Hands in handcuffs using laptop showing how technology has transformed insider fraud and yet being used in fighting back
How Technology Transformed Insider Fraud – and How New Technology Is Fighting Back by Mus Huseyin, Head of UK and EU at nsKnox

How Technology Transformed Insider Fraud – and How New Technology Is Fighting Back

In criminal cases, investigators home in on suspects by ascertaining who had the means, motive, and opportunity to perpetrate the crime. By that tripartite standard, it shouldn’t be surprising that occupational fraud – fraud carried out by company employees, executives, and other insiders – outranks virtually all other forms of fraud faced by modern organizations.

While they may share the same motives as most other fraudsters – financial gain or sabotage, for instance – company insiders have greater means of committing fraud than outsiders do. Meanwhile, the proliferation of technology has presented unprecedented opportunities for attack – and in today’s rapidly evolving technological landscape, the minute a company learns how to detect and thwart one form of fraud, another invariably springs up.

Technology may be one of the great enablers of insider fraud – but paradoxically, it’s also indispensable to combating it.

Here’s a look at how insider fraud has evolved, and how technology has guided its evolution.

From Padded Payrolls to Crime in the Suites

In the go-go years of the 1980s and 1990s, fraud tended to be fairly analog. Forged checks, the siphoning of investor money through fictitious companies, the approval of loans without due diligence, and so on – these were among the favored means of the era’s fraudsters.

Advances in desktop publishing in the 1990s brought about a new age of cyber-fraud. Retailers were particularly hard hit, with crooks counterfeiting corporate checks, depositing them into bank accounts, and then drawing on them. Employees conducted “padded payroll” or similar schemes – and while businesses initially succeeded in shifting the losses to banks in such cases, revisions to U.S. criminal law in the late 1990s officially shifted the burden from banks to businesses. This provided a powerful incentive for businesses to tighten their internal controls and improve employee supervision, especially in the accounts receivable area, where check fraud had been remarkably easy to perpetrate and difficult to detect.

Amid a wave of corporate fraud scandals – Enron, WorldCom, Xerox, and many others – the 2000s saw a renewed focus on how company insiders, even those at the highest levels, could employ sophisticated means to defraud businesses and evade notice.

The Sarbanes-Oxley Act, signed into law in 2002 following the exposure of massive frauds like the Enron case, instituted whistleblower protections and held managers responsible for maintaining an “adequate internal control structure and procedures for financial reporting.” Under the law, auditors were required to attest to management’s implementation of these controls and to disclose any weaknesses in proper oversight.

Hailed as a giant leap forward in corporate governance law, Sarbanes-Oxley undoubtedly represented progress in the fight against fraud, not least because of its robust reporting and auditing requirements. But with insider fraud still a multibillion-dollar industry dilemma, it’s exceedingly difficult to deny that nearly a generation on, much work remains to be done.

Fraud in the Digital Age: Connectivity and Vulnerability

Although calculating the full cost of insider fraud is a highly complex undertaking, the Association of Certified Fraud Examiners’ (ACFE) survey of 2,000 CFEs offers revealing insights. These experts estimate that five percent of organizations’ annual revenues are lost to fraud. As the ACFE notes, extrapolating that figure to the Gross World Product of $79.6 trillion in 2017 would translate to a staggering $4 trillion in fraud worldwide.

At any rate, the cost to individual businesses hit by insider fraud can be potentially devastating. In its study of 2,690 occupational fraud cases, the ACFE found that the average loss was $2.75 million, while the median loss was $130,000. What’s more, the organization notes, the average internal fraud event lasts well over a year before it’s detected –reducing the likelihood of recovering financial assets, if and when the fraudster is caught.

Further complicating matters, businesses’ embrace of digitization to better serve their always-connected customers has resulted in the emergence of new threats. Fileless malware enables easier, harder-to-detect access to sensitive customer information. The rapid transmission of information through hyper-efficient online payment methods creates openings for insiders to gain unauthorized access to funds – underscoring the need for real-time transaction monitoring.

Given that insider attackers are taking advantage of their trusted access to data – and not trying to hack into databases and file shares – it’s all the more essential for companies to deploy autonomous anti-fraud technologies that act against any internal threats in cases when controls are sidestepped and privileged access is abused. By monitoring and securing payments along the entire length of their transaction journey, these technologies protect businesses’ sensitive customer data and finances allowing organizations to gain in-depth visibility into the security and vulnerability of their assets. These technologies help organizations pre-emptively stop fraudsters in their tracks – rather than suffering through months or even years of revenue loss and internal subversion.

Technology may have helped facilitate the so-called ‘insider threat’, but it is undoubtably essential to fighting employee crime and other types of cyber-enabled fraud. With that said, for anti-fraud technologies to truly serve their purpose, organizations must first acknowledge an uncomfortable truth: their greatest threats are often inside the company. Company insiders have a powerful mix of means, motive, and opportunity to commit fraud, and organizations remain exposed to this material and escalating risk unless they invest in technology to help keep their security one step ahead of the threats they face.