
Accountants warned to prepare for emerging fraud threats: RSM

02 May 2025

The fraud landscape is rapidly shifting with the emergence of 'fraud as a service', AI deepfakes, and the sale of fraud kits on the dark web, a fraud specialist has warned.

Organisations and accounting professionals have been cautioned on some of the newer fraud risks arising for businesses as criminals look to exploit developments in AI.

Speaking in a recent webinar with ApprovalMax, Roger Darvall-Stevens, partner and head of forensic services at RSM Australia, said that while the classic fraud schemes that have always been used to target businesses haven't changed, the technology fraudsters use to carry out those schemes is rapidly changing.

"So it [used to be] paper-based or manual attempts to commit fraud, but now with technology including AI, there's a heightened risk of all those traditional types of fraud being committed through that technology," Darvall-Stevens said.

"This is where fraud control intersects with cyber security."

Darvall-Stevens said in some instances, cyber criminals will monitor the LinkedIn or other social media sites of chief financial officers and other senior finance professionals of a company to identify opportunities to defraud that company.

"They'll look at LinkedIn or Facebook and they'll notice that the CFO is on holidays in Fiji, posting some great pictures and telling everyone 'I'm enjoying a break from work'. [The criminals] will then go onto the website of the organisation and extract whatever data they can to impersonate the CFO and send a request that's urgent, usually via email to someone in the finance team."

"[The request will say something like] 'I'm on holidays, this urgent situation has come up and if we don't change this destination bank account for this vendor to this different account or if we don't make this payment, something drastic is going to happen to the business'."

Darvall-Stevens said that while the recipient could call the CFO and ask if the request is genuine, that doesn't always happen.

"They then become victims of business email compromise or identity theft and fraud," he said.

Advancements in AI are also leading to the proliferation of deepfake scams, where AI is used to impersonate other people to commit fraud.

"You've got fraudsters who are now using AI to write code to steal data and install backdoor access on software. They're also using it to write encryption and decryption code which fraudsters can then use for ransomware and theft of protected or encrypted data."

"They're also using AI or bots to maintain multiple profiles to commit all sorts of fraud, including romance scams for individuals, and of course business scams as well."

He also warned that the emergence of 'fraud as a service' had created a new breed of fraudsters.

"Fraudsters are able to go onto the dark web and actually buy kits to commit fraud. You pay for it and they provide 24/7 support and you can ask questions and all the rest of it."

"What that is doing is changing the landscape where people with no or little IT knowledge can actually commit fraud, so the fraudster profile of someone 36 to 46 is now potentially changing to teenagers and young adults who are doing this and committing fraud such as high-profile data breaches and financial crimes and distributed denial of service attacks and ransomware by using some of these kits."

Darvall-Stevens said organisations should ensure they have an AI policy from their information security management system or chief technology officer and that there is also awareness training on these issues.

He also offered a range of other tips on what organisations should do to mitigate fraud risks, including undertaking fraud and corruption risk assessments.

"Know what risks you're mitigating against because you're putting effort, time and money into it," Darvall-Stevens said.

Controls testing is another critical part of any fraud protection strategy, he added.

"You may or may not be large enough to have an internal audit function that helps with that, whether that's internal, co-sourced or outsourced. If not, use a controls testing program," he said.

The Commonwealth Fraud Prevention Centre website has a pressure testing guide which can be downloaded, and organisations should also look at how they can automate their controls in order to mitigate the risks of fraud, he explained.

Darvall-Stevens said it is also critical to ensure that whistleblower programs are in place and working effectively and that businesses have a fraud and corruption control framework.