Of Boiling Frogs and the Myth of Sisyphus

Why our response to financial fraud is always slow, and doomed to stay that way 

A version of this article was previously published in Payments Quarterly, Page 34. 

The story goes like this. 

Place a frog in a saucepan of scalding hot water, and it does the sensible thing and rockets out immediately. However, place a frog in a pan of tepid water, slowly bring the water to a boil, and the poor critter, oblivious of rising risk, simply cooks to death.

The Boiling Frog story is an apocryphal one – but the fable is neatly representative of our attitudes towards rising risks in life and work. And about emerging financial and payment fraud.

Why are we – individuals and enterprises – so slow to react to abundantly reported incidents of fraud?

Payments fraud is a problem that nearly everyone is painfully aware of, and it appears that far from getting addressed, the problem just keeps getting worse!

According to J.P. Morgan and the Association of Financial Professionals, a staggering 73 percent of companies were targets of payments fraud in 2015, up from 62 percent in 2014. And even scarier, most payments fraud occurs right here in the U.S. In fact, a recent study by Barclays found that the U.S. is responsible for 47 percent of the world’s payments fraud, despite only accounting for 24 percent of total worldwide payment volume.

In just the past few years, there have been a slew of high profile data breaches at major retailers. The Home Depot attack will be a difficult one to forget, especially if your credit card was one of the 56 million that were stolen. Target's breach was just as bad, with 40 million credit card numbers stolen, along with 70 million email addresses, phone numbers and other pieces of personal data.

For businesses, things aren’t looking much better. The FBI reported that instances of Business E-mail Compromise (BEC) scams were responsible for $1.2 billion in fraud globally in just the past couple of years. Technology firm Ubiquiti Networks reported that it lost $46.7 million to such a scam. And it took months for commodities trader The Scoular Co. to even realize that one of its executives was wiring money to a Chinese bank after being “instructed” to do so.

Breaking the Cycle of Apathy and Overreaction

Elisabeth Kübler-Ross studied death in terminally ill patients and wrote in her famous book On Death and Dying that survivors of a loved one’s death go through distinct emotions: denial, anger, bargaining, depression, and acceptance.

Fraud is not on par with death as a form of loss. However, human beings at institutions – banks, businesses, and even homes – follow similar patterns of emotion when it comes to managing fraud risk:

  • Denial – “It’s not happening at our organization…”
  • Underinvestment – “Well it’s not as big as they make it out to be…”
  • Explosive loss – “I guess I better do something about it…”
  • Threat of Regulation – “Please, Congress, I promise I’ll self-regulate.”

The problem is that banks and businesses have trouble making the decision to proactively invest in fraud detection technology. It is really difficult to justify spending money to mitigate fraud when there appears to be scant evidence of it from emerging schemes. Yet, as recent history suggests, every organization will ultimately suffer a breach and loss; just about every organization is inevitably affected, directly or indirectly, by financial fraud. And, after a potentially explosive loss, implementing fraud mitigation technology and controls is wise, but not without feelings of self-reproach.

Success Breeds Overconfidence

When investments are made in fraud detection, they always follow a negative yield curve. First, investments always lag because of the prevailing emotion of denial, and are justified against known or demonstrable loss. When fraud mitigation efforts start to effectively reduce known losses, the “yield” from the investments in fraud detection begins to look less attractive.

In fact, it may well transpire that the cost of fraud mitigation outstrips the cost of fraud loss!

After all, why continue to invest in fraud mitigation when the losses are low? This question, of course, is a rhetorical one. We all know the answer, but we also know the incredible competition for scarce resources – and risk mitigation efforts (unless required by regulation, contract, or fiat) generally lose out to revenue enhancement.

In summary, when organizations are successful in implementing fraud detection technology (even if later than ideal), success is demonstrated only through the absence of fraud. Which is a really hard thing to get your head around. Are the investments really working, or is the quantity of attacks down?

The Good Guys Incur Costs, the Bad Guys Reap Profits

The very rationale for investments on either side of the transaction is so fundamentally different that this too is worth pondering.

To fraudsters – the bad guys – investments in fraud produce revenue. For banks and businesses – the good guys – investments in fraud mitigation are a cost.

Here’s a frightening truth: fraudsters are investing more in fraud than banks and businesses are investing in fraud detection. Yes, banks and businesses are trying to prevent fraud, but they want to do it at the lowest possible cost. Remember, the upside of investing in preventing fraud can’t be measured; it’s only possible to measure the downside.

Fraudsters, on the other hand, are constantly trying to maximize their yield, and they’ll stop at nothing in order to derive new forms of revenue. Case in point? The Home Depot breach occurred thanks to a sophisticated, custom strain of malware that Home Depot’s security team had never seen before, and as a result, the bad guys were able to remain unnoticed for five whole months.

So what are banks and businesses to do? Will they ever break out of the cycle of Apathy and Overreaction: this cycle of denial, underinvestment, explosive loss and threat of regulation?

We have seen scant evidence that they will. When forced to do so, our august institutions will indeed do the right thing. Grudgingly.

In The Myth of Sisyphus, Albert Camus writes about the absurd heroics of Sisyphus. The gods condemned Sisyphus to ceaselessly push a rock up the mountain, only to have it roll back down under its own weight.

Banks and businesses are absurd heroes in the theater of fraud management. They are doomed to react late, doomed to question investments, doomed to reduce their investment, and doomed to then watch the rock of fraud roll back down the hill. And doomed to start over.

And, like Sisyphus, the myth is tragic, but the hero is real and conscious. We must celebrate the efforts of banks and businesses, but we must also lament their absurd task.

Seth N. Cazares

Merchant Center of Excellence, VP, Corporate Relationship Manager at JPMorgan Chase & Co.

6y

Enjoyed the article...very clever hook.

Ned Myers

Marketing, Sales, & Product Executive -SaaS / Data / Blockchain / AI & Advanced Analytics

7y

Great hook in the title...nice way to convey an important topic

Dmitri Krasik

Optimize AP 🎯 | Run 👟 | Calisthenics 🏋🏻♀️

7y

Great article BC, love how to weave in great literature and business.
