people in background

Forensic Fundamentals

Highlighting fraud, cybercrime and forensic accounting issues from the fundamentals to advanced.
Jim Gee
Jim Gee, Partner, National Head of Forensic Services
Our regular updates will cover the basics through to advanced insights into cybercrime, fraud, bribery and corruption and forensic accounting issues impacting both individuals and businesses today. 

We will also share a number of real life case studies highlighting common problems so you are better placed to protect yourself and organisation.

Click below to find out more on the topics you may need insight on. 

This week's fundamental topic

Friday 10 September 2021
Increase in cyber-attacks on supply chains

Cyber-attacks on supply chains are expected to increase fourfold in 2021. Many companies rely on third-party suppliers to provide services and software that are essential for the functioning of everyday operations within the business. As a consequence of this dependency, suppliers can be trusted with an abundance of confidential and sensitive customer information, making supply chains an attractive target to cybercriminals. Supply chain attacks are also low risk high reward for cybercriminals, as a single attack can lead to a series of additional networks to compromise. 

How do hackers exploit third party systems?

Many hackers use malware, with 62% of attacks being carried out using this method. Malware is a blanket term for viruses, trojans, worms and other harmful software that will disrupt systems and networks. Hackers will look for unsecure networks or unprotected servers and hide malware within the services or software deployed to the supplier’s customers. The malware can also be spread through infected weblinks, email attachments or corrupted media. Once the hacker has infiltrated a supplier’s system, they can have access to confidential and sensitive customer data, which can be stolen and used for criminal purposes. Additionally, malware has the ability to not only extract information, but also delete data that is critical to both the supplier and the customer.

What can your company do?

  • Identify the volume and types of information that your company shares with its suppliers; 
  • Understand how data is shared between your company and its suppliers;
  • Ensure supplier contracts include cyber-specific clauses to ensure that company data is well-protected;
  • Review your supplier’s cyber and information security policies and procedures;
  • Ask your suppliers how they meet their contractual obligations, for example relevant data protection legislation; and
  • Ensure that your company has comprehensive incident response and business continuity plans in place to effectively manage a cyber-incident at one of your suppliers. 

How we can help

We offer a variety of services that can help your company review the cyber resilience of your third-party suppliers. We can also help your company develop incident response and business continuity plans in the event of a cyber-incident at one of your suppliers. If you would like to know more about how we can help your company, please contact Jim Gee.

Did you know…

Over half of organisations have experienced a data breach caused by third-parties that led to the misuse of sensitive or confidential information.

Why are cybercrime rates exploding upwards? 

The latest figures from the Office for National Statistics for England and Wales show a 92% increase in cybercrime incidents between March and September 2020. But what explains this huge increase?

The pandemic and changing patterns of criminal behaviour 

Most of our commercial and private lives moved online as a result of the pandemic restrictions, but that alone does not explain what is happening in the world of cybercrime. 

It used to be the case that cybercriminals had to be technically proficient to undertake cybercrime but not anymore. Cybercriminals can now avail of ‘Cybercrime-as-a-Service’ (CaaS) where one group of criminals sell or lend hacking tools and services to another group of criminals. There are a wide variety of ‘kits’ available to buy or borrow that include software to launch a phishing or ransomware attack, and ‘fraud packs’ with stolen personal information.  This means that the tools are available to a much wider group of criminals, not just those with the technical expertise. 

The new ‘business model’ has massively increased the range and impact of cybercrime. CaaS enterprises operate much like a regular business, with management hierarchies, software developers, engineers, and technical support representatives to provide customer support and demonstrations of how the tools work. CaaS enterprises make money from the profit on the products sold or commissions on the ransoms paid by victims. The CaaS model enables the reinvestment of profits into research and development of newer and better tools and techniques.  

CaaS and the explosion in cybercrime 

The CaaS model is behind the huge increase in the official cybercrime figures. There is a ‘virtuous circle’: the better the cybercriminals do the more money there is to invest, and the increased investment improves the cybercriminals’ profits, providing more money for reinvestment. The investment has created tools like automated vulnerability scanners, a topic for another post, that have made it easier and quicker to identify potential victims.  

What can you do?

Organisations need to ensure they are protected. After a successful attack an organisation’s spokesperson will nearly always say it was a ‘very sophisticated attack’, but most attacks start by exploiting very basic vulnerabilities.  

  • Change default settings on systems, for example Office 365.
  • Use multi-factor authentication, at least on administration / high-privilege accounts. 
  • Encourage employees to use a password manager. 
  • Keep your software up to date. 
  • Make sure your DMARC and SPF settings are configured correctly to prevent successful spoofed emails.
  • Have a decent ‘Managed Detection and Response’ (MDR) system in place.
  • Train your employees properly to help them understand their role in protecting the organisation. 
  • Get a pentest at least annually. 

How we can help

We offer a range of services to help protect your organisation. A good place to start is its external vulnerability assessment (EVA) that identifies vulnerabilities that could be exploited by cybercriminals. This includes many of the most commonly exploited vulnerabilities like open ports, unpatched software, email domains that can be spoofed.

We also offer a threat intelligence service to keep your organisation up-to-date with the latest and emerging cyber threats.

If you would like more information on the rise in cybercrime, click here to watch our latest webinar. For more information on the services we offer, please contact Jim Gee

Did you know…

The estimated global cost of ransomware, including business interruption and ransom payments in 2020, was a minimum of $42 billion USD and a maximum of $170 billion.

Think like a cybercriminal: How to protect your business

A July 2019 Crowe report calculated that fraud is likely to cost individuals and businesses US$5.1 trillion a year, with losses rising by 56% in the past decade. To gain an understanding of where your business’ vulnerabilities lie, you must think like a cyber criminal to identify where there is opportunity to take advantage, whether it be internal or external. 

At Crowe, our approach to cyber protection is to step into the shoes of an attacker. We will assess a business’s current cyber security measures through the lens of a potential attacker. External vulnerability reviews are used to look at vulnerabilities in an organisation that are visible to cybercriminals. These reveal  the extent and types of vulnerabilities that help a cybercriminal to decide on whether they should spend time attacking one particular business over another. Alongside an external analysis, we also investigate with an internal vulnerability check. Similar to the initial stages of penetration testing and authorised cyber-attacks, but without exploiting the weaknesses identified inside the business.

Additionally, access to dark web markets and forums allows us to look for evidence of discussions taking place about attacking particular organisations, and for any compromised emails and passwords. For expert tips on cyber security, read Six Steps To Better Cyber Hygiene. The article has been written as part of ‘The Art of Smart’ alongside other useful insights which look at the challenges around corporate decision-making in the current uncertain environment. 

It is business essential that organisations ensure their defences against cybercrime and fraud are up to the mark. Cyberattacks are ranked first among global human-caused risks, according to the World Economic Forum Global Risks Report 2020, costing businesses up to US$11.4 million every minute in 2021.

COVID-19 has seen a significant increase in cybercrime, and it’s not a question of if an organisation will be attacked but when. For an organisation to maintain an effective response, the following three points must be understood:

  1. Technology needs to be used to protect an organisation as well as possible. However, we also need to be prepared to manage an attack if it happens. A comprehensive approach also involves being able to recover and mitigate any damage that has been caused.
  2. Those carrying out attacks are essentially cybercrime businesses, operating as such and making business decisions about which organisations are the best to attack in terms of resources needed and the potential benefits that could be claimed.
  3. Cybercrime is not like other phenomena that we seek to manage as risks. Cybercrime is not static, it is extremely dynamic, continuously developing and evolving – similar to a medical virus. This means that organisations’ responses and protective measures must evolve to reflect the latest manifestations of the problem.

If you would like further information on the services listed in this article or advice on any other cyber protection matter, please get in touch with Jim Gee.

Did you know…

Through ‘The Art of Smart’ we share expert opinion from inside and outside of the Crowe Global network to provide vital and actionable insight to leaders, wherever they do business.

Pension schemes and cyber security

The pension sector reported approximately two data breaches a month relating to cybercrime, between June 2018 and April 2020. Security breaches were the most commonly reported cybercrime, accounting for 63% of reports, with phishing attacks being the second most common breach, accounting for 30% of reports. Despite this, our research has found that over a quarter of pension schemes do not have an adequate cybercrime breach plan in place. 

The figures listed above are prior to the influence that COVID-19 has had on cybercrime. The latest Office for National Statistics Crime Statistics for England and Wales has shown a 92% increase in cybercrime incidents between year ending in March 2020 (876,000 incidents) and year ending in September 2020 (1,679,000 incidents) suggesting that the actual number of attacks on the pension sector is higher.

What are the threats to pension schemes? 

Pension schemes are an attractive target to cyber criminals due to the extensive data that are held concerning beneficiaries, in addition to the potential funds that can be accessed. The Pensions Regulator defines the cyber risked posed to pension schemes as ‘the risk of loss, disruption or damage to a scheme or its members as a result of the failure of its information technology systems and processes.’ Cyber criminals have a plethora of techniques that can be used to deceive individuals into providing confidential data, or disrupting systems to retrieve information. Techniques can range from ransomware attacks, phishing campaigns, hacking, malware, domain spoofing to rogue employees.

Failing to prevent cybercrime or data breaches can result in a pension scheme suffering reputational damage, financial loss, public embarrassment as well as a fine from the ICO.

Responsibility of the Trustee

Trustees are accountable for ensuring a pension scheme is running efficiently for the benefit of its members’ interests, and as such must identify, assess and manage risks. Therefore, it is the Trustees responsibility to ensure that the schemes’ regulatory and legislative requirements are fulfilled. Trustees must also ensure that third parties, including the sponsor company/employer have the required cybercrime and data protection arrangements in place as many will also hold or have access to confidential information.

The Pensions Administration Standards Association (PASA) states that Trustees should always prepared for when a cyber attack will happen, as opposed to if. A cyber security policy should be in place, outlining the administrator’s approach to cyber security, and its ongoing plans to monitor and update procedures if and when necessary.

In addition, preventive measures must be implemented, that may include, but are not limited to:

  • Regulating who has authority to access confidential information;
  • Correctly configuring firewalls;
  • Protecting networks with relevant security arrangements; and
  • Using awareness campaigns to make sure employees are aware of the nature and scale of the threat.

How we can help

We offer many services to help pension schemes with cyber protection. Some of these services are listed online. Our Pension Funds Cyber Vulnerability Survey, and our report on The Nature a Extent of Pensions Fraud are also valuable resources. If you would like further information on how our Forensic Services can help your pension scheme, please get in touch with Jim Gee or Eoghan Daly.

Did you know…

Only 40% of pension schemes have an Incident Response plan. We recommend having an incident response plan that has been tested to supplement other cyber security measures that are in place. Doing so will identify areas of weakness that need to be remedied.

Independent Schools: Top three cyber threats 

Research undertaken in 2019 found that 61% of UK Independent Schools have been targeted for cyber attacks in the last five years. This figure is likely to be higher now, due to the 92% increase in cybercrime incidents since April 2020 and the shift to online educational provision. The sudden adoption of online learning for students and remote working for teachers and staff may have introduced new vulnerabilities for cybercriminals to exploit. Failing to address the additional risks and implement effective measures would leave a school in a vulnerable position. The shift to online learning and remote access requires a proactive approach to monitor and prevent vulnerabilities being exploited.  

Independent Schools are responsible for holding special category data and other sensitive information on students, their families, and teachers. Such information can include ethnicity, religious beliefs, health information, addresses, financial information, among others identifying factors. If this data is stolen, it can both be used against individuals and to facilitate additional crime such as extortion, identity theft and fraud.

The consequences of a cyber-attack can result in financial loss, file encryption or deletion, reputational damage, in addition to potentially damaging a student and their families.

What are the biggest cyber threats to Independent Schools?


Ransomware is a type of malware (malicious software) that infiltrates a network. It is usually disguised as an attachment or download. Once this is opened, access to files critical for the operation of the school’s systems can be encrypted and rendered unusable. The cybercriminal will often threaten the establishment if the ransom is not met. Such threats can include making the attack public (to damage the school’s reputation) or selling the stolen data on the Dark Web.


Phishing consists of tailored, malicious emails sent to individuals that appear to come from a trusted sender. Attackers will often ‘spoof’ their emails, meaning the email will look extremely similar to how it would appear when sent from a reputable individual or company. The content of the emails will usually contain either a malicious attachment, or a malicious link to a website. 
Phishing Emails can purport to come from a member of staff and be sent to parents requesting sensitive information, or to request that fee payments are made to a bank account not known to the school.

Man in the middle (MITM) attack

A man in the middle attack is where a cybercriminal has interjected themselves into the communication process. The attacker can either be a passive listener, by stealing information sent between others, or an active participant, altering messages or impersonating an individual in correspondence.

A MITM attack can be carried out in several ways, it can be by:

  • Poisoning the Address Resolution Protocol (ARP) Cache
  • Poisoning the Domain Name System (DNS) Cache
  • Connecting to a public or unsecured Wi-Fi network
  • Session hijacking (by stealing a session cookie)
  • Hypertext Transfer Protocol Secure (HTTPS) spoofing

If you would like to find out more on how to address the most common cyber vulnerabilities, download our full report on Fraud and Cybercrime Vulnerabilities in Independent schools, or get in contact with Eoghan Daly for more information.  

Did you know…

Over half of ransomware victims do not recover their files after an attack. This is because the attacker either fails to deliver the promised decryption keys, or have poorly implemented the encryption/decryption algorithms. We are aware of one firm who paid the ransom five times, each time in the vain hope that their data would be decrypted. 

Phishing attacks: what you need to know

In 2019, 88% of organisations globally, experienced a phishing attempt. Phishing is continuously used by cybercriminals as it accounts for 90% of successful cyberattacks. Over recent years, phishing attacks have become much more sophisticated, with adaptations of the traditional form of email phishing being created.

So what is phishing, and why is it more successful than other forms of cybercrime?

Phishing is an attack vector, consisting of tailored, malicious emails sent to individuals that appear to be from a trusted sender. Attackers will often ‘spoof’ their emails, in order to make it look like it has been sent from a reputable individual or company. Spoofing emails consists of falsifying company information from an official company website to ensure the email looks believable. The content of the emails will usually contain either a malicious attachment, or a malicious link to a website. 

Why should organisations be concerned?

Regardless of how aware an organisation may be in terms of cybersecurity, it will only be as strong as its weakest link. If a phishing email does get through the cybersecurity measures in place, the only defence left is the employee that has received the phishing email. CybSafe carried out an analysis on data from the UK’s Information Commissioners Office (ICO), revealing that human error was the cause of 90% of cyber data breaches in 2019, with phishing being the main cause. Phishing accounted for almost half of all reports to the ICO in 2019. The research also found that there had been a significant increase in end user mistakes from the two years prior, rising from 61%, to 87% to now 90%.

Variations of phishing attacks

Below are variations of the traditional phishing attack:

Variation  Definition
Spear phishing Spear phishing is a targeted campaign, when an attacker is looking for something specific or a specific individual. A targeted attack may use employee information in attempt to seem persuasive and realistic to the recipient.
Whaling Whaling is a form of spear phishing that targets senior employees or celebrities. Attacking high profile individuals is much more worthwhile for a cybercriminal business as it provides a greater level of access to greater rewards. 
Smishing Smishing is the same concept as a phishing email, but uses text messaging services. A message will be sent to the victims’ mobile containing a malicious link or a phone number to call. 
Vishing is carried out through voice call. Social engineering is an important component to vishing as the attacker will usually instil fear in the victim in attempt to gain sensitive information over the phone. The sound of a human voice has the tendency to gain victims’ trust more so than other variations.

Tips to prevent falling victim to a phishing scam

  • Inspect URL’s by hovering over the link before clicking on it.
  • Inspect the senders’ email. Legitimate companies will have domain emails that include the company name, as opposed to using an email provider such as Gmail or Outlook, for example.
  • Inspect language and grammar used in message content. It is likely there will be spelling or other errors.
  • Call colleagues/suppliers to verify emails requesting sensitive information or urgent requests. Attackers will often put time pressure on the victim to instil panic and ensure a task is carried out promptly.
  • Remain up to date on the latest phishing trends.

If you would like more information on how Crowe can help your organisation and its employees fight against phishing scams, please contact a member of the Forensic Services team.

Did you know…

According to Google, cybercriminals have been sending over 18 million COVID-19 related emails to Gmail accounts every day since the pandemic began.

Penetration testing: the basics

Cybercrime is rapidly evolving, and businesses need to ensure they keep up with new and emerging threats. Businesses can improve their cybersecurity by performing regular penetration tests to help identify vulnerabilities in their systems. A penetration test, also known as a pen test, is a form of ethical hacking which is performed by an authorised cyber-attacker to evaluate the security of a system. 

Why is penetration testing important? 

Penetration testing is essential for identifying potential or actual vulnerabilities to malicious cyber-attacks launched across a computer network that could threaten the confidentiality, availability and integrity of the information being stored and processed. The results of the assessment help businesses to close the issues in a planned manner and improve the security of their systems. Penetration tests should be performed at least once a year to ensure any new threats that have emerged since the previous test are tackled promptly.

It is recommended that penetration testing is conducted across the entire network. However, if your business is particularly concerned about the security status of certain aspects of the network, such as the internal or external infrastructure, these can be tested independently. An internal penetration test helps identify what an insider attack could achieve, which can be perpetrated by anyone who has access to the inside of your network. 

Perimeter systems 

External penetration testing helps identify vulnerabilities in the internet-facing infrastructure of your business’s network, also known as the perimeter systems. These systems are directly reachable from the Internet, and are often the part of your network that is most regularly attacked by external hackers. In addition to internal and external tests, penetration testing can be performed on web applications to identify security vulnerabilities resulting from the design or coding of your business’s browser-based application.

How can Crowe help?

Crowe offer a range of penetration testing services to help businesses protect themselves against cybercrime. Get in touch with Eoghan Daly, Director of Forensic Services to see how we can help protect your business in 2021.

Introduction to domain spoofing 

According to the FBI, domain spoofing scams have cost over $26 billion (approx. £19 billion) in the last six years. 

What is domain spoofing?

Domain spoofing is when a cybercriminal impersonates a company or one of its employees by creating a website link or email address similar to that of the legitimate company domain. The website or email will be altered slightly by changing only a few characters, so that the link or email will still read and appear to be the same as the original. Visuals and information from company websites are used to ensure the illegitimate domain is convincing. The content of a spoofed website or email, will use company branding and formatting, enticing its victims to follow instructions presented to them.

Email spoofing

Email spoofing deceives the email recipient by posing as a trusted source. Email spoofing is commonly used in phishing and spam campaigns as recipients is unlikely to open emails from unknown senders. 

Website spoofing

Website spoofing is when a fake website is created, impersonating a legitimate website. Website spoofing can be an increasingly sophisticated attack as the spoofed website will capture sensitive information, such as login details or even banking credentials. 

How can Crowe help?

Crowe offer a service that checks whether an organisation’s emails can be spoofed and whether spoofed emails can be received by the organisation. We also offer a service that monitors the web for spoofed websites, and can help to have spoofed websites removed. Contact Eoghan Daly, Director of Forensic Services, for more information or visit our cybercrime services page

Top cyber threats for businesses to look out for in 2021

As we move into 2021 businesses must prepare themselves for the cyber threats that will likely impact them in the coming year. Perhaps unsurprisingly, throughout 2020 there were significant cyber threats that arose as a result of COVID-19, which are likely to continue throughout 2021. From traditional phishing scams that incorporated COVID-19 themes to the steady increase of ransomware attacks, cybercrime is going to be a major threat to businesses this year. 

Increase in frequency and cost of ransomware attacks

Ransomware is a type of malware which encrypts the user’s data and holds it for ransom in exchange for money. Ransomware is a growing area of concern for many businesses, as it can be executed relatively easily and cheaply, while also possessing the potential to cause significant damage to a company’s reputation and finances. A 2020 cyber security report found a global surge in ransomware attacks, with an increase of 50% in the daily average of attacks in Q3 2020. The report also found ransomware attacks in the UK increased by 80% in Q3 compared to Q1 of 2020. 

It is not just the frequency of attacks that has increased, but also the cost of the average pay out for each attack. A security threat report into average ransomware pay outs in 2020 saw a large increase quarter-upon-quarter from Q4 2019 to Q3 in 2020. In Q4 2019, the average ransom pay out in Q3 2019 was $84,116 which increased significantly to $233,817 by Q3 2020, with an increase of 21% in the last quarter. 

The rising trend in frequency of attacks and pay-out costs is likely to continue throughout 2021 due to the ‘small effort big reward’ of conducting ransomware attacks. Our Dark Web report found that various criminal services are available for purchase on the Dark Web for the purpose of attacking businesses, which can include ransomware ‘packs’. In some cases, the cybercriminals even offer customer support on how the victim can pay the hacker to receive their encrypted items back. 

Increase in COVID phishing scams

In April, Google reported that almost a fifth of all phishing emails they blocked every day was related to scam emails that concerned coronavirus. The scams often impersonated authorities, such as the World Health Organisation (WHO), in an attempt to deceive the victim into downloading malware, or inputting their credentials which can be used for criminal purposes. Due to the further disruption that COVID-19 is likely to cause throughout 2021, along with the production of several vaccines, cybercriminals will undoubtedly look to exploit this disruption to commit crime using phishing scams. 

Remote workers will be targeted

A majority of businesses have relied heavily on remote working throughout the pandemic, which is likely to continue particularly through Q1 of 2021. As a consequence, the focus of cybercriminals is likely to shift toward targeting insecure home networks and poorly protected VPN networks. Many individuals who rely upon their home network have never changed their Wi-Fi password, or have created their own passwords, which can be cracked relatively easily by cybercriminals. Some individual’s may also believe that even if their network is compromised, they will be protected by their VPN, however some VPNs are more resilient than others, so it is essential thorough research is conducted into the best service for your business. For example, in July 2019 80% of the top 20 free VPN apps in Apple’s App Store shared user data with third parties, despite Apple’s effort to clamp down on data-sharing apps. 

What can I do to protect myself and my business?

As cybercrime continues to evolve it is essential businesses stay vigilant to the threats. Businesses should provide regular staff training and in particular performing mock phishing tests. It is likely that a majority of the cyber threats next year will be perpetrated through phishing scams, so businesses and employees alike need to ensure they are properly educated and aware of the threats. Business also need to ensure that research has been conducted into their VPN provider to ensure they are adequately protected.

Threat intelligence: Protect your business from emerging threats   

To help protect your business from emerging threats we are offering a weekly threat intelligence report which you can subscribe to on a monthly or annual basis.

The weekly report highlights four areas which may be impacting your business:

  1. physical and business threats
  2. financial crime
  3. cyber threats
  4. technical matters.

Find out more on how our Threat Intelligence service can help you protect your business in 2021.

If you need further information please get in contact with a member of our Forensic Services team.

Want to hear more about the big cyber issues impacting businesses in 2021 and what you can do to protect yourself?

Register now for our free webinar on Wednesday 20 January 2021

Cyber-attacks on large companies are rising

An INTERPOL assessment of the impact of COVID-19 on cybercrime has revealed a significant shift from cyber-attacks on small businesses to major corporations, governments and critical infrastructure. 

High profile cases in 2020

Throughout 2020, there have been several high profile cyber-attacks that have targeted large businesses. In June, car manufacturer Honda suffered a ransomware attack, which affected its operations. The virus spread across multiple plants and various countries, including the UK, North America, Italy, Japan and Turkey. Ransomware is a type of malware that encrypts a user’s data, which results in the cybercriminal requesting a payment from the user to release the data. There have also been other high-profile hacks involving Garmin and Canon, who experienced disruption to their services and theft of data, respectively. Government services are also being targeted, with thousands of Canadian government user accounts hacked as a result of a ‘credential stuffing’ attack in August. ‘Credential stuffing’ is when a criminal uses stolen account credentials to gain unauthorised access to user accounts through large-scale automated login requests. 

Why has the focus changed?

COVID-19 has changed the way many organisations operate, both in the public and private sector. This more remote way of working presents opportunities for cybercriminals to commit crime. For example, as businesses and government bodies have encouraged more remote working, cybercriminals are able to exploit insecure remote networks and systems which have been put in place to support staff working from home. 

This increase in consumer dependence on online services, and the possibility for criminals to commit crime from their own home, has resulted in criminals changing from more ‘traditional’ methods of crime, such as burglary, to cybercrime. Also, the increase in vulnerabilities and the financial reward of targeting larger organisations means there has been a shift in focus from smaller businesses to bigger targets.

Although the primary focus of cybercriminals is currently on major corporations, governments and critical infrastructure, smaller businesses are still vulnerable to many forms of cybercrime and should remain vigilant to cyber-threats. As reported in the Verizon Business 2020 Data Breach Investigations Report, small businesses accounted for almost a third of data breaches in 2020. Despite the current focus on bigger targets, cybercriminals clearly remain a threat to smaller enterprises. 

If you would like information on how to protect your business against cybercrime, please get in contact with a member of the Forensics team. 

The Dark Web: understand the Dark Web, understand the threat

The threat of the Dark Web is real, and it is growing.

A recent study carried out by Dr. Mike McGuire at the University of Surrey revealed that there has been a 20% increase since 2016 in the number of dark net listings that have the potential to directly harm an enterprise, with 4 in 10 dark net vendors selling targeted hacking services aimed at Fortune 500 and FTSE 100 businesses. 

What is it and how does it work?

The Dark Web is a component of the internet that cannot be reached through search engines, as it exists on an overlay of proxy servers. Proxy servers are a gateway between a user and the internet, and act as an intermediary directing online traffic to the requested address. These servers also allow the IP address of a user to remain unidentifiable and untraceable when accessing websites. An IP address is a digital address for your device, however it is subject to change depending on your location. To access the Dark Web, a specific piece of software called Tor is required, which conceals the users IP address and allows access to webpages which cannot be accessed through regular browsers, such as Google Chrome. 

Why is the Dark Web a threat?

The Dark Web has become a marketplace for illegal goods and confidential information. Crowe’s Dark Web: Bad for Business report, in collaboration with the University of Portsmouth, found tools and services designed to defraud or perpetuate cybercrime against 21 of the top 50 UK brands (as identified in the 2017 brand directory league table). The research team found template bank statements, utility bills and passports; bank account numbers and sort codes; advice on phishing and fraud packs containing guidance on how to carry out various forms of fraud. 

The true size of the Dark Web is unknown, but it is thought to form around 5% of the deep web. All content that cannot be found through a search engine is classified as the deep web, which forms part of the World Wide Web. The Dark Web has given way for a plethora of fraud, corruption and cybercrime to occur effecting both organisations and individuals. 

Policing criminal activity on the Dark Web is a particularly difficult challenge as a result of Tor’s complex data encryption, anonymity and hidden services/applications. The Dark Web has become a method favoured by criminals to target organisations, so it is vital that businesses understand the Dark Web, and the threat it poses. 

Crowe offers a low-cost subscription services for organisations interested in monitoring the Dark Web for emerging threats. It can be deployed quickly and provides a regular report of any discussions relevant to the organisation. For more information on how Crowe can help your organisation, please contact Jim Gee.

What is cybercrime?

How big an issue is it?

There is an epidemic of fraud and cybercrime in the UK, growing to represent almost half of all crime in the UK (45%). Cybercriminals target all demographics of individuals and sizes and types of businesses if they can see a weakness which can be exploited.

What constitutes cybercrime?

Cybercrime can be considered an umbrella term for all illegal activity that has used technology to perpetrate a crime. It is transnational, meaning that the borderless realm of the online world can reach and effect all those with an online presence. As technology continues to evolve and adapt, the nature of cybercrime coincides with this notion. Cybercrime continues to rise in scale and complexity affecting essential services, businesses and private individuals alike. 

What are the damages?

Failure to prevent a cyberattack goes beyond physical or digital damage, having the ability to inflict long term repercussions. Businesses in particular can suffer from reputational damage including the loss of customers or clients, loss of sales and a reduction in profits. Subsequently, economic damage is incurred from the attack itself in some instances, the disruption of production lines, and costs that have arisen from the need to resolve and investigate the issue at hand. For example, Honda recently experienced what was believed to be a ransomware attack effecting the company’s ability to access its computer servers and internal systems and hindered its production line in multiple countries.

Prepare for threats

It is essential that businesses ensure that the necessary processes and security measures are in place to protect company and client/customer information, going beyond the companies own measures and assessing any third parties involved in the management and storage of data. If a company is failing to actively take care of sensitive information it may be subject to regulatory sanctions and/or large fines. 

It is essential to remember that no business is exempt from cyber-attacks, and all companies must be prepared for any potential threats. 

Further information on tackling cybercrime can be found here.

Complete our Cybercrime Vulnerability Scorecard for a quick and free assessment of your cyber vulnerabilities.

Threat Intelligence report thumbnail
Our Threat Intelligence reports

Threat Intelligence

Protect your business from emerging threats

In order to help protect your business from threats, Crowe are offering a weekly Threat Intelligence report which can be bought on a monthly or annual basis. 

Bribery Act 2010: Section 7

A few weeks ago, we looked at Deferred Prosecution Agreements (DPAs); what they are, why they were introduced, and when they are offered to companies. An aspect we touched upon was Section 7 of the Bribery Act 2010, which allows organisations to provide a statutory defence being it has adequate procedures in place to prevent anyone associated with the business, whether it be sub-contractors or employees, from committing bribery. This article outlines what procedures that companies should have in place to ensure good practice, encourage an anti-corruption culture, and avoid harsher prosecution.

What is Section 7 of the Bribery Act?

Section 7 of the Bribery Act is titled ‘Failure to Prevent Bribery’ and was established to encourage companies to take liability for corrupt behaviour. Under Section 7, any person associated with the company that bribes another person with intent of obtaining business or business advantage for the company will be found guilty of an offence under section 7. Unless the company can rely on the defence that it has adequate procedures to prevent bribery from occurring, it will be found guilty under Section 7.

What is meant by ‘adequate procedures’?

The UK Government has produced guidelines as to what constitutes ‘adequate procedures’, the guidelines have six principles to follow. We have summarised these below:

  1. Proportionate measures
    Proportionate measures relate to the size, nature, and complexity of the business as these factors will play into how at risk a company is to bribery. Measures include clear and practical documented policies and procedures that the company have implemented and maintained to achieve an anti-bribery culture. To ensure the company has effective policies and procedures in place, it must first identify each area risk can present itself. It is advised that bribery prevention procedures remain separate from any other wider guidance the company has. Policies and procedures should state the commitment the company has taken to prevent bribery, its general approach to mitigate specific risks, and how the company implements its policies.
  2. Top-level commitment
    Top-level commitment refers to the management of a company being dedicated to preventing bribery, this can be the owner of the company, or the board of directors, for example. An executive that has adopted a zero tolerance towards bribery promotes an anti-bribery culture within the company. Management should seek to regularly communicate its anti-bribery stance to its employees, and take an active role in the development of bribery prevention procedures.
  3. Risk assessment
    A company should assess its internal and external risk to bribery. The purpose of risk assessment is to promote risk procedures that are proportionate to the nature and scale of the company, and location that business is carried out in. Risk assessment procedures should seek to accurately identify and prioritise potential risks within the company’s activities, markets and customers. 
  4. Due diligence
    Due diligence checks should be carried out on persons who perform or will perform services for or on behalf of the company to identify any bribery risk before engaging in business activity with said persons. Due diligence relating to bribery can also form part of the company’s wider due diligence processes. Due diligence should be proportionate to the identified risk, and can either be done internally or by external consultants.
  5. Communication
    To ensure bribery prevention policies and procedures are embedded within the company and are understood fully, internal and external communication is essential. This can be done through regular announcements and updates of latest risks and prevention measures, training, and promotion of code of conducts. Doing so will create an awareness for employees and can act as a way of monitoring and evaluation for management.
  6. Monitoring and review
    Anti-bribery procedures that are in place must be monitored and reviewed on a regular basis, with improvements made where necessary. Monitoring is essential as risks of bribery may change over time. The effectiveness of bribery prevention procedures should be reviewed by management on a periodic basis, as well as by its employees through staff surveys and/or questionnaires to gauge how measures can be improved.

How we can help

Our Forensic Services team is experienced in advising companies on how to adopt an anti-bribery culture. The team also undertake due diligence reviews on individuals and organisations. If you would like to know more on how your company can implement the measures listed in this article, please get in touch with Jim Gee.

Did you know…

That only two companies have been prosecuted and convicted under Section 7 of the Bribery Act. The first conviction took place in 2015 against Sweett Group plc, and the first contested prosecution took place in 2018 against Skansen Interiors Ltd.

Corporate liability: Deferred Prosecution Agreements

What are Deferred Prosecution Agreements and are they effective?

Deferred Prosecution Agreements (DPA’s) are a relatively new procedure that are becoming increasingly popular across jurisdictions. They were introduced in the UK in 2014, under the Crime and Courts Act 2013. Their purpose is to encourage large corporate entities to take liability for economic crime, including cases of fraud, bribery and/or money laundering. Since DPA’s were introduced in the UK, a total of 12 have been agreed by the Serious Fraud Office (SFO) with large corporations. In the last month, the SFO has invited three companies to enter DPA’s. As of 1 July 2021, the SFO invited its 10th company, Amec Foster Wheeler Energy, a company that provides engineering and technical services to enter a DPA to settle a case involving historic corruption allegations through the use of middlemen. As of 19 July 2021, the 11th and 12th companies, that have not been named for legal reasons, have been invited to enter a DPA following bribery offences relating to multi-million-pound UK contracts.

However, inviting a company to enter into a DPA has been subject to mixed reviews, as part of the agreement is to avoid harsh prosecution inflicted on corporate entities. Regardless, the Chief Executive at the SFO recently defended the deferred prosecution regime, stating that it is indeed necessary to tackle white collar crime and ensure the executives of companies do not distance themselves from the actions of their companies.

How do DPA’s work and why were they introduced?

DPA’s are used to encourage companies to take liability for economic crime that their employees have committed. It is an agreement that has been reached between the prosecutor and the party that could be prosecuted, under the supervision of a judge. An organisation will only be invited to enter into a DPA if they agree to fully cooperate with the SFO’s investigations and fulfil any other additional terms set out. These may consist of paying compensation, paying a financial penalty, continuing to cooperate in any future prosecutions of individuals and implementation of a compliance program. Once an organisation has been invited to enter a DPA, the proceedings for the criminal offence that was charged are automatically suspended. 

The attributes of a DPA are set out to: 

  • Avoid lengthy, costly and complicated trials.
  • Encourage companies to self-report.
  • Avoid hinderance in business and reputation of companies.
  • Provide the opportunity to minimise damage to third parties (employees, shareholders and victims).
  • Ensure the process is public and transparent.

Even if a DPA has been entered into, individuals involved in the illegal activity can still be prosecuted.

Why is there uncertainty around DPA’s?

There is some controversy that revolves around DPA’s as they enable companies to avoid convictions by paying a financial penalty. On top of a financial penalty, additional fees can also include a compensation order, disgorgement of profits, reparations or donation to charities that support victims of the criminal activity, and a payment to the prosecutors’ costs. It is therefore argued that as a result, DPA’s may be seen as just an additional cost to carry out business, making it an ineffective deterrent. 

A discretionary tool

A DPA is a discretionary tool that is open to the prosecutor to apply – it is not guaranteed to be offered in every case. The circumstances of the case will dictate whether the prosecutor considers that a DPA will be appropriate and, importantly, in the public interest. Factors such as self-reporting, cooperation with the investigation and that fact that positive action had been taken by the company to prevent wrongdoing, will all aid the prosecutor to consider a DPA. The last factor will mirror the actions a company should be taking to support the statutory defence under s.7 of the Bribery Act 2010 and will include things such as training, organisational culture and effective management. 

How we can help

If you would like further information on best practice measures to ensure your company is doing all it can to prevent economic crime, please contact Jim Gee.  

Did you know…

To date, a total of approximately £1,130,739,000 has been, or will be paid in financial penalties by companies that have entered into DPA’s, with the sums being paid to the UK Treasury. *In some cases, organisations will have had to pay additional costs to jurisdictions outside of the UK.

*A breakdown of the financial penalties for the two most recent DPA’s have not yet been disclosed. Between the two companies a total of £2,510,065 will be paid for the disgorgement of profits and financial penalties.

Due diligence: Background checks in business

Due diligence is the first step in preventing fraud or corruption when entering commercial engagements, such as dealing with third-party suppliers or during a merger and acquisition transaction. A blog from the Foreign Corrupt Practices Act (FCPA) stated that around 90% of all enforcement actions involved third party intermediaries, yet over 50% of procurement professionals stated that they do not believe that their existing suppliers had been vetted properly.

What is due diligence?

Due diligence is part of compliance procedures, used when a business is looking to work with any external company. Due diligence goes beyond a “tick box” method – it consists of data collection and analysis. In any commercial relationship, a detailed due diligence process will avoid unnecessary risks and will provide the grounds to make informed decisions.

This can be done through the following:

  • Assessing an organisations financial position;
  • Background checks on the individual’s involved; and,
  • Identifying cyber risks and vulnerabilities. 

Why is due diligence important?

Regardless of whether you are a large organisation or an individual, it is your company’s responsibility to ensure your company as well as its suppliers follow regulatory requirements, such as the UK Bribery Act. Due diligence is especially important if your company carries out business globally, as some countries will have anti-corruption laws in place but do not have the means to enforce them. Therefore, having a knowledge on what your suppliers (and where possible your suppliers’ suppliers) activity is vital.

Failure to carry out adequate due diligence can impact your business by resulting in:

  • Contracts that are prone to collapse
  • Reduced asset value and returns
  • Negative media attention
  • Financial penalties 
  • Trade restrictions
  • Loss of trust from shareholders

Investing in adequate due diligence prior to third party engagements will prevent more significant losses from occurring in the future. Crowe offer Corporate Intelligence services that carry out financial, integrity and cyber due diligence to overcome the possibility of carrying out business with untrustworthy entities. 

If you would like more information on how Crowe can help your organisation, please contact a member of the Forensic Services team.

Introduction to corruption and bribery

Corruption is a form of dishonest behaviour carried out by an individual in a position of authority that abuses their power for illicit gain. Bribery is one of the most common types of corruption. Bribery is the act of providing someone with money, services or even valuable items in return of a favour. Acts of bribery are typically disguised as donations, inflated prices, expenses, commissions or ‘facilitation’ fees. Bribery is difficult to spot and can often go unobserved by organisations and law enforcement. 

Bribery has a negative impact on the businesses involved and other stakeholders. It can result in individuals involved becoming vulnerable to blackmail and extortion, and also leave an organisation vulnerable to local and international anti-bribery legislation. Bribery often compromises an organisation’s ‘social licence’ to operate, and could even result in an organisation being debarred from operating in sectors and jurisdictions. 

Bribery Act 2010

The UK Bribery Act (2010) has extra-territorial reach, meaning that foreign companies that have a presence in the UK, and UK companies that have a presence overseas can be prosecuted if there is failure to comply with the Act. The Act includes four main offences:

  1. To bribe another person;
  2. To be bribed;
  3. To bribe a foreign public official;
  4. Failure by an organisation to prevent bribery.

The Act introduced corporate liability for bribery. The legislation requires that companies implement adequate controls to prevent persons from participating in acts of bribery. If an employee of a company is found to have given or accepted a bribe, having adequate measures in place can be used as a defence by the business affected. 

What can businesses do?

Recent research found that almost a quarter of UK businesses experienced acts of bribery between 2016 and 2018. In Crowe’s experience, there are several ways an organisation can adopt a proactive approach to tackling bribery and corruption, and emphasis should be placed on risk perception and foreseeability of where and when bribery may arise. Ways to reduce the risk of corruption include, but are not limited to the following:

If you would like more information on how to protect your business from risk of corruption and bribery, please get in contact with a member of our Forensics team.



 View our services  
Changes to the financial crime landscape

Recent months have seen movement from the UK authorities to try to address the serious problem of financial crime. Our latest report on the subject, ‘The financial cost of fraud 2021’ shows that the cost to UK businesses and individuals now runs at some £137 billion. With the latest ONS data showing that between March 2020 and March this year there was a 26.3% increase in incidents of fraud and a staggering 99.7% increase in cybercrime, what more incentive could be needed for action to be taken?

The ‘Beating Crime Plan’

On 27 July 2021 the UK Government published its action plan to cut crime. The ‘Beating Crime Plan’ received much media attention, although most of this focussed on there being a named officer for every victim of crime, “chain gangs” as punishment for anti-social behaviour and, league tables for police forces to rank how quickly they answer calls for assistance. However, aspects of the plan designed to counter fraud and cybercrime were not widely reported.

The plan proposes that the national body responsible for receiving reports of fraud, Action Fraud, is scrapped. Many commentators would argue that this is about time, with user feedback from the service describing it as “pointless”, “a waste of time” and with a complete absence of updating and contact. The replacement is vaunted to be an “improved” national fraud and cybercrime reporting system, increasing the intelligence capabilities in the National Crime Agency (NCA) and the national security community. How this will also improve the experience of victims and those who report fraud is unclear but to fail to do so will mean that the system is flawed from the outset.   

What other proposals are in place to tackle fraud and cybercrime?

  • Measures in the Online Safety Bill to require tech companies to tackle fraud, giving firms the responsibility of protecting users from fraud.
  • Increasing law enforcement investigative activity within the City of London Police (the lead force for fraud) and in Regional Organised Crime Units.
  • Creating a new fraud investigative function within the NCA to target the most serious and complex frauds and fraudsters.
  • Improving the experience of fraud victims.

Why is financial crime a problem in the UK?

A report by parliament’s Intelligence and Security Committee, found that the UK “offered ideal mechanisms by which illicit financial finance could be recycled through what has been referred to as the London ‘laundromat’”. The gatekeeper of the UK’s anti-money laundering regime is known as the ‘regulated sector’ – the lawyers, accountants, banks, casinos, money-change bureaus and high-value dealers whose services may be targeted by criminals to launder the proceeds of crime. The Money Laundering Regulations place a burden on the regulated sector to report suspicions of money laundering to the National Crime Agency in the form of a Suspicious Activity Report, commonly referred to as ‘SARs’. Failure to report a suspicion is a criminal offence under the Proceeds of Crime Act but prior to this year there have been relatively few, if any, such prosecutions. This changed in June this year, when self-styled money laundering expert Dominic Thorncroft was convicted of failing to notify the authorities of suspicions of money laundering. Earlier the same month the Crime Prosecution Service (CPS) updated its guidance and policy on prosecuting those working in the regulated sector for failing to submit a Suspicious Activity Report (SAR). It indicates that prosecutions are more likely to take place in cases where there was insufficient evidence to establish that money laundering was planned or has taken place, something that would not have happened previously. Given that over 94% of SARs emanated from banks and other financial institutions in 2019/20, its clear that the CPS feels that others in the regulated sector need to do more to combat money laundering. 

How we can help

If you would like further information on how your company can reduce its exposure to fraud or to ensure that it is doing all it can to identify suspicions of money laundering, please contact Jim Gee.

Did you know…

Our latest ‘The financial cost of fraud’ report shows that fraud is costing businesses and individuals in the UK £137 billion each year. 

The cost of recruitment fraud

Recruitment fraud has the potential to infiltrate all industries and levels of employment, with 80% of CV’s containing discrepancies. Recruitment fraud is when someone lies about their experience, qualifications, employment history or previous integrity to gain employment. It denies genuine candidates’ job roles, denies employers’ staff that successfully carry out their responsibilities and allows fraudsters into an organisation where they can undertake wider fraud and theft. Subsequently, recruitment fraud represents a significant cost, which undermines the financial health of those organisations which are affected.

Recruitment fraud is a worldwide threat. There have been countless incidents of individuals claiming to have experience or qualifications that they do not have. From a serial fraudster using a fraudulent application to become a pilot; to a salesman that managed to run six schools into the ground after lying on his CV. Considering the importance and trust placed in some of these individuals, it is alarming how negligent due diligence can be on such job roles. 

How is recruitment fraud damaging?

Establishing the true cost of recruitment fraud is a difficult phenomenon to quantify. However, we have carried out research that discovered the impact on the UK economy. In 2019, our ‘The real cost of recruitment fraud’ report found that recruitment fraud costs the UK economy approximately £23.9 billion. The same methodology was applied to the potential global cost of recruitment fraud, which costs approximately £559 billion. 

The consequences of recruitment fraud can be significant. It does not only damage an organisations reputation and credibility, but it can have a catastrophic impact on customers, clients and/or patients. An example that illustrates the potential impact it can have comes from the NHS. A former NHS boss was given a two-year suspended jail sentence for lying about his university degree. Peter Knight, the former Chief Information and Digital Officer on a £130,000 salary, lied on his CV about having a Classics degree. Knight was only identified after an anonymous tip, and resigned from his role after two years. Failings in basic security checks of a senior official, who would have otherwise gone undetected, demonstrates how dangerously easy it is to falsify your way to the top. It was fortunate that Knight did not have a clinical role, nor had direct contact with patients. If the NHS is failing to check basic facts about a senior figure, it may be of concern as to what other areas the NHS are failing to check. For example, the academic background of a doctor, potentially resulting in incorrect treatment being provided, or worse, unintentionally facilitating a death of a patient. This case highlights that even the NHS, one of the largest national institutions in the world, fell victim to a simple case of recruitment fraud. 

What can you do to avoid hiring a fraud?

  • Qualification checks.
  • Double check the legitimacy of certificates and documents provided.
  • Ask for references and phone them.
  • General background check (including personal addresses, previous convictions, social media profiles, past employers’ history).

Deterring individuals from carrying out recruitment fraud is not complex or difficult. Effective pre-employment checks are relatively low cost and easy to commission, however, you should always consult with an expert before you act.

How we can help

If you would be interested in strengthening your fraud resilience, or require background checks on individuals or companies, please contact Jim Gee.

Did you know…

The most common type of recruitment fraud that organisations experience is applicants claiming to have qualifications and/or status they do not possess. 

The growing landscape of fraud

Since the global recession in 2008, there has been an 88% increase in average losses from fraud and error (for the period of 2019-2020). Our latest Financial Cost of Fraud report, produced in collaboration with the University of Portsmouth, reveals that the UK’s fraud losses alone equate to £137 billion. This startling figure suggests that organisations are losing significant amounts that could be reinvested back into businesses, public services or charities. 

So why is fraud a growing issue?  

There are several factors that contribute to the increasing prevalence of fraud, however we believe that fraud is a growing issue as a result of two overarching concerns:

1. The digitisation of processes

Most aspects of life are now heavily reliant upon technology. The digitisation of processes proliferates instances of fraud by increasing an organisation’s vulnerability and therefore increasing opportunity to commit fraud. Technology enables organisations to be defrauded both internally and externally, with its methods remaining inconspicuous at first glance. Fraudsters can now go after large amounts of not only money, but also information, and do so repeatedly if an organisation is unsure where its vulnerabilities and weaknesses lie. Technological processes have also removed direct contact with a fraudster’s victims, which may also contribute toward a lack of empathy or fear of being caught.

An internal threat will consist of a dishonest employee. An individual within the organisation has the ability to access and manipulate data and records for their own personal gain, or they may outright steal data. An insider threat can use several methods to defraud their firm. Some examples include misdirecting money by altering bank account details of suppliers, editing and/or duplicating supplier invoices, or stealing confidential information for an advantage to gain employment at another company. 

External threats can range from suppliers to cybercriminals, some of which may even conspire with an employee within the organisation. The ability to access information instantly and deepfake voice technology existing, has enabled fraudsters to pose as other people. Fraudsters can put on a convincing act, and so the difference in whether an organisation is defrauded or not, often boils down to awareness among employees and the avoidance of human error. External threats can include variations of phishing attacks, the provision of false documents, or infiltration of networks through unaddressed weaknesses.

All of the above can be prevented to an extent, if an organisation understands and has an awareness of where and how the opportunity to carry out fraudulent acts arises.

2. Organisations do not consider fraud as an additional business cost

Fraud is a hidden cost and so many deny that it is prevalent within their organisations. Most organisations have only planned a process to react after a fraudulent act has taken place. As a result, the cost of fraud is not being reduced. Yet, evidence has revealed that fraud losses can be reduced by up to 40% within 12 months. The financial cost of fraud can be reduced if loss measurement exercises are carried out and then repeated over time. Research has found that more than two thirds of fraud loss exercises has shown losses to be more than 3% of expenditure. Carrying out regular exercises to monitor the amount being lost to fraud will gradually help reduce this percentage. Accepting that fraud is an inevitable cost will allow you to treat it as any other business cost, one that can be managed and reduced.

How we can help

We offer a range of specialised services for countering fraud that includes our Fraud Resilience Review and Fraud Loss Measurement exercises. If you would like further insight into the latest Financial Cost of Fraud figures, you can access our full report here. If you have any other questions, or would like to enquire about our services, please contact Jim Gee.

Did you know…

A typical fraud case lasts 14 months before it is detected.

Fraud and corruption in the mining sector

Local communities in which mines are situated benefit from the mining industry as they provide a steady source of income to those they employ and develop the local businesses which supply goods and services. As these communities are often in remote and poverty-stricken areas, some seek to exploit the opportunities the mine provides through corrupt behaviour, resulting in both the community and the mine itself suffering the consequences. 

What are the most common types of corruption in mines?

Nepotism and cronyism

Nepotism and cronyism are terms used for when family members or those known to an individual receive preferential treatment, and are awarded jobs and other benefits as a result of favouritism. Nepotism and cronyism are completely unethical; however, both are often embedded within the cultures of local mining communities, and considered the norm. 

In the mining industry, nepotism and cronyism is often evident within the recruitment process. Unfair advantages are provided to individuals who may not be able to carry out a job role efficiently. This hinders the growth of the mining business in several ways:

  • It deters genuine candidates from applying for job roles as the recruitment process is not based on prior knowledge or experience;
  • It demotivates other employees as there is no merit-based system in place;
  • It is unsustainable for the development of the mine; and
  • It denies the mine people with the best skills.

Procurement fraud

The UK National Fraud Authority defines procurement fraud as “A deliberate deception intended to influence any stage of the procure-to-pay lifecycle in order to make a financial gain or cause a loss.” Procurement fraud can be carried out by those external or internal to the organisation. 

From our experience, it can be an internal employee from a mine who creates bid rigging schemes and/or creates ‘ghost’ suppliers. Procurement fraud can arise as a result of many factors, including little or no enforcement of the organisation’s procurement policies, falsification of documents, and collusion by an internal employee with an external supplier. The consequences of this behaviour are:

  • Unnecessary financial loss;
  • Undelivered goods or services; and
  • Failure to achieve the organisations operational objectives.


Bribery is the offering, giving or receiving of any item or service that is of value to an individual in exchange for an unfair advantage or favour. In the mining sector, it is often an external source that bribes an internal employee to gain employment, contracts or financial gain. The damaging impacts on a mine include:

  • The forming of a culture of corruption, with the mine gaining a reputation for bribery;
  • Increased business costs, without any added value; and
  • A weakening of the trust between honest employees and contractors, and the local community.

How we can help

If you would like to find out more on how fraud impacts the mining sector, click here to download our report on countering fraud for competitive advantage in the mining and energy sector. Or, if you would like information on how we can help you reduce the chances of fraud and corruption within your organisation, get in contact with Eoghan Daly.

Did you know…

Crowe UK’s Forensic Services Team have undertaken work for natural resources companies in Central and South East Asia, East and West Africa, Australia, Canada and the United States.

Billions lost to fraudsters through the government’s Bounce Back Loan Scheme

The National Audit Office (NAO) has estimated that the UK Government will spend more than £210 billion on its response to the COVID-19 pandemic. This money has rightly been spent on supporting organisations and individuals across the country in this time of unprecedented economic stress and the vast majority of the money has been legitimately applied for and correctly received. 

However, there is always a dishonest minority and on Wednesday 7 October 2020 the NAO published its report, ‘Investigation into the Bounce Back Loan Scheme’, which has taken a closer look at how the Bounce Back Loan Scheme (BBLS) has been distributed.

How it works

The report notes that the HM Treasury, British Business Bank (the Bank) and Department of Business, Energy and Industrial Strategy (BEIS) developed BBLS provides registered and unregistered businesses with loans of up to £50,000 or a maximum of 25% of their annual turnover. This loan should help to maintain their financial health during the pandemic. The scheme launched on Monday 4 May 2020 and will remain open until Monday 30 November 2020, with the government retaining the right to extend the Scheme. 

The loans are provided by commercial lenders (for example, banks, building societies and peer to peer lenders) directly to businesses, who are expected to repay the debt in full. Failure to do so may have a negative impact on their credit score and may affect their ability to borrow in the future. The government provides lenders a 100% guarantee against the loans (both capital and interest). This means if the borrower does not repay the loan, it will step in and repay the lender. HM Treasury data shows that as of Sunday 6 September 2020, the Scheme delivered more than 1.2 million loans to businesses, totalling £36.9 billion. BEIS and the Bank expect BBLS to have lent between £38 billion to £48 billion by Wednesday 4 November 2020, substantially more than it initially expected.

The opportunity for fraud

The government recognises that the decision to provide funds quickly leaves taxpayers exposed to a significant risk of fraud, including fraud caused by self-certification; multiple applications; lack of legitimate business; impersonation; and organised crime. 

BEIS’s 2019-20 annual report and accounts highlights likely total credit and fraud losses of between 35% and 60%, based on historic losses observed in prior programmes which most closely resemble the Scheme. Assuming the Scheme lends £43 billion, this would imply a potential cost to the government and taxpayers of £15 billion to £26 billion – an enormous sum. 

The nature of the losses are likely to be on a spectrum from high volume, low value opportunistic fraud through multiple fraudulent BBLS applications from fake companies through to high value, low volume fraud by organised crime groups. The number of companies registered each week after the government announced the scheme rose by 285% to a record 21,616 by the end of June 2020.

What can be done?

So, what is to be done? For many years, police resources focussed on fraud have diminished and it is now very hard to persuade them to take on a case of fraud. BEIS and the Bank do not have the counter fraud resources to investigate this scale of fraud. Perhaps it is time for private sector forensic and legal specialists to help tackle this threat – and to ensure that there are clear and visible consequences for the dishonest minority. The government did the right thing in supporting UK business – could specialists from UK business now support the government in identifying and investigating the fraudsters and recovering the losses?

 The impact of ‘ghost patients’ on the NHS 

Fraud can take on many shapes and forms with far reaching impact. It costs the NHS £1.29 billion a year (with independent academic estimates actually putting this figure between £3-£5 billion) and is a good example of how it can touch everyone’s life in the UK in one way or another. That’s enough to pay for over 40,000 staff nurses or purchase 5,000 ambulances. Due to the scale and complexity of the NHS it is affected by lots of types of fraud, one of which is the phenomenon of ‘ghost patients’. Ghost patients are people registered with General Practices who do not actually use the practice because they have moved to a different neighbourhood or have died. 

NHS Digital records showed that in 2018 there were 3.6 million more patients registered with the NHS in England than there were people in England, and a 2018 investigation revealed the imbalance was the result of ‘ghost patients’. NHS General Practitioners (GPs) receive £150 a year for each patient registered with their practice, and with an average of 1,700 registered patients each the payment is a significant proportion of a GP’s income. The investigation revealed £550 million was wrongly allocated to GP’s who, either intentionally or mistakenly, kept ghost patients on their books.

Ghost patients, and the additional payments associated with them, could be the result of poor record keeping rather than intentional dishonesty. Irrespective of the cause the result is similar, less funding available for the NHS to spend on the good work to keep the public healthy and save lives.

Any organisation thinking about where it may be losing money to fraud should always consult an expert before taking action. For more information on tackling fraud and to discuss measures to strengthen your organisation’s security, please contact Eoghan Daly

Fraud investigations

A fraud investigation often reveals a lot more than was originally suspected. Where fraud does take place, it is rarely an isolated incident and so an investigation into its full extent is very important. Investigations - using various techniques - can provide the opportunity to determine who is involved and the fraudsters’ modus operandi, and to identify the process and systems weaknesses which may have allowed the fraud to take place. 

A thorough investigation is the only way to resolve a suspicion of fraud. Following the findings of an investigation, a strategy to devise a proactive approach to reduce the nature and extent of fraud can be adopted, resulting in a long term beneficial impact on businesses’ approaches, company cultures and employees’ and suppliers’ outlooks.

How is an investigation carried out?

An investigation can be carried out using a number of different techniques and these are tailored to each specific investigation. Open source information resources are a common tool to gain insight and background knowledge concerning individuals, businesses, associated persons and assets. Additional methods can include examining (with permission) emails and other data, interviewing employees, and analysing relevant documents. When the relevant data has been identified, it can then be prepared for the most appropriate form of analysis in order to draw conclusions. 

Recent COVID-19 lockdown conditions have limited some face to face aspects of fraud investigations. Nevertheless, Crowe has the capacity to undertake remote investigations using its proprietary technology to remotely image computers and interview witnesses and suspects. This is highly effective.

Where do you start?

The first stages of a fraud investigation can be the most important to get right and we recommend to always seek specialist advice if you suspect a fraud to have taken place. We have compiled a list of ‘dos and don’ts’ if you find yourself in this position.  

A thorough investigation is very important. It doesn’t have to be a lengthy process but the thoroughness is crucial. Not to resolve a suspicion of fraud can be very damaging both to the organisation concerned and to those who are suspected. There is no substitute to a professional, legally compliant investigation in order to do this.

Case study – Non Profits


A global non profit approached us after experiencing a case of invoice fraud as a result of a hack. In total, over £163,000 was transferred to a fraudster’s bank account after a hacker intercepted email communications between the company and its supplier. Our forensic specialists responded quickly by attending the site that same day, determining that the company had been compromised by a phishing email. 

We initiated steps to address the hack and commenced an investigation, which involved the following:

  • an investigation into the circumstances surrounding the invoice fraud affecting the company and a company member
  • a cybercrime vulnerability review to report any weaknesses in cyber resilience and to make relevant recommendations
  • penetration testing of the company’s Wi-Fi and guest network
  • cyber security training for the employees.

The investigation found the email account of a former office manager had been compromised by a phishing email for over a year. Phishing is the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information. Phishing scams include URL links to malicious sites or attachments that contain malware, and when clicked on by the recipient, can infect their device. The hacker compromised the former manager’s account and manipulated communication between the company and their supplier, resulting in a payment being sent from the supplier to a bank account held by the fraudster. 

How we helped the non profit

We undertook a review of the information held on the account to establish what other data the hacker potentially had access to, which included over 80,000 emails and identified 291 effected individuals. The types of personal data ranged from bank accounts and sort codes, to national insurance numbers and passports. 

To help prevent a similar scenario happening again, we conducted a cybercrime vulnerability review, in addition to providing cyber security training for the employees. In addition to the review, we also performed an internal and external penetration test of the company’s network. A penetration test is an authorised simulated cyberattack on a computer system intended to evaluate the security of the system. Several vulnerabilities were identified, such outdated software, which were reported back to the company to be patched. 

Given the nature and extent of the personal information that the compromised email account contained, the hack was deemed as a data protection issue and was reported to the Information Commissioners Office (ICO). Due to the quality of our findings, the ICO responded saying no further action was required as they were satisfied with the swiftness and quality of the response to the hack. This not only saved the company significant costs from a potential fine, but also prevented the pain of a full-scale investigation from the ICO. 

Further information

You should always consult with an expert before you take action. If you would like further information on how we can help you strengthen your organisation against fraud and cybercrime please contact Eoghan Daly

Did you know…

Phishing can also be perpetrated through SMS messages, also known as ‘smishing’. Fraudsters can make the fraudulent message appear in the same thread as a legitimate chain of messages from your bank, for example. 

Case study - Sports sector

Forensic Accounting in Football: The Big Match

Acting on behalf of a sleeping giant of football, we were involved in a litigation case against an established European giant of football.

The case revolved around the footballing giant breaching confidentiality agreements to trigger a release clause to enable the transfer of a key player that belonged to our footballing client. As a result of the player being unavailable to our client for the remainder of their contract, the losses incurred as a consequence, needed to be quantified. The end figure forecasted, known as the quantum, was hotly contested. Before becoming involved, a strike out application had been made as to whether it was actually possible to quantify any loss. A strike out application is used when the applicant wishes to demonstrate that a case does not have reasonable grounds for bringing it in in the first place.

The case went to the Court of Appeal where concern was expressed as to how difficult it was to quantify the claim, but that this should not stop the case proceeding. The concept of a machine that had eleven working parts which were all working well was introduced - if one of those parts was removed, this would likely result in some sort of impact on the performance of that machine which could, theoretically, be measured – it was at this point we were approached when a robust approach was required to support the Club’s position.

The key question was whether the removal of that player had any impact on team performance and, if so, what was the best way of assessing quantum in that respect. We limited our period of review to 12 months. The issues of foreseeability and remoteness were addressed. Foreseeability and remoteness are the reasonable anticipation of the possible results of an action, and the causation of the loss as a result of a breach of contract or duty. These two factors, and the link with the player’s market value at various dates (as provided by another expert) was pivotal to our approach. 

Every area that our client may have incurred losses was categorised. The legal term for categorising the damages incurred is referred to as ‘heads of loss’. The heads of loss we quantified included:

  • Loss of match day attendance (analysis of season ticket sales; match day sales);
  • Loss of add on sales both match day and non-match day;
  • Impact on performance of the Club and potential ‘but for’ financial returns;
  • Consequential impact on revenue streams, notably tv money;
  • Salary/bonus impacts;
  • Mitigation issues, such as other player purchases.

Where relevant, the principles of the “loss of a chance” were used. For example, on the balance of probability, in how many games would the player have been fit to play, or selected, if they had not left. One key aspect of our report was to forensically analyse the season in which the player represented the Club, ahead of their enforced move. It was clear from the players’ appearances, and the team’s results, that there was a correlation between this players contribution and the success of the team, notwithstanding of course the many other factors that contribute towards a team’s performance. 

Ultimately, further to intense discussion in experts’ meetings (following forensic accounting reports disclosed by ourselves and the other side), the case was settled on the steps of the Court and a pleasingly satisfactory financial outcome for our Client.

Case study – Mining and Energy Sector

Procurement fraud in a mine

A major mining company in Africa approached Crowe in May 2018 about a suspected invoice fraud of in excess of US$300,000. Crowe’s investigation identified a corrupt network involving suppliers, procurement and human resources and the recovery of over $1,000,000 from the supplier involved. 

The mine is located in a remote part of Africa so, rather than send a person to site, Crowe used specialised technology to obtain forensic images of several computers and other electronic data. A forensic image is a direct copy of all the files on a storage device, such as a hard drive.  A forensic image will typically include all files saved on a machine, included deleted documents.  The technology used by Crowe significantly reduces the upfront costs of starting an investigation and enables remote and covert data collection. 

Through the analysis of almost a million files and ten interviews with past and current employees, the investigation revealed the fraud was perpetrated by one employee from the mine and several employees from a supplier. The mine was defrauded through the submission and processing of false invoices. Payments for other goods and services were also concealed, for example the costs of hiring a vehicle were concealed within catering recharges to the mine. The procurement processes were easy to exploit, with a reliance on proof of shipping information rather than proof that the goods were received. In some cases the mine was charged for goods that were never delivered or even ordered in the first place. The individuals involved also committed fraud to obtain goods for their own personal use, including vehicles and expensive food and alcohol.  

The investigation also revealed multiple vulnerabilities in the organisation’s procurement processes, and a lack of any verification on the quantity and quality of goods and services provided by suppliers. In addition to rooting out the corrupt network, the investigation findings were used by the mine to renegotiate several supplier contracts and save significant sums of money. 

Before engaging Crowe the mine had conducted its own internal investigation that quickly hit a dead-end. By applying its expertise Crowe quickly and thoroughly established the truth of what happened and help the mine to put things right. 

You should always consult with an expert before you take action. Get in touch with the Forensics team if you require further information or to discuss our services.

Qualities of an expert witness

There are various traits that are important to possess to enable you to represent your client in expert witness work. More importantly, the skillset is needed to deliver your prime responsibilities to the court, and ultimately lead to a fair assessment upon which the Court can make their judicial decision.  

In years gone by, there was an overwhelming feeling - that ultimately led to reform - that experts were often regarded by those instructing them as ‘hired guns’, making the evidence fit the conclusion that would best assist their clients.

So what does it require to be an expert witness? 

Our overriding duty is to the Court, and not the party instructing or paying us. Ultimately, we must maintain our independence notwithstanding any pressures exerted either from solicitors or lay clients. There have been various cases we have been instructed on where we have had to tell our solicitors – “sorry, but your case can’t be supported on the evidence available”, this is not what the solicitors or client may necessarily want to hear but to avoid such a conversation would be to undermine your own opinion and work.  

At times solicitors may try and put some gentle pressure to change an opinion, or a working, but if you are clear that what you have concluded is (to your mind) correct, then your professional duty is to remain resolute. 

Another quality required is consistency – a Court will not take kindly to an expert changing his mind with the wind, or worse still, expressing one opinion on a specific matter in one case, then at some point later addressing essentially the same matter but adopting a completely contradictory approach (with no good reason to do so). A Court will always accept if you have had access to new evidence which has impacted your opinion, but someone who is willing to change their opinion so easily is not a robust expert witness whose evidence will be accepted by the Judge.

Further, an element of fairness to any report, or verbal evidence given in Court, is key in supporting a crafted argument – if a report is totally weighted towards one’s own client throughout then it can bring into question the independence of the expert. One useful method adopted by many experts is the adoption of a range of conclusions, particularly when there is a monetary aspect, to give the Court an idea of what range the claim may lie within. This may be couched within terms such as if we assume ‘A’ the claim is £Y, but if we assume ‘B’ then £Z may be more appropriate.

An area in which an expert giving evidence at Court can undermine his own case is where the report may be absolutely fine, in fact it may be one of the best reports ever produced. But if that expert has overly relied on his team to prepare the report, and the understanding of its methodology and underlying assumptions is not fully understood or concluded by the expert, then the expert’s evidence will be quickly undermined under cross examination and a perfectly good report potentially made redundant.

It also helps an expert to be a good story teller – not making things up of course – but delivering a report that takes the reader (and the Judge) on a journey, where the issue is set out, and signposts set early on in the report for what is coming later. There is nothing worse for a judge than to have read a report and by the end be completely lost or confused as to what they have had actually just been told – wherever possible, the simpler and less technical the language, the better.

If you would like more information on our expert witness service please click here or contact Chris Hine on 0161 214 7567.

Did you know…

The Academy of Experts help you find a qualified expert witness to assist you on your case and also provide training courses for those who act as expert witnesses. 

What is an ‘Expert Determination’?

One area where we often provide expert support is in the form of Expert Determinations (ED). ED is a procedure which involves a dispute, or difference, between two parties which are submitted to one or more experts who make a determination on the matter presented to it or them. The opinion reached is then binding on the parties, unless they both agree otherwise. 

An ED can be beneficial to the disputing parties as it is less costly than going to Court, a faster process, is usually binding on the parties, and is subject to the opinion of an independent accountant who has no allegiance to either side.

The resulting opinion can take one of two forms – non-speaking or speaking. There are pros and cons associated with each. A non-speaking approach is exactly as it sounds, say a company valuation is being undertaken, the non-speaking opinion will state is that ‘the shares are worth £X’. There are no report details to be challenged and as such it is difficult to challenge the outcome, although one side will invariably be happier with the outcome than the other. 

A speaking valuation is the opposite of a non-speaking valuation and will set out in detail how the value for those shares has been reached in a format more akin to a traditional report disclosed for Court. It has the benefit of covering the issues that may have been in debate between the parties, explaining why the conclusions have been reached. A speaking valuation may also raise matters which the parties wish to challenge that could end up protracting the process (for instance if they think something is factually incorrect). The threshold for challenging a determination on its findings is high, however, as the test is normally whether there has been manifest error. 

We can be instructed either as the expert undertaking the determination or assisting one of the parties in preparing their submissions. If you would like more information on our expert witness service please contact Chris Hine on 0161 214 7567.

What does an expert witness forensic accountant do?

In simple terms, we are the numbers support service to litigious disputes, investigations or advisory work and are frequently instructed to prepare reports for Court on what can be very complex, or hotly disputed, accounting/number issues.  Sometimes our work can be conducted on an urgent basis within a day, but often the work continues over many months, or even years.  Although our clients will always want the best outcome for themselves, our responsibility as an expert witness is to the Court while if we acts as advisors we will present both the strong and weak points of a client’s case, possibly ahead of mediation or consideration of a legal claim.  Our work can take us anywhere within the UK, and across any industry, while we also take on overseas matters due to our well established Crowe Global network of over 750 offices across 130 countries.

Our work is not supported by a portfolio of clients like it might be in audit or tax service line, each year a different set of challenges and scenarios is presented to us as we seek to assist our clients in either their dispute, investigation, or analysis.  While not professing to be the ultimate experts in every field of industry, we need to be sufficiently capable of being able to quickly pick up how various businesses operate, and what are the real issues that will drive the case either at Court, mediation, or in other negotiations.  While we always want to help our clients it is also important that we maintain an independent thought process which sets out the respective merits of a case, both good and bad from our client’s perspective.    

The matters we work on are often diverse and regularly challenging, examples of the range of casework we have been instructed on include:

  • Funding fraud alleged against a middle eastern bank and property developer.
  • Major supermarket contractual disputes with suppliers.
  • Defending an alleged associate of Bernie Madoff.
  • Representing Premier League and Championship clubs in financial matters.
  • Multi-million £/$ claims for wrongful trading.
  • Valuations in partnership and shareholder disputes involving global companies.
  • Reviewing the work of other accountants in professional negligence claims.

If you would like more information on our expert witness service please contact Chris Hine.


Fraud and cybercrime
Focusing broadly on the significant fraud and cybercrime threats facing businesses today. Also discussing the measures that you can take to protect yourself and begin to fight back in 2021.
An introduction to cyber security
Covering the fundamentals of cyber security, including commonly used terms and
Diagnosing the organisa-tion’s vulnerabilities
Covering the steps you can take to diagnose its cyber vulnerabilities, addressing the identification, assessment and understanding of cyber security risks.
Strengthening resilience
Ensuring adequate cyber security requires core issues are actively managed. This sessions will describe what the core issues are and explain why they matter.
Incident response
It is not a question of if there will be a cyber incident, it is a question of when it will happen. We will cover how an organisation should prepare for an incident.
Fraud and international trade
In the current climate, fraud has become more prevalent within international trade, in this webinar Jim Gee, Partner, Head of Forensics and Counter Fraud looks at how to minimise the risk.
Cybercrime: effective protection for SMEs
Covering the best approach for managing your cybercrime protection and the five important stages to consider - Prevent, Protect, Defend, React, Recover.
COVID-19 and fraud 
What you need to do NOW, and in the current situation where face-to-face contact is difficult, and in what capacity,  Crowe can undertake investigations remotely.
COVID-19 and cybercrime
Addressing some immediate areas to think about and focus on e.g. what to look out for in the current pandemic, how to protect yourselves and your employees.
Cybercrime: fix the most common vulnerabilities
Looking at the cybercrime risks facing listed businesses and preventative measures you can put in place.
Fraud and cybercrime
Focusing broadly on the significant fraud and cybercrime threats facing businesses today. Also discussing the measures that you can take to protect yourself and begin to fight back in 2021.
An introduction to cyber security
Covering the fundamentals of cyber security, including commonly used terms and
Diagnosing the organisa-tion’s vulnerabilities
Covering the steps you can take to diagnose its cyber vulnerabilities, addressing the identification, assessment and understanding of cyber security risks.
Strengthening resilience
Ensuring adequate cyber security requires core issues are actively managed. This sessions will describe what the core issues are and explain why they matter.
Incident response
It is not a question of if there will be a cyber incident, it is a question of when it will happen. We will cover how an organisation should prepare for an incident.
Fraud and international trade
In the current climate, fraud has become more prevalent within international trade, in this webinar Jim Gee, Partner, Head of Forensics and Counter Fraud looks at how to minimise the risk.
Cybercrime: effective protection for SMEs
Covering the best approach for managing your cybercrime protection and the five important stages to consider - Prevent, Protect, Defend, React, Recover.
COVID-19 and fraud 
What you need to do NOW, and in the current situation where face-to-face contact is difficult, and in what capacity,  Crowe can undertake investigations remotely.
COVID-19 and cybercrime
Addressing some immediate areas to think about and focus on e.g. what to look out for in the current pandemic, how to protect yourselves and your employees.
Cybercrime: fix the most common vulnerabilities
Looking at the cybercrime risks facing listed businesses and preventative measures you can put in place.

Contact us

Jim Gee
Jim Gee
Partner, National Head of Forensic Services