How insider fraud can be detected and avoided in the enterprise
IT sabotage and insider threats can put an organization at great risk. Guest expert Peter Sullivan details preventative measures to take and employee training techniques.
The CERT/CC defines insider fraud as "an insider's use of IT for the unauthorized modification, addition or deletion of an organization's data (not programs or systems) for personal gain or the theft of information that leads to an identity crime." The U.S. Secret Service defines identity crime as "the misuse of personal or financial identifiers in order to gain something of value and/or facilitate some other criminal activity."
Information targeted for fraud covers a wide range of personal data, including personal identification data, such as driver's licenses, medical identities, criminal histories and immigration applications; personal financial data, such as credit cards, credit histories, utility bills and food stamp applications; and personal medical data, such as medical records and disability claims.
Understanding the insider threat requires understanding what motivates people to behave, whether that behavior is positive or negative. Personal financial gain is a common reason for committing insider fraud.
Insiders who commit fraud are generally employees with good access to data as part of their jobs. Similar to insider theft of intellectual property (IP), insider fraud is usually committed by employees doing the same kinds of activities that they do as part of their day-to-day jobs. Most insider fraud occurs during normal working hours, while the insider is on-site and able to use their access. Given these factors, it can be difficult to detect malicious insider behavior. In contrast to IT sabotage and IP theft, insider fraud is often carried out by employees in lower-level, nonprofessional, nontechnical jobs who have access to customer records and billing data.
In any discussion of patterns and behavioral characteristics, it is important to remind ourselves of why we are looking to discover the characteristics of insider fraud. Detecting one or more patterns of fraud does not mean that a malicious insider has been detected. Rather, understanding these risk indicators can be used to protect the organization and its employees against insider attacks, not to trap employees. Risk indicators should be used as input into a risk-based analysis of job positions at risk for insider fraud, to understand the organizational elements that influence insiders to carry out fraud and, most importantly, to develop and implement protection and mitigation strategies to protect an organization and its employees from malicious insider attacks of any kind.
Patterns in insider fraud
Any discussion of fraud needs to include American criminologist Donald Cressey's theory of the "fraud triangle" developed in the mid-20th century. Cressey studied why people violate trust and came up with three factors that must be present for a person to commit fraud:
Pressure to commit fraud may come from a financial problem, drug addiction, gambling losses, significant medical bills, collusion with outsiders or simple greed. Cressey observed that the problem or need that drove fraud was often "nonsharable," meaning that the problem must be resolved in secret due to extreme embarrassment or that sharing it might expose illegal or illicit activity that the insider wishes to conceal.
Opportunity refers to the ability to commit fraud or a set of conditions that allows fraud and a violation of trust to occur. For insider fraud, "opportunity" means that the insider has access to information that can be used fraudulently. The access required to commit the fraud may have been granted to the insider as part of their job, or access may be made possible by a lack of effective access controls. Another element of opportunity is the perceived probability of getting caught. A low perceived probability enhances the opportunity for fraud, while a high perceived probability of being caught diminishes the opportunity in the eyes of the insider.
Rationalization refers to the insider's justification for committing fraud and the process of making the insider's dishonest behavior somehow fit within the insider's personal ethical code. Low personal integrity or a flexible ethical code aids in rationalization.
According to the fraud triangle theory, all three elements must exist to drive an individual to commit fraud. Having these elements present, however, does not mean that everyone will commit fraud given the same pressures and opportunity. An insider's predisposition, and perhaps history, of committing theft and fraud is a critical element. Given the same pressures and opportunities, there are some insiders who, due to high personal integrity, will not commit fraud where other insiders will give in.
Ongoing crime
There are significant differences among insider fraud, insider sabotage of IT and theft of IP.
There are significant differences among insider fraud, insider sabotage of IT and theft of IP. Unlike other kinds of insider threat activity, insider fraud is usually a long and ongoing kind of crime. Insider IT sabotage and IP theft tend to be one-time events: explosive in nature and, often, occurring when the malicious insider leaves the organization.
In contrast, insider fraud activity typically continues for more than a year. During that time, the insider steals or modifies small pieces of information, such as credit card numbers, Social Security numbers and credit history information, where each fraudulent act brings some financial benefit and each act has a relatively small chance of being caught -- making it is easy to rationalize continuing the fraud. Due to the ease of committing fraud, some insiders continue their fraudulent activity even after the initial motivation or pressure to commit it disappears. In almost half of insider fraud cases studied by CERT/CC, fraud was able to be carried out for an extended period of time due to nonexistent or ineffective monitoring of business processes.
Institutionalized fraud: Fraud that benefits the organization
There is another type of insider fraud that may actually benefit the organization, at least for a while. Sometimes, the pressure, rationalization and opportunity to commit insider fraud are provided by the organization itself to its employees.
In 2016, a fraudulent account scandal erupted when Wells Fargo employees were discovered to have opened as many as 3.5 million fraudulent customer accounts. The scandal came to light when the Consumer Financial Protection Bureau assessed Wells Fargo a fine of $185 million as a result of illegal activity.
The drivers for this massive fraud were supplied by Wells Fargo itself. Former Wells Fargo sales employees reported that they all faced a company-mandated quota to sign up new accounts as salespeople who met the quotas received bonuses and those who did not meet quotas were fired -- the penalty for not meeting quotas provided the rationalization sales reps needed for committing fraud. This activity eventually became institutionalized as Wells Fargo provided employees with the ongoing opportunity to commit fraud.
It appears that Wells Fargo provided all elements of the fraud triangle from as early as 2002 to late 2016, affecting millions of customers.
What to do: Insider fraud
Insider fraud can be difficult to detect, especially since it is committed by employees doing the same activities they do as part of their day-to-day jobs. Given the difficulty of detection, a reasonable approach may be to reduce or eliminate opportunities to commit fraud -- or to anticipate the pressures to commit fraud.
Combating insider fraud starts with the identification of the types of information that may be -- or have been -- fraudulently used and the users who have access to it. An employee population may be at risk for fraud, deserving additional awareness, such as enrollment of employees into an employee reliability program, increased monitoring of information access and checks on how information is used.
Other steps organizations can take to protect against insider fraud include the creation or improvement of the auditing of critical business processes and verification modification of critical data, customer financial information and employee records. Organizations should also conduct background checks for potential employees, contractors and subcontractors that look for undisclosed criminal history or any history of financial difficulties that may provide the motive for fraud. To further help, employees should be provided with assistance programs if they are experiencing financial problems in order to head off fraud as a method of solving financial problems. Access privileges should be reviewed to prevent the accumulation of excess privileges and role-based access control should be used. Duties dealing with automatic enforcement should be separated, and organizations should consider temporarily disabling access when insiders travel outside the country, take a leave of absence or go on vacation.
