Does the Fraud Triangle properly address Cyber-Fraud?

Years ago when I started my career in fraud investigation I was quite pleased with the quality of fraud resources available to anti-fraud professionals. As a cornerstone to help fraud professionals understand the how, why or when fraud occurs, the Fraud Triangle was developed by Dr. Donald Cressey. This has been a great tool to understand why generally good persons – cross the line – to do bad things. However, over the past few years I have seen a drastic change in the fraud landscape as it pertains to the rise in Cyber-Fraud. Now seems to be the right time to question whether the Fraud Triangle is still the best tool to properly address this shift in fraud.

Historically anti-fraud professionals have looked at fraud from the perspective that most cases of fraud were being done by organization “insiders”. Typically this fit well into the ACFE Fraud Tree major categories of; Asset Misappropriation, Financial Statement Fraud and Bribery & Corruption, where embezzlement, inflated revenues or kick-backs were occurring. We relied on the Fraud Triangle to explain the pressures, rationalization and opportunity that motivated and allowed the fraudster to perpetrate the act. In most instances the Fraud Triangle fits like a glove and is a very useful tool. It is flexible enough to fit into almost any type of organization at any level. It helps us to understand the emotional and psychological motives of fraudsters to identify not only gaps in a control framework, but also guides us to consider other aspects of the organization, such as its ethical culture.

However, with the dramatic rise of Cyber-Fraud over the past 18-24 months, organizations are finding themselves under attack not only from “insiders” but more and more likely from external fraudsters. Fraudsters who do not fit into the classic fraud triangle, due to the fact that they are not “trusted employees” or other traditional insiders who have veered into an ethical dilemma. From what we know, Cyber-Fraudsters can be located anywhere in the world that has an internet connection. They do not share the same language, culture or even legal systems that we do. For some it is simply a job. They are young and free and sometimes are just having fun. It is more about risk and reward than rationalization. Of course, there are also organized crime syndicates involved, or even a foreign government or two. However, none of these variations represent the traditional fraudster as described by the fraud triangle. What our profession now needs is to adapt to the changing fraud landscape. Who’s up for the challenge ?