Channel stuffing fraud – a distribution problem


What is Channel Stuffing?

Channel Stuffing, also known as ‘trade loading’, is where sales teams sell an abnormally large quantity of product to distributors at one time. These sales are usually at a significant discount or on generous payment terms, making them both attractive and financially viable to the buyer. Channel Stuffing increases earnings in the short term, but you are effectively front-loading the next quarter’s sales, which makes it harder to achieve future sales targets.

Sometimes, Channel Stuffing can be fraudulent, such as where a sales person engages in Channel Stuffing to get a higher short term incentive (bonus) or commission knowing they intend to resign before the next quarter. In some cases, the buyer (e.g. retailer) is forced or coerced by the Distributor to purchase the extra inventory. This can damage the relationship and even impact the retailer’s financial viability.

To make it more attractive to sourcing and procurement teams in the retailer, the sales person attempting Channel Stuffing may offer bribes or kickbacks to the retailer’s staff to complete the Channel Stuffing transaction, or distributor sales staff and retailer procurement staff may be acting in collusion to perpetrate the scheme. An illustration of how Channel Stuffing works is shown below:

Companies that don’t have proper controls in place are likely to fall victim here – it’s worth pointing out that Channel Stuffing is an internal fraud, a type of insider threat which occurs in the distribution stage of the supply chain.


What industries are most exposed?

Industries most at risk of Channel Stuffing are those with high margins, because high margins can be discounted without overly impacting revenue. Those most likely to be impacted include:

  • Consumer Electronics
  • Tobacco
  • Automotive Industry
  • Pharmaceuticals
  • Fast Moving Consumer Goods (FMCG)
  • Technology, including software providers
  • Fashion and apparel
  • Industrial equipment
  • Alcohol and Distilled Spirits

As with many supply chain and distribution fraud schemes, it is hard to find reliable statistics on incident data so I have replaced a graph of losses with a more uplifting pic of something I enjoy – getting outdoors!


Who are the victims in Channel Stuffing?

There are two victims in channel stuffing fraud – that is, parties who incur a loss. First is the distributor (channel partner) itself which employs the sales team. This is commonly the case in fraud perpetrated by one or a small group of disaffected sales leads who are trying to engineer a good bonus and intend to resign in the near future to avoid any repercussions.

Where sales people have fraudulently engineered sales, the channel partner may need to engage legal support to claw back bonuses, and may also be subject to financial penalties from the manufacturer under the Distribution Agreement for having inadequate controls which allowed Channel Stuffing to happen.

The second victim is the manufacturer or business which creates its products and sells them to customers via its channel partners. This company is dependent on third party channel partners to execute the distribution agreements as agreed.

Impacts of Channel Stuffing include:

  • Financial: Depending on scale and materiality, Channel Stuffing will likely impact a manufacturer’s actual revenue against plan (forecast), artificially inflating revenues in the short term. For publicly listed companies or companies with Private Equity investors, if not detected material cases of Channel Stuffing could be misleading to investors and have regulatory impacts.
  • Customer Satisfaction: Customers of the distributor (i.e. retailers) may be forced or coerced to take on additional inventory, which can impact customer satisfaction, brand and reputation. Where products are easily substituted for a rival’s, retailers may even stop offering a product and switch to selling other brands.
  • Inventory distortions: A large volume of unexpected sales (through Channel Stuffing) will result in excess inventory at a retailer, which could take months to clear and may even need to be discounted. This situation can also trigger a manufacturer to build more product, believing that market demand for their product is high. When Channel Stuffing is discovered, one or more parties will be left holding excess inventory, with all the associated implications.
  • Misrepresentation of sales and marketing campaign effectiveness: If a large incidence of Channel Stuffing occurs during a sales campaign or when A/B testing is underway, this may give a wrong impression that the sales are driven by marketing or advertising when they are actually fraudulent. This can cause manufacturers to spend thousands of dollars on marketing and advertising which isn’t actually working.
  • Returns: Some purchasing terms may include provisions for retailers to return excess inventory for a refund a few months after the sale was completed. Sales teams may walk away with a larger bonus, but the manufacturer will be left to unexpectedly refund some or all of the sale, and accept the additional inventory or alternately agree to the inventory being sold at a heavy discount to end users or offloaded onto the resale market. Either way, the manufacturer loses.

How can you identify Channel Stuffing and what are the indicators?

Identifying frauds and insider threats like Channel Stuffing is really an intelligence and analytics problem. In order to detect fraud, we need to know what we are looking for. The most effective way of doing this is to build one or more typologies that capture how the fraud scheme would actually work in your business, and what to look for. If you’ve never heard of a typology, have a read of my previous article.

If you read regularly, you will know I frequently talk about the importance of keeping data on incidents – such as through an incident register. Use the details of a previous case (or public cases involving your competitors or similar industries) for Comparative Case Analysis which allows you to develop detailed fraud detection typologies.

Detecting any type of threat in your data involves identifying the patterns (behaviours, indicators), anomalies (unusual activity), and signatures (unique offender characteristics associated with how they perpetrate the fraud). Indicators of Channel Stuffing to look for in the data include:

  1. Unusually High Sales Volumes: Look for anomalies and spikes in sales figures, especially towards the end of reporting periods or bonus periods
  2. Rising inventory: setting aside seasonal fluctuations and sales trends, can inventory increases be reliably explained?
  3. Extended Payment Terms: Do unusual sales volumes correlate with issuing of extended payment periods or more favourable return policies for retailers?
  4. Excessive Discounts or Incentives: Is your business offering unusually high discounts, rebates, or incentives to distributors or retailers?
  5. Returns and Chargebacks: (lagging indicator) Can abnormal rates of returns, chargebacks, or unsold inventory be observed in a period after indicators 1-4 were identified?
  6. Abnormal Sales Patterns: Are there any anomalies such as consistently high sales in the last week of a reporting period?
  7. Increased Distributor or Retailer Complaints: Are partners reporting concerns about pressure to accept more inventory than they can reasonably sell?
  8. Unrealistic Sales Targets: Are they realistic, or are they impossible which encourages sales staff to resort to Channel Stuffing (especially where sales team compensation is commission-based)?
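As an added example (not part of the original article), the sketch below turns indicators 1, 3, 4, 5 and 6 into a simple typology check over sales and returns records. The field names, distributor IDs, sample records and thresholds are all constructed assumptions to be replaced with your own data and tuning.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean

# Thresholds are illustrative assumptions; tune them against your own data.
LAST_DAYS = 7           # "last week of a reporting period" (indicators 1 and 6)
LATE_SHARE_MAX = 0.50   # share of the quarter's units sold in that last week
DISCOUNT_UPLIFT = 10.0  # percentage points above the earlier-in-quarter average
TERMS_UPLIFT = 30       # extra payment-term days above the earlier average
RETURN_RATE_MAX = 0.20  # next-quarter returns as a share of this quarter's units

# Constructed sample records (hypothetical distributors and field names).
SALES = [
    {"distributor": "DIST-A", "date": date(2024, 1, 15), "units": 100, "discount_pct": 5, "terms_days": 30},
    {"distributor": "DIST-A", "date": date(2024, 2, 12), "units": 110, "discount_pct": 5, "terms_days": 30},
    {"distributor": "DIST-A", "date": date(2024, 3, 11), "units": 90, "discount_pct": 5, "terms_days": 30},
    {"distributor": "DIST-A", "date": date(2024, 3, 28), "units": 900, "discount_pct": 25, "terms_days": 90},
    {"distributor": "DIST-B", "date": date(2024, 1, 20), "units": 200, "discount_pct": 5, "terms_days": 30},
    {"distributor": "DIST-B", "date": date(2024, 2, 18), "units": 210, "discount_pct": 5, "terms_days": 30},
    {"distributor": "DIST-B", "date": date(2024, 3, 27), "units": 220, "discount_pct": 6, "terms_days": 30},
]
RETURNS = [
    {"distributor": "DIST-A", "date": date(2024, 5, 20), "units": 400},
    {"distributor": "DIST-B", "date": date(2024, 4, 30), "units": 10},
]


def quarter_of(d):
    """Return (year, quarter number) for a calendar-quarter reporting period."""
    return d.year, (d.month - 1) // 3 + 1


def quarter_end(year, q):
    """Last calendar day of the given quarter."""
    first_of_next = date(year + 1, 1, 1) if q == 4 else date(year, q * 3 + 1, 1)
    return first_of_next - timedelta(days=1)


def next_quarter(year, q):
    """The reporting period that follows (year, q)."""
    return (year + 1, 1) if q == 4 else (year, q + 1)


def score_channel_stuffing(sales, returns):
    """Return {(distributor, (year, q)): [indicator names]} for flagged periods."""
    by_period = defaultdict(list)
    for s in sales:
        by_period[(s["distributor"], quarter_of(s["date"]))].append(s)
    returned = defaultdict(int)
    for r in returns:
        returned[(r["distributor"], quarter_of(r["date"]))] += r["units"]

    flagged = {}
    for (dist, period), rows in by_period.items():
        cutoff = quarter_end(*period) - timedelta(days=LAST_DAYS)
        late = [s for s in rows if s["date"] > cutoff]    # last week of the period
        early = [s for s in rows if s["date"] <= cutoff]  # in-period baseline
        total = sum(s["units"] for s in rows)
        if not late or not early or total == 0:
            continue  # nothing to compare the period end against
        hits = []
        # Indicators 1 and 6: sales concentrated at the end of the period.
        if sum(s["units"] for s in late) / total > LATE_SHARE_MAX:
            hits.append("period_end_spike")
        # Indicator 4: discounts well above what this distributor usually gets.
        late_disc = mean(s["discount_pct"] for s in late)
        if late_disc - mean(s["discount_pct"] for s in early) > DISCOUNT_UPLIFT:
            hits.append("excess_discount")
        # Indicator 3: payment terms extended alongside the late sales.
        late_terms = mean(s["terms_days"] for s in late)
        if late_terms - mean(s["terms_days"] for s in early) > TERMS_UPLIFT:
            hits.append("extended_terms")
        # Indicator 5 (lagging): heavy returns in the following period.
        if returned[(dist, next_quarter(*period))] / total > RETURN_RATE_MAX:
            hits.append("returns_next_period")
        if hits:
            flagged[(dist, period)] = hits
    return flagged


if __name__ == "__main__":
    for key, hits in score_channel_stuffing(SALES, RETURNS).items():
        print(key, hits)
```

A period that trips several indicators together is a stronger lead for review than any single hit, which on its own may have a legitimate explanation such as a seasonal promotion.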

By paying attention to these indicators, you can help businesses detect and prevent channel stuffing, ultimately safeguarding their financial integrity and long-term relationships with distributors and retailers. Additionally, offering guidance on transparent and ethical sales practices will contribute to sustainable business growth.

Four things businesses can do to minimise Channel Stuffing risk

With an understanding of what Channel Stuffing is and the ways it can be identified, there are four key things businesses can do to mitigate the risk:

  • Develop typologies and use data analytics to continuously monitor for, and proactively detect Channel Stuffing
  • Implement transparent, detailed reporting that ensures visibility of emerging trends and issues and allows early management intervention
  • Ensure appropriate reporting and audit rights are included as part of any distributor compliance program forming part of Distribution Agreements. Channel Managers need to consider this in the Channel Management strategy.
  • Implement programs to perform market surveillance and obtain customer (end user) feedback to understand what is actually happening and who is buying your product. This helps validate observations in data analytics

As with all fraud schemes, paying attention to your data and having a good understanding of your business can help deter and detect frauds early. The bottom line is that proactively looking for Channel Stuffing can avoid significant downstream pain!


DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Often overlooked, Product Security is fundamental to Product Management


Products are core to modern business strategy

If you read Ellen Merryweather’s (of Product post of January this year (refer Further Reading), you may get the sense that product management is coming of age. A focus on products for businesses can provide stickier customers, unlock access to non-traditional markets, and generate annuity revenue rather than single transactions. These days, I find there are two main categories of products:

  • Products in their own right – such as medicines, or items of clothing and auto parts (e.g. tyres)
  • Products that are bundled with services – we see this with cloud-based software solutions, as well as products connected to the Internet of Things (IoT)

Increasingly, physical products are incorporating connections to the IoT to provide after-sales services such as device updates or performance monitoring. Unlike services, which are transactional, products have a finite lifespan both in terms of their operations (how many times they can be used, or will last) and from a market perspective before they are imitated by competitors, superseded, or in the case of patented products when the patent expires. This means there is a target window in which to generate Return on Investment.


Product security and integrity risks are varied

There are a range of fraud, security and integrity risks which impact products, many of which are specific to products and industries. If not properly managed, product risks can have material implications on profitability and reputation, including:

  • Revenue loss or margin shrinkage due to theft, fraud and abuse by customers, staff and suppliers
  • Consumer safety / law issues including product safety and product recall
  • IP risks including patent, trademark (counterfeiting) and copyright infringements, and the tort of ‘passing off’
  • Commercial risks arising from brand damage, competition etc
  • Geopolitical risks – such as trade embargoes, disruptions and material shortages
  • Information and cyber risks – data theft, privacy breaches, cyber attacks, malware
  • Supply chain and distribution risks – including end user fraud, distributor fraud, and product diversion
  • After market risks – such as parallel imports, grey market products, resold products etc.

Despite this risk landscape, I find it’s rare to see product management or product strategy frameworks that clearly articulate the importance of product risk management and the role of product managers in this. Contemporary product protection programs need to address cybersecurity, fraud, insider threats, supply chain security, and product integrity issues such as tampering to mitigate these and other fraud and security threats.


Inherent risks mean security & integrity has a place in product development

When they materialise, fraud and security threats can have a range of direct and indirect impacts which affect product manufacturers, their suppliers and distributors, and customers (end users). Examples here include unplanned losses which erode product margin, sales or resales by unauthorised distributors which financially impact and poison relationships with authorised suppliers, and warranty and returns frauds by customers which compounds financial loss with additional expenses such as staff handling time.

Consideration of security related issues is fundamental to realising both the return on investment into designing and releasing a product, and to maintaining the confidence of regulators and consumers that a product does what it says it will.

To properly consider and mitigate these problems, I would argue that starting with a product risk assessment is an essential first step. Product managers need to assess and quantify fraud, security and integrity risks during the New Product Development (NPD) process. What is NPD? This is a 6-stage process that runs from concept to design, prototyping, and market, as illustrated below:

The C-I-A triad of information security provides three risk categories that can be used as a starting point for product risk identification irrespective of whether the product is tangible (e.g. a computer chip or bottle of wine) or intangible (e.g. software):

  • Confidentiality – the ability to keep sensitive information secret
  • Integrity – making sure your product is trustworthy, has not been tampered with, and is authentic, conforming, and reliable
  • Availability – making sure the product is serviceable as and when expected

When we think about integrity and products I almost find it easier to think about it from two perspectives: seller and buyer. Supply Chain Integrity, which focuses on Provenance, Authenticity, and Traceability, is increasingly important for buyers where there are consumer safety or critical infrastructure protection considerations. In regulated industries, sellers (manufacturers) may need to consider how their products (and supply chains) may be compromised in order to make their products more attractive to buyers:

Product Security and Integrity is more than cybersecurity

In my experience, it is common to see product security programs focus exclusively on cybersecurity; however, this one-dimensional approach fails to understand the true nature of security threats. Security theory relies upon the concept of ‘security in depth’ – the use of multiple, complementary controls of many types (e.g. system, people, financial, physical security) which are mutually reinforcing and provide layers of redundancy to protect the asset.

Focusing on one layer (e.g. cybersecurity) at the expense of all others just encourages criminals to achieve the same objective via other means. Examples of the varied security programs required at different stages of NPD include information protection programs and prototype security:

Security and integrity risks need to factor in pricing decisions

Understanding how to factor security and integrity risks into product pricing requires an understanding of how products are priced. Typically, a product is priced using a method which calculates total cost of inputs to create (and sell) your product, plus a profit margin – the article from Shopify (referenced in Further Reading below) provides a great introduction to product pricing and strategy.

Importantly, calculating the cost to produce and sell a product differs from your pricing strategy – for example, you may have a product which is cheap to produce but can be sold at a very high margin, either because of some unique factor, market demand, or limited supply. Conversely, you may wish to quickly gain a large market share for first mover advantage or to displace competitors, in which case you may be prepared to cut your margin.

So what sort of security and integrity programs might you need to cost?

  • Product security and integrity controls including anti-counterfeit packaging, tamper evident features and anti-theft measures
  • Cybersecurity features such as Identity and Access Management, data encryption, network security and cyber threat intelligence, particularly if connected to the Internet of Things
  • Fraud protection features to mitigate the way opportunistic and organised fraudsters can abuse your product, such as via warranty fraud
  • Supply chain integrity and security including distribution frauds, product diversion and returns fraud. Whilst not product security per se, this adds to the cost of goods sold
  • Market Surveillance to consider security threats such as counterfeiting and gray market activity as well as consumer safety and quality issues

Some product managers include an additional ‘charge’ for fraud or security issues in the product cost. This effectively acts as an insurance mechanism, with the aggregated charges on sales not affected by fraud or security underwriting those that are. Obviously the ability to do this depends on many supply and demand factors in the market.

If you didn’t appreciate the importance of managing security and integrity risks inherent in product development and product management, hopefully you will now. As you can see, product risk brings material considerations that need to be a feature of any product management framework.

Further Reading


Prototype product protection: a step by step guide

What is prototyping?

“A prototype is a draft version of a product that allows you to explore your ideas and show the intention behind a feature or the overall design concept to users before investing time and money into development”. Prototyping is an essential step in product development as it provides an opportunity to qualify feedback from potential customers, size the market, inform investment and financial decisions, and support go/no-go decisions.


Not every product idea will be a commercial success, meaning innovators can spend a lot of money on new product development without financial return. Prototyping helps minimise this risk by regular and repeated feedback. The generic product development process begins with the idea (ideation), which leads to development of a Product Definition prior to prototyping. identifies two categories of prototype:

  • Low-fidelity prototypes are often paper-based and without user interactions. They are prepared quickly and are cheaper than high-fidelity prototypes whilst helping potential users understand the product concept and how it might benefit them. Feedback collected from user interviews (customer interviews) should be incorporated into the iterative new product development process to inform the Minimal Viable Product (MVP).
  • High-fidelity prototypes are effectively early models of the future product. They are as realistic as possible with working components, meaning they are often expensive to produce and may require support from the product developer’s supply chain to design and build custom components. The need for custom components may require suppliers to develop their own prototypes and perform custom R&D as a prerequisite for being able to produce their customer’s new product, adding to development timelines and commercial complexity. There may be multiple iterations of high-fidelity prototypes, with latter models being closer to the model which will go into production and on to a product launch for sale.

How are prototypes vulnerable? What are the risks?

Part of the challenge with protecting prototypes is the need to balance secrecy with feedback. Failure to provide adequate secrecy or protection could mean innovators lose commercial advantage or are usurped by competitors who are faster, more agile and better resourced. However, the flip side of any product is that it needs to be tested and product developers need as much real life feedback as possible, both from customers on whether the product meets their needs and also real-life applications on whether the product solves the problem as intended under realistic conditions.

The inherent risks associated with a prototype are a reflection of how advanced the prototyping activity actually is. At the early stages, risks are primarily associated with information security and personnel security, where leaks or compromises can occur which tip off the market to what is under development. As prototypes are produced and tested, these risks remain but new risks including physical theft or loss and third party or supplier risks also come into play. The spectrum of risks is illustrated in the following figure and overlaid on the research and development process:

(c) Paul Curwell (2022). Prototype Product Protection illustrated: Security risks aligned to the R&D process

Taking steps to ensure legal protections for your Intellectual Property, such as Patents, Copyright or Design Rights are addressed is an important step in prototype protection, but these legal protections are not the sole actions required. Litigation cases can turn into a ‘war of attrition’ with the winner having the deepest pockets, so reliance on a purely legal strategy may not be prudent. Selected security and fraud risks which also need consideration include:

  • Physical theft of the prototype – which can occur during storage, production, transport and field trials.
  • Theft of test data, plans or designs – arising through virtual (cyber) and physical (e.g. paper, human) vectors.
  • Theft or disclosure of pricing and commercial data – this is likely of particular interest to competitors and ‘fast followers’, but potentially also to industry media and investors.
  • Contract Manufacturer agreements – outsourcing may confer less control over your information and who has access to it. Additionally, there are many examples of contract manufacturers with undeclared conflicts of interest or a lack of integrity who disclose this information to third parties or competitors irrespective of any legal agreements in place.
  • Theft or unauthorised use of tooling, molds etc for production – parts of your supply chain, including contract manufacturers, may use your custom tooling or manufacturing molds intended for developing the prototype for unauthorised manufacturing activities during periods of factory downtime. Tooling agreements which specify ownership of IP, and access control associated with tooling, are essential to manage product diversion risk.
  • Third Parties – many businesses will need to involve their suppliers in prototyping and new product development. This requires providing information, access to designs or prototypes, and go to market plans and timelines, all of which are commercially valuable and potentially market sensitive if the company is publicly listed. Use of external experts including product development specialists, product engineers, graphic or industrial designers, product quality consultants, computer-aided design (CAD) specialists can increase the chance of success. However, the more people ‘in the know’ the greater the opportunity for compromise.
  • Data Management and Information Protection – ideally, much of your product development information will be online rather than paper-based to provide greater control over access, versions, and dissemination. A data management plan incorporating risk-based data security and information protection is essential, and being able to evidence appropriate security and protections can give greater confidence to business angel, venture capital and private equity investors to fund product development.

In addition to these inherent risks, two contextual factors influence your risk exposure, being time and the number of people who are in the know. As with anything you want to keep under wraps, the longer the time you need to keep something secret the more effort required. The quicker you go from ideation to commercialisation, the less the chance of compromise or accidental disclosure. Related to time is the number of people ‘in the know’. Typically, longer product development timeframes mean more people in the know. There is presumably a relationship between the number of people who know and the likelihood of intentional or unintentional compromise.


Most importantly, it’s not just the prototype itself which needs protecting: it’s also information pertaining to it, as well as any externally-facing indicators of what you are doing that can tip off competitors, all of which need to be carefully managed.

The prototype threat and risk assessment

Some industries are much more competitive and cut-throat than others, with competition arising not just from business competitors but also nation states. Innovators, research managers and commercialisation teams are often reluctant to talk about security, but according to ‘The report of the Commission on the theft of American Intellectual Property’ (2013), the cost of IP theft in the USA alone is likely to exceed US$300 billion.

The ongoing theft of IP is “the greatest transfer of wealth in history.”

GENERAL KEITH ALEXANDER, Commander of the United States Cyber Command and Director of the National Security Agency

Industries with commercially lucrative or national security applications at the cutting edge of science, technology, engineering and mathematics and some consumer sectors are most likely to be targeted, with targets ranging from applied research through to trade secrets, prototypes and commercial information. Understanding who might be interested in obtaining information about your prototype (‘threat actors’), such as competitors, competitive intelligence collectors, media, and foreign governments, is a crucial first step. A threat assessment can help identify these actors, understand their tactics and level of sophistication (their capability and intent), and provide insights on how they are most likely to target your R&D.

A Risk Assessment complements the Threat Assessment. Risk Assessments look inward and focus on what can go wrong (risks) and what is present to prevent this (internal controls), whilst threat assessments focus on the outside looking in. The bottom line is that every material risk should have adequate control coverage, with the most critical assets (including people, information and physical items) having multiple redundant layers of protection. Threat and Risk Assessments provide a strong foundation for a Prototype Protection Plan.


Developing the Prototype Protection Plan

The Prototype Protection Plan (PPP) documents what steps a business will take to protect prototype versions associated with a given new product development project. This plan considers the threats and risks identified through the assessment process (above), and outlines the ‘who, what, when, where, why and how’ of each risk treatment option. The PPP should cover the full spectrum of risks – physical, cyber, information/ IP, personnel (insider threats) and supply chain.

Better practice involves assigning a dedicated security manager for the duration of the project (either full or part-time), whose role includes not only coordinating the overall PPP program but also assessing, investigating, evaluating and responding to incidents and potential compromises. Industries where products have rapid product life and profit cycles may also undertake a variety of counterintelligence practices given the level of ongoing scrutiny performed by competitors.

In summary, as outlined in this article, protecting your prototype takes effort; however, in many cases the benefits from doing so exceed the costs. Failure to properly identify, understand and manage these risks can lead to a loss of market share, future revenue, shareholder returns and brand damage, whilst being overzealous with security can mean your business never gets out of the starting blocks in its product development race. This balance must be carefully managed in prototype security.


Product security risk assessments for tangible goods

Author: Paul Curwell

State of art – managing fraud and security risk in relation to products

It makes sense that out of the universe of products on the market globally some products are more attractive to thieves and criminals, including trusted insiders, than others. Whilst working through my holiday reading I came across some research undertaken in 1999 by Ronald Clarke, a leading criminologist.


I’ve been interested in what makes a product vulnerable to security and fraud risks for at least ten years. Take a moment to think about what we do with products: whether a passport or airplane part, we manufacture them before ultimately selling them to consumers, most of whom are free to use them and resell them at will on the secondary market. This means they need some protection against fraud and security threats, especially if your reputation or commercial revenue model is linked to the product’s ongoing integrity.

Whilst working in banking my team would undertake product fraud and security threat and risk assessments, at that stage primarily on the bank’s new fleet of Automatic Teller Machines (ATMs). ATMs are targeted in a number of ways, both physically and virtually, through attack vectors such as ram raids, Plofkraak attacks, and cyber hacking to ultimately access the cash contained inside. More recently, I provided expert review of threat and risk assessments for a suite of financial services and identification products (including digital identities) for another client.

To my knowledge, there is no formal threat and risk assessment methodology for products per se, but Clarke’s methodology seems a good starting point.

What satisfies a criminal’s cravings?

In his research, Clarke found that products commonly targeted by shoplifters in retail exhibited six attributes, which spell the acronym CRAVED, as follows:

  • Concealable – this is relative to the situation. Shoplifters might target small items they can easily conceal in clothing (e.g. watches) over a large TV, but sometimes it’s easier to walk out with something large. I previously did some work with a client involved in international air freight, and one of their risks was that trusted insiders could smuggle large items concealed in something else out of the airport through a legitimate freight shipment.
  • Removable – to target a product, you need to be able to pick it up and move it. Unlike services, products are generally transportable.
  • Available – there are two elements to this – products that are widely available, and those that are readily accessible (i.e. not kept in a locked cabinet with inventory or stock in store). Audit logs and access control measures, amongst others, should protect more valuable items.
  • Valuable – whether trusted insiders or organised fraud rings, criminals generally don’t steal things which are not of value to them. Value is also contextual – whilst a high demand product such as consumer electronics is seen as valuable to a large potential market, some products might be valuable to an individual for a specific purpose. We can reasonably expect the former might be targeted multiple times by one or more actors, whilst the latter category might be targeted only once.
  • Enjoyable – Clarke’s work looked at products most commonly associated with shoplifting, so there is an element of consumer desire (i.e. wants and needs) here. But if our COVID crisis has taught us anything about supply chains, it’s that Maslow’s hierarchy of needs also plays a role (the repeated hoarding of toilet paper by consumers comes to mind).
  • Disposable – attractive products are those easily sold, or resold, either for cash or another form of value transfer. There is more demand, hence more of a market, for some products than others. Think of how easy it is to dispose of a second hand (or stolen) fridge over a passport.

Readers will note that CRAVED really applies to security related threats, such as theft, much more than fraud. I’m not aware of any formal product fraud risk assessment methodology.

How can we apply the CRAVED construct to manage product risk?

Clarke’s research was performed in 1999, so it is somewhat dated but the principles likely remain valid. Also, the research focused on retail and is not representative of other industries. Nevertheless, we can use the principles outlined by Clarke to inform the design of any product specific risk assessment methodology: CRAVED provides a starting point.

Based on my experience assessing product risk for fraud and security threats, I offer three tips to consider when designing and / or executing a product risk assessment to address fraud and security threats:

Tip 1: Analyse your historical incidents

Collecting detailed incident data is a foundational element of any fraud, security or risk function. Ideally, you want to capture as much detail as you can at the time of the incident, even if it may not seem relevant now. It may be much harder, or even impossible, to capture some data in the future.

TIP: If you are not doing this already, you should start. Ideally, try to collect as much historical data for say the past 12-24 months as you can, even if it is not complete, and put in place processes and tools to collect rich incident data going forward.

As you start to analyse your historical incident data, ask yourself the following questions:

  • Which product(s) are most commonly targeted? Assuming the Pareto Principle (‘80:20 rule’) applies, a small number of your product models will be targeted more commonly than others. You need to identify these and assign a higher likelihood score during your risk assessment.
  • Are there any geographical aspects to these incidents? E.g. do they commonly occur in specific locations? This might indicate that some products are more likely to be stolen or attacked in a specific geographical area. The logical follow up question here is why…
  • Are there specific dates or times when most incidents occurred? In some forms of fraud, it is common to see spikes in fraud incidents in summer and a significant decline in winter. Additionally, some forms of crime are more likely to happen at night. Perhaps you might identify an unusual pattern, such as high rates of theft on a weekend when your business is closed, suggesting a potential insider threat.
  • How do these incidents occur? You need to get a good understanding of the criminal’s business process, particularly if there is a specific pattern or series of steps that are commonly undertaken which you might be able to disrupt using internal controls (mitigations). You can use a variety of analytical methods here including business process mapping, red teaming and analysis of competing hypothesis to achieve this.
  • Who is the perpetrator? Even if you can’t identify the perpetrator by name (which is unlikely), try to categorise perpetrators into groups such as opportunistic individuals, organised criminals, organised crime (e.g. mafia), trusted insiders etc. Over time, as you develop richer data sources and a deeper understanding of your data, you might be able to distinguish groups or sub-categories based on the group’s specific behaviours (i.e. their Modus Operandi [MO] or Tactics, Techniques and Procedures [TTPs]), such as a specific organised fraud ring.
  • Why do you think specific products are being targeted? You may need to do some critical thinking here, or alternately comparative case analysis methods would be helpful. You need to understand whether the products that are mainly being targeted (e.g. the 20% – assuming the 80:20 rule applies to your data) are being targeted for a reason. Ask yourself, do they share common attributes (such as the CRAVED attributes identified by Clarke)?
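
As an added illustration of the first three questions above (not part of the original post), the following Python example ranks products by incident count, measures how many incidents fall on days the business is closed, and counts incidents per site. The incident records, product names and sites are constructed sample data, and the 80% threshold and Saturday/Sunday closure are assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample records: (product, site, ISO timestamp). Not real data.
INCIDENTS = [
    ("phone-A", "Sydney", "2023-01-07T02:15"),
    ("phone-A", "Sydney", "2023-01-08T23:40"),
    ("phone-A", "Sydney", "2023-01-14T03:05"),
    ("phone-A", "Melbourne", "2023-01-10T14:20"),
    ("phone-A", "Sydney", "2023-01-21T01:50"),
    ("tablet-B", "Sydney", "2023-01-15T04:30"),
    ("tablet-B", "Melbourne", "2023-01-11T11:00"),
    ("tablet-B", "Sydney", "2023-01-22T02:10"),
    ("cable-C", "Brisbane", "2023-01-19T16:45"),
    ("case-D", "Melbourne", "2023-01-25T09:30"),
]

def pareto_products(incidents, threshold=0.8):
    """Smallest set of products, most-hit first, covering `threshold` of incidents."""
    counts = Counter(product for product, _, _ in incidents)
    total = sum(counts.values())
    covered, top = 0, []
    for product, n in counts.most_common():
        if covered / total >= threshold:
            break
        top.append(product)
        covered += n
    return top

def closed_day_share(incidents, closed_weekdays=(5, 6)):
    """Fraction of incidents on closed days (assumed Saturday=5, Sunday=6)."""
    hits = sum(1 for _, _, ts in incidents
               if datetime.fromisoformat(ts).weekday() in closed_weekdays)
    return hits / len(incidents)

def site_counts(incidents):
    """Incident count per site, highest first, to expose geographic clusters."""
    return Counter(site for _, site, _ in incidents).most_common()

def likelihood_flags(incidents, threshold=0.8):
    """Mark the Pareto products 'high' so they get a higher likelihood score."""
    top = set(pareto_products(incidents, threshold))
    return {p: ("high" if p in top else "baseline")
            for p in {product for product, _, _ in incidents}}

if __name__ == "__main__":
    print(pareto_products(INCIDENTS), closed_day_share(INCIDENTS))
    print(site_counts(INCIDENTS), likelihood_flags(INCIDENTS))
```

In this sample, a high share of closed-day incidents concentrated at one site is the kind of pattern that would prompt the follow-up "why" and insider-threat questions in the list above.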

Tip 2: Identify any design attributes which could be modified to reduce the product’s attractiveness to criminals

Sometimes there are design attributes to a product, or even a service (e.g. a business process) that makes one manufacturer’s product more likely to be targeted than a competitor. Additionally, sometimes the design of a product makes it more likely to be targeted – an example could be not having branding or a serial number readily visible, which might allow criminals to ‘rebadge’ it as it is being sold. Repackaging is another area of risk here. Understanding these factors means you can work with product managers and design engineers to modify your product and make it less attractive to criminals, which means it is less likely to be targeted.

Ultimately, your goals here are revenue and brand protection. If you can design your product to be a ‘harder target’ (i.e. less attractive), you might save on downstream fraud and security costs. Alternately, some products are readily counterfeited, with sometimes lethal consequences for unsuspecting consumers. Aside from potentially tragic impacts to consumers’ lives, your organisation’s brand and reputation might be adversely impacted simply because your product design was easy to counterfeit and commercially attractive to counterfeiters.

In this case, the cost of the reputation or brand damage (such as by consumer boycotts, lost sales) may far exceed the costs of product redesign or implementing additional security measures. Product managers need to know if anything specific makes their product overly attractive to criminals, and if so, do something about it in the design phase.

Tip 3: Understand where the product is most likely to be attacked or compromised

For example, if a product is more at risk during shipment, can better cargo security measures be implemented? If a product is at risk of counterfeiting, product authentication measures such as security packaging and traceability programs could be the solution.

It is very uncommon to encounter situations where managers have unlimited resources – a well-designed product risk assessment methodology can be used to identify those products requiring increased protection based on likelihood and consequence, and those requiring less protection. These insights can be used to efficiently allocate your limited risk management resources, as well as helping product managers understand why their product is at risk.

Further reading:

  • Clarke, Ronald V., and John E. Eck. 2016. Crime Analysis for Problem Solvers in 60 Small Steps. Washington, DC: Office of Community Oriented Policing Services.
  • Clarke, Ronald. 1999. Hot Products: Understanding, anticipating and reducing demand for stolen goods. No. 112 in Police Research Series. London: Home Office.
