Combating Internal Fraud - 5 Points You Should Think About

Combating Internal Fraud
5 Points You Should Think About
© Intellinx Ltd. All Rights Reserved.Intellinx Ltd. All Rights Reserved 29-Apr-12

Internal Fraud – a Very Real Risk


1. Your logs don’t tell the
complete story.
2. Be proactive – if the funds
are gone it might be too late.
3. How much of your external
fraud is actually internal?
4. The breach will happen at
the point where your control
is the weakest.
5. Avoid wasting time with false

5
positives.

POINTS TO THINK ABOUT

1 Your logs don’t tell the complete story
Time and again, we hear the story of organizations that invested millions in internal
fraud programs, yet are monitoring only a few key systems and are barely detecting
fraud.
They are not sure why, and cannot justify further investment to strengthen
internal fraud detection.


Time and again, we hear the story of organizations that invested millions in internal
fraud programs, yet are monitoring only a few key systems and are barely detecting
fraud.
They are not sure why, and cannot justify further investment to strengthen
internal fraud detection.
Here’s Why:
Organizations make the mistake of using log files (text files that record actions users take
in the system) to identify fraud. A lot of people we meet assume that log files record every
action that your employees take. However:
Log files usually miss critical data: surprisingly, most log files don’t keep a record of
searches, inquiries, and even which fields were changed on a page.
Log files are expensive to use: normally these are huge files, and your IT team will be
the first to tell you that they’re expensive to store, move and use.
Log files are expensive to update: changing the log file process to capture the
missing data requires expensive work by the system vendor and IT staff. Often, with
homegrown systems, IT staff no longer has the know-how to make changes.


Example 1:
An employee is looking up high net-worth customers and selling their information
to identity thieves.
Most log-file based systems
can’t detect this common crime,
as they don’t keep a record of
which employees search against
Which accounts.

Make sure that the system you
select or build has the ability to
profile against searches AND
inquiries.


Example 2:
An employee is preparing to transfer funds from an internal account (e.g., general
ledger) to an account they control.
Most log-file based systems will detect when the funds move, but that’s usually too late.
An employee preparing to steal money will inquire against accounts to get ready for the
theft. Make sure that the system you build or select can profile inquiries against internal
accounts.

Example 3:
An employee is colluding with an outside criminal to commit check fraud or card
fraud.
Most log files don’t have enough information to detect accounts that had fraud and also
had a high rate of inquiries or searches by the employee that was feeding information to
the external criminal.


Be proactive – if the funds are gone,
2 it might be too late
Many fraud systems only watch for
funds or data leaving your institution.
That’s too late; the damage is already
done by the time you detect it.
And even after detection, most cases
take more than three months to
establish root cause, and two-thirds of
incidents go unpunished.*
To be successful in the fight against
internal fraud, you must prevent the
fraud before it happens.
To effectively prevent internal fraud,
your monitoring system must be able to
detect when an employee starts to
behave unusually.
*Source: “The Risk of Insider Fraud”, Dr. Larry Ponemon, Sept. 2011


Be proactive – if the funds are gone,
2 it might be too late
• Many fraud systems only watch for Warning signs that an employee is
funds or data leaving your institution. preparing to commit fraud:
That’s too late; the damage is already
done by the time you detect it. Employees who view high-risk accounts
(like high-balance accounts, internal
• And even after detection, most cases accounts, dormant accounts) more
take more than three months to frequently than their peers
establish root cause, and two-thirds of
incidents go unpunished.* Employees who behave inappropriately
(like making off-hours inquiries, viewing
• To be successful in the fight against accounts from other regions, or looking at
internal fraud, you must prevent the other department’s accounts) more
fraud before it happens. frequently than their peers
• To effectively prevent internal fraud, Branch employees who access an unusual
your monitoring system must be able to number of accounts without performing
detect when an employee starts to financial transaction(s).
behave unusually.
Employees who search or inquire on an
*Source: “The Risk of Insider Fraud”, Dr. Larry Ponemon, Sept. 2011 unusually high number of accounts.


An example of proactive internal fraud monitoring
The Credit Card division of a $100 billion international bank was having a problem
with employees looking at the spending history of celebrities. Since the Intellinx
system focused on detecting inquiries (instead of the loss of data), the bank was
able to detect and prevent losses very quickly.

100

Alerts on Celebrity Accounts Snooping
Alert# per Week

80

60

40

20

0
1 2 3 4 5 6 7 8 9 10

Weeks
Rule Security officers start First employee
implemented calling on suspects is laid off

s Reserved.Intellinx Ltd. All Rights Reserved 29-Apr-12

An example of proactive internal fraud monitoring
The Credit Card division of a $100 billion international bank was having a problem
with employees looking at the spending history of celebrities. Since the Intellinx
system focused on detecting inquiries (instead of the loss of data), the bank was
able to detect and prevent losses very quickly.

100

Alerts on Celebrity Accounts Snooping
Alert# per Week

80

60

40

20

0
1 2 3 4 5 6 7 8 9 10

Weeks
Rule Security officers start First employee
implemented calling on suspects is laid off

Intellinx changes employee behavior and significantly increases
compliance with corporate policies
s Reserved.Intellinx Ltd. All Rights Reserved 29-Apr-12

3 How much of your external fraud is
actually internal?
What do you think of the following statistic?

Occupational fraud, mostly through employee theft, is a
growing, global problem ... About 5 percent of an
organization's revenue is lost to these fraud incidents…
approaching $1 trillion a year.


actually internal?
What do you think of the following statistic?

Occupational fraud, mostly through employee theft, is a
growing, global problem ... About 5 percent of an
organization's revenue is lost to these fraud incidents…
approaching $1 trillion a year.
Many banking fraud officers think this statistic is too high. But could it be true?
A likely answer: some of your external fraud is actually internal fraud.
With organized fraud rings becoming a more prevalent crime force, it’s becoming
increasingly common for bank employees to help external criminals to commit new account
fraud, deposit fraud, check fraud, card fraud, and loan fraud.
Collusion of insiders and external fraudsters can be detected by close monitoring of
Insiders’ behavior.


actually internal?
How to detect external fraud caused by internal action
Example 1: An employee is looking up customers and selling their check images,
signature cards, etc. to a fraud ring that commits check fraud.
Make sure that the monitoring system you select can identify employees who are inquiring
against an unusual number of accounts that later end up having check fraud.

Example 2: An employee is colluding with an external party to open fraudulent
accounts that will later be used for first party fraud, money mule schemes, etc.
Make sure that the monitoring system you select can identify employees who are opening
an unusual number of accounts that later end up having first party fraud.

Example 3: An employee is colluding with a customer to defraud the bank.
Make sure that the monitoring system you select can identify employees who are
performing an unusual number of transactions (financial or non-financial) for the same
customer.


4 A breach will happen at the point where
your control is weakest
Even the most security conscience organizations have weak points that can be
exploited by employees. This problem can be overcome by deploying an anti-fraud
system that is multi-layered, and combines indicators from multiple sources.

Example 1: Society General
What he did: Jerome Kerviel “borrowed” the login credentials of his
colleagues to cover his tracks while conducting transactions that ultimately
caused losses of over seven billion dollars.

How he should have been caught: An anti-fraud system that monitors
user activity at all levels - network, application and transaction - would have
compensated for the weak controls of the trading system. For example, by
detecting:
The same user logged in from different workstations at the same time
Several users logged in on the same workstation at the same time (or
within close proximity)
A user logging in to a workstation without scanning their badge through
the physical entry system
A user logging in for the first time from a new workstation
A user who is logging in (or using their badge) during unusual working hours


4 A breach will happen at the point where
your control is weakest
Even the most security conscience organizations have weak points that can be
exploited by employees. This problem can be overcome by deploying an anti-fraud
system that is multi-layered, and combines indicators from multiple sources.

Example 1: Society General
What he did: Jerome Kerviel “borrowed” the login credentials of his
40 percent or
colleagues to cover his tracks while conducting transactions that ultimately organizations say it is
caused losses of over seven billion dollars.
likely that a privileged
How he should have been caught: An anti-fraud system that monitors
user activity at all levels - network, application and transaction - would have user turns off or alters
compensated for the weak controls of the trading system. For example, by
detecting:
application controls in
The same user logged in from different workstations at the same time
order to access or
Several users logged in on the same workstation at the same time (or change sensitive
within close proximity)
information and then
A user logging in to a workstation without scanning their badge through
the physical entry system resets the controls to
A user logging in for the first time from a new workstation cover his or her tracks.
A user who is logging in (or using their badge) during unusual working hours Source: “The Risk of Insider Fraud”,
Dr. Larry Ponemon, Sept. 2011


5 Minimize false positives and waste less time
False positive alerts generated by anti-fraud systems are massive time wasters:
analysts spend countless hours researching “alerts” that amount to nothing.

There are several key steps to minimizing false positives:
Work with a vendor that can provide a set of pre-defined rules; you can learn a
lot from the experience of other organizations.
After you implement the system, make sure that it’s someone’s job to periodically
analyze and tweak the rules that are providing the best results. The system you
select or build should have a reporting engine that makes it easy to analyze rule
effectiveness.
Select a system with a scoring model that you can easily update on your own.
Even if you have all the right rules, weighting them properly is the key to minimizing
false positives, and you need to have this capability in-house.
Make sure your system has a way for your analysts to write and deploy their own
rules. New patterns of fraud emerge all of the time, and you need to make sure
that the ability to create new rules is something your staff can do.


5 Minimize false positives and waste less time
Pre-Defined Rules: Common Internal Fraud Schemes

Taking Over Money Theft Other
Accounts Schemes
• Identity theft by • Stealing money from • Personal expenses on
manipulating account customers via: corporate card account.
data. • Cash • Performing transactions for
• Check personal use.
• Opening accounts for • Card • Stealing customer
money mules/ deposit • Transfer information.
fraud schemes. • ACH/Wire • Performing unauthorized
claims, rebates, reversals.
• Stealing money from • Targeting the elderly.
• Opening accounts for
internal accounts via: • Collusion between multiple
non-existent or
• Cash employees.
unqualified customers in
• Transfer • Violation of policy/ errors.
order to meet quotas/
• ACH/Wire • Trying to avoid detection.
incentives.


Five Facts about the Intellinx Enterprise
Fraud Solution
1. Intellinx offers the only true end-to-end insider fraud solution:
Based on real-time sniffing of your corporate network, providing immediate alerts on suspicious activity.
Captures and analyzes all user activity including user queries. The result: Intellinx detects fraudsters who
are preparing to commit or have already committed illegal activity.

2. Intellinx uniquely combines real-time data from the network with other data sources, to
create superior visibility into user activity. The data captured through network sniffing
includes user queries and incomplete transactions not typically found in log files.

3. The Intellinx analytic engine profiles genuine human behavior in order to detect
anomalies. Data from various channels, including both internal and external (customers)
activity, is correlated in order to detect collusion.


Five Facts about the Intellinx Enterprise
Fraud Solution
4. Intellinx prevents employee fraud and data theft by improving policy compliance:
Holding each employee accountable for his/her actions, through continuous monitoring with full
audit trail of every activity.
Creating deterrence by detecting and responding to suspicious behavior in real-time.

5. Intellinx saves time by minimizing false positive alerts through:
Analysis based on comprehensive data, reflecting true user activity.
A highly flexible scoring mechanism that weighs various behavior indicators for each entity (account,
employee, customer, etc.), to produce accurate alerts.


Your Reputation is a
Critical Asset
It takes 20 years to build a
reputation and five minutes
to ruin it. If you think about
that, you'll do things
differently
Warren Buffet

25

Thank you

Combating Internal Fraud - 5 Points You Should Think About

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Destacado

Destacado (18)

Similar a Combating Internal Fraud - 5 Points You Should Think About

Similar a Combating Internal Fraud - 5 Points You Should Think About (20)

Último

Último (20)

Combating Internal Fraud - 5 Points You Should Think About