Email a colleague    

April 2015

Insider Fraud: How to Create an Anti-Fraud Culture in Your Telecom Organization

Insider Fraud: How to Create an Anti-Fraud Culture in Your Telecom Organization

Insider fraud is as old as man himself.  After all, stealing that apple from the Forbidden Garden was an insider’s job.  Eve came up with the plan and Adam happily joined in: together they conspired to con the Big Boss.  The rest is history :- )

Thirteen years after the WorldCom scandal, experts generally agree that insider fraud remains a massive problem in telecom, though no one, not even the CFCA has published an estimate of how big the problem is.

And that news can be rather disturbing to revenue assurance and fraud managers who have successfully stopped external fraudsters and claimed the credit for it.  Another uncomfortable fact is that insider fraud is much harder to detect than external frauds such as IRSF or International Bypass.

So where to begin?  Well perhaps the best place to start is to speak with a true expert, such as Mark Yelland, a man who regularly consults with and trains the staff at telecom operators on the matter of insider fraud.

The interview below is the first of two Black Swan interviews with Mark on the subject.  In the article below, he gives tips on how telecoms can begin to build the right methodologies and company culture to combat insider fraud.  In the second article (to be published in a few weeks) he delves into the tactics of the fraudsters: how they avoid detection, and the telltale mistakes that often lead to their discovery.

Dan Baker: What’s your take on human nature, Mark?  Have we made any progress on insider fraud since Adam and Eve?

Mark Yelland: Well, I’m not sure we have!  People remain rather self-serving and cunning.  They have their own vested interests at heart.  I don’t think I’ve ever met anyone who said, “Oh, I am being paid too much.” On the contrary, people say all the time, “I could do with some extra money.”

Just a couple weeks ago, we have the example on the British Television where Malcolm Rifkind and Jack Straw were selling access to the government and politicians.  And yet they make 67,000 pounds a year in salary in a country where the average working wage is 24,000 pounds.  So, they were well over the average working wage, but still felt compelled to make money by selling access.

Now, of course, we in the telecom industry have big issues of our own .  One of the more interesting examples of a fraud culture I’ve heard about was the case of some switch engineers who committed fraud and said, “Yes, my manager knows I do this.  He would like to pay us more but because the company doesn’t have the budget to pay us what we’re worth, he lets us do this as a way of compensating for our lower wages.”

Now, whether the manager did or didn’t actually approve this fraud doesn’t really matter.  The point is: how do you fight that as a culture?  Because if that’s what all the people around him believe, how does he know it’s not okay?  He can justify to himself that what he is doing is perfectly acceptable.

That says you really need to be careful in your HR and hire the right people who are honest and respect their employer.

I actually think it goes deeper than that, Dan.  If you look at the various national cultures around the world, there are some where doing favors for people and being rewarded is a way of life.  This is prevalent in places like the Middle East, Afghanistan, India, and Pakistan, for example.

Places like the U.S. and the U.K. have tried to address this with their new rules on financial conduct not accepting bribes.  Even still, business people need to be careful because you may end up not succeeding in certain countries because that is the way business is done in, say, the Middle East: they do business with people who they know because you build relationships with them.  You scratch my back, and I scratch yours.

The Middle East does business with people it has done business with before.  So, it doesn’t matter whether your money is good or bad, if they know you and trust you, that is all that matters.  You might get a little thank you.  It is the culture.  I suppose that is one of our main concerns about internal fraud, is it fraud or is it the culture?  You can tackle fraud, but you cannot tackle the culture.

What can be done if the culture encourages fraud?

Well, whether the culture is specific to a country or to a business, you have to make sure that you operate inside the restrictions of that culture.  There is no right or wrong culture, but still, you cannot turn a blind eye to fraud.

And fraud these days is not just happening in sales, of course.  Fraud happens in all departments, we have seen people in the billing department selling billing records to private investigators because they were investigating potential divorce cases.  We have seen senior management claiming expenses for things that they shouldn’t have been claiming.  We had instances where someone got imprisoned because they were collecting credit card information and passing it on to relatives for them to exploit.

These people did their time in prison, and in many cases, they come back, take a similar type of job at another company and commit the exact same fraud again.  And the reason they were put in that position a second time indicates a lack of proper HR screening and not doing thorough background checks.

I see, to win in combating insider fraud, you need to be very methodical in your procedures.  Now, when you go in and consult with a client about internal fraud, what’s the first thing you look at?

It’s ironic, I suppose, but the first thing I look at are the people in the fraud department who are responsible are fighting the fraud.

I can’t emphasize enough: you cannot break the law yourself.  It doesn’t matter what the other guy does, someone in the fraud department cannot embarrass the company by doing something illegal himself.

And that means: don’t fudge your expenses, don’t take a company pen home with you.  People think these things are inconsequential, but when people see you have a criminal capability, they figure you can be exploited.

“Why did you take the pad of paper?  Well, it just lying around and I needed some paper, so I took it.” Once you start explaining that as your motivation, you are compromised.  The easiest thing for the fraudster to say is that you are a criminal too, and in that way divert all your attention away from themselves so that you become the subject of investigation for some alleged comment that was made.  You have to be squeaky clean and it maybe difficult and it may be painful, but you have to do it, otherwise, if you are compromised, your whole work is threatened.

You see it in cases in the States.  There have been cases involving people on death row where the investigating officer has been found to have fabricated evidence or withheld evidence, so all his cases need to be reviewed.

It doesn‘t matter: if his reputation has been sullied, all his other decisions are now being questioned.  It’s much better not to put yourself in a position where you are at risk.  That’s my philosophy.

OK, once you’re satisfied that the right people are fighting fraud, what’s next?  What procedures do you usually put in place in a service provider organization?

I tend to start on the HR procedures needed for dealing with someone who has committed fraud.  Every organization needs to decide how they are going to handle these cases and what the outcome is going to be.  What you don’t want is an ad-hoc process whereby someone from HR walks down the hallway, has a conversation, and as a result of that, there is a disciplinary action.

You’ve got to make sure that everything is above board, legitimate, and cannot be challenged.  Employees need a clear understanding of what behavior is acceptable and what is not — and what the penalty is for deviation from that behavior.

The next thing is to set up a network so it’s easy for people to report suspicious behavior without compromising themselves.  In the classic whistleblower scenario, you’re sending an email.  The problem is that when you send an email, everyone knows who sent it.  Picking up the phone and dialing to a free phone number is reasonably okay, but then people have to act on it.

My concern is having the right person in the place to deal with the fraud first.  So, if you haven’t got the right person in place and if you sack someone for an offence and you don’t take action for the same offence by someone else, you are on dangerous ground to fight a claim for unfair dismissal.  What you don’t want to do is set yourself up to be sued by someone who has committed a fraud.

So there’s quite a bit of planning and setup before you can establish a solid an anti-fraud culture and program.

Yes, and unfortunately, a lot of organizations only take their anti-fraud measures halfway.  They’ve got the processes and procedures in place for instant dismissal for certain types of offences.  What they haven’t thought deeply about is the evidence they need to collect to be able to show that the fraud was committed.

How should you hold this evidence?  And how do you make sure that the evidence doesn’t get lost, destroyed — or whatever — should the case eventually go to court?

Have you got people who are trained to interview properly?  And what are the proper ways of getting people to talk about what they are doing?  In some respects, finding the fraudster is the easy part: the hard part is making sure you can do something with the evidence.

Knowing what steps to take and when is key.  If you waste time or bungle the interviews, you maybe give the fraudster enough time to destroy the evidence or to resign from the company.

So the hard part is the preparation — make sure things are in place.  And the other thing you don’t do is change your tactics based on who you are interviewing.  So, if you boot out a low-level maintenance engineer, he should get the exact same treatment as if it’s the head of operations.  If they both commit a fraud, they should both be treated with the same level of respect and given the same opportunities.

Sounds like senior management needs to have an active role in the anti-fraud program.

Absolutely, and one of the reasons their support is vital is that the senior execs are responsible for how the business is perceived in the local community.  If the community sees the company as treating its employees poorly, that has serious business consequence, such as the inability to hire quality people.

But much of what senior management needs to shepherd is ensuring the right people and processes are in place in fraud management.  And that includes knowing where you would store the information, who you would notify, how you notify them.  And also understanding the outcomes you want to achieve: have you decided to get rid of the guy, discipline him, or take him to court?

If you take him to court, it becomes public knowledge, so you have reputation issues.  If you sack him, are you guilty of an unfair dismissal by taking away his pension rights?  Lots of employee rights issues to nail down.

Mark, your insights are wonderful and highly interesting.  What are your final thoughts about growing an anti-fraud culture?

Dan, educating employees about the seriousness of fraud issues is certainly key.  You have got to get people to understand what is at stake.  And what’s at stake is the ethics of the company.

Now to show that you mean business, you must plan your anti-fraud strategy upfront — and in great detail.  You can’t make these decisions on a day-by-day basis.

And when you plan properly, it allows you to win on the fairness issue.  People need to see that your anti-fraud program is being applied consistently and fairly.  People need to know: it doesn’t matter how high up in the organization you are, you still get treated the same if you are a fraudster.  It gives confidence to the whistleblower and others whose support you need.

When the policy is ingrained in the culture, then people start respecting what people in the fraud and security department do.  But if the guy at the top gets away with fraud, and the guy at the bottom doesn’t, what does it say about you?

Copyright 2015 Black Swan Telecom Journal

 
Mark Yelland

Mark Yelland

Mark Yelland has been working in the revenue assurance and fraud space for over 20 years.  For the last five, he has run a small consultancy firm, RAAIIM, targeting the smaller and newer operators, helping them get started or improve their revenue leakage and risk management.  Showing them what can be achieved with minimal spend — getting more out of their existing systems, or developing tools using open-source products.

Like all engineers, he enjoys solving problems of all types, trying to find elegant, cost effective and simple solutions to big problems.  His engineering training comes from the degree course at Cambridge University and his business skills come from the Open University MBA.   Contact Mark via

Black Swan Solution Guides & Papers

cSwans of a Feather

  • Insider Fraud: How to Create an Anti-Fraud Culture in Your Telecom Organization interview with Mark Yelland — Thirteen years after the WorldCom scandal, experts generally agree that insider fraud remains a massive problem in telecom.  In this article you’ll learn the outlines of building a program to instill an anti-fund culture at your telecoms organization.
  • Converging Criminal and Technical Intelligence: Secret to Combating the Explosion in Telecom Fraud and Security Threats interview with Mark Johnson — A fraud and security expert gives a big picture talk on why industry convergence is driving the need for a broader “revenue risk intelligence.”  His prescription?  Yes, telecoms surely need to excel in technical  infrastructure such as traffic usage data, IP intrusion appliances, and physical barriers.  But just as important is the need to pair that knowledge with the real-life lessons of fighting criminals in general.
  • Insider Fraud: Detecting Criminal Activity in the Telecom Sales Process interview with Tal Eisner — One of the biggest problems telecoms now face is fraud done inside their offices, dealer stores and firewalls.  This type of fraud is especially dangerous because it’s performed by people fully authorized to transact for the company.  The story dicusses the major causes of insider fraud, presents a case study, and explains basic techniques that software uses to detect insider fraud.

Related Articles

  • Black Swan Guide: Araxxe’s Revenue Assurance Consulting, Testing, and High Definition Billing Analysis Service by Dan Baker — How Araxxe’s end-to-end revenue assurance complements switch-to-bill RA  through telescope RA (external and partner data) and microscope RA (high-definition analysis of complex services like bundling and digital services).
  • Subex’s IDcentral Monetizes Telco & Enterprise Data to Deliver Digital ID & Risk Metric Services for Financing, KYC & More interview with Shankar Roddam — A new digital intelligence service that monetizes the idle data of telecoms and enterprises while also earning a good return for the owner of the data.
  • Opportunities & Obstacles: Consultant Luke Taylor Muses on the State of the Telecom Risk Assurance Business interview with Luke Taylor — A rambling discussion on the state of the risk assurance business with Luke Taylor, independent consultant in telecom revenue/fraud assurance and solution requirements and marketing.
  • LATRO’s Tips for Launching a Successful Revenue & Fraud Assurance Program for Mobile Money Operations in Developing Countries interview with Don Reinhart — A company building mobile money RA/FM tools and  managed services gives a concise, but detailed tutorial on how the Mobile Money Ecosystem works.  Revenue assurance pros will get tips on  what to look for in analytics/assurance tools, controls, and professional services.
  • A WeDo Conference Talk: Consulting & Analytics: Improving your Business Today, Enhancing it Tomorrow interview with Carla Cardoso & Bernado Lucas & Thomas Steagall — Leading risk management consultants explain their mission and walk-through RA, subscription fraud, and collections cases.  They also explain how analytics and machine learning can supplement process optimization.
  • PrologMobile’s Simple and Brilliant Plan to Save US MNOs Billions a Year in Recovered Phones & Retained Customers interview with Seth Heine — An expert in the mobile phone reverse supply chain explains how MNOs — via a neutral third party information exchange — can recover their original phones on the used market and save huge sums in multi-year customer retention.
  • WeDo Explores the IoT Ecosystem in Search of Tomorrow’s Pivotal Fraud & Business Assurance Solutions interview with Carlos Marques — A veteran product manager scans the IoT terrain, discusses key fraud and assurance challenges, and explains the preparatory steps WeDo is taking to become a key player in this emerging market.
  • New Report: Telecom Fraud & Business Assurance Solutions, Services & Strategies by Dan Baker & Luke Taylor & Colin Yates — TRI publishes a new market research report, Telecom Fraud & Business Assurance Solutions, Services & Strategies.  Free executive summary available.
  • Subex Juggles a Wide Variety of Business Assurance and Big Data Analytics Use Cases interview with Rohit Maheshwari — A expert in business assurance solutions explains top use cases such as: IoT security, big data analytics/AI, network asset optimization, multi-player gaming assurance, onboarding mobile subs, and AI customer analytics.
  • MTN Agility: Mastering Exponential Technologies in Revenue/Fraud Assurance and Beyond interview with Danie Maritz & Tony Sani & Luke Taylor — An in-depth look at RAFM operations and innovation at the MTN Group.  Topics discussed include RA/fraud control challenges, strategies, and MTN’s journey to exploit exponential tech (AI, robotics, and ML) in its RAFM program and support of internal non-telco businesses.
  • From Byzantine Software Contracts to Simple & Flexible RA Managed Services interview with Philippe Orsini — Is the way B2B/enterprise software is sold and delivered today progressive — or is it Byzantine in the age of cloud?  An expert lays out the case for managed services in RA and billing verification.
  • Premiere Experts Set to Speak at Summer RAG Conference in London, July 7th and 8th by Dan Baker — The Risk and Assurance Group (RAG) has announced that its 2016 summer conference will expand into a two-day event and feature many premiere experts. 
  • WeDo Hosts Revenue Assurance & Fraud Management Conference in Washington DC by Dan Baker — Black Swan is pleased to announce what looks to be a first class revenue assurance and fraud management conference being put on by WeDo Technologies, on October 1st and 2nd in beautiful Washington DC.
  • Test Call Generators: An Essential Test & Debugging Tool in Mobile Billing Assurance interview with Steffen Öftring — An “active” test call generator (TCG) can see problems that a “passive” revenue assurance system is blind to.  Here’s a discussion on the test call RA  process, over-the-air calls versus core call injection, and test call networks in global roaming RA.
  • The Revenue Assurance Game: How the Rules Change in the Era of IoT & Mobile Broadband interview with Rene Felber & Gadi Solotorevsky — Revenue assurance is perhaps the hardest of telecom functions to define because the term is used in so many different senses.  This discussion on the evolving role of revenue assurance was catalyzed by a survey of experts in the profession.
  • Day in the Life of a Revenue Assurance Analyst interview with Michael Lazarou — Revenue assurance is much more than a software category.  It’s individual analysts struggling to help their larger organizations get a handle on system errors and coordination problems.  In this interview, an analyst reveals the many challenges of getting the revenue assurance job done at a small GSM operator in Europe.
  • Revenue Assurance: History and New Beginnings in RA Maturity interview with Daniela Giacomantonio & Gadi Solotorevsky — The Roman Forum was the center of commercial life in ancient Rome.  Now, two millennia later, the Forum lives on in the exchange of ideas across countless professions and  media.  In this interview, two Revenue Assurance experts discuss both the new RA Maturity initiative of the TM Forum and the value of telco/solution vendor collaboration.
  • Migrating systems or launching LTE next year?  Don‘t forget transformation assurance & optimisation by Efrat Nissimov — System transformations and network migrations are major  revenue impacting events and they should raise a big red flag.  Why?  Because data integrity issues are bound to crop up as CSPs move vital data from a legacy system to something new.  It’s time for transformation assurance.
  • How can Cable/DSL Internet Providers Meet the Usage-Based Billing Mandate? interview with Ryan Guthrie — The popularity of YouTube, Netflix, and Hulu other video outlets has turned the tables on service profitability for cable/DSL service providers.  Many are moving to usage-based billing, but that largely unprepared for the revenue assurance aspects of this move.  This interview explains the technical challenge and points to solutions in billing, speed caps, and traffic revenue monitoring.
  • CABS Revenue Assurance: How Rural LECs can Recover $284 Million in Revenue Shortfalls interview with Kelly Cannon & Darrell Merschak — Independent rural LECs in the U.S. still rely on the AMA/EMI billing formats for CABS billing, even as that format has proven to be highly inaccurate as a source of inter-carrier records.  This interview includes an analysis and discussion of revenue recovery techniques ILECs can use by leveraging SS7 probes.  Also discussed are billing strategies, traffic dumping threats, and the possible fallout from the FCC’s bill-and-keep mandate.
  • Make Business Assurance Progress Every Day: How to Set Goals, Automate, and Energize Your Team interview with Kathleen Romano — Business assurance (BA) skills have wide applicability outside the revenue assurance and fraud mangement domains.  In this article, a telecom executive explains how she’s applying her BA skills in the Payments area.  In addition to discussing the key operational challenges in Payments, the interview also provides keen insights on setting goals in business assurance, leading a team, and making critical decisions.
  • LTE Rollout: Make it a Smashing Success with Risk Assessment, Controls, and Marketing Offer Analytics by Gadi Solotorevsky — LTE brings splendid new capabilities to mobile users.  But like 2G and 3G deployments before, operators can only make money if they successfuly plan, coordinate, deploy fast, and pay attention to pricing plans and the customer experience.  This article lays out a 3-phase tactical guide on  how revenue analytics professionals can add value in LTE service risk assessment, controls, and marketing offer analytics.
  • RA Prevention: How to Manage Revenue Risks and Communicate RA’s Value to Senior Execs by Shaul Moav — The era of revenue assurance prevention and risk assessment is here.  Several of the mature operators of the world have developed their own methodologies and tools.  Using firefighting and fire prevention as a metaphor, the article details a new commercial software approach explaining the goals, method of risk evaluation, and senior executive dashboards developed for the process.
  • Precision Clockworks: How Revenue Assurance Synchronizes with the Business at Swisscom interview with Marco Pollinger — An expert revenue assurance department is one whose work dovetails well with the lines of businesses it supports.  In this interview you’ll learn how Swisscom manages its revenue assurance function for maximum effect.  The article discusses: the operator’s innovative RA organization, the screening and RA approval of new services, its pre-production bill audits, and its coordination with corporate risk management.
  • Versatile, Portable & Corrections-Savvy: Quest for the Swiss Army Knife of Revenue Assurance Software by Mark Yelland — Revenue assurance maturity models are not cast in stone.  Since  best practices will change over time, it’s healthy to explore moving maturity models forward.  For example, great gains have been made in leakage detection, but RA corrections has been harder to master.  The author dreams about seven functions that should ideally come together in a single all-purpose revenue assurance software tool.
  • Bringing Strategic Planning & Value Engineering to Revenue Assurance interview with Maged Fawzy — Engineering and architectural techniques have a role in revenue assurance.  This interview with a top Egyptian RA consultant explains how continuous risk assessment and long range — yet flexible — RA planning can sharpen a carrier’s RA program and lead to better use of revenue assurance software and integration services.
  • Forensic Fossils: Is Your Revenue Assurance Shop Fit for Display at a Natural History Museum? interview with Jim Marsh — Without the continuous guiding light of seasoned revenue assurance leaders, even the best teams of RA professionals, technology, and business processes can fossilize and lose their vitality.
  • Revenue Assurance: The Magical Market Cap Multiplier by Van Howard & Curtis Mills — Many operators today consider revenue assurance yesterday’s opportunity.  But this article shows why significant revenue and cost leakage can still go undetected, even in companies with dedicated RA departments.  Also discussed are the benefits of a broader or more “forensic” approach to revenue assurance, an approach that boosts the bottom line regardless of the automated tools already in place.
  • From Risk to Robust: Turning the Big Picture Into a Real Agenda for Change in Telecoms by Eric Priezkalns — Inspired by a Financial Times article written by Nassim Taleb, author of “The Black Swan”, here is an insightful and entertaining primer on telecom risk management.  The article takes ten risk management lessons from Taleb and applies them specifically to the communications industry.  You’ll learn about the value of small scale trials, organization accountability, cures for a blame culture, incentives that work, the power of simplicity, and more.
  • Synthesizing the Telecom Business Assurance Practice With the Analytics World by Dan Baker — Business assurance is a wrapper term that allows you to draw a circle around various telecom assurance, control, and optimization activities.  This article maps business assurance as a subset of telecom analytics, constrasting it with marketing analytics while a diagram shows where biz assurance fits in the larger B/OSS world.
  • CABS Revenue Assurance Disputes: May the Carrier With the Best Data Win by Cheryl Smith Rardin & David West — Revenue assurance innovation is far easier when partners cooperate to make it happen.  This articles shows how a U.S. operator, software vendor, and consultant teamed to develop a breakthrough in Carrier Access Billing (CABS) assurance.  Learn about: the dispute resolution data gap that needed to be filled, the partnering strategy, the implementation challenges, and payback results.
  • Revenue Assurance vs.  Business Assurance: Who’s the Rightful King of Controls Software? interview with Sergio Luis Silvestre — Business controls software, originally developed for RA, is finding application in other areas of the business such as internal audit, collections, security and risk management.  This article argues that “business assurance” is the best term to describe this broader set of  controls software that can find a home in numerous departments or functions of a CSP’s business.
  • PwC on the Business of Revenue Assurance Consulting & Mentoring interview with Tim Banks & Dan Stevens — Revenue assurance consulting firms offer a broad range of services to clients these days.  The article explains the practice of mentoring RA mangers and providing a CFO with visibility on the status of an operator’s business controls.  Perspective is also offered on the value of RA software and the opportunity to broaden the RA practice scope.
  • Robots for Hire: Verifying Accuracy In the Age of Complex Mobile Billing/Charging interview with Xavier Lesage — As real-time charging and complex lifestyle calling plans gain credence across the globe in wireless, billing quality issues will rise in importance.  This article discusses a unique managed services approach to invoice testing and roaming fraud protection that checks results against advertised or published source data for the utmost accuracy.
  • Ericsson: Revenue Assurance Consulting With an NGN Flavor interview with Thomas Steagall — Helping operators detect billing and provisioning problem is merely table stakes in the RA services business these days.  The article discuss why operators need to ramp up their RA function with service experience and group-wide financial health monitoring.  Advise is also offered on: key RA maturity questions, risk-and-reward contracts, and how to extract greater value from software investments.
  • Do-It-Yourself RA for Small Operators and MVNOs interview with Mark Yelland — Budget-minded small operators and MVNOs are no longer hamstrung in RA capability anymore.  This article offers high-leverage strategies for operators who cannot afford expensive RA software tools.  With  data access, brains, and a DIY philosophy, any small operator can map a  path to greater RA savings, maturity, and program growth.
  • Revenue Assurance Maturity: Report From the Arena interview with Eric Nelson — Revenue assurance maturity can‘t be easily computed.  How do you  compare the KPIs of Comcast billing with that of mobile money RA in Western Africa?  Even still, this article offers some universal RA wisdom from a straight-shooting veteran of carriers large and small.  Topics discussed include: dashboard or process, COTS vs. inhouse solutions, and tips on gaining internal support for the RA practice.