The Exploiter
The Exploiter uses something for a wrongful purpose to dishonestly gain personal benefits.
This might involve misusing their position or privileges, or dishonestly exploiting a vulnerability for personal gain.
Examples:
- An individual steals money or assets placed in their trust.
- A staff member exploits their access to systems or information to commit fraud.
Case studies
A Queensland doctor was found guilty of defrauding Medicare out of more than $360,000. He used Medicare’s online system to lodge almost 4,000 false claims for providing services to patients who had died or on dates when he was overseas. The doctor owned four bulk-billing medical practices in Queensland at the time of the fraud. The man was sentenced to 4 years in prison. He was suspended from medical practice and might be deregistered or banned in the future.
A Sydney man pretended to be a tax agent to more than 1,000 people and charged them $100 for his services. He also stole $12,866.62 worth of tax refunds from several people by changing their myGov account details to direct the funds to his account. The man received a 2.5 year prison sentence to be served in the Community. He had his assets seized and was also ordered to pay compensation to the Australian Taxation Office and his victims.
Countermeasures
Counter the Exploiter using measures that support people, process and system integrity, oversight and deterrence:
A positive workplace culture can encourage ethical and supportive behaviours while discouraging fraudulent or corrupt activities. Staff will be less able to rationalise fraudulent or corrupt activities where a positive workplace culture exists. A culture built on honesty, transparency and integrity is a key organisational strength that can serve to reduce the risk of fraud. If weak countermeasures are the fuel, a bad culture can be the spark that ignites fraud and corruption.
Make sure a manager, independent person or expert oversees actions and decisions. Multiple people being involved in actions and decisions increases transparency and reduces the opportunity for fraud.
Clearly document decision-makers using delegations, authorisations and instructions. Clearly defined decision-making powers increase transparency and reduce the opportunity for fraud and corruption.
Rotate staff and contractors in and out of roles to avoid familiarity. Staff and contractors can become too familiar with processes, customers or vendors, which can lead to insider threats.
Limit access to systems, data, information, physical documents, offices and assets.
Limit and control functionality within systems with user permissions. Assign permissions to users based on specific business needs such as making high-risk functions limited to specialised users.
Limit access to sensitive information and records.
Separate duties by spreading tasks and associated privileges for a business process among multiple staff. This is very important in areas such as payroll, finance, procurement, contract management and human resources. Strong separation of duties controls are enforced by systems. It is also known as segregation of duties.
Limit and monitor privileged system accesses (those that allow staff, contractors and providers to perform special functions or override system and application controls). The Protective Security Policy Framework outlines the government protective security requirements to safeguard information from cyber threats, including to restrict administrative privileges.
Put protections in place to prevent data from being manipulated or misused.
Conduct system testing to identify vulnerabilities prior to release. Untested systems can allow vulnerabilities to be released into production environments.
Make sure sensitive or official information cannot leave your entity's network without authority or detection.
Train and support staff to identify red flags to detect fraud, know what to do if they suspect fraud and know how to report it. Fraudsters can take advantage if staff and contractors are not aware of what constitutes fraud and corruption.
Conduct internal or external audits or reviews to evaluate the process, purpose and outcome of activities. Clients, public officials or contractors can take advantage of weaknesses in government programs and systems to commit fraud, act corruptly, and avoid exposure.
Fraud detection software programs automatically analyse data to detect what is different from what is standard, normal, or expected and may indicate fraud or corruption.