Insider Fraud: Are You at Risk?

Job Cuts Make Institutions Vulnerable to Insider Crimes
The downtrodden economy is pushing banks to make tough decisions - and putting the institutions at heightened risk of insider crimes.

Earlier this month, reports began circulating about Bank of America's plans to cut 3,500 jobs. Those cuts will be in addition to layoffs BofA announced earlier this year, when BofA said it would be shaving 1,500 staffers from its home-loan business - the result of lax mortgage lending.

BofA is not alone. Banks around the world are cutting jobs and salaries as a result of lost revenue and unstable stock prices. UBS, Citigroup, ABN Amro, Barclays, Credit Suisse, Goldman Sachs, HSBC, Lloyds, and Wells Fargo have each announced similar plans to reduce expenses by cutting staff.

Even for those employees who survive job cuts, salaries will be impacted. Banks are expected to eliminate bonuses, and compensation for traders could fall anywhere from 15 percent to 30 percent, according to industry projections.

But are these decisions aimed at reducing expenses actually prepping the kitchen for a recipe for disaster? In some ways, yes. Economic pressures coupled with anticipated layoffs and salary reductions always lead to increases in insider or internal fraud. Employees who under normal conditions are deemed loyal could be swayed by a disgruntled atmosphere and pressures to cover personal expenses.

"Fraud threats always rise during times of economic downturn, where people do things they wouldn't ordinarily do due to financial duress," says Aite financial fraud analyst Julie McNelley. "To that extent, the internal fraud threat will be elevated as the economic downturn persists."

Banks are aware of those risks, McNelley says, and often structure their layoff practices in ways that prevent disgruntled employees from retaliating. "Systems and physical plant access is terminated when notifications are given," she says.

But it's not always so simple, says financial fraud expert and consultant George Tubin, and that's what makes internal compromises so damaging.

"A few things happen for employees to commit fraud," he says. "One, they have to have some kind of financial pressure; and if you think you might get laid off, there's pressure there. Secondly, there has to be some kind of rationalization. So, if they aren't being treated right and they don't think leaders at the bank are running the bank correctly, they can rationalize committing fraud. And that's what makes times like these perfect opportunities for disgruntled employees to turn."

Dissuading Internal Fraud

Opportunity is the catalyst. Banking institutions must have clear policies about what constitutes internal fraud, and the policies have to be enforced. "When someone goes outside the controls, you can't overlook it," Tubin says. "You have to enforce it and set an example, when someone is caught."

Pinpointing the fraud is the problem. Even though banks have steps and technology in place, it's easy for insiders to get around some of this. "In some cases, there has been fraud that's gone on for 20 years," Tubin says.

Identifying the psychology or profile of an internal fraudster is challenging, too, though certain red flags, such as an employee who is living beyond his means, should be warning signs.

Living beyond his means is what eventually led to the June arrest of former Citi employee Gary Foster, who is suspected of carrying out an intricate yet relatively simple ACH and wire scheme. Foster, who allegedly embezzled more than $19 million from Citi and its customers, was able to pull off his scam undetected for more than six months.

Shirley Inscoe, author of "Insidious: How Trusted Employees Steal Millions and Why It's So Hard for Banks to Stop Them," says most banks have done a poor job of keeping up with internal threats. [See Database Security Policies Needed.]

"With the economic downturn, I think many banks have cut back on their internal controls and fraud detection because of very tight budgets," Inscoe says. "Any other bank could have just as easily been victimized."

Internal compromises also have taken on new forms. Rather than embezzling, some insiders merely steal and sell valuable accountholder information to underground networks. "There's a lot of value now just for customer information," Tubin says. "So, just having the ability to get a hold of customer account numbers, without having to directly take funds out, is valuable, and we're seeing more of that. ... With the underground outlet, employees see an opportunity."

The value of accountholder information led to the internal breach at Bank of America, which the bank said in May had led to the compromise of numerous BofA customer accounts. The now former BofA employee was accused of leaking customer names, addresses, Social Security numbers, phone numbers, bank account numbers, driver's license numbers, birth dates, e-mail addresses, family names, PINs and account balances to a ring of criminals. With the information, the crime ring reportedly hijacked e-mail addresses, cell phone numbers and possibly more to open accounts and order checks under stolen identities.

"If an employee can grab all of this information and sell it, that's more of a problem now than it was in the past," Tubin says.

What Institutions Can Do

Identifying internal threats based on psychology or a change in behavior or lifestyle is tricky. It's not very accurate, and you can't always catch everything. That's where automated or system-level monitoring comes in.

"From a technology standpoint, you can monitor what data and systems your internal staff is accessing," Tubin says. "If somebody grabs a file with a lot of customer information on it, let's find out why they accessed it. And what about storage? If information is pulled, is it being printed out, or is it being saved to a USB drive? Those are things to look for."

Bank investments in monitoring technology are increasing, but the investments are not solely dedicated toward thwarting internal fraud. Banks are incorporating controls and detection systems into their overall enterprise monitoring solutions.

"It's not that different from implementing fraud monitoring solutions for customer accounts," Tubin says. "You're looking for things that are out of the norm. It's just putting in behavioral monitoring technology so that you can start to pinpoint when things don't look quite right."
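The monitoring Tubin describes can be sketched as follows. This is an added example, not code from the article or from any bank or vendor: it scores each employee's daily customer-record reads against that employee's own history and separately flags large pulls sent to a USB drive or printer. The event fields, thresholds and sample data are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample events: (day, user, customer_records_read, destination)
EVENTS = [
    (1, "teller_a", 40, "screen"), (2, "teller_a", 35, "screen"),
    (3, "teller_a", 42, "screen"), (4, "teller_a", 38, "screen"),
    (5, "teller_a", 900, "usb"),
    (1, "analyst_b", 800, "screen"), (2, "analyst_b", 750, "screen"),
    (3, "analyst_b", 820, "screen"), (4, "analyst_b", 790, "screen"),
    (5, "analyst_b", 810, "screen"), (5, "analyst_b", 15, "print"),
]

BULK_FACTOR = 5           # assumed: alert at 5x the user's own median day
MIN_HISTORY = 3           # assumed: days of history needed before scoring
EGRESS = {"usb", "print"}
EGRESS_MIN_RECORDS = 100  # assumed: small printouts are routine work

def daily_totals(events):
    """Sum records read per user per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, user, records, _dest in events:
        totals[user][day] += records
    return totals

def find_alerts(events):
    """Return sorted (day, user, reason, records) tuples worth a review."""
    alerts = []
    for user, days in daily_totals(events).items():
        for day in sorted(days):
            history = [n for d, n in days.items() if d < day]
            if len(history) < MIN_HISTORY:
                continue  # not enough baseline to call anything abnormal
            # Median keeps one earlier spike from inflating the baseline.
            if days[day] > BULK_FACTOR * median(history):
                alerts.append((day, user, "volume", days[day]))
    for day, user, records, dest in events:
        # Where the data went matters as much as how much was read.
        if dest in EGRESS and records >= EGRESS_MIN_RECORDS:
            alerts.append((day, user, "egress:" + dest, records))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in find_alerts(EVENTS):
        print(alert)
```

The analyst who reads about 800 records every day raises no alert, while the teller's 900-record pull to USB raises two; a single fixed threshold would either miss the teller or flag the analyst daily.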

About the Author

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by, ABC News, and MSN Money.
