PREFIT for anti-fraud purpose

23 Jun 09

According to the latest figures issued by the Office for National Statistics, unemployment in the UK has risen to an uncomfortable 2.26 million. That’s the highest total for 12 years, and represents an unemployment rate of 7.2%. Last month, the number of people claiming unemployment benefit rose by 39,000. Basically, the news isn’t good.

It’s a well known fact that employer organisations face an increased threat when times are hard, and not just from the petty criminal on the street. In truth, the bigger issue is the propensity for their own employees struggling with mortgages and/or bills to turn to low (and sometimes high) level criminality. Today, it might be a few reams of A4 paper that disappear from the supplies cupboard, but next week it could be confidential data or computer hardware that’s compromised for illicit personal gain.

Just now, the Association of Chief Police Officers (ACPO) is estimating that fraud costs the UK economy something like £20 billion a year, and that the majority of fraudulent acts are committed by employees. For them, fraud and deception appears to be the easy option. Unlike the politicians, those employees will – hopefully – be put in front of a Judge when caught, but it’s often catching them that’s the problem.

Protecting Employers From Insider Threats

It’s against that backdrop that the PREFIT (Protecting Employers From Insider Threats) initiative has just been launched. The launch event took place last Friday morning inside the amphitheatre-style Conference Hall at New Scotland Yard, with SMT Online in attendance as the Official Media Partner.

It was refreshing to witness first hand how Human Resources and security professionals are beginning to break bread together in a bid to share Best Practice techniques and information on the best way of fighting employee crime.

The welcoming address came courtesy of the Met’s very own Peter Burns, chief architect and implementer – and self-confessed “honest broker” – of the Sector Fraud Forums run from the Yard. “Today is an historic day for the vetting and screening profession,” said Burns. “In co-operation with Operation Sterling that sits within the Economic and Specialist Crime Unit at New Scotland Yard, I can validate what is being done with PREFIT.”

Burns suggested it’s very clear to him – and many of his colleagues – that the insider threat poses massive problems for each and every sector of commerce. “With the skills present in this room today, we can begin to make a genuine difference in the fight against fraud. There needs to be greater co-operation and, importantly, communication between vetting and screening professionals and business leaders.”

Burns has a saying that was pretty apt for this conference. “You see what you recognise. You recognise what you know. By sharing knowledge and experiences, we can help each other to see more.” Very, very true indeed and a great base point to underpin the day.

Forging links with commerce

Keynote Speaker for the PREFIT launch was Janet Williams, assistant commissioner (specialist crime) at the Metropolitan Police Service. “The fact that there’s hardly an empty seat in this hall today tells me that people are keen to deal with the insider threat, and deal with it we shall. PREFIT is such an important initiative.”

Back in 2004, Nigel Mawer devised Operation Sterling. He foresaw that the police service alone couldn’t combat the fraud problem, and that links would need to be forged with commerce and industry.

“PREFIT follows on from other partnerships forged by Sterling, which is designed to develop industry groups that eventually become self-sustaining and self-sufficient,” said Williams. “Areas we have already tackled to date include recruitment, property, the construction industry, motor vehicle advertisers and the travel and hotel sectors.”

In what ways will PREFIT benefit us all, then? “For a start, it will lead to companies who are competitors sitting around a table and sharing information to their mutual benefit. Easy to say, I know, and less easy to accomplish. The point is that it can be done. PREFIT is also an arena for the law enforcement agencies to begin to understand the very real problems faced by businesses due to fraudulent activities, and then communicate learning.”

For Williams, the challenge lies in building a successful anti-fraud network right across the UK, linking in with the National Fraud Forum and the National Fraud Association. “How can we measure the success of PREFIT?” questioned Williams. “It’s pretty simple. Fraud will become more difficult to perpetrate, and less people will be inclined to attempt their acts of deception.”

Speakers packing an experienced punch

Williams was the first of a diverse range of speakers packing an experienced punch when it comes to dealing with employee deception, and stressed the need for early intervention. “We need to be proactive about employee fraud, not reactive. If we are reactive about this matter then the game is already lost.” For employee deception read security in general.

Next to the lectern was Rachael Tiffen, chief internal auditor and anti-fraud manager at the London Borough of Waltham Forest (although she’s about to move to the London Borough of Enfield and take on a similar role). With 20 years’ experience in the local authority field, it’s not surprising that the audience paid close attention to what Tiffen had to say.

In her present role, Tiffen and her colleagues carry out the standard checks on prospective employees. “Are the individuals before us really who they say they are? Do they live at the address they’ve given us? Are they eligible to work in the UK? Let’s not forget their employment history and qualifications. They need to be rigorously checked as well.”

At Waltham Forest, as you’d expect the focus is also on people such as caretakers and cleaners. The people who have access to office desks out of hours. “As much as possible, we try to make use of open source information. Web sites like Friends Reunited and MySpace, for example. It’s usually the case that individuals will incriminate themselves here.”

Interestingly, Tiffen next examined the points of vetting failure. These include false, forged or stolen documents to support immigration status, a contrived work history and/or associated references, previous unspent criminal convictions, false or otherwise embellished academic qualifications, abuses of the welfare benefits system, deliberate evasion of public sector debts and obtaining public sector housing or grants by deception.

Vetting and screening in place since 1995

The London Borough of Waltham Forest has been vetting and screening since 1995. When the process first began, around 20% of applicants were failing to pass the necessary tests of probity.

“I decided that it wasn’t good enough for us to just let these individuals slip through the net,” opined Tiffen. “Come last year, of the 833 people we vetted there was only a 5% failure rate.”

Typical failures are noted among agency staff. No great surprise, really, but still the figures Tiffen quoted were nonetheless pretty shocking. Of the agency staff sent to work for Tiffen’s Borough last year, 31% had no right to work in the UK, 8% harboured unspent convictions for theft and false accounting, 23% held a contrived employment record and 15% suffered from “housing fraud issues”. I know. Statistics like these beggar belief.

In 2007, Tiffen’s operation secured nine arrests and convictions for identity fraud (there were two such arrests last year). 2008 also witnessed six dismissals, seven fraud referrals and four offers of employment being withdrawn. Something tells me that Tiffen most certainly knows what she’s doing in the fight against fraudsters!

Next, Tiffen reminded us all of the startling case involving The Sheriff of Nottingham. A chap by the name of Shaukat Khan worked under contract at the London Borough of Waltham Forest from December 1999. His basic remit was to co-ordinate the Le Cheile project, a scheme designed to help members of the most poor local communities in setting up their own small businesses.

A former Sheriff of Nottingham – and, indeed, the first Asian to hold that historic position – Khan had actually been jailed in 1993 on seven counts of forgery and four of theft after stealing close on £10,000 from various ethnic community organisations. He was released after serving six months of his one-year sentence.

The day Khan was employed by Tiffen’s Borough is probably one she’d rather forget, but fair play to her for revealing this Case Study. It merely reinforces the fact that employers need to be so, so careful these days. Even City Sheriffs may not be what they seem.

Checking Passports and illegal workers

Tiffen also recalled the case of a principal officer who was found to have committed four offences in the benefits claims arena. Said officer had to pay back close on £9,000. Not only was the job offer made to her withdrawn, but the woman concerned was also given a community punishment order.

When it comes to checking on illegal workers, Tiffen’s vetting team members always check Passports with rigour. In fact, there’s a seconded police officer from the Met who works with them on this.

“I remember when we advertised for the position of finance manager in the Childrens’ Services Department,” said Tiffen. “It was a £60,000 per annum role. The first candidate who applied? It turned out he’d previously stolen 40 pcs and had written his own reference! The second candidate owed £3,000 in Community Charge payments. Oh yes, there was a warrant out for his arrest, as well! The third candidate owed the Borough £3,500 in Community Charge payments. Frightening, isn’t it?”

Paul Evans – the executive director of intervention at the Serious Organised Crime Agency (SOCA) – then gave a quite brilliant presentation before, sadly, he had to dash off immediately to the day job. I’d met up with Paul at the BT Tower a year or two ago for another launch event, and he was fascinating company, so I wasn’t in the least bit surprised that his delivery on Friday was exemplary.

Kick-starting his polemic by describing himself as a “recovering spy” and referring to the “wacky world” of organised crime, he posited the question: “Why did we form SOCA?” Why, indeed, would you take 4,500 perfectly responsible former cops and customs officers and make them all “very cross”? (which raised plenty of laughs!)

“We did it because we had to,” said Evans, who previously spent 20 years with the Secret Intelligence Service and “one day at the criminal law bar before I ran off and joined the circus”. Evans explained: “We weren’t looking closely enough at employee fraud because it was deemed as low risk. My life has been based on conducting what I hope have been top notch, dangerous covert investigations. Many of them overseas. During that time I began to see the future.”

For Evans, that future consists of two elements. “One is prevention. Two is data.” He repeated both words “just in case that wasn’t clear enough” for us all! The prevention bit certainly contains the seeds of success that need to be germinated. Initiatives like PREFIT embody co-operation between the private and public sectors. “That process is, for me at any rate, all about globalisation.”

40,000 individuals involved with organised crime

Evans’ next statistic made everyone sit up and take notice. “Ladies and gentlemen, I can tell you now that we have just mapped the number of people who are engaged in, otherwise abetting or supportive of organised crime in Britain. That total comes to over 40,000 individuals. To deal with this kind of number in any one annual period in terms of Court time, lawyer time and police time would see us look at around about 3,000 of them in the Courts. At that rate, we’d need to tell ministers to come back in 2026 and we’d have solved the problem.”

With those figures in mind, it’s easy to see why Evans’ focus on globalisation is both right and so very important.

Prevention can only be based on evidence, and evidence comes from data. To prove the point, Evans highlighted the latest series of TV adverts produced by none other than the TV Licensing Authority. “The adverts work on one principle. If you try it on [by not having a licence], you will be caught. There is an inevitability to it all.”

Evans also cited the classic series Yes Minister, and a conversation between the PM and his private secretary. “There is a difference between implying and inferring, Prime Minister. I imply, you infer!”

Incredibly susceptible to inference

Evans used that comment as a neat segue into suggesting that organised criminals are “incredibly susceptible” to inference. They spend most of their lives trying to be ordinary members of the general public, but for a sliver of their time they’re engaged in the nefarious world of criminality. We need to find out why.”

The Policing Act of 2005 paved the way for SOCA and other law enforcement bodies to have debriefing sessions with criminals – hardened thieves or otherwise. “I once interviewed someone involved with timeshare fraud,” outlined Evans, “after the man’s solicitor had told me the chap concerned was willing to speak to us. He had graduated through the career fraud ladder, became successful and then the criminal Big Boys circled like vultures to take some of his ‘business’ from him.”

It was the late 1980s. The era, according to Evans, of padded shoulders and funny hair. People “firing up their Audi Quattro’s for a pose around the block.”

The man targeted a bank – the Egg bank. He provided himself with a false identity. No-one checked it. Working on behalf of a consortium of 20 criminals, the man determined to steal the marketing profiles of the bank and replicate them in multiples of thousands to create ‘people’ who looked like the ideal customers for that bank.

“The fact of the matter is that he used a false CV. He applied to work, pro bono, for the Marketing Department. He flattered them. They believed his story. He worked there for six months and sold on the profiles to the criminal gang for multiple thousands of pounds. With a Porsche, a Dockside flat and disposable income of somewhere between £35,000 and £45,000 per annum, in the 1980s it wasn’t a question of whether you’d get a loan if you filled in the forms. More a matter of how fast they could get the money to you.”

In closing, Evans commented: “The sharing of data and information is the future. I am of the firm view that it’s possible to make a difference. We all have a part to play. Organised crime is out there trying to rip you off because you’re low risk. Sometimes it’s too damn easy for the fraudsters. Reflect on that, because we need to make life much harder for those who would seek to steal from us.”

Protecting critical infrastructure sites

Following on from Paul Evans was a representative from the Centre for the Protection of National Infrastructure (we cannot name the person concerned for security reasons). The CPNI is the lead Government authority providing protective security advice to protect our critical infrastructure sites and locations, and the businesses and organisations that maintain national security while keeping it free from the terrorist threat.

The Government’s CONTEST2 strategy, of course, concentrates on Prevent, Pursue, Protect and Prepare such that people can “go about their daily business freely and with confidence”. “We are all about protection,” said the spokesperson. “Protection of our energy sector, finance, Government and public services, the water industry, telecommunications, the health service, transport, the food chain and, now, the 2012 Olympics.”

“We want to reduce the insider threat, not just from permanent members of staff but also contractors and secondees. Anyone, in fact, who works for us. To do so, we recommend that companies carry out several exercises that will assist them in their aims.”

The first of these is a risk assessment. Yes, that old favourite far too many people seem to forget. There must also be robust pre-employment screening. “Ensure that only those who are unlikely to present a security concern are employed”. Ongoing security measures must be in place – maximise the deterrent factor, limit opportunities for fraud and deliver the means to identify and manage any concerns.

The CPNI spokesperson also said: “It’s vital that you promote a strong security culture within the organisation. This helps promote compliance with any security measures you might introduce, and will reduce unintentional breaches of the rules.”

Proportionality in pre-employment screening

Pre-employment screening is hugely important. Here, proportionality ought to be recognised. Not all roles will require all forms of checks to be carried out, but at the same time the opportunity for someone to cause harm or damage to the organisation must be kept to a minimum.

The case of journalist Ryan Parry was cited. You may remember that he used false documentation to gain employment as a footman at Buckingham Palace. The massive headline ‘Intruder’ was splashed all over the front of the Red Top tabloid The Daily Mirror who employed Parry at the time. Although there were inconsistencies on Parry’s false CV in terms of education and employment history, none of the ‘facts’ presented were ever checked.

“There needs to be a culture within your company wherein everything is challenged,” said the spokesperson. “That culture must be present and reinforced all the time.”

To help delegates in that regard, the CPNI produces several guideline documents. These include Personnel Security Risk Assessment, the Good Practice Guide to Pre-Employment Screening, the Good Practice Guide to Ongoing Personnel Security and Personnel Security in Offshore Locations (the latter due for publication before the end of this month). Check them out.

Vetting and screening in the transport sector

The next speaker to the stage was David Elbourne, assistant director responsible for maritime and land transport security at TRANSEC (the Transport Security and Contingencies Directorate). What, then, is the view of a Regulator on the matter of the insider threat? A Regulator that needs to protect against acts of terrorism and otherwise unlawful interference?

At TRANSEC, security programmes are designed around a team of inspectors who uphold the ‘law’. In 2007, the organisation commissioned a review of security issues that was undertaken by Stephen Boys Smith. The report was presented last summer, looking at security measures right across the UK’s transport sector.

On top of general concerns, the driver of the review was a feeling that the transport industry might well be vulnerable to insiders with a terrorist intent. That concern was brought into focus when the illegal immigrants working in the security sector were brought to light.

The conclusion was that there were no immediate causes for concern. “However, there were key areas we needed to address,” added Elbourne. “The first was risk assessment. The second issue was that of industry ownership. The industry has to ‘own’ the risk assessment process as it’s the practitioners within it who have the best understanding of the vulnerabilities faced. Then there’s ongoing personnel security, and its importance.”

Programme of work to address key areas

In response to the review, TRANSEC has commissioned a programme of work to address these three key areas. First of all, a series of joint assessments are being run with industry managers and, indeed, the CPNI. Those managers will be security managers and Human Resources professionals. “A different approach, as there’s a clear and important role here for HRs.”

Elbourne stressed: “We are creating personnel security sounding boards. Semi-formal meetings that will run twice a year to take stock of issues. People can work collectively to find solutions. We are also working to ensure that both Government and industry personnel security processes are continuous. They must include aftercare to supplement the snapshot provided by standard pre-employment checks.”

In closing, Elbourne mentioned a couple of issues that he feels would be worthy of taking forward under PREFIT’s wing. “There are real challenges in dealing with meaningful personnel security when you’re confronted by long and complex chains of contractors, subcontractors and so on. If those contractors are only with you for a day, how do you make sure reasonable assurances have been met before taking them on?”

The second issue is the challenge of handling sensitive information that you learn about during the process of carrying out checks. “The information you discover,” said Elbourne, “must be handled with care. Continuing aftercare is vital, though. I cannot stress that enough. Managers must always be aware of staff behaviour, too. Raise an alarm if people begin to behave in an odd way. That’s the only way you’ll catch out the ‘clean skins’ as we call them in the counter-terrorism fraternity.”

Benefits of sharing data and collaboration

Peter Hurst is the chief executive of CIFAS, the UK’s Fraud Prevention Service. He has spent 30 years in the fight against staff crime, having worked at BT and for Barclaycard. In short, he knows what he’s talking about.

CIFAS is a not-for-profit organisation with 260-plus members and a harbinger of the world’s largest data sharing scheme. The corporate members span a wide variety of individuals from asset banking, the insurance sector, retail and the communications arena. Members have saved £5 billion through membership by sharing Best Practice advice, £1.8 billion of which was clawed back over the past two years.

“We need to set competitive behaviour to one side,” suggested Hurst with great conviction. “Only by trusting one another and sharing advice and information can we make a difference to the insider threat.”

Hurst looked at the movement of staff fraudsters. Five years ago, CIFAS recognised that people were moving jobs on a regular basis to evade detection, and were able to do so because vetting and screening wasn’t up to scratch. As a result, the CIFAS Staff Fraud Database was established, having been designed in consultation with the Information Commissioners’ Office.

“Collaboration allows you to reduce the risk of employing fraudsters,” urged Hurst. “Second, you’ll be able to minimise the risk of fraud from opportunists and, third, statistical analyses allow you to be proactive on this matter.”

Hurst then made a very salient point. “Our members have made us aware of what they perceive to be a lack of interaction within many companies between the security and fraud prevention specialists and HR managers when it comes to dealing with internal fraudsters. That’s why we developed the Guide to Tackling Staff Fraud and Dishonesty in partnership with the CIPD.” That document may be downloaded from the CIFAS web site.

Background screening: the first line of defence

Hurst then quoted from Control Risks’ Screening Division. “In a world of constantly changing threats, background screening is a first line of defence. Successfully implemented screening reduces the risk to a company from potentially fraudulent employees.”

He also cited Sterl Greenhalgh, a partner at Grant Thornton. “What companies need from a culture standpoint is to have staff as attuned to the threats or risks of fraud as the fraudster is aware of the opportunities available – and when.”

If you don’t have preventative measures in place, the thieves will infiltrate your organisation. There are members of staff using fake letters supposed to be from their GP so they can remain on the sick register. People will steal money. They’ll appropriate data to sell it for lots of money. They need to be stopped and prosecuted.

“In the current climate, people are turning to fraud out of desperation,” explained Hurst. “We all have a responsibility to make the workplace a hostile environment for the fraudsters. Data sharing will help us fight them.”

Today, there are 400 people listed on CIFAS’ Staff Fraud Database, and that number is rising rapidly. “They’re working somewhere,” concluded Hurst. “Where are they now? Are you sure one or more of them isn’t working for your organisation?” Food for thought, isn’t it?

Staff fraud: the legal perspective

Offering a legal take on the subject of staff deception was Joy Hankin, an immigration and employment lawyer with popular and successful practice Blake Lapthorn. Both a barrister and a solicitor, Hankin is a regular speaker on this issue and everyone was keen to listen to what she had to say.

“Being asked to provide a lawyer’s perspective on this issue is a bit like being given a toothbrush to scratch the itchy back of an elephant. I would make two key points, though. My comments are aimed very much at the Border and Immigration Agency, and they relate to issues that can be championed on behalf of UK plc.”

Hankin is of the opinion that there’s a deep hostility between businesses and enforcement agency regulators. “What do you do if your company is raided by the Border and Immigration Agency? It’s a very stressful experience. It can lead to businesses going under if every staff member is carted off for questioning.”

Clients may be left in what Hankin referred to as “enormous operational difficulty”. Hankin added: “If the regulations could be drafted not in a more lenient way but in a manner that shows a greater understanding of the very many and real pressures UK businesses face then that would lead to far greater compliance on employee checks from employers.” Good point very well made.

Hankin feels there’s a “great degree of ignorance” on the issue of insider threats among too many employer organisations who, this issue aside, are running very successful operations. “It amazes me, to be honest”. There is “far too much assumption going” on that agencies have been thorough with their checks.

“Part of the answer does lie with the regulatory bodies,” commented Hankin. “The insider threat is massively important, and must be at the top of the agenda. Industry has to shoulder some of the burden, certainly, but there are so many layers of red tape, so many elements to compliance businesses must grapple with that greater understanding of this fact on the part of regulators would be welcome.” No-one can argue with that.

Some wise words from the chairman

David Chernick, who works as senior manager for KPMG Forensic, is not only the chairman of PREFIT but also passionate about reducing employee fraud. He spoke eloquently and brilliantly at both IFSEC 2008 and our own Threat Within Conference last December, and did so again last Friday in an engaging, humorous and informative talk.

“Trying to establish the information sharing networks that we need is quite a tricky business,” said Chernick. “Some people object to them, but as difficult as they are they remain extremely necessary. Vital, in fact.”

At this point, Chernick’s PowerPoint presentation clicked on to a green molecular structure. “Once you start setting up networks you’ll find better ways of using them to greater effect. Employment law needs to be taken into account when we form the network.” Then it was the turn of a red molecular structure to appear, duly signifying the rise of the bad guys.

Peter Burns was asked by Chernick to ‘arrest’ one of these bad guys on one of the molecules, at which point Burns stood up and picked a ball from the screen. A real plastic ball! There was loud laughter in the room. This is the way to grab peoples’ attention. “We need to address the enablers that allow people to perpetrate crime, you see!”

Chernick gave a brief idea of the problem employers now face. A graph showed an exponential rise in criminality among employees among both the rank and file and management. “Employee theft has rocketed. It was opportunist at one point, but much more of it is now of a sophisticated and organised nature.”

Support from the National Fraud Authority

Chernick recently spoke with Dr Bernard Herdan, former interim chief executive at the Security Industry Authority and now in the same role at the National Fraud Authority. Herdan had said: “I am delighted to lend the support of the NFA and myself to PREFIT. By bringing together lots of agencies with industry we can start to create a very strong anti-fraud network.”

What will PREFIT do with that network? The first thing to note is that a web site has been launched (www.prefit.info). “Use it to share information,” urged Chernick. “There are some handy tips on there for combating staff fraud. We are also in the process of organising some workshops. Proposed ideas include data privacy, management and protection, the benefits and threats of technology and managing the candidate experience during screening.”

PREFIT is a fantastic project. Support it in any way you can. Your business will benefit if you do.

Get the latest stories first with info4security's newsletters: Click to signup

Post and bookmark this story at the following sites:

What is this?

del.icio.us	Digg	Reddit	Google	Newsvine