Alarming results from mega-study of real-world insider frauds. Typically costs 5% of revenue.
Published in May this year by the Association of Certified Fraud Examiners (ACFE), the 2012 Report to the Nations on Occupational Fraud and Abuse is the world’s largest study of insider fraud. Since 1996, the ACFE has produced seven of these reports, the previous one being in 2010.
Based on investigations into almost 1400 cases of occupational fraud that occurred in 94 countries between January 2010 and December 2011, the 2012 report provides a rare insight into the nature of insider fraud and the scale of the losses it is causing.
In all but nine of the 1388 cases investigated, the total loss from each fraud was recorded by the investigating Certified Fraud Examiner. The median loss was $140 000 or about R1.15m, but in over 20% of the cases the losses exceeded $1m – over R8 million.
As if these real-world figures aren’t worrying enough, what makes matters even worse is that in half of the all the cases investigated, none of the losses had been recovered.
Trusted, talented and tenured
The report says that the longer a fraudster has been employed, the higher the losses they cause. For example, perpetrators who had been employed for over 10 years caused a median loss of $229 000 or almost R1.9 million. That’s about 60% more than the median loss across the cases investigated for the ACFE report.
In comparison to long-serving insiders, the loss caused by employees who committed fraud in their first year on the job was only about 10% of that figure. And almost 90% of all fraudsters in the cases investigated had no history at all of any fraud-related conduct, further reinforcing their trusted status.
To underline this point about long-serving, trusted insiders who appear to be above suspicion, the former UK head of fraud and security for digital banking at Lloyds Banking Group was charged in May this year with allegedly stealing nearly £2.5m (R32m) from the bank over four years. The security chief had worked at Lloyds since 2000.
Moreover, in June, a senior manager at American bank, Citigroup, was convicted in New York of stealing $22 million – about R180m – from his employer between 2003 and 2011.
The fact that this particular case appears to have spanned eight years, highlights another typical characteristic of the insider fraudster: the ones that are caught have been stealing from their employers over fairly long periods of time. The ACFE study shows that investigated frauds lasted a median of 18 months before being detected.
However, some frauds take a great deal longer to detect, particularly those involving an organisation’s payroll. The report says that payroll frauds typically have the longest life span of all, with a median of 36 months between when they start and when they come to light.
A local indication of just how long these particular frauds can last came in 2009 when a former salaries accountant at SA firm, Omnia Holdings, was charged with stealing over R23m from the company over an eight-year period. Given the nature of the fraudster’s position, it’s probably fair to assume that the money was coming out of payroll.
Another characteristic of insider fraud is the ability of the perpetrators to cover their tracks – they’re talented at concealing their deception. The Citigroup fraud apparently relied on the insider being able to make various false accounting entries that created an illusion of legitimacy around the transactions that eventually ended up in his own account.
Corporate fraud detection. Effective?
In terms of how insiders get caught, it must surely come as a surprise that tip-offs and whistle-blowing by fellow employees are by far the most common way in which frauds are discovered, accounting for detection in over 40% of the cases on which the report is based. What’s surprising about this is that more structured and obviously far more costly mechanisms to detect insider fraud don’t seem to be working.
For example, the report states that a combination of formal processes such as account reconciliation; monitoring and surveillance; external audits; and document examination only resulted in discovering 14% of these frauds. That’s alarming given that 7% of the cases were detected completely by accident – and completely for free.
Internal audits fared a bit better in terms of fraud-detection rates, but even so, this measure only uncovered just over 14% of the cases investigated for the report. To make matters worse, in one-fifth of all cases, the insider had overridden whatever controls there may have been in order to carry out their crime and conceal their deception.
However, because so many business processes are now dependent on IT systems, what is disturbing is that of the almost 1400 cases investigated for the ACFE Report, only 1,1% were uncovered by IT controls. That’s just 15 cases.
The deceptive appearance of corporate IT security
Since the use of IT systems extends into almost all areas of a modern organisation, the damage caused by unauthorised IT access and activity can obviously come in many shapes and sizes. It certainly extends beyond people using a colleague’s IT access card or password to make fraudulent EFT payments.
That’s not to say that this form of insider fraud is not causing immense losses all on its own. At the beginning of 2012, Postbank announced a cyber theft of R42m through fraudulent transfers made by insiders who appear to have used the IT access credentials of fellow employees. And that was followed in February by the conviction of an FNB insider who used a keylogger to steal the access passwords and PINs of colleagues in order to fraudulently transfer R27.3m from the account of Amalgamated Beverage Industries.
You don’t need to be a professional fraud investigator to recognise that IT systems create a treasure trove of fraudulent opportunities for the crooked insider. In addition to well-publicised examples of EFT fraud, the insider has enormous potential to abuse IT systems in order to commit their crimes. Altering invoices, delivery notes and credit notes are some obvious ones, as are fiddling stock-control records and then moving goods through the proverbial back door.
But the more authority and knowledge an insider possesses, the more damage they can cause while covering their tracks in order to avoid detection. Consider, for example, the scale of the damage resulting from the theft of corporate secrets concerning matters such as production processes, R&D, source code, formulae, M&A activity, partnerships and alliances, geological surveys, product roll-outs, marketing and sales initiatives, financing arrangements, contract bids and deal negotiations, pricing structures, legal activities and financial forecasts and results.
A real-world example of the enormous damage this type of theft can cause was provided in June by Jonathan Davis, head of MI5. “One major London listed company with which we have worked estimates that it incurred revenue losses of some £800m as a result of hostile state cyber attack – not just through intellectual property loss, but also from commercial disadvantage in contractual negotiations. They will not be the only corporate victim of these problems.”
IT security is the insider’s biggest ally
The fact that IT controls only detected 15 out of the 1388 real-life insider frauds investigated for the ACFE’s report surely has to be a major cause for concern. Although it may be an inconvenient truth, what’s equally concerning is the fact that the exploitation of traditional access credentials such as cards, PINs and passwords – or CPPs – lies at the heart of most IT-based corporate crime. The reason for this is alarmingly simple: anyone can use your card, your PIN and your password. And you can use theirs.
The risks caused by CPPs – and the consequences of their exploitation – have been repeatedly highlighted. For example, in the past eight years, research into over 1700 corporate cybercrimes has featured in the Data Breach Investigation Reports (DBIR) from Verizon. The last three reports were based on investigations into real cybercrimes by Verizon and the US Secret Service – an agency tasked with protecting America’s financial infrastructure and payment systems as well as guarding the President.
The 2010 report said, “The use of stolen access credentials was the number one hacking type in the data breaches that were investigated by Verizon and the Secret Service. It might be hard to believe, but stolen IT access credentials were the commonest way attackers gained access to enterprise systems.”
But the credentials were rarely stolen using methods such as key-logging, social engineering or phishing. According to Bryan Sartin, Verizon’s director of investigative response, “Most of what we saw was simple exploitation of guessable passwords. These were not very sophisticated hacks at all.
“Stolen credentials offer an attacker many advantages, not the least of which is the ability to disguise himself as a legitimate user. Authenticated activity is much less likely to trigger IDS (intrusion detection systems) alerts or be noticed by other detection mechanisms.”
In its preview of the 2012 DBIR, Verizon said, “It is abundantly clear that cybercriminals seek to overcome or undermine access control mechanisms in the process of locating and removing sensitive data.” As in previous DBIRs, the exploitation of credentials is cited as by far the leading ‘threat-action’ in corporate cybercrimes.
Acquiring IT identity credentials is an obvious way for internal and external cyber villains to masquerade as legitimate, authorised users in order to perpetrate their crimes. Governing IT access and activity with nothing more than CPPs is bound to create major risks: anyone can use yours and you can use theirs. As a barrier against unauthorised access to corporate IT systems and fraudulent activity within them, CPPs are hopelessly inadequate because they do not identify their users. And this fundamental weakness is being routinely exploited by insiders to commit their frauds.
The abuse of CPPs is not only simple, it also provides the fraudster with all the authority they need to get into systems and change whatever data they need to carry out their crime. They can even enter their own credentials and simply claim that someone else must have used their card, PIN or password.
Marius Coetzee of Ideco Biometric Security Solutions says that fingerprint technology is extensively used at thousands of SA companies within their physical security systems – mainly to control access and attendance. He points out that replacing CPPs with highly accurate fingerprint-based identification of IT users is not some sci-fi dream. “Right now, CPPs can be replaced with fingerprint scanners to dramatically strengthen IT security. Instead of using a PIN, card or password to access systems and transact within them, users simply scan their fingerprint on a small, USB-connected fingerprint reader.”
“It’s fast, convenient and, above all else, the controlling software automatically tracks all of the IT users’ activity by logging who did what, where and when. It creates a real-time audit trail that links user activity to their fingerprints.”
In terms of this biometric audit trail of IT activity, Coetzee says it is vital to use fingerprint technology that can provide evidence that is accepted in our courts and lead to convictions. “There are only certain biometric technologies that comply with the requirements of law enforcement agencies for digital fingerprint recognition. “It’s therefore essential for organisations to select appropriately compliant technologies. The evidence of a link between an insider’s fingerprint and their criminal activity must be based on a technology that is acceptable in court.”
The ACFE Report says that the ‘perception of detection’ is known to be the most potent deterrent to insider fraud. And that perception certainly looms large if fraudsters know they are undeniably linked to their IT activities by their fingerprints.
The 2012 Report to the Nations on Occupational Fraud and Abuse can be downloaded here or from the ACFE website: www.acfe.com
© Technews Publishing (Pty) Ltd | All Rights Reserved