Fraud risks are mitigated by using countermeasures (also known as controls) to prevent, detect, and respond to those risks. Through our investigations and prosecutions at the SFO, we have found that gaps or weaknesses in countermeasures are one of the most significant factors in the enabling of fraud. Countermeasures are important to help limit the opportunities that fraudsters have to commit fraud. Using the fraudster personas can help an organisation to implement countermeasures that specifically target the actions of each persona.
Mitigating fraud risks with countermeasures has two components to it:
- Implement countermeasures
- Assess if the countermeasures have been effective in mitigating the risk
Implement countermeasures
Each fraudster persona displays certain behaviours that rely on specific methods to be successful. A fraudster is successful in their method by being able to recognise vulnerabilities in an organisation’s processes, which they can then target.
For example, in the case of 'The Impersonator' persona the fraudster uses a method of impersonating other actors or by creating entirely fictitious actors to deceive an organisation. By impersonating this other actor they are able to gain a benefit for themselves or another person.
To help mitigate the risk of an impersonator being able to target a programme, organisations should implement countermeasures that are focussed on identity security and authentication.
The fraudster personas guide [PDF, 1.3 MB] can help to identify the countermeasures that can be effective against each of the different personas.
Assess countermeasure effectiveness
Fraudsters often look for opportunities to target organisations by recognising where in certain processes there are control vulnerabilities. Sometimes a countermeasure might have already been implemented but it is not operating as designed or as effectively as it could. Sometimes an employee may not understand the importance or purpose of a control, or in some organisations there may be a culture of circumventing controls. It is important to be able to identify where these weaknesses are as they can provide fraudsters easy opportunities to commit fraud.
Pressure testing is a process that can help an organisation to assess if their countermeasures are functioning effectively to stop fraud. Pressure testing can help an organisation to identify weaknesses in a countermeasure before a fraudster has the opportunity to exploit it.
Knowing which methods a fraudster persona uses can help you to consider the ways they might be able to bypass controls. Once you have identified the ways a control might be bypassed, you can prioritise removing those weaknesses and the opportunities they give fraudsters to take advantage.
To learn more about how to carry out pressure testing on a control check out the Centre’s Pressure Testing guide.