“I read about fraud all the time – hackers, online gangs, angry employees, etc. It seems like it’s on the rise. Why is this so hard to detect and how can we prevent fraud in our organization?”
It is true that fraud is increasing, and it does seem that we read about a new incident almost daily. Three things drive this: the amount of sensitive information now held online, the growing number of online applications that access that information, and the growing number of people who bank and pay online. The result is more opportunity for fraud with less effort, so it is no surprise that criminals have moved their activities online, and that insider-led fraud is on the rise as well.
Let’s look at insider-led fraud first. An insider-led incident involves a malicious employee or contractor who uses the company’s own systems to commit some form of fraud against the company. One of the motivations behind the Sarbanes-Oxley regulation was to ensure that companies maintain internal controls adequate to prevent this type of fraud.
Everyone seems to use the example of an accounts-payable clerk who adds her brother-in-law as a new payee, then also cuts a payment to him and splits the proceeds. This is the classic case for a separation-of-duties control (the person who can create a payee must not be the person who can pay that payee), but there are plenty of others. Consider, for example, quote fraud in the insurance industry, where someone inside the insurer passes the details of a pending quote to a rival firm so the rival can submit a better bid and win the contract.
There are many variations on insider-led fraud, and they multiply as new applications and business processes come online. Two common methods of detecting this type of fraud are monitoring that separation-of-duties controls are actually being enforced (for example, alerting when one user both creates a payee and issues a payment to it) and monitoring what privileged users do with the data they can reach.
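As an added example (not code from the original column), here are both detections from the paragraph above run over a small constructed audit log: the separation-of-duties check pairs payee creation with payment by the same user, and the privileged-access check looks for after-hours and bulk reads of customer records. The user IDs, field layout, business hours and thresholds are all assumptions chosen for illustration.

```python
"""Insider-fraud monitoring over an application audit log.

Added example (not from the original column): the two detections named in
the text, separation-of-duties monitoring and privileged-user data access
monitoring, run over a small constructed log. User IDs, field layout and
thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log, not real data.
# Fields: timestamp  user  action  object  amount
SAMPLE_LOG = """\
2023-03-01T09:12:00 clerk01 CREATE_PAYEE  PAYEE-4471 0
2023-03-01T09:14:30 clerk01 ISSUE_PAYMENT PAYEE-4471 8400.00
2023-03-01T10:02:11 clerk02 CREATE_PAYEE  PAYEE-4472 0
2023-03-02T11:45:09 clerk03 ISSUE_PAYMENT PAYEE-4472 1200.00
2023-03-02T11:50:00 dba01   READ_CUSTOMER CUST-1001 0
2023-03-02T11:51:00 dba01   READ_CUSTOMER CUST-1002 0
2023-03-02T11:52:00 dba01   READ_CUSTOMER CUST-1003 0
2023-03-02T23:10:00 dba01   READ_CUSTOMER CUST-1004 0
2023-03-03T14:00:00 clerk02 READ_CUSTOMER CUST-1005 0
"""

PRIVILEGED_USERS = {"dba01"}      # assumption: DBAs with direct table access
BUSINESS_HOURS = range(8, 18)     # assumption: 08:00-17:59 local time
SOD_WINDOW = timedelta(days=30)   # assumption: how far back to pair events
BULK_READ_THRESHOLD = 3           # assumption: distinct records per user per day


def parse_log(text):
    """Parse the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, obj, amount = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "obj": obj, "amount": float(amount)})
    return events


def find_sod_violations(events, window=SOD_WINDOW):
    """Separation-of-duties check: the user who created a payee must not be
    the user who issues a payment to that payee. Returns (user, payee, amount)
    for each payment that breaks the rule within `window` of the creation."""
    created_by = {}  # payee -> (user, created_at)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] == "CREATE_PAYEE":
            created_by[e["obj"]] = (e["user"], e["ts"])
    violations = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] != "ISSUE_PAYMENT":
            continue
        creator = created_by.get(e["obj"])
        if creator is None:
            continue
        user, created_at = creator
        if user == e["user"] and timedelta(0) <= e["ts"] - created_at <= window:
            violations.append((e["user"], e["obj"], e["amount"]))
    return violations


def find_privileged_access_anomalies(events, privileged=PRIVILEGED_USERS):
    """Privileged-user data access monitoring: flag customer-record reads by
    privileged users outside business hours, and bulk reads (more than
    BULK_READ_THRESHOLD distinct records in one day) by any user."""
    after_hours = []
    per_day = defaultdict(set)  # (user, date) -> set of records read
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] != "READ_CUSTOMER":
            continue
        per_day[(e["user"], e["ts"].date())].add(e["obj"])
        if e["user"] in privileged and e["ts"].hour not in BUSINESS_HOURS:
            after_hours.append((e["user"], e["obj"], e["ts"].isoformat()))
    bulk_reads = [(user, str(day), len(objs))
                  for (user, day), objs in per_day.items()
                  if len(objs) > BULK_READ_THRESHOLD]
    return {"after_hours": after_hours, "bulk_reads": bulk_reads}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("SoD violations:", find_sod_violations(evs))
    print("Privileged access:", find_privileged_access_anomalies(evs))
```

Note that clerk02 creating PAYEE-4472 and clerk03 paying it is exactly what the control wants, so it is not flagged; the point of the monitoring is to catch the cases where the application’s role configuration lets one person do both.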
The other type of fraud we read about is committed by external criminals against an organization’s customers. It usually involves some form of account takeover: the criminal obtains the customer’s credentials, logs in as the customer, enters fraudulent transactions and drains the account.
Account takeover techniques include phishing, smishing (phishing via SMS text messages) and vishing (voice phishing by telephone, often placed over VoIP services such as Skype). Each tricks the customer into divulging his account credentials, which are then used to steal funds.
These techniques can be detected at the transaction level by analyzing items such as geographic location (e.g. the customer is located in London but the wire transfer is being requested from Russia), trend analysis (e.g. the customer has never requested a transfer over $1,000, but this transfer is for $25,000), or device analysis (e.g. this PC has requested wire transfers from three different accounts today). None of these signals is conclusive on its own; in practice they are weighed together to decide whether a transaction goes through, is held for review or is blocked.
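The three checks above as an added example (not code from the original column), applied to a constructed transfer history. The account IDs, device IDs, country codes and the two thresholds are assumptions chosen for illustration; a real deployment would tune them per product and customer segment.

```python
"""Account-takeover detection rules for transfer requests.

Added example (not from the original column): the three checks described in
the text, geographic location, trend analysis and device analysis, applied to
a constructed transaction history. Account IDs, device IDs, country codes and
the thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict

# Constructed history of approved transfers, not real data.
# Fields: transaction id, account, origin country, device id, amount (USD)
HISTORY = [
    ("t1", "acct-100", "GB", "dev-A", 200.0),
    ("t2", "acct-100", "GB", "dev-A", 450.0),
    ("t3", "acct-100", "GB", "dev-A", 900.0),
    ("t4", "acct-200", "US", "dev-B", 50.0),
    ("t5", "acct-300", "US", "dev-C", 75.0),
]

# Constructed batch of new requests received today, same fields.
NEW_REQUESTS = [
    ("t6", "acct-100", "RU", "dev-A", 25000.0),  # London customer, request from Russia, 25x usual
    ("t7", "acct-100", "GB", "dev-A", 300.0),    # ordinary
    ("t8", "acct-200", "US", "dev-Z", 40.0),
    ("t9", "acct-300", "US", "dev-Z", 60.0),
    ("t10", "acct-400", "US", "dev-Z", 20.0),    # third account from dev-Z today
]

TREND_MULTIPLIER = 5.0    # assumption: flag amounts above 5x the prior maximum
DEVICE_ACCOUNT_LIMIT = 3  # assumption: accounts per device per day before flagging


def build_profiles(history):
    """Per-account baseline: countries seen before and largest prior transfer."""
    profiles = {}
    for _, acct, country, _, amount in history:
        p = profiles.setdefault(acct, {"countries": set(), "max_amount": 0.0})
        p["countries"].add(country)
        p["max_amount"] = max(p["max_amount"], amount)
    return profiles


def score_requests(requests, history):
    """Return {transaction id: [reasons]} for the batch, processed in order so
    the device rule sees accounts accumulate on one device through the day."""
    profiles = build_profiles(history)
    accounts_per_device = defaultdict(set)
    results = {}
    for txn, acct, country, device, amount in requests:
        reasons = []
        profile = profiles.get(acct)
        if profile:
            # Geographic location: request from a country this account has never used.
            if country not in profile["countries"]:
                reasons.append("geo")
            # Trend analysis: amount far above anything the customer has done before.
            if amount > TREND_MULTIPLIER * profile["max_amount"]:
                reasons.append("trend")
        # Device analysis: one device driving transfers for many accounts.
        accounts_per_device[device].add(acct)
        if len(accounts_per_device[device]) >= DEVICE_ACCOUNT_LIMIT:
            reasons.append("device")
        results[txn] = reasons
    return results


if __name__ == "__main__":
    for txn, reasons in score_requests(NEW_REQUESTS, HISTORY).items():
        print(txn, "FLAG" if reasons else "ok", reasons)
```

The device rule only fires on the third account seen from `dev-Z`, which is why t8 and t9 pass while t10 is flagged; an account with no history (acct-400) gets no geographic or trend baseline, so the device signal is the only thing that can catch it.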
Even more insidious is the “Man in the Browser” technique, where malware installed in the customer’s browser waits for a banking session and then, while the customer is legitimately logged in, silently submits transfer requests or creates bill payees and payment requests. Because the session is genuine and comes from the customer’s own device and usual location, the geographic and device checks described above do not fire. The customer doesn’t discover the problem until her monthly statement arrives containing a batch of unauthorized payments, and by then the money is long gone. This technique is harder to detect, but analysis of the sequence and timing of Web page requests within a session (a payment submitted for a form the browser never loaded, or submitted faster than a person could fill it in) can be an effective way to catch it.
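One way to do the Web request analysis just described, as an added example that is not code from the original column: each session’s requests are replayed in order and a POST to a transaction form is flagged when the form page was never served in that session, when it arrives faster than a person could fill it in, or when it pays a payee created seconds earlier. The endpoint paths, session IDs, log layout and timing thresholds are assumptions chosen for illustration.

```python
"""Man-in-the-Browser detection from Web request sequence and timing.

Added example (not from the original column): one way to do the "analysis of
Web page requests" the text mentions, over a constructed per-session access
log. Endpoint paths, session IDs and the timing thresholds are assumptions
chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed access log, not real data.
# Fields: session  timestamp  method  path  [form fields as k=v;k=v]
SESSION_LOG = """\
sess-1 2023-03-05T10:00:00 GET  /accounts
sess-1 2023-03-05T10:00:20 GET  /transfer
sess-1 2023-03-05T10:01:05 POST /transfer payee=PAYEE-1;amount=150
sess-2 2023-03-05T10:05:00 GET  /accounts
sess-2 2023-03-05T10:05:02 POST /payees name=NEWPAYEE
sess-2 2023-03-05T10:05:03 POST /transfer payee=NEWPAYEE;amount=4900
sess-3 2023-03-05T10:10:00 GET  /transfer
sess-3 2023-03-05T10:10:00.400 POST /transfer payee=PAYEE-2;amount=75
"""

FORM_ENDPOINTS = {"/transfer", "/payees"}  # assumption: POST targets that have a GET form
MIN_FILL_SECONDS = 2.0       # assumption: faster than a person can fill the form
PAYEE_TO_PAY_SECONDS = 60.0  # assumption: a brand-new payee paid almost at once


def parse_session_log(text):
    """Group requests by session, each sorted by time."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(None, 4)
        sess, ts, method, path = parts[:4]
        params = {}
        if len(parts) > 4:
            params = dict(kv.split("=", 1) for kv in parts[4].split(";"))
        sessions[sess].append((datetime.fromisoformat(ts), method, path, params))
    for reqs in sessions.values():
        reqs.sort(key=lambda r: r[0])
    return sessions


def analyze_sessions(text):
    """Return {session: [(finding, detail), ...]} for every session in the log."""
    findings = {}
    for sess, reqs in parse_session_log(text).items():
        out = []
        form_served_at = {}    # path -> time the form page was last served
        payee_created_at = {}  # payee name -> time it was created
        for ts, method, path, params in reqs:
            if method == "GET":
                form_served_at[path] = ts
                continue
            if method != "POST" or path not in FORM_ENDPOINTS:
                continue
            served = form_served_at.get(path)
            if served is None:
                # The browser never loaded the form, yet something submitted it.
                out.append(("no_form_rendered", path))
            elif (ts - served).total_seconds() < MIN_FILL_SECONDS:
                # Form served and submitted faster than a person could type.
                out.append(("submitted_too_fast", path))
            if path == "/payees" and "name" in params:
                payee_created_at[params["name"]] = ts
            if path == "/transfer" and params.get("payee") in payee_created_at:
                created = payee_created_at[params["payee"]]
                if (ts - created).total_seconds() <= PAYEE_TO_PAY_SECONDS:
                    out.append(("payee_then_pay", params["payee"]))
        findings[sess] = out
    return findings


if __name__ == "__main__":
    for sess, out in analyze_sessions(SESSION_LOG).items():
        print(sess, out or "clean")
```

sess-1 is an ordinary customer: form loaded, 45 seconds to fill it, one payment. sess-2 looks like the behaviour in the paragraph above: a payee created and paid a second later with neither form ever served to the browser. sess-3 loaded the form but submitted it 400 ms later, which is worth a step-up authentication rather than an automatic block, since a browser autofill can also be that fast.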