Some CSPs wait until it’s too late to hire a fraud manager, while others don’t listen to the ones they do hire. Guess what happens next?
“We will take the risk” – the words that no fraud or security manager wants to hear from their CFO or management team. Often this statement will be made by a person who has no idea what that risk is, and would not think of justifying this decision with a formal risk assessment. If they took the time to fully evaluate the consequences of not doing something, particularly as it relates to any direct financial impact, brand and reputation damage, impact on the customer, etc., they may find that the total financial implications of “taking the risk” are way outside their delegated financial authority.
The media over the past few years has frequently reported on issues from within the telecommunications industry where decisions have been made to not do something, which have backfired and resulted in huge avoidable costs to the business. These issues have been raised right around the world, from Australia to Korea to Central Europe.
Without access to the knowledge and experience of a fraud or security specialist, it is difficult to expect a leader in a small start-up, for example, to fully appreciate the consequences of not managing his or her fraud risk adequately. It is fairly common during the development of a new business for fraud management to be put into the second or third stage of the business development, as it is considered a function that can be implemented as the business grows. The risk here, of course, is that the fraud function is not properly resourced until there is an event that demands it.
I recently dealt with a small MVNO that had a staff of ten and provided services to a specific customer segment. Despite the business having been in existence for almost ten years, none of the staff had any accountability for fraud management, and the business was not very fraud-aware. It was targeted by an organized fraud group, and despite the management team taking what they thought were adequate precautions with a new customer, they got hit with an international revenue share fraud (IRSF), losing $2.3 million over a very short period. Unfortunately, the losses could not be sustained by the business and it was forced into voluntary liquidation.
With very basic fraud monitoring, these losses could have been avoided. And certainly had external specialist advice been sought years earlier, this would have allowed for a fraud management strategy to grow with the business during the company’s development and perhaps saved the business.
You didn’t listen
While this case was clearly one where having a suitably experienced fraud or risk professional within the business could have saved it, there are other examples where such expertise is available, but senior management are not prepared to take the advice the fraud manager gives them.
Another recent case I dealt with demonstrating this involved a situation where an experienced fraud manager at a CSP recommended that the ability to use international call forwarding on mobile devices when roaming should be an opt-in feature and not a default one. A senior manager disagreed on the basis that a customer may want to use this feature while roaming and should be able to do so without having to make a request for this to be activated.
Some customers had their handsets stolen while roaming, and the fraudsters utilized the international call forward capability to forward the SIM card to IRSF destinations. They were then able to generate multiple simultaneous calls through the forwarded mobiles to the IRSF destinations, with one mobile making over 81,000 minutes of calls over a 900-minute (15-hour) period. It is unlikely that this CSP could ever recover this accumulated loss through the legitimate use of this call forward feature at any time in the future.
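A single line that accumulates more call minutes than wall-clock minutes can only be doing so through parallel call legs, which is a simple thing to test for. The following is an added example, not part of the original article, that computes total minutes and peak concurrency per subscriber from call records. The record layout, subscriber and destination names, the concurrency threshold and the even split of the article's 81,000 minutes into 90 legs of 900 minutes are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records: (subscriber, start_minute, duration_minutes, destination).
# The layout is illustrative only and is not a real NRTRDE record format.
def build_sample():
    records = [("sub-A", 0, 12, "dest-1"), ("sub-A", 30, 5, "dest-2")]
    # Assumed shape of the case above: 90 forwarded legs, each open for 900 minutes.
    records += [("sub-B", 0, 900, "dest-irsf") for _ in range(90)]
    return records

def usage_profile(records):
    """Return {subscriber: (total_minutes, peak_concurrent_calls)}."""
    totals = defaultdict(int)
    events = defaultdict(list)
    for sub, start, duration, _dest in records:
        totals[sub] += duration
        events[sub].append((start, 1))              # call leg opens
        events[sub].append((start + duration, -1))  # call leg closes
    profile = {}
    for sub, evs in events.items():
        # At the same minute, process closes before opens so that
        # back-to-back calls are not counted as overlapping.
        evs.sort(key=lambda e: (e[0], e[1]))
        live = peak = 0
        for _minute, delta in evs:
            live += delta
            peak = max(peak, live)
        profile[sub] = (totals[sub], peak)
    return profile

def flag_subscribers(records, window_minutes, max_concurrent=2):
    """Flag lines whose usage exceeds the window length or whose
    peak concurrency exceeds max_concurrent (an assumed threshold)."""
    flagged = []
    for sub, (total, peak) in sorted(usage_profile(records).items()):
        if total > window_minutes or peak > max_concurrent:
            flagged.append((sub, total, peak))
    return flagged

if __name__ == "__main__":
    for sub, total, peak in flag_subscribers(build_sample(), window_minutes=900):
        print(f"{sub}: {total} minutes in window, peak {peak} concurrent calls")
```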
Another case involved a medium-sized mobile company that commissioned a new prepay platform and, during the user acceptance testing, failed to notice that six or seven roaming destinations did not have tariffs entered in the rating table. The impact of this was that if a prepaid roamer set up a call, the prepay platform would be queried to check the per-minute price of a call to that country and check again that the prepaid user had sufficient balance to meet the cost of that call. If the called country was one of those destinations that had no tariff entered, then the platform would assume that the call was free, and allow it without charge.
As luck would have it, some of these “free” destinations were IRSF destinations, and this was discovered by fraudsters. The fraud manager from the company involved had previously asked for an additional staff member to monitor Near Real Time Roaming Data Exchange (NRTRDE) records that were not being looked at. He was told to keep the workload down, and that he should exclude monitoring of prepaid roamers, as this was low risk. Consequently, these “free” calls continued for three months before they were discovered, with a total loss of over $2.5 million.
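The rating-table gap in this case is a fail-open default: a missing tariff was treated as a price of zero. The following added example, which is not the platform's code or part of the original article, puts that behaviour beside a fail-closed lookup and a coverage check of the kind acceptance testing could have run. The destination codes, prices and function names are constructed assumptions.

```python
from decimal import Decimal

# Constructed rating table: destination -> price per minute.
# "ZZ" is a roaming destination with no tariff entered.
RATING_TABLE = {"AA": Decimal("0.50"), "BB": Decimal("1.20")}
ROAMING_DESTINATIONS = ["AA", "BB", "ZZ"]

class MissingTariff(Exception):
    """Raised when a destination has no entry in the rating table."""

def authorize_fail_open(dest, balance, minutes=1):
    # Behaviour described in the article: no tariff means the call is
    # priced at zero, so any balance (even an empty one) is sufficient.
    price = RATING_TABLE.get(dest, Decimal("0"))
    return balance >= price * minutes

def authorize_fail_closed(dest, balance, minutes=1):
    # Hardened form: an unknown destination is an error, never a free call.
    if dest not in RATING_TABLE:
        raise MissingTariff(dest)
    return balance >= RATING_TABLE[dest] * minutes

def decide(dest, balance, minutes=1):
    """Call-setup decision using the fail-closed lookup."""
    try:
        ok = authorize_fail_closed(dest, balance, minutes)
    except MissingTariff:
        return "rejected: no tariff"
    return "allowed" if ok else "denied: insufficient balance"

def untariffed(destinations, table):
    """Acceptance-test check: every roaming destination must be rated."""
    return sorted(d for d in destinations if d not in table)

if __name__ == "__main__":
    print("fail-open, empty balance, ZZ:", authorize_fail_open("ZZ", Decimal("0")))
    print("fail-closed, empty balance, ZZ:", decide("ZZ", Decimal("0")))
    print("destinations without a tariff:", untariffed(ROAMING_DESTINATIONS, RATING_TABLE))
```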
Fraud managers are finding the job more and more challenging. They are trying to do more with less and maintain performance measures at the level they were when they were better resourced. As the operational environment changes, new risks are surfacing and additional investment will be required from time to time to introduce controls to mitigate these new risks.
Justifying a business case by identifying potential losses that cannot be corroborated is again a challenge. A wise senior manager will accept that any reasonable request made by his fraud manager for additional budget or resources is being made in the best interests of the business and not for any other reason. In some of the above examples, taking the advice of the fraud manager could have saved those businesses significant losses.
Written by Colin Yates via sister website Disruptive Views