Insider Fraud: What to MonitorCases Showcase Risks Posed by Trusted Employees
Two recently resolved insider fraud schemes at banking institutions in Ohio and New York highlight the unique challenges organizations face when it comes to detecting crimes by trusted employees.
See Also: Key Cybercrime Trends in 2016
On Jan. 10, a district court in Ohio sentenced Zrino Jukic of Cleveland to 37 months in prison and ordered him to pay nearly $1.7 million in restitution for a loan fraud and money laundering scheme that involved a banking officer and contributed to the April 2010 collapse of St. Paul Croatian Federal Credit Union. Jukic had previously pleaded guilty to charges stemming from the scheme.
The scheme was just one of many the credit union's former chief operating officer, Anthony Raguz, helped to facilitate before he finally was caught, investigators say (see Banking Exec Sentenced for Fraud Scheme).
And on Jan. 2, in a district court in New York, a former bank teller and a former branch manager of Chemung Canal Trust Company Bank pleaded guilty to bank embezzlement charges that cost the bank at least $325,000 in a scheme that took nearly seven years to detect.
Both cases involved trusted employees with access to funds and authority to approve transactions - a dangerous combination, says Randy Trzeciak, the technical team lead of insider threat research for the CERT Program, part of the Software Engineering Institute at Carnegie Mellon University.
According to CERT's most recent insider threat research, studies of cases investigated by the Secret Service reveal that more than 50 percent of insider schemes involve employees in trusted positions, such as managers. And these crimes tend to go on under the radar, over extended periods of time, proving especially difficult to detect.
"These are usually trusted individuals in an organization," Trzeciak says. "Organizations struggle with implementing controls that are effective without adversely affecting employees' ability to do their jobs."
Organizations can implement automated or technical controls to restrict or limit access for certain individuals. But because most of these trusted individuals have logins and passwords to enter certain systems that manage those controls, they can override the technical measures put in place to detect insider schemes.
"Defense in depth is the recommendation," Trzeciak says. "That includes IT controls and manual controls, like an audit process, to pick up on suspicious activity."
In the Ohio case, Jukic was a co-owner of a small investment firm, the Zlato Group, along with Raguz, who also served as the defunct St. Paul Croatian Federal Credit Union's chief operating officer. Jukic defrauded the credit union by providing false information in connection with approximately 11 loan applications, according to court records. The proceeds from the bad loans allowed Jukic and Raguz to invest in certain business ventures through their company.
Authorities say Jukic laundered the money by transferring fraudulently obtained funds from a Zlato Group bank account to his own bank account to conceal the crime.
In November of 2012, Raguz was sentenced to 14 years in prison and ordered to pay more than $72.5 million in restitution for the role he played in the scheme with Jukic and others. Raguz' loan fraud schemes spanned 10 years and involved 1,000 fraudulent loans totaling more than $70 million to more than 300 account holders. He also accepted more than $1 million worth of bribes, kickbacks and gifts in exchange for the fraudulent loans he issued, investigators say.
In the end, Raguz' schemes led to one of the largest credit union failures in U.S. history, federal authorities say.
In the New York case, Megan Horton, a former branch manager, and Gwenn Gooding, a former head teller, pleaded guilty to embezzling $300,000 from Chemung Canal Trust Company Bank. A third conspirator and former teller of the bank, Shannon Moore, in December pleaded guilty to similar charges linked to her embezzlement of $25,000.
The scheme, which began in December 2004, wasn't uncovered until September 2011 when it was revealed by an audit related to disaster recovery efforts.
Horton, Gooding and Moore now each face maximum sentences of up to 30 years in prison and fines of up to $1 million.
Stronger Detection Needed
Schemes such as these are challenging to detect because the perpetrators don't have behaviors that raise flags, Trzeciak says.
"The amount of time the person is in the position before they commit fraud, on average, is five years, based on research from the Secret Service," he says. "That allows the individuals to develop some form of trust," so their actions aren't questioned, even when they should be.
Although the investment can be cost-prohibitive for some organizations, Trzeciak recommends non-predictable auditing practices. "It is a challenge, and it can be costly to implement some of that unpredictability," he says. "But it's best if you can put an auditing process in place that not everyone knows. The thresholds, for instance, are not known by everyone in the organization."
Other basic steps that all organizations, including financial institutions, should take, Trzeciak says, include:
- Invest in data loss prevention tools. If organizations can identify in their systems what their critical assets are, then they can tag those assets and monitor them, he says. So, when those assets leave the network, organizations have technology in place that sends a notification.
- Have technical controls and manual reviews to "check" the checker. "Improve the process you use to audit and review those people involved in the fraud controls themselves," he says. Monitor access to fraud detection systems as well as setting changes.
- Monitor for fraud motivations. "If there is a downsizing, that might be a motivator. Or, are people coming in and working at odd hours? You need IT controls, but you need more than IT," he says. "If you have those controls and some perspective about motivations, you have a better chance of detecting suspicious activity."
Identifying someone under stress could be an example of a non-technical indicator, Trzeciak says.
- Be mindful of departing employees. "When it comes to people who steal intellectual property ... over 70 percent of them steal the information within 30 days of announcing they are going to leave the organization," he says. It's a good practice to have human resources notify the IT department when an employee gives notice, Trzeciak says. From there, IT can monitor activity and make note of USB downloads or e-mail exchanges, for instance.
- Report suspicious activity. Many organizations do not report all insider schemes, only the ones they are mandated by law or regulation to report, Trzeciak says. "More reporting helps," he says. "If one individual is fired for insider fraud, you don't want him hired elsewhere in a similar role."