One of the most significant reports on insider fraud has recently been published by the Association of Certified Fraud Examiners (ACFE).
The information in the 2012 Report to the Nations on Occupational Fraud and Abuse is based on 1 388 fraud cases investigated by Certified Fraud Examiners between January 2010 and December 2011. These cases span 96 countries and the report provides a rare insight into the nature and scale of insider fraud.
In all but nine of the reported cases, the total loss from the fraud was recorded by the investigating fraud examiner. The median loss suffered by the victim was $140 000 (R1.82-million), but in over 20% of the cases the losses exceeded at least $1 million (R13 million).
As if these real-world figures aren’t worrying enough, what makes matters even worse is that in half of the all the cases investigated, none of the losses had been recovered. Trusted, talented and tenured: the biggest insider villains are usually above suspicion.
The Report says that the longer a fraudster has worked for an organisation, the higher the losses they cause. For example, perpetrators who had been employed for over ten years’ caused a median loss of $229,000 (R3 million).
By comparison, the loss caused by insiders who committed fraud in their first year on the job was only about 10% of that figure. And almost 90% of all fraudsters had no history at all of any fraud-related conduct.
To underline this point about insiders who appear to be above suspicion, the former UK chief of fraud and security for digital banking at Lloyds Banking Group was charged in May this year with allegedly stealing nearly £2.5m (R32 million) from the bank over four years. The charges are apparently based on the security chiefs’ falsification of invoices and it seems that the money was not stolen from customers but from the bank itself.
The fact that this particular case appears to have spanned four years, highlights another typical characteristic of the insider fraudster: the ones that get caught have been stealing from their employers over fairly long periods of time.
The ACFE study shows that insider frauds lasted a median of 18 months before being detected. However, some frauds take a great deal longer to detect, particularly those involving an organisation’s payroll. The report says that payroll frauds have the longest life-span of all, with a median of 36 months between when they start and when they come to light.
A local indication of just how long these frauds can last came about in 2009 when a former salaries accountant at South African firm, Omnia Holdings, was charged with stealing over R23 million from the company over an eight year period. Given the nature of the fraudster’s work, it’s probably fair to assume that the money was coming out of the payroll system.
They’re getting away with it because we’re hopeless at catching them
In terms of how insiders get caught, it must surely come as a surprise that tip-offs and whistle-blowing by fellow employees are by far the most common way in which frauds are discovered, accounting for detection in over 40% of cases.
What’s worrying about this is that more structured and obviously far more costly mechanisms to detect insider fraud don’t seem to be working.
For example, the report states that formal fraud prevention processes such as account reconciliation; monitoring and surveillance; external audits; and document examination only resulted in discovering 14% of these frauds. That’s pretty alarming given that 7% of the cases were detected completely by accident – for free.
To make matters worse, in one-fifth of all cases, the insider had overridden whatever controls there may have been in order to carry out their crime and remain undetected. However, because so many business processes are now dependent on IT systems, what is really disturbing is that of the almost 1 400 cases investigated for the ACFE Report, only 1.1% were uncovered by IT controls. That’s just 15 cases.
Since the use of IT systems extends into almost all areas of an organisation, the damage caused by unauthorised access and activity can obviously come in many shapes and sizes. It certainly extends beyond people using a colleague’s IT access card or password to make fraudulent EFT payments.
In fact, IT systems create a treasure trove of fraudulent opportunities for the crooked insider. Altering invoices, delivery notes and credit notes are some fairly obvious ones, as are fiddling stock-control records and then moving goods through the proverbial back door. But the more authority and knowledge an insider possesses, the more damage they can cause while covering their tracks and avoiding detection.
Accurate identity monitoring with affordable fingerprint technology
It may be an inconvenient truth, but the exploitation of traditional access credentials such as cards, PINs and passwords - or CPPs - lies at the heart of most IT-based corporate crime. The reason for this is alarmingly simply: anyone can use your card, your PIN and your password. And you can use theirs.
As a barrier against unauthorised access to corporate IT systems and fraudulent activity within them, these traditional credentials are hopelessly inadequate because they do not identify their user. And this fundamental weakness is being routinely exploited by insiders to perpetrate their frauds.
The abuse of CPPs is not only simple, it also provides the fraudster with all the authority they need to get into systems and change whatever data they need to carry out their crime. They can even enter their own credentials and simply claim that someone else must have used their card, PIN or password.
But there is a solution to this almost universal problem. Replacing CPPs with highly accurate fingerprint-based identification of IT users is not some sci-fi dream. The technology is already extensively used in South Africa to control workplace access and attendance at thousands of local companies. In fact, it’s currently used to manage these particular forms of security for over 2.5 million people across southern Africa in environments ranging from mines to retailers.
Right now, the technology also exists to replace CPPs with fingerprint scanners in order to reinforce IT security. Instead of using a PIN, card or password to access systems and transact within them, users simply place their finger on a small, USB-connected fingerprint scanner. It’s fast, convenient and, above all else, the technology automatically tracks all of the users’ activity by logging who did what, where and when.
As the ACFE Report says, the ‘perception of detection’ is known to be the most potent deterrent to insider fraud. And that perception certainly looms large if fraudsters know they are undeniably linked to their IT activities by their fingerprints.
The 2012 Report to the Nations on Occupational Fraud and Abuse can be downloaded here or from the ACFE website: www.acfe.com
SuperVision Biometric Systems (Pty) Ltd
mark@supervision.co.za
