Authored by: Morey J. Haber, Chief Technology Officer, Chief Information Security Officer of BeyondTrust
Friendly fraud is a type of electronic payment theft that occurs when a customer files a dispute or chargeback instead of trying to obtain a credit or refund from a merchant first. This type of fraud is considered “friendly” because authorised cardholders dispute legitimate charges to their credit cards, forcing banks to issue a refund under the pretense that the merchant made a transactional error. While credit card providers and banks can identify patterns of theft by thieving cardholders, well-intentioned customers may accidentally commit friendly fraud because they don't recognise the differences between a conventional return and a bank-issued refund. They assume a chargeback is simply a different way of getting their money back, like a regular return, but in fact the difference lies in who is responsible for the return funds.
While this definition of friendly fraud highlights electronic transitions within the credit card industry, it can also apply to a type of financial theft or malicious privileged activity within your organisation from people that are “friendly” and trusted for a specific task. Unfortunately, these individuals may choose to perform some form of fraud based on that trust delegated by the organisation, and thus the activity is considered friendly fraud.
As background, cyber security threats today can be classified as being sourced from internal or external threat actors. Either location can have friendly fraud based on the role of the individual. Internal friendly fraud can come from employees or contractors and external friendly fraud could be attributed to contractors, vendors, or other trusted sources; but not unknown entities. That would change friendly fraud into the realm of an attacker or hacker. To that end, they are definitely known sources and individuals abusing the system for their own gain.
In order to get started, let us explore the methodology around friendly fraud before we dive into two scenarios for financial or privileged theft. Friendly fraud starts with a trusted or authorised individual making a purchase, conducting a task, or performing a procedure that is within the scope of their role. Fraud occurs when the individual attempts to manipulate the process by performing a task or cancelling a process or transaction that results in an inappropriate gain for the individual. The process for terminating the transaction or performing a rogue task is actually valid but the controls that have been instrumented have a difficult time determining if the change in workflow is valid or not. This is when fraud occurs.
As an example, let’s explore a common form of friendly fraud that occurs within some organisations. An individual, based on their role, is required to travel. They book flights using an approved travel system and submit an expense report. In lieu of actually traveling, they cancel the trip directly through the airline and recover funds as airlines e-credit or directly on their charge card as a chargeback. Finally, they collect expenses and then use the e-credit or refunded money for their own personal gain. While this is a terminal offense within almost every organisation, this type of friendly fraud, and many others that are similar, prove that even trusted individuals can abuse the system and conduct fraud. This is why many companies now require boarding passes be submitted with expenses in order to mitigate this risk and apply an additional control to prove travel is actually being performed.
A second example of friendly fraud involves privileged attack vectors. For organisations that have embraced privileged access management, they have implemented a workflow for checkout, utilizing, and checking in privileged accounts (root or administrator) associated with sensitive systems and data. This workflow allows for an individual, based on their role, to access a system and perform tasks that are assigned to them as an individual. Similar to other friendly fraud, there is no immediate method for determining if the actions they actually conduct are appropriate or not. The only way to determine this is by adding another control. In this case, session monitoring. This allows for the complete recording, keystroke logging, and application usage to be documented to determine if the privileged activity conducted by an individual was actually appropriate. Did they run commands, applications, or view data that was sensitive and could have been used for their own gain? If the intent was to initiate a workflow against a valid task but abuse the session with inappropriate activity, then we have friendly fraud based on an insider threat. Unless you are shoulder surfing their activity, session monitoring (whether textual or graphical) is the only way to determine if that session was not mistreated for fraud.
Friendly fraud is not a new concept in the banking world. It is a new concept however in regular businesses to classify when a trusted individual abuses their power for personal gain. It can apply to threat actors that are internal or external, and always involves abusing an approved process to introduce a malicious step that is hard to detect with current controls. Additional controls are needed to determine if fraud actually did occur, and it is crucially important that someone review those controls and their findings on a periodic basis to determine if they work and if friendly fraud is occurring within your organisation. It is negligent to believe it is not occurring, and even worse to ignore it and wait for an auditor to find it themselves.