Just as hackers are one step ahead of cyber-security experts in leveraging technology, corporate fraudsters are one step ahead of companies in using technology to work their internal deceits.

KPMG’s latest global report providing a profile of the typical fraudster says perpetrators are gaining an edge over corporate anti-fraud controls by making better use of technology than the companies they route. The 2016 report says weak controls were a factor in 61 percent of frauds through 2016, based on interviews with 750 fraudsters. That’s up from 54 percent in 2013. Three years ago, 18 percent of fraudsters said they purposely exploited weak controls to gain their illicit access to the corporate jewels, and that grew to 27 percent in 2105.

In fact, technology led to detection of fraud in only 3 percent of cases, KPMG reported, while technology enabled the fraud in 24 percent of cases. In North America, 29 percent of frauds were somehow enabled by technology, the report says.

Whistleblower tips proved the most common means of detecting frauds, representing 43 percent of discoveries. Management reviews detected the frauds 22 percent of the time, and 14 percent of frauds were discovered purely by accident.

KPMG’s study encompasses fraud incidents that the firm has investigated from all over the world. The report provides a view into who is most apt to engage in a fraud scheme and why. The most common perpetrators are male (although the incidents involving women are rising), age 36-55, and employed by the company in an executive position. They are typically well respected and colluding with others.

“Technology is being used to enable fraud,” says Phillip Ostwalt, global leader of KPMG investigations service network. “In North America, a number of the frauds we studied were significantly enabled by technology whereas proactive data analytics was never the primary means of fraud detection. That’s one of the headlines out of this.”

The use of technology to prevent and detect fraud is a big topic of discussion in fraud risk management circles, says Ostwalt. “How do you effectively deploy analytic solutions and where should you be pointing them?” he says. “That’s the critical question right now.”

Anecdotally, Ostwalt says he sees companies making some investment in analytics but not getting immediate return. “The tools are capable,” he says. “Its how the tools are being deployed.”

Even more critical, says Ostwalt, is doubling down on internal controls. “It’s difficult for companies to maintain a proper internal control structure in a world where so much is changing,” he says.