Our Views:
Investigating Fraud in New Zealand
“Fraud” is an activity where the perpetrator deceives the victim in order to obtain a benefit. According to the Association of Certified Fraud Examiners (ACFE) and Black’s Law Dictionary, fraud becomes a crime when it is a “knowing misrepresentation of the truth or concealment of a material fact to induce another to act to his or her detriment”. In other words, if you lie in order to deprive a person or organisation of their money or property, you’re committing fraud.
Due to the increasing prevalence of technology in every aspect of our lives, a significant amount of fraud is now committed using the internet, and New Zealand Police figures report that up to 97% of “cyber-enabled” crimes are fraud. Examples of fraud include fraudulent online trading, online agency fraud, relationship scams, identity theft, credit card/EFTPOS fraud, amongst others.
Fraud is a significant issue in New Zealand, with 8% of all New Zealand adults being a victim of fraud or deception in 2021. This is higher than any other offence type reported. Unfortunately, fraud is also significantly underreported compared to all other offences, so this 8% is likely to be the tip of the iceberg. Therefore, while the scale of the known issue is concerning, the possible scale of the full problem is even worse. The Police Financial Crimes Unit has estimated that between 20 and 30 million dollars per year are lost by New Zealanders alone because of scams.
Fraud is a criminal offence in New Zealand, with the Crimes Act 1961 outlining the offences that relate to deception, dishonesty, forgery and crimes involving computers. However, despite criminal legislation existing to combat fraud, there are current concerns that this issue is not being investigated or prosecuted effectively in New Zealand, and victims are not well supported. As a result of receiving 52 complaints between 2018-2020 from the public about the police in response to fraud, in 2022 the Independent Police Conduct Authority (IPCA) conducted a review of the police management of fraud allegations and concluded there are systemic issues preventing an effective response.
One of the numerous example complaints investigated in the review involves a situation whereby two company directors reported to the police that the third co-director had defrauded the company of around $150,000. The police initially advised the complainants to try to negotiate with the offender and get the money back. When unsuccessful the complainants sought a formal prosecution. They were again advised by the police that they needed to gain the evidence themselves. Two years later, the investigation had not made any progress, and the police once again informed the complainants to gather further evidence themselves. Uncomfortable with making the enquiries required to gain this evidence, the complainants were informed the case would be closed. Once a complaint was laid, the police reopened the case however despite this crime being first reported in 2017; it was only in June 2022 that the complainant’s statements were completed.
Issues that prevent effective investigation of these crimes raised in the IPCA’s reviews report include:
A pervasive and incorrect perception that fraud is of low importance and has little impact
The impact of fraud can be existential on businesses, and the perception that these crimes are not important within both the Police and society in general must change, or we will face increasing amounts of loss driven by the complacency of investigation and continued criminal success in this area.
Variable processes for receiving, categorising, and prioritising fraud investigations
Variable processes exist to report fraud which leads to inconsistency and an unknown amount of fraud offences never being captured by the system. Fraud offences that are reported along with computer crime are automatically categorised as category four cases meaning they receive the lowest priority for investigation. Finally, once categorised, the cases undergo an initial file assessment derived from a series of weighted factors that indicate the solvability of the crime. This process results in a “solvability” score being assigned to the case. If the score is under 7 then early case closure or no investigation is recommended. Unfortunately, the weighted factors to derive this score do not reflect the nature of electronic fraud today. Electronic crime means it is rare for a victim to be able to identify or provide a description of the offender lowering the score assigned. Additionally, the use of a vehicle lifts the score, which is highly unlikely in any online fraud attempt. Factors that could be used to provide evidence in an investigation of electronic fraud are not included in the scoring system, such as the presence of a digital footprint used by an offender. This process results in fraud being handled and categorised as low priority regardless of whether it involves substantial amounts of money or has significant victim impact.
Inconsistent and inadequate investigation structures
There is no national Police coordinator for fraud leading to a lack of investigative information sharing and consistency across New Zealand regions.
Lack of a victim focus
As fraud is often miscategorised as unimportant or low priority the victims of fraud are currently not receiving adequate attention and support. Fraud victims report serious stress-related illness, and underestimating the impact of this crime is hurting society.
Inadequate expertise and training
The IPCC report highlights the lack of specialist fraud training that the New Zealand Police receive. Often these cases require specialist forensic accounting or digital forensic expertise, which is currently also not always available and puts the investigation of these crimes in the “too hard” basket too frequently.
Despite an increasing number of fraud cases being reported to the police between 2016 and 2020, the proportion of these leading to charges significantly decreased. Fundamentally the way we think about fraud and the way we investigate fraud must change to keep up with the avalanche of this type of crime. This problem is not unique to New Zealand, with the Police Foundation in England and Wales stating that “40% of all crime is now fraud, most of which is cyber-enabled. Yet we are tackling crime and disorder of the digital age with an analogue policing approach”.
Recommendations
It is our view that until the findings from the IPCC report are accepted and its recommendations implemented it is unlikely that you will receive an adequate level of advice, follow-up, or action from the appropriate authorities alone when your business suffers fraud. We, therefore, recommend that if you suspect fraud, you consider engaging additional assistance to investigate, procure evidence, and provide expertise and advice on steps you can take in addition to reporting this crime through police channels.
There are a range of fraud prevention strategies you can apply to reduce the risk of falling victim. Several examples include:
- Keep abreast of Fraud Risk Management, the New Zealand Government provides a helpful list of resources here.
- If not already, implement a set of Cyber Security Controls. One such example is the CIS Controls.
- Implement a third party whistleblowing platform to encourage people to report instances of fraud.
- Consider having an incident response and forensic technology provider on retainer.
About the Bulletin:
The NZ Incident Response Bulletin is a monthly high-level executive summary containing some of the most important news articles that have been published on Forensic and Cyber Security matters during the last month. Also included are articles written by Incident Response Solutions, covering topical matters. Each article contains a brief summary and if possible, includes a linked reference on the web for detailed information. The purpose of this resource is to assist Executives in keeping up to date from a high-level perspective with a sample of the latest Forensic and Cyber Security news.
To subscribe or to submit a contribution for an upcoming Bulletin, please either visit https://incidentresponse.co.nz/bulletin or send an email to bulletin@incidentresponse.co.nz with the subject line either “Subscribe”, “Unsubscribe”, or if you think there is something worth reporting, “Contribution”, along with the Webpage or URL in the contents. Access our Privacy Policy.
This Bulletin is prepared for general guidance and does not constitute formal advice. This information should not be relied on without obtaining specific formal advice. We do not make any representation as to the accuracy or completeness of the information contained within this Bulletin. Incident Response Solutions Limited does not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, when relying on the information contained in this Bulletin or for any decision based on it.
Incident Response Solutions 