
      Fraudsters are evolving, and so must our defences. In today's changing business environment, it's essential for Canadian organizations across all sectors, large and small, to enhance their fraud prevention strategies, particularly as technology like generative artificial intelligence (generative AI), and other key factors outlined below transform the fraud risk landscape.

      To stay ahead, organizations must understand their risk exposures, both internal and external, and equip themselves with the right tools, skills, and partnerships to navigate the evolving risk landscape.

      Read ahead for a view into pressing fraud risks and actions organizations can take to better secure their business.

      Enzo Carlucci

      Advisory Managing Partner, Ontario & Atlantic

      KPMG Canada


      Scanning the Canadian fraud landscape

      No industry or organization is immune to internal and external fraud risks. Canada's vast community of small to medium-sized businesses (SMBs) is often more susceptible to fraud due to a lack of awareness and robust controls, leaving these businesses ill-prepared to fend off attacks. And while larger Canadian organizations may have more fraud prevention resources and controls, their size often makes it challenging to adopt organization-wide strategies and controls to effectively deal with the volume of fraudulent threats.

      In recent years, the rise of generative AI, cryptoassets, digital wallets, and regional payment modernization efforts has opened a number of attack vectors for domestic and international fraudsters. While regulations and best practices around fraud prevention are catching up, they are not evolving fast enough, leaving organizations highly vulnerable to attacks.

      88% of 300 Canadian SMBs victimized by fraud have dealt with internal fraud and 75% with external fraud over the past five years**


      The many faces of fraud

      Fraud, by definition, is the act of deceiving for financial or personal gain. It can be carried out externally by threat actors across the globe or internally via your own employees seeking to take advantage of their access. Moreover, in today’s age of digital currencies, virtual communications and generative AI, the act of fraud itself can take increasingly deceptive forms.

      Consider crypto fraud, for example, where digital con artists are wooing unsuspecting victims into bogus investments (e.g., romance scams, rug pulls, pig butchering). In 2023 alone, US$24.2 billion of funds were received by illicit cryptocurrency actors*. These attacks leave victims with little or no recourse to recover their losses.

      The days of cheque fraud may be fading as fewer consumers use cheques. Nevertheless, online payment frauds (e.g., account takeovers, data theft, chargeback fraud, etc.), social engineering attacks (e.g., phishing, whaling, elder fraud, honey traps), “man-in-the-middle” attacks (e.g., stealing personal and financial data), and other more sophisticated scams are filling the void.

      Environmental, Social and Governance (ESG) fraud is another key area of concern. It occurs when an organization misrepresents its ESG activities and outcomes to satisfy various stakeholders, including investors, customers, partners and regulators (this is sometimes labelled as "greenwashing"). An example of ESG fraud is misrepresenting greenhouse gas emissions. These types of misrepresentations can lead to severe reputational and financial damage. Other types of fraud fall under the ESG umbrella, such as bribery and corruption, money laundering, and other unethical activities.

      The mounting pressure on businesses to meet stakeholder expectations and regulatory requirements can inadvertently lead to ESG fraud if not properly managed. Naturally, this can have a damaging effect, eroding trust among customers, industry partners, regulators, and the broader public.

      With the advent of new regulations like Canada's Fighting Against Forced and Child Labour in Supply Chains Act, it's essential for organizations to accurately gauge risks in their operations, such as sourcing from conflict areas, and to implement rigorous anti-fraud programs and internal controls. These measures ensure reliable ESG disclosures and reporting and can help to mitigate other types of ESG fraud.

      8 in 10 Canadian SMB leaders whose organizations have experienced fraud are concerned about their organization unwittingly committing ESG fraud**


      AI: changing the playing field

      We cannot discuss the fraud landscape without addressing AI and its dualistic role in this space. On one side, AI, and now generative AI, is equipping fraudsters with profound new abilities to circumvent traditional security controls and trick their way into an organization's inner workings. Headlines about fraudsters using deepfake audio or video to "trick" organizations into transferring money or enabling access to vital data and systems are becoming more frequent. At the same time, AI is being used to take age-old scams (e.g., phishing, identity theft) to new levels.

      On the other hand, AI is fast becoming a staple of fraud prevention. Many large institutions have already been using AI to automate their threat detection, provide real-time alerts, and reduce the time and resources spent on manual monitoring. In fact, 67% of Canadian SMB leaders whose organizations have experienced fraud indicate they're using AI and/or Machine Learning in their anti-fraud defences, demonstrating the growing reliance on these technologies. Partnering with trusted vendors and emerging technology specialists is key to helping ensure AI models are well-tuned, trustworthy, and aligned with the organization’s security objectives.

      Who am I speaking to? Preventing identity theft

      Accurately verifying and managing digital identities is key to combating many forms of modern fraud. And yet, this is easier said than done because many SMBs lack the resources, specialized skills, and customer identity and access management (CIAM) tools to keep fraudsters at bay, increasing the risk of identity theft and account takeover attacks. Larger organizations with these resources might be better equipped but can find it challenging to scale their identity-proofing processes and technologies effectively.

      Establishing effective CIAM and identity proofing can be daunting, especially as fraudulent actors can come from inside or outside an organization's walls. Fortunately, organizations have access to supports, technologies, and specialists throughout their community who can help in establishing bespoke CIAM solutions, assessing and enhancing data security management, and embedding extra layers of security (e.g., multi-factor authentication or MFA) to fill their security gaps.

      95% of Canadian SMB leaders whose organizations have experienced fraud believe that generative AI and deepfakes have heightened their business' fraud risk**

      Putting fraud in its place

      The Canadian fraud scene may be shifting but organizations can take definitive measures to navigate it effectively. At the core of these efforts should be the continuous education of employees, customers, and other stakeholders, with the aim of creating (and sustaining) a culture of security.

      Beyond this, there are a few other significant steps to consider when developing strong anti-fraud programs, including:

      Assessing your fraud risk exposure

      The first step towards fraud prevention is understanding where you are vulnerable. Conducting a threat assessment will reveal your internal and external risks, define your risk tolerance, identify what’s currently being done to prevent them, and help pinpoint what can be done to fill your fraud prevention gaps.


       

      Optimizing your controls

      Fraudsters will exploit the tiniest cracks in an organization's defence system. For this reason, it is vital that you understand which fraud controls are in place, how well they are performing, and where gaps exist. This begins with an in-depth risk exposure assessment and testing the effectiveness of controls that are in place to manage the risks. It is also important to continue testing and evaluating your controls to make sure they're holding up against the latest threats.

      Advocating for the sharing of information

      In fraud prevention, no one wins by keeping their experiences, insights, and practices in a silo. Purposeful information sharing between functions, offices, industry peers, law enforcement, and the business community at large helps everyone understand new and upcoming threats, as well as home in on the most effective controls, rules, and best practices.
       


      Strengthen your fraud prevention, detection and response

      As technology advances, fraudulent scams will persistently evolve and become more intricate. KPMG specialists are ready to assist in managing risks and setting up controls to help organizations thrive and be trusted by their stakeholders.

      Our teams consist of specialists in forensic accounting, investigations, generative AI, cybersecurity, law, CIAM, identity access management, compliance, and other related disciplines. Together, we are committed to giving organizations the insights, technology, and strategies needed to stay one step ahead of internal and external fraud risks.


      We're here to help

      We’re ready to assist in strengthening your fraud prevention, detection, and response programs with a range of services, from forensic investigations, financial crime risk management, and anti-money laundering measures, to cybersecurity strategies, greenwashing, crypto fraud, and more. Reach out to discuss your organization's needs.


      This article was produced with the valuable input of:

      Marylin Abate, Partner, Forensic & Financial Crimes risk services
      Kunal Bhasin, Partner & Co-Lead, Cryptoassets & Blockchain CoE
      Enzo Carlucci, National Service Line Leader, Forensic
      Conor Chell, Partner, ESG Legal services, KPMG Law

      Amrit Dev, Senior Manager, Forensic risk services
      Nisal Samarakkody, Partner, Cybersecurity services
      Becky Seidler, Partner, Forensic & Dispute Advisory Services
      Serena Tejani, Partner, Customer Identity Access Management services


