn’t try to prevent fraud. Here are some ways to protect your business:
Create a culture of cyber awareness: Employees need to be aware of the risks they face when they go online. They need to be aware of where they are entering the passwords, ensure they aren’t sharing them with anyone, what websites they visit and be cautious of any links that they receive in emails or text.
They also need to have spatial awareness when they’re outside.
For example, if they are entering the passwords while on the train; Are they aware of who is behind them? Is their screen clearly visible? Is it really necessary to use their passwords right now? These are the types of questions that they need to ask themselves before logging into their accounts.
Understand who you are working with: Before entering an agreement with a vendor it is important to do a background check on them to ensure that they are honest and have similar values to the one of your business. This is especially necessary if they’re going to deal with sensitive information or you’re going to be making big purchases from them.
If possible, ask them to share their incident response plans. What happens if they suspect fraud in their business? Will they notify you? What steps will they take to ensure that it doesn’t happen again? This is important if fraud is committed by one of the people you work directly with. If they don’t notify you in time, you may not be able to recover any lost funds or assets.
Limit access to bank accounts and sensitive information: If a criminal manages to trick one of your employees and steal their credentials, then depending on their position they will have a lot of power over your data and funds. To minimise the risk of this happening, it is necessary to give access to sensitive login details only to those who are directly responsible for handling them. If another employee needs temporary access, upon finishing their work, the password should change. As a habit, you should be changing your passwords regularly.
Use tools to monitor real-time activity: It may be a good idea to invest in software that will monitor the activity of employees and notify you if something seems out of the ordinary. The software can give red flags if an employee is logging in from a different location, if a larger than usual transaction is being made or if there are reports of a higher number of phishing emails received by employees. This will allow you to adopt a proactive rather than a reactive response, as you will be able to identify the fraud early and act quickly before it can actually damage the company.
Knowing how to recognise external fraud is important but what happens when you have to investigate it?
Unfortunately, a lot of companies will be in a place where they don’t want to be: They will have to investigate fraud to protect their business. Our customers have also been in that place and this is usually when they call on us to help their investigation team conduct a faster and more effective investigation.
Polonious has over 18 years of experience in improving investigation workflows and saving money and time for our customers. We automate reminders, provide progress updates and give investigators a safe space to store the evidence for as long as they need to. We are ISO 27001 and ISO 9001 certified, highlighting a high-quality system that prioritises security and confidentiality. If you are looking to investigate external fraud, reach out! Book a demo and we can show you how we can help you.
Let's Get Started
Interested in learning more about how Polonious can help?
Get a free consultation or demo with one of our experts
Eleftheria Papadopoulou
Eleftheria has completed a Bachelor's of Business with a major in Marketing at the University of Technology Sydney. As part of her undergraduate studies she also obtained a Diploma in Languages with a major in Japanese. Following her graduation she has been working as a Marketing Coordinator and Content and Social Media Specialist.
Eleftheria is currently finishing her Master in Digital Marketing.