It can start with the click of an email. It can commit damage well beyond the initial "hack." No matter the origin or intent, however, organizations in every field must be prepared to disrupt the cyber-fraud journey.

That journey can take many forms. Research shows that 75% of fraudulent activity originates within the walls of the organization itself. In some cases, it's a result of an employee falling prey to social engineering ploys or email "phishing" scams. In others, fraudsters may use fake credentials (sometimes known as "synthetic IDs") to slip through security controls without setting off alarms.

No organization is off-limits. Today, fraudsters are targeting companies and organizations of all sizes and across all industries. And whether the goal is to steal valuable data, disrupt operations, or plant fake credentials for later use, it's important to remember that the first breach is rarely the final threat.

After the hack

Headlines about cyber hacks and breaches may grab attention, but it's what typically comes next that is the real story. In many cases, the initial attack is a fraudster's way of obtaining the data they need to commit larger, more malicious operations against the same target or another organization or sector entirely.

For example, stolen customer information (e.g., social insurance numbers, addresses, credit card info, etc.) can be used to create fake or "synthetic IDs", which enable fraudsters to conduct legitimate transactions (e.g., bank loans, monetary transactions, etc.) under false pretences. Similarly, stolen logins and passwords can be used to take over legitimate accounts, and proprietary data sold or wielded for leverage.

It's important to remember that stolen data exists forever. When outside of an organization's control, sensitive information can be copied and shared indefinitely for profit or to facilitate future hacks. This means the impacts of cyber fraud can linger, crippling an organization's finances and/or operations and leaving victims of stolen identifies with a mess that can take years to clean up.

Third-party risk management (TRPM)

In the digital age, no organization is an island. And as organizations fast-track their digital initiatives in response to the COVID-19 pandemic, fraudsters are discovering even more opportunities and vulnerabilities to exploit, particularly among supply chain networks.

A significant part of disrupting the cyber-fraud journey is embedding and maintaining third-party risk management controls. It's not enough to sign a basic contract with standard terms and conditions with vendors and partners; organizations must be vigilant in ensuring the data they're sharing outside their walls is being protected to the highest standards. This often means a closer look at specific cyber security-related clauses within these contracts.

After all, the saying remains true: when it comes to cyber-fraud prevention, an organization is only as strong as its weakest link.

Thinking beyond the "moat"

Traditionally, cyber security has been treated as a protective digital "moat" that encircles an organization's data. Once anyone gains access behind the walls – be it through legitimate means or otherwise – the entirety of the kingdom is theirs to take.

The challenge with this approach is that it does not take internal threats and vulnerabilities into account, nor does it provide sufficiently layered defences when a perimeter breach occurs. As a result, there are several cyber-fraud prevention strategies and concepts that have emerged as top priorities. They include:

Zero trust security: Assume breach, trust nothing, verify everything. Regardless of who the employee is or where they're logging in from (e.g., their desk, a coffee shop, airport, etc.), all system users are subject to the same amount of verification measures and scrutiny. Here is where the principle of least privilege can also apply, which involves granting just the right amount of access based on the user's entitlements.

Automated defenses: Focusing on automated detection and response mechanisms, using technologies such as artificial intelligence (AI) and machine learning to actively scan for potential threats and block them at their source without manual intervention. These tools are increasingly being used to help organizations stay vigilant even when their human teams are not. Rapid containment and eradication of a malicious threat can ensure it doesn't spread throughout your network and cause broader damage.

Human firewalls: The best defense against cyber-fraud are the people at the receiving end of cyber attack attempts. Remember, many cyber-fraud journeys begin with fraudsters tricking employees into enabling access or sharing sensitive data. This can be countered with better training and awareness for cyber-fraud attacks (e.g., phishing, fraudulent payment requests, synthetic IDs, etc.).

The case for digital identities

One of the most compelling cyber-fraud mitigation strategies is the use of digital IDs. These are digital identifiers that give individuals a unique verification that only they possess, along with the control to share as much or as little information as they want in their day-to-day transactions.

Fraudsters are often searching for identity-related data. This isn't difficult to come by given the propensity to share personal information online, thereby creating honeypots of personal information everywhere we transact.

Instead, a digital ID could enable individuals to simply confirm the bare minimum amount of information required for a given transaction. For example, they could be used to prove an individual is of legal age when purchasing alcohol, instead of requiring them to share their address, full name, or other personal details.

Similarly, digital IDs could be used to transmit only necessary details and histories with healthcare practitioners, ensuring their details aren't being collected and stored outside their control. Moreover, the same digital ID could be used to interact with all specialists within an individual's healthcare network to share information securely among all relevant and approved stakeholders, thereby preventing the unnecessary proliferation of personal data.

Provinces like Alberta and BC are already exploring digital IDs among their populations, with Ontario and Quebec now pursuing their own solutions. For Canadians to feel safer in the digital world of the future, there is certainly merit for the rest of the country to explore all possible ways to give individuals more control over what parts of their lives they share.

No passing trend

Cyber-fraud threats are only increasing. As businesses move online, attack surfaces are increasing, and hackers and fraudsters are growing more adept at getting through.

Moving forward, organizations must make peace with the fact that the cyber-fraud journey often begins within their walls. That means acquiring the skills, training, and tools to surround the organization with effective cyber controls and strengthening the human firewall. It also requires constant security testing to make sure controls and protocols are working as intended so that the cyber-fraud journey ends before it has a chance to begin.


Yassir Bellout is a Partner in the Cyber Security Practice at KPMG in Canada.

Imraan Bashir is a Partner in the Cyber and Digital Solutions Practice at KPMG in Canada.

As organizations continue to move online, they must do so in a way that stays one step ahead by investing in the people, technologies, and best-practice strategies that will drive safe and secure digital transactions.

KPMG can help companies combat online fraud with a carefully considered, strategic approach. COVID-19 has undoubtedly been a crisis, but it provides us with opportunities to analyze the present and invest in future resilience – and, hopefully, come out stronger on the other side.

Contact us to learn more about fraud prevention strategies or to discuss a fraud risk assessment for your organization.

Connect with us

Stay up to date with what matters to you

Gain access to personalized content based on your interests by signing up today