By Gillian Duncan & Wayne Malgas of Control Risks
Although emerging markets have seen slower growth since 2010, they still account for approximately half of global gross world product and continue to present significant opportunities.
Moving into these markets, or consolidating and expanding current operations, will be part of the growth plans for many international companies, particularly because of the infrastructure needs in emerging markets and consumer demand there for energy, banking and financial products and services, and various consumer products.
Understanding the risks in these emerging markets is critical to being able to capitalise on these developing opportunities. In particular, emerging markets are often associated with corruption and nepotism, and the business practices considered ethical and compliant in developed countries may not yet apply. Tackling fraud, bribery and corruption is therefore a crucial step in successfully entering or expanding in emerging markets, not only because of regulatory pressure but also as part of a broader strategic vision of establishing sustainable business and operations in those countries.
‘It won’t happen to us’
Although fraud and corruption are separate criminal offences, there are many instances where they are two sides of the same coin. Corruption often takes the form of misrepresentation that results in prejudice to the victim, which links it intrinsically to the predicate offence of fraud.
Control Risks conducted a global survey in 2014 to assess the attitudes of international companies and asked respondents whether they expected to conduct an anti-corruption investigation of an employee in the next two years. The replies showed that 67 per cent of organisations do not expect to (44 per cent stated that it was ‘very unlikely’; 23 per cent stated that it was ‘somewhat unlikely’) and only eight per cent stated that it was ‘almost certain’.
Interestingly, however, in a follow-up question 57 per cent of respondents replied that they had in fact conducted an internal anti-corruption investigation. This indicates a disconnect between what companies think and the practical reality: there is still an attitude of ‘it won’t happen to us’. This attitude could have more serious consequences in emerging markets, where investigative resources could be limited and remedial measures not as straightforward as they would be in developed markets.
Prevalent fraud trends
Financial statement fraud and asset misappropriation continue to be prevalent in emerging markets. The Association of Certified Fraud Examiners (ACFE) conducted global research on occupational fraud that included high-risk emerging markets. Its Report to the Nations on Occupational Fraud and Abuse found that asset misappropriation occurred most frequently in the period 2010 to 2014, followed by corruption, with financial statement fraud occurring least frequently.
However, when analysing the median loss for the three categories of occupational fraud for 2014 the list is reversed, with financial statement fraud accounting for the highest figure at $1,000,000 followed by corruption at $200,000 with asset misappropriation showing the lowest median loss at $130,000. These results indicate that notwithstanding lower frequency in occurrence, the impact of financial statement fraud is significant.
Intellectual property (IP) fraud is also receiving more attention due to its financial impact. Intellectual property theft and counterfeiting have become a major concern for many companies globally, but emerging markets continue to present particular challenges that make combatting and enforcement more difficult than in developed markets. These challenges include systemic weaknesses in the criminal justice systems, in particular a lack of law enforcement capacity, as well as compounding factors such as consumer attitudes.
More insidious are official attitudes to IP fraud. Our experience in conducting investigations of this nature in emerging markets shows that in many jurisdictions there is a marked lack of understanding of IP rights by law enforcement. Also, it is difficult to request action from authorities on theft of IP when a country is facing political instability or serious and violent crimes, such as murder and robberies. Governments invariably allocate resources to what are perceived as more serious problems. Without persistent lobbying of relevant government bodies and the dedication of resources by international companies, fighting intellectual property fraud will continue to face significant hurdles in emerging markets.
Increasingly, many fraud schemes are becoming cyber-enabled. Some of the ways in which fraud is being perpetrated are cyber-dependent, such as electronic frauds where perpetrators use the web to commit an offence, while others are traditional frauds that have become either more substantial or more frequent through the use of cyber means, such as the theft and sale of critical data.
Many people assume cyber breaches are a uniquely developed-markets problem because the major attacks that make the headlines are on large multi-nationals, predominantly in the United States and Europe. However, this impression is due to two key factors. Firstly, data breach and protection regulations in the US and EU require greater reporting on incidents, while these requirements do not exist in many emerging markets. Secondly, for some international companies, core assets and business-critical information are often held in their headquarters in the US and EU. However, the ‘cyber’ route into the organisation can often be from locations in emerging markets, which are often seen as the ‘weak underbelly’ from a cyber-security perspective.
The 5th Conference of Parties to the United Nations Convention on Transnational Organised Crime held in 2010 identified cybercrime as one of the ‘new and emerging crimes of concern’. The question arises: cyber security has featured more prominently on the agendas of multilateral organisations, national governments as well as international companies over the past decade or so, but to what extent has this awareness translated into practical action by international companies?
In the latest Deal Drivers Africa publication by Mergermarket, supported by Control Risks, the survey found that only 56 per cent of organisations contemplating acquisitions conduct cyber due diligence on their targets, against 79 per cent who conduct financial due diligence. Despite the significant and well-publicised breaches in cyber security, it is a concern that cyber risks are not fully appreciated. Many companies that expand into emerging markets through acquisitions inherit potentially weak compliance and technology processes unable to identify or mitigate fraud and/or cyber threats.
There is also a misconception regarding the prevalence of internet activity in emerging markets. In its 2013 Comprehensive Study on Cyber Crime, the United Nations Office on Drugs and Crime (UNODC) found that in 2011 at least 2.3 billion people had access to the internet. More than 60 per cent of internet users are in developing countries. The prevalence of the internet is a positive development that enhances communication and economic activity, but unfortunately also provides a platform to facilitate crimes. International companies that ignore or give insufficient attention to their cyber vulnerabilities expose themselves significantly. The saying that ‘you cannot manage what you don’t know’ applies. It is therefore essential that international companies regularly examine the resilience and robustness of their cyber security and match this to the risk profile of the operating environment.
One of the most well-known types of cyber-enabled fraud emanating from emerging markets is the ‘419 scam’: the victim receives unexpected communications, usually by email, and is persuaded to pay money upfront for a further financial reward that never materialises (419 fraud is named after the relevant section of the criminal code in Nigeria, where many of these frauds originate).
These 419 frauds usually involve a scenario whereby a well-known and wealthy individual’s identity is used – often claiming to be from a familiar organisation. The targeting of companies’ clients by fraudsters pretending to be from their organisations can be embarrassing and damaging, especially if they do so in a sophisticated way, crafting realistic emails based on thorough research of the victim and the organisation they pretend to be from and spoofing emails to appear like they come from the legitimate sender. This increase in sophistication has been a key trend recently and while the bulk of 419 scams are still poorly worded emails from chiefs and princes, increasingly we have seen fraudsters using network intelligence reconnaissance to gain information about who to target for what information and communicating from seemingly legitimate, spoofed email addresses.
In addition, these scams are moving from Nigeria to other emerging markets. Nigerian ‘romance fraudsters’, who find victims through online dating and then ask for money or even use blackmail, have been relocating to Malaysia because of its internet infrastructure and advanced banking system as well as poor law enforcement, combined with the increased focus of preventative measures aimed at Nigerian-originated emails.
While these scams are frustrating, there are also far more damaging cyber-enabled frauds emanating from emerging markets. Electronic frauds, such as account take-overs and electronic fund transfers, have had a major impact on corporations as well as individuals and are becoming more widespread. This is because access to the skills needed to undertake this action is becoming easier. We have seen increased co-operation between hackers and traditional criminals, with hacking-as-a-service being bought by organised criminal groups to conduct frauds. Even in developed markets police forces have difficulty in investigating these kinds of attacks due to their complexity and they often have to be handled by specialised law enforcement agencies. In emerging markets these investigations can be impossible due to systemic weaknesses in the criminal justice system as well as weakness at the prosecution level.
Data and intellectual property theft, touched on above, is another example of cyber-enabled fraud on the rise. Cyber means can be used to illegally obtain the IP but also to trade it. Cyber marketplaces exist on the dark web providing the forum for the purchase of illegally obtained information. Business activity in the dark web has been growing, with dozens of new marketplaces launched since the closure of the infamous Silk Road marketplace in October 2013.
For organisations wanting to understand their specific exposure, dark web marketplaces and associated forums can be monitored to understand the specific illicit goods and services available, including those that relate to your organisation. These could range from corporate IP to illegal tickets for shows or even airlines. More generally, monitoring such online mediums is useful in understanding how threat actors are adapting to disruptive law enforcement action and making use of increasingly sophisticated methods to operate, which can be used to inform where best to spend your information security budget.
Looking ahead, cybercrime will continue to pose a significant and growing threat to the private sector as cybercriminals become more confident and more capable of targeting well-defended business assets. The criminals behind this could be thousands of miles away, outside of any region your business operates in, but you could be targeted specifically or opportunistically if you have particularly valuable assets or easily exploited vulnerabilities.
When assessing risks, many international companies tend to approach this solely from the perspective of risks originating from the environment itself, without considering risks emanating from within their organisations. This includes the systems and procedures that are in place to identify and mitigate risks. This approach to emerging markets compounds the problem and is, in itself, a risk. When lapses occur, the tendency is to find the causes in the environment without focussing on internal shortcomings. It therefore requires a great deal of introspection by international companies about how, in practice, they are able to navigate the complexities of operating in emerging markets.
When dealing with fraud risks in emerging markets, be they traditional or cyber-enabled, the basic elements of risk management remain: prevention, detection and investigation. These cannot be applied through merely being hopeful that fraud will not manifest itself. It requires a directed and well-defined anti-fraud programme that achieves results through design and not mere luck.
A global manufacturing company had a suspected cyber-enabled fraud in one of its African subsidiaries. The company was concerned that many client requests were not making their way to the sales department and that it was consistently losing work on the basis of price to local competitors. It suspected foul play but didn’t have proof of what was happening. It asked Control Risks to conduct a holistic and comprehensive investigation with a focus on collecting and preserving evidence that might, in the future, be used against the perpetrators.
Control Risks and our technical partner, MWR Infosecurity, conducted remote analysis and deployed investigators on-site to rapidly understand if it had been breached and, if so, the extent. Through this process we were able to quickly ascertain that this breach was limited to email and did not appear to have come from a broader network compromise.
The investigation then focused on email logs, processes and procedures within the organisation. Our on-the-ground investigation highlighted that webmail (remote access to emails via the internet) was available to all employees, yet was not regularly used by anyone. Nevertheless, our technical investigation showed evidence of webmail being regularly accessed. In an environment where logs were not routinely retained, we therefore focused our investigation on finding evidence of this webmail access.
Through this process we traced the webmail access to a competitor’s IP address. We also found that after the passwords of the webmail accounts had been changed, there were several failed attempts to access webmail through this same IP address.
The client is considering legal action and we were able to provide corroborated evidence to pursue the perpetrators. This provides an interesting insight into the kinds of frauds that routinely occur in emerging markets. In this case, a competitor was likely reading proposals sent to clients in order to be able to undercut on pricing.
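The webmail log review described in this case, sketched as an added example (not code from the original article or from the investigation itself). It assumes a hypothetical one-event-per-line log format and constructed sample entries with documentation IP addresses, and flags any source that logged in to several mailboxes and then failed logins once their passwords had been changed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log (hypothetical format: time, source IP, mailbox, event).
SAMPLE_LOG = """\
2015-03-02T08:14:10 203.0.113.45 sales1 LOGIN_OK
2015-03-02T08:16:02 203.0.113.45 sales2 LOGIN_OK
2015-03-03T19:40:31 198.51.100.7 sales1 LOGIN_OK
2015-03-04T08:11:47 203.0.113.45 sales1 LOGIN_OK
2015-03-05T09:00:00 10.0.0.5 sales1 PASSWORD_CHANGE
2015-03-05T09:01:00 10.0.0.5 sales2 PASSWORD_CHANGE
2015-03-05T11:22:09 203.0.113.45 sales1 LOGIN_FAIL
2015-03-05T11:22:40 203.0.113.45 sales2 LOGIN_FAIL
2015-03-05T11:23:05 203.0.113.45 sales1 LOGIN_FAIL
2015-03-06T07:55:00 198.51.100.7 sales1 LOGIN_FAIL
"""

def parse(log_text):
    """Yield (timestamp, ip, mailbox, event) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2], parts[3]

def review_webmail(log_text, min_mailboxes=2):
    """Return {ip: {"mailboxes": [...], "fails_after_reset": n}} for sources that
    logged in to several mailboxes, counting failures after each password change."""
    events = sorted(parse(log_text))
    opened = defaultdict(set)      # ip -> mailboxes it logged in to
    reset_at = {}                  # mailbox -> time of last password change
    fails = defaultdict(int)       # ip -> failures on a mailbox it used, post-reset
    for ts, ip, mailbox, event in events:
        if event == "LOGIN_OK":
            opened[ip].add(mailbox)
        elif event == "PASSWORD_CHANGE":
            reset_at[mailbox] = ts
        elif event == "LOGIN_FAIL" and mailbox in opened[ip] and mailbox in reset_at:
            fails[ip] += 1
    return {ip: {"mailboxes": sorted(boxes), "fails_after_reset": fails[ip]}
            for ip, boxes in opened.items() if len(boxes) >= min_mailboxes}

if __name__ == "__main__":
    for ip, finding in review_webmail(SAMPLE_LOG).items():
        print(ip, finding)
```

The single-mailbox source in the sample (one user who mistypes a new password) stays below the default threshold, which is why the review keys on one address reaching several mailboxes rather than on failed logins alone.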
About The Authors:
Gillian Duncan, Commercial Director Cyber Security, Control Risks London. Gillian is a Director at Control Risks. She is responsible for driving the Cyber department with a focus on strategy formulation and relationship management. Gillian brings both strategic and operational experience to cyber security with a background as Business Operations Director for Control Risks’ Europe and Africa region as well as over 10 years in strategy roles, including as a management consultant.
Wayne Malgas, Senior Consultant, Compliance, Intelligence, Investigations and Technology, Control Risks Johannesburg. Wayne leads the Corporate Investigations and Business Intelligence practice in the Johannesburg Office of Control Risks. He was previously a Chief Investigating Officer at the Directorate of Special Operations (DSO), a specialised law enforcement agency in South Africa that was mandated to investigate serious economic offences and transnational organised crime. After leaving the DSO he joined the foreign service of South Africa and served as a senior diplomat in the United Nations Security Council (UNSC), where he was given responsibility relating to the counter-terrorism agenda items.