Fraud Risk Assessment
Owner: Security Officer · Approved by leadership · Version 1.0 · Effective 27 May 2026 · Next review 27 May 2027
1. Purpose
This document is the annual Fraud Risk Assessment required by the AICPA Trust Services Criteria CC3.3 (consideration of the potential for fraud in assessing risks to the achievement of objectives) and aligned with the COSO 2013 fraud-risk principle. It identifies the categories of fraud risk applicable to Glassbreak, evaluates each against likelihood and impact, summarises current controls, and records the residual risk and treatment decision.
It operates within the boundaries of the ISMS Scope, references the controls catalogued in the Statement of Applicability, and feeds the Risk Treatment Plan.
2. Scope
This assessment covers fraud risk against:
- Glassbreak (the organisation) — as a victim, including financial fraud and theft of intellectual property;
- Customers — through misuse of the platform by Glassbreak workforce, by attackers, or by sub-processors;
- Third parties — through Glassbreak being used as a vector in fraud directed at others (for example, account impersonation, business-email-compromise pathways).
It does not cover customer-side fraud risk (the customer's own organisation using the platform fraudulently); that is the customer's own ISMS scope and is addressed in the Acceptable Use expectations and the Terms.
3. Methodology
The assessment uses the same qualitative likelihood × impact methodology as the Risk Treatment Plan (sections 2.3–2.5). For each fraud category, the assessment records:
- The fraud vector (how it might happen).
- The motivation (financial gain, espionage, sabotage, personal).
- Inherent likelihood and impact (before current controls).
- Current controls.
- Residual likelihood and impact (with controls operating).
- Treatment decision (mitigate, accept, transfer, avoid).
- Owner and target date.
4. Fraud risk categories
4.1 F-01 — Insider misuse of administrative access
- Vector. A workforce member with legitimate administrative access uses that access for an unauthorised purpose — curiosity-driven access to customer metadata, sale of access information, fabrication or modification of audit log entries to conceal a prior action, or use of administrative interfaces for personal gain.
- Motivation. Financial, personal, or coerced.
- Inherent rating. L3 × I4 = High.
- Current controls.
  - Cryptographic design: customer plaintext is encrypted on the data subject's device, so the workforce cannot read it under any circumstance.
  - Least-privilege admin grants in the access register; quarterly access review.
  - MFA on every admin action; admin actions logged in the admin-action audit log.
  - Background-check requirement for production access roles per /policies/onboarding §3.2.
  - Sanctions procedure at /policies/sanctions with explicit Gross-category coverage of deliberate unauthorised access, audit-log tampering, and misrepresentation.
  - Daily security-posture probes verify admin-control invariants.
  - Tamper-evident audit chain on the Q4 2026 plan (RTP R-05).
- Residual rating. L2 × I3 = Moderate.
- Treatment. Mitigate. Operationalise just-in-time elevation and close known gaps in admin impersonation logging (RTP R-04).
- Owner. Security Officer.
- Target. Q3 2026 for the impersonation log hardening; continuous for the standing controls.
4.2 F-02 — Social engineering of workforce
- Vector. A workforce member is targeted by phishing, vishing (voice call), pretexting, or business-email-compromise techniques to extract credentials, secrets, or to perform an unauthorised action under instruction (a fraudulent payment, an unauthorised access grant, a credential rotation that benefits the attacker).
- Motivation. Financial (gain access to a valuable downstream target), espionage, or sabotage.
- Inherent rating. L4 × I4 = High to Severe.
- Current controls.
  - Hardware-key (WebAuthn) MFA where available; phishing-resistant by design.
  - Annual security awareness training plus role-specific training per /policies/onboarding §§4.3, 5, 8.
  - Two-person approval for high-blast-radius operational actions (production credential rotation, customer-data disclosure outside the documented data-subject rights path).
  - Acceptable Use Standard prohibits credential sharing, forwarding, or storage in personal channels.
  - Workforce members are explicitly instructed that no Glassbreak leader will ever request a password, an MFA code, a hardware-key removal, or a credential rotation via chat or SMS.
  - Suspected social-engineering attempts are reported to security@glassbreak.io and handled under the Incident Response Policy.
- Residual rating. L3 × I3 = Moderate.
- Treatment. Mitigate. Phishing simulation on the annual training cycle (RTP R-11); reduce remaining surface area on accounts that still rely on TOTP rather than WebAuthn.
- Owner. Security Officer.
- Target. Q4 2026.
4.3 F-03 — Sub-processor compromise
- Vector. A sub-processor with access to Glassbreak material is compromised (internally, by an attacker, or through its own sub-processor) and the attacker uses that access either to read Glassbreak data or to deliver fraudulent content into Glassbreak's operational surface (a malicious email through the transactional email provider, a fraudulent payment notice through the payments provider, a poisoned CI artefact through the registry).
- Motivation. Variable; often opportunistic monetisation of stolen access.
- Inherent rating. L3 × I4 = High.
- Current controls.
  - Cryptographic design: customer plaintext is unreadable to sub-processors by virtue of not holding the keys.
  - Two independent compute and storage stacks with no shared queue; sub-processor failure in one stack does not propagate to the other.
  - Sub-processor list at /legal/sub-processors with declared role and jurisdiction; lifecycle documented in the Supply Chain Risk Management Plan.
  - Webhooks from financial sub-processors are signature-verified at the receiving boundary.
  - Transactional email is sent on dedicated domains with SPF, DKIM, and DMARC alignment to limit spoofing.
  - CI artefacts are built reproducibly from source; third-party Actions are pinned to commit hashes.
  - Sub-processor security advisories monitored; the Incident Response Policy treats sub-processor compromise as an in-scope incident.
- Residual rating. L2 × I3 = Moderate.
- Treatment. Mitigate. Annual sub-processor re-attestation cycle (RTP R-10); SBOM generation on the Q3 2026 plan (RTP R-06).
- Owner. Security Officer.
- Target. Annual cycle; Q3 2026 for SBOM.
4.4 F-04 — Financial fraud against the company
- Vector. Fraudulent payment requests, invoice fraud, payroll fraud, expense fraud, fraudulent refund requests, fraudulent procurement, or business-email-compromise pathways aimed at diverting company funds.
- Motivation. Financial.
- Inherent rating. L3 × I3 = Moderate to High.
- Current controls.
  - Segregation of payment authorisation from payment execution; payments above defined thresholds require two approvers.
  - Bank-account changes for sub-processors and other counter-parties are verified through an out-of-band channel before the next payment is released.
  - Standing payment relationships are reviewed quarterly; lapsed counter-parties are removed.
  - Expense submissions are reviewed against policy.
  - Card data is held by Stripe; Glassbreak does not store payment-card data.
  - Anti-fraud controls in Stripe (3-D Secure, risk-scored authorisation) protect inbound transactions; chargeback monitoring detects fraudulent purchase patterns.
  - Inbound payment-instruction emails are treated with the same scrutiny as social-engineering attempts (F-02).
- Residual rating. L2 × I3 = Moderate.
- Treatment. Mitigate. Document the standard counter-party verification procedure as a controlled Standard during the SOC 2 readiness work.
- Owner. Security Officer (with leadership).
- Target. Continuous; documented Standard Q3 2026.
4.5 F-05 — Use of the platform as a fraud vector against third parties
- Vector. An attacker uses Glassbreak as a distribution mechanism for fraud — for example, takeover of a customer organisation owner account to send fraudulent break-glass share invitations under the organisation's identity, or use of the platform's notification surface to phish a third-party recipient.
- Motivation. Financial, espionage.
- Inherent rating. L3 × I3 = Moderate.
- Current controls.
  - Account-takeover controls per F-02 above and RTP R-07 (Argon2id, TOTP/WebAuthn, refresh-token family-based reuse detection, rate limiting).
  - Outbound notifications carry the organisation identifier and the action so recipients can verify legitimacy through context.
  - Abuse-report channel at abuse@glassbreak.io handled with documented turnaround.
  - Suspicious outbound patterns (volume, recipient mismatch) trigger rate-limit and review.
- Residual rating. L2 × I3 = Moderate.
- Treatment. Mitigate. Make MFA enforcement a tenant-level requirement that customer admins can mandate for their members; expand step-up authentication on high-blast-radius actions.
- Owner. Engineering.
- Target. Continuous; tenant-level MFA enforcement tooling on product roadmap.
4.6 F-06 — Misrepresentation of security posture
- Vector. Glassbreak (or a workforce member) overstates the platform's certification status, control coverage, or incident history to a customer, an auditor, an investor, or a supervisory authority.
- Motivation. Financial (close a sale, secure investment), reputational.
- Inherent rating. L3 × I4 = High.
- Current controls.
  - Published gap-assessment pages at /trust/soc-2, /trust/iso-27001, /trust/hipaa, and /trust/fedramp state exactly what is held and what is not.
  - The live trust page publishes only controls measured green for 30+ consecutive days; the measurement is independent of marketing assertion.
  - Knowing misrepresentation of security posture is an explicit Gross-category violation in /policies/sanctions §3.3.
  - Security-relevant external statements are reviewed by the Security Officer before publication.
  - Sales collateral references the published trust pages rather than asserting compliance standalone.
- Residual rating. L1 × I4 = Moderate.
- Treatment. Mitigate. Continuous review of external assertions; the published trust pages remain the single source of truth.
- Owner. Security Officer.
- Target. Continuous.
4.7 F-07 — Collusion
- Vector. Two or more workforce members collude to bypass a control that depends on segregation of duties — for example, joint approval of a fraudulent payment, or joint suppression of an incident from the register.
- Motivation. Financial, personal.
- Inherent rating. L1 × I4 = Moderate.
- Current controls.
  - Daily security-posture snapshot is automated and external to any individual approval flow; it cannot be suppressed by approval-stage collusion.
  - Audit log replication out of the application plane to Grafana Cloud limits the success of in-place tampering.
  - Public trust-page publication is gated on the automated snapshot, not on internal sign-off.
  - External assessments (penetration test, SOC 2 auditor, ISO 27001 certifier in the future) provide independent observation that detects collusion patterns.
  - Whistleblower channel — workforce members may raise concerns to the Security Officer or, where the concern relates to the Security Officer or leadership, to the independent contact identified in the workforce handbook (see /policies/sanctions §8). Retaliation is prohibited.
- Residual rating. L1 × I3 = Low.
- Treatment. Accept (continue to monitor). Treatment is mitigation through the standing controls; further investment is disproportionate at current scale.
- Owner. Security Officer.
- Target. Continuous review at the annual cycle.
5. Summary
Of the seven categories assessed, all are treated by mitigation. F-07 (collusion) is in the lowest residual band and relies on the standing controls; the other six are treated with continuous mitigation plus identified workstreams in the Risk Treatment Plan.
No fraud category carries a residual rating of High or above. If a category moves into that band at any quarterly review, it is escalated to leadership and remains an active workstream until reduced.
6. Records
- This assessment is published with version control under web/src/app/(landing)/policies/fraud-risk-assessment/.
- Quarterly review notes are recorded against the operational risk register.
- Fraud-relevant incidents are recorded in the incident register; suspected-fraud incidents are tagged accordingly for trend analysis.
- Records are retained for at least 5 years.
7. Review
This assessment is reviewed at least annually and after any suspected-fraud incident regardless of category. The next scheduled review is 27 May 2027.
8. Related documents
- ISMS Scope
- Risk Treatment Plan
- Information Security Policy
- Incident Response Policy
- Sanctions & Disciplinary Policy
- Onboarding Policy
- Offboarding Policy
- Supply Chain Risk Management Plan
- Audit-log Retention Policy
Counter-signed PDF copy available on request to compliance@glassbreak.io.