The number and frequency of occupational fraud incidents continue to rise. According to Verizon’s 2014 Global Data Breach Investigation Report, organisations’ top insider threat is staff members abusing the access privileges their systems legitimately grant them to commit nefarious acts. Notably, the report indicates that the vast majority of incidents involve employees using their organisations’ corporate LAN as the attack vector, and that they commit their crimes on company premises.
Occupational fraud is serious business. In addition to the risk of financial loss, reputational damage and losing customers’ trust, corporate victims of occupational fraud can also face increased regulation plus civil and even criminal penalties.
It might be impossible to successfully counter every insider threat. However, companies can and should take proactive steps to identify and address the problem through a combination of strengthened employment policies and data analytics tools. These tools can quickly process and analyse large volumes of data from numerous sources to connect the dots, identify events and relationships of interest plus disrupt insider crime.
First line of defence? Strengthen pre-employment checks.
Many employment recruiters rely on an element of trust. They frequently take job applicants at their word when they check a box declaring that they have nothing to disclose. However, they might be lying outright or by omission — by failing to mention a conviction in another jurisdiction, for example.
Ineffective background checks also comprise a large part of the problem. New employees shouldn’t begin work until organizations have followed up on their references. Do not place a candidate who has “references pending” into any position of trust until you’ve run a check. Your agreements with agencies should clearly state this requirement. Also, agencies should guarantee that they’ll check all references and complete all background checks. Penalise them if they don’t.
Cross-reference applicants against your organization’s internal records. I knew of a case in which the bank had closed a customer’s account because the customer had committed credit card fraud. Unbelievably, within 12 months the ex-customer landed a customer service job with the same bank, gained access to the bank’s systems, stole customers’ personally identifiable information (PII) and passed it to outside conspirators!
Similarly, a criminal team might infiltrate an organization using false backgrounds and lying on job applications. For example, in the ultimate inside job, multiple bank tellers colluded to steal nearly $1 million from hundreds of customers in several branches. The tellers took customers’ PII such as Social Security and account numbers and gave them to others in the ring — who would then make fake IDs, drivers’ licenses and checks.
Others in the ring would take the fake IDs and withdraw money from accounts in the same branches. An internal investigation revealed that the involved employees all were connected; they had used the same reference telephone numbers, lived at the same address and, in some cases, deposited wages into the same bank accounts.
In this case, the bank should have used advanced crime analytics tools to quickly process and analyze mass amounts of information, which would have allowed investigators to detect suspicious links and surface unusual relationships among employees. Managing such data quickly and efficiently can be crucial to finding a rogue employee or stopping an elaborate scheme.
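The link analysis described above, as an added example that is not part of the original article: it builds an index of shared reference phone numbers, home addresses and payroll accounts across constructed HR records, then clusters employees transitively so that a ring whose members are only pairwise connected still surfaces as one group for review. Names, phone numbers, addresses and account identifiers are fictional.

```python
# Added example (not from the article): link analysis over constructed HR records
# to surface employees connected by shared reference phone numbers, home addresses
# or payroll bank accounts, the overlaps the bank-teller ring above exhibited.
from collections import defaultdict
from itertools import combinations

# Constructed sample records; every value here is fictional.
EMPLOYEES = [
    {"id": "E100", "ref_phone": "555-0101", "address": "1 Elm St", "payroll_acct": "ACC-1"},
    {"id": "E101", "ref_phone": "555-0199", "address": "2 Oak Ave", "payroll_acct": "ACC-2"},
    {"id": "E102", "ref_phone": "555-0101", "address": "9 Pine Rd", "payroll_acct": "ACC-3"},
    {"id": "E103", "ref_phone": "555-0177", "address": "9 Pine Rd", "payroll_acct": "ACC-4"},
    {"id": "E104", "ref_phone": "555-0150", "address": "7 Birch Ln", "payroll_acct": "ACC-4"},
    {"id": "E105", "ref_phone": "555-0160", "address": "3 Ash Ct", "payroll_acct": "ACC-5"},
]
LINK_FIELDS = ("ref_phone", "address", "payroll_acct")

def shared_attribute_links(records, fields=LINK_FIELDS):
    """Return {(id_a, id_b): [field, ...]} for every pair sharing a value in some field."""
    index = defaultdict(list)  # (field, value) -> [employee ids holding that value]
    for rec in records:
        for f in fields:
            if rec.get(f):
                index[(f, rec[f])].append(rec["id"])
    links = defaultdict(list)
    for (f, _), ids in index.items():
        for a, b in combinations(sorted(ids), 2):  # each shared value links every pair
            links[(a, b)].append(f)
    return dict(links)

def connected_groups(records, fields=LINK_FIELDS):
    """Cluster employees transitively via shared attributes (union-find); return groups of 2+."""
    parent = {r["id"]: r["id"] for r in records}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups short
            x = parent[x]
        return x
    for a, b in shared_attribute_links(records, fields):
        parent[find(a)] = find(b)
    groups = defaultdict(list)
    for eid in parent:
        groups[find(eid)].append(eid)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

if __name__ == "__main__":
    for pair, fields in sorted(shared_attribute_links(EMPLOYEES).items()):
        print(f"{pair[0]} <-> {pair[1]} share {', '.join(fields)}")
    print("groups for review:", connected_groups(EMPLOYEES))
```

Pairs that share an attribute are only leads, not findings; the point is that E100 and E104 share nothing directly yet land in one group because the chain of shared values connects them.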
Tackle the threat from the start
Companies, of course, should educate all new employees about fraud protection policies and individual responsibility to report suspicious behavior. Senior management should spread the word not just during orientation sessions but through frequent updates reinforced by supportive messages about organisations’ ethical standards. Companies can highlight messages on screensavers and login pages. They also can place data security enforcement messages on email opening screens.
Organisations also should hold regular meetings to update staff on policies and the law and reiterate to line managers that they should watch for suspicious activities. Organisations should establish communications channels for those who want to blow the whistle, and protect them from negative repercussions. According to the 2014 ACFE Report to the Nations on Occupational Fraud and Abuse (ACFE.com/RTTN), whistleblowing still accounts for the highest level of early identification of occupational fraud.
Fraudsters can ingeniously and effectively employ simple methods to defeat even the most sophisticated internal controls. In one example, strict controls within a call center that handled card transactions prohibited the use of mobile phones, electronic devices and even pen and paper so employees wouldn’t steal card data.
I know of another case in which a call-center employee maneuvered around the controls by regularly playing solitaire with a deck of playing cards during short breaks. With each deck, he would surreptitiously arrange the face cards (king, queen, jack) to signify a type of credit card (MasterCard, Visa, etc.) and the numbered cards (one, two, three, four, etc.) to record credit card numbers and expiry dates. Every night he would take home an arranged deck of cards, and he’d have another stolen credit card.
Strict enforcement of password security is essential. I know of an honest employee who told management that members of a new project team were sharing a single password because the IT department told him it was too busy to create new passwords. He was right to speak up! Sharing passwords makes fraudulent behavior harder to trace and puts other colleagues at risk should a rogue employee breach security. The employee recognized the danger to the business, himself and his colleagues.
Know your employees
What drives occupational fraud? Motivation can include pure intent at the outset (as when a fraudster seeks employment to commit fraud or data theft), general criminal greed or the result of operational failures leading to opportunistic criminal acts.
Most insider fraudsters perpetrate their crimes for financial or personal gain. However, another fast-growing crime — insider espionage, which targets internal data and trade secrets — might pay more dividends for fraudsters in the long term. You can know your employees better by understanding their motivations.
Knowing and understanding your employees is key to management’s awareness of risk. Management should particularly be cognisant of employees’ behavioral or personality changes, requests for emotional or financial help or uncharacteristic actions that can lead to desperate acts with serious consequences — not just for the employee, but also for the employer.
Sometimes friends or acquaintances might lead unwitting employees to unknowingly provide sensitive information about the bank’s systems or data to criminals. Fraudsters can be smart. They do their homework. Once they’ve identified potential target employees, they learn about their interests, weaknesses and work history through social media. They use this information to compromise and coerce these employees into participating in criminal activity. The fraudsters’ goal is to motivate employees to steal data for fraud schemes or solicit intellectual property to gain business advantages.
However, if you don’t fully understand the threat or motivation behind an inside attack, then you don’t know what to look for. Data analytics software allows fraud examiners to easily and quickly manage, integrate and analyse complex data and intelligence from disparate sources to pinpoint and highlight suspicious activities, unusual relationships and persons and events of interest.
Mitigate insider risk early to minimise exposure
Detecting developing threats behind the firewall isn’t easy. In today’s threat landscape, organisations face extremely sophisticated insider intruders who abuse legitimate access rights to manipulate and steal data. They continually upgrade their capabilities and penetration methods. They conceal their work within networks so well that they remain undetected until it’s too late.
Sometimes organisations detect insider misuse in days but more often it takes weeks, months or years. By then, the damage has been done, and sometimes it’s irreparable. Of course, a quickly responding organisation has a much better chance to prevent the compromise or loss of critical information. It now has valuable time to understand a situation, stop the problem from spreading, better protect operations and PII and manage the outcome.
Real-time, 24/7 monitoring analytics can detect suspicious user patterns plus identify and manage internal risk to quickly mitigate potential threats.
As well as being the president and Chairman of the ACFE UK Chapter, ACFE Regent Emeritus Jim Oakes, CFE, CFCI, is the director of financial crime for the Wynyard Group