While anti-fraud initiatives such as chip and pin have had their successes, it seems only a matter of time before enterprising fraudsters find other means to boost their income. Can business fraud ever be overcome? Charlie Patrick, director of KPMG's forensic team, investigates...

Fraud is a fact of life. Where there's a weakness, a fraudster will exploit it. Sixties sex symbol and well-known animal rights campaigner Brigitte Bardot found this out to her cost. To crack down on the exploitation of dancing bears in Romania, Bardot offered cash compensation to entice people to turn their bears over to a sanctuary. What she got instead were wild bears, captured from the woods and forests, by rogues on the trail of an easy fortune.

Entrepreneurial by nature, fraudsters are out to derive greatest value for minimum outlay and effort. They are adept at spotting openings in the marketplace, responding quickly to demand and exploiting opportunities for personal gain. They move on before the market becomes either saturated or too dangerous due to heightened anti-fraud measures or enhanced scrutiny from the police and prosecuting authorities.

Chip-and-pin insecurity

The world of payment cards is no different. By making it more difficult to counterfeit or use stolen or lost cards, chip-and-pin technology has already had some success at cutting payment fraud. According to the Association of Payment Clearing Services (APACS), total card fraud losses in the United Kingdom fell by 13 per cent from £505 million in 2004 to £439 million in 2005. However, the headline decrease conceals a hike in one area: cardholder not present (CNP) transactions, up 21 per cent from £183 million to £151 million. Nonetheless, the rate of increase has slowed to its lowest level since 2003, thanks in part to increased checks by retailers on cardholder addresses, the three extra digits on the signature strip and online initiatives such as Verified by Visa and MasterCard SecureCode.
While security enhancements are said to be in the pipeline, these transactions, by phone, internet or mail order that do not require a pin, are potentially fraudsters' easiest pickings right now. Also vulnerable are those eight per cent of retailers that failed to convert to chip-and-pin on February 14, 2006. On that date it was estimated that 825,000 tills were chip-and-pin compatible. Those that aren't will still be liable for any payment fraud. It's a visible shortcoming that fraudsters will be quick to exploit.

Chip-and-pin hasn't found favour with everyone. A paper written by three Cambridge University technologists finds that "the safer way to pay" spin isn't all that it is cracked up to be. They observe that when a card is incompatible with another jurisdiction's technology or where the chip is either damaged or dirty, the ATM or POS terminal will fall back to magnetic strip operation. This, they say, is an opportunity for criminal gangs to clone chip and pin cards and to make withdrawals at ATMs overseas where chips are not necessary. Interestingly, in May this year, Lloyds TSB announced that criminals are increasingly using copied bank cards abroad, although it could not put a figure on the extent of the abuse.

According to Chip and Pin's press office, there are no immediate plans to remove the magnetic strip fallback. This is because not all UK retailers and overseas visitors have chip and pin capability. It does, however, raise questions about security enhancement now that liability for card fraud sits with the retailer rather than the financial institution.

Trickster tactics

While chip and pin has closed down some avenues for fraudsters, new scams constantly test the robustness and sophistication of anti-fraud measures.

Skimming: On May 7 2006, petrol giant Shell suspended chip-and-pin payments at 600 filling stations amid fears of a £1 million card swindle.
Motorists' credit and debit card details were copied by fraudsters, allegedly posing as engineers, who implanted devices into chip and pin machines. The devices read cards' magnetic strips and may even have recorded pin numbers, allowing money to be siphoned out of customer accounts. This technique, known as skimming, is testing how tamper-proof chip and pin pads really are.

Cloning: It is probably only a matter of time before swindlers install an interception device between the pin reader and POS terminal. Just imagine, sitting in a restaurant, paying for your meal on a hand-held chip and pin reader while a fraudster, parked outside, captures your account number and pin information using wireless technology. This information will then be cloned onto magnetic strip cards, enabling the fraudster to plunder accounts.

Sleeper fraud: Fraudsters, operating individually or in organised groups, open multiple bank accounts and obtain credit cards and store cards using fake or stolen identities. Cash is regularly withdrawn from ATMs and regular payments made on credit and store cards. For an improved credit rating, the reward is increased facilities from the lenders. The fraudsters then simultaneously max out all facilities and disappear, often writing cheques to clear debt balances - which subsequently bounce. To help the fight against this so-called sleeper fraud, KPMG's forensic team uses advanced computer software to run checks over customer accounts to identify patterns of behaviour. These pre-emptive tools seek to block sleeper fraud before it happens.

Phishing: Using spoof e-mails that look as though they originate from a genuine online bank or business, phishing tricks unsuspecting recipients into disclosing personal security information at a bogus website operated by a fraudster. These individuals unwittingly become money mules as their accounts launder money stolen from other people's accounts, and also have their own accounts emptied.
Despite warnings that banks never seek confirmation of a log-in or security password by clicking on a link or visiting a website, 18,840 unique phishing reports were made in March 2006 alone - up 50 per cent on 2005. Seventy brands were hijacked by phishing campaigns, 90 per cent of which were financial institutions.

Pharming: More insidious and technologically-advanced than phishing, pharming attacks the way that internet providers' addresses are translated into domain names. It targets vulnerable servers and redirects customers to bogus websites that mirror the genuine site. It is effective as it does not rely on customers responding to spoof e-mails.

Dynamic deception

Will fraud ever be wiped out? No chance. It is dynamic and constantly evolving, involving the exploitation of system weaknesses by unscrupulous swindlers with motive and opportunity. There are, however, steps that can be taken to prevent you or your business falling victim to fraud. These include:

* Regularly review internal controls.
* Know your customers and employees.
* Have a documented and communicated anti-fraud policy.
* Implement some form of whistle-blowing or anonymous reporting channel.
* Keep your cards and pins safe, whether personal or company ones. This includes being vigilant when entering your pin. It may well be visible to an observer or a security camera mounted above you.
* Be aware of ATM security and never use a machine that looks irregular or as though it has been tampered with.
* Run anti-virus and anti-spyware software on your PC regularly.
* Never respond to unsolicited e-mails or telephone calls requesting personal information.
* Only shop from legitimate websites. Check that a secure icon such as the locked padlock is displayed in the bottom of your browser window.
* Check all statements as soon as you receive them and report any unrecognised transactions to the financial institution immediately.
* Shred all documents relating to your personal details or financial affairs - both at home and at work.