The threat from within: how to prevent employee collusion

The majority of insider fraud losses are cased by collusion of two or more employees, accord to the latest study of ACFE (Association of Certified Fraud Examiners) organisations. This is despite the fact that only 45% of the incidents are attributed to collusion.

Businesses lose close to 5% of their revenues each year due to insider fraud, which is eroding their data integrity and security, consumer confidence, and bottom line.

Employee collusion is posing threats to businesses because it involves larger damages and is more difficult to detect. When more employees are involved there are more opportunities to commit fraud and it is easier to circumvent anti-fraud controls and conceal the fraud longer.

>See also: How to create the perfect insider threat programme

Employees who attempt to commit fraud are typically familiar with the controls that have been put in place, and can try to circumvent them. For example, when companies require certain transactions to be authorized by a second employee, the fraudsters can work together to ensure that fraudulent activities are approved.

Bank employees that know the size of transactions that will set a red flag for suspicious activity can siphon off smaller amounts of money over a longer periods of time to avoid detection.

When businesses segregate functions between roles to lower the opportunities for employees to commit fraud, employees can work together to bypass these restrictions.

For example, typically in banks, only administrative personnel using back office systems can reactivate a dormant account, while only bank tellers can transfer funds. If administrative personal and bank tellers work together these constraints can be easily overcome.

How can collusion be avoided?

In order to detect potential insider fraud, businesses need to monitor and recognise unusual employee behavior. This can include things like sudden extravagant purchases, or not taking vacations in order to perpetuate the crime and prevent detection.

Using monitoring systems to track when employees perform unusual changes to information systems can also detect suspicious behavior. However, in all of these cases, fraud can be detected only after damages have been incurred.

An even better way to prevent fraud is to monitor data searches in order to detect when employee are planning fraud. For example, if a bank employee is attempting to deplete a dormant account, the first step is to perform inquiries to find inactive accounts with high balances.

By monitoring user queries, investigators can identify where employees are looking for potential targets before a dormant account is re-activated or money is transferred.

Another approach is to compare an individual’s behavior with the relevant peer group. An analytic engine that learns the normal behavior of individuals, and can compare it with normal behaviour of other employees with similar roles in the same department or in other departments, can be more accurate at identifying fraud attempts.

For example, when a back office employee makes a query to discover accounts that have been inactive for eight to nine months – just before they are automatically flagged as dormant – this behavior can be flagged as suspicious, when compared with typical queries conducted by his peers.

Also, when multiple employees perform suspicious transactions on the same accounts, this can be a clear indication that collusion is occurring. For example, if a back office employee and a bank teller are consistently viewing the same accounts, this can be an indication that they are working together to take over the account.  

>See also: The cyber enemy within: Rise of the insider threat

Visual link analysis can uncover sophisticated scenarios that are difficult to uncover using traditional representations such as tables and charts. Tools that can cluster events and identify trends with a visual display speeds up investigation and resolution.

By monitoring and analysing all employees’ activity, and looking for signs of collaboration, organisations can detect suspicious activity before any funds are lost or their reputation is tarnished.

 

Sourced from Hagai Schaffer, Bottomline 

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...

Related Topics