
Mastercard’s Take on Embedded Finance: Consumerization of B2B Payments

The Payments Podcast from Bottomline. 

Episode Transcript

Welcome to The Payments Podcast. I'm your host, Bottomline managing editor, Owen McDonald. The industry recently observed National Insider Threat Awareness Month (#NITAM), and we are now on the cusp of International Fraud Awareness Week (#FraudWeek). Why the intense focus?

Because financial fraud demands constant vigilance. The fact is that insider fraud is causing great havoc, so we had no choice. We called in the CIA, sort of. We are truly excited to have with us Erin O'Loughlin, senior director of training at the Association of Certified Financial Crime Specialists. Erin spent ten years in CIA ops, and she understands cybercrime like a profiler. We couldn't ask for a better fraud expert. Erin O'Loughlin, welcome to The Payments Podcast.

Erin O'Loughlin: Thank you so much for letting me be here.

Owen McDonald: We're so glad you could be. It's a real treat to have someone with your background on the show, Erin. Trained by the CIA, a frontline operative. I can only imagine and watch a lot of Netflix to sort of put myself there. But seriously, Erin, what parts of your training and experience translate directly to insider threat detection in banks and financial institutions?

How has national intelligence training shaped your approach to financial fraud and risk?

Erin O'Loughlin: That's a really good question, so I appreciate that one. I can't fully say how the agency teaches us because, again, that's sources and methods, so I can't give you all the secret sauce. However, I can point your listeners to Hollywood. There are plenty of movies that do have hints, and about 10% of what we really did and what those operatives still do, which is being tuned in to the sources and the people they're working with.

It's an easy transfer to any company or any industry even to know how to be tuned into your employees and your coworkers. Basically, doing what your parents taught you if you were raised in the type of home that they said pay attention, or look people in the eye, or compliment them on what they're wearing, those sorts of things to be nice in civil society. That's basically kind of what it was, and I know I've come forth saying it's kind of boring, but it's a lot of basic realizing of other human behaviors.

So, picking up on out-of-the-ordinary wealth someone's displaying or being in tune with a coworker's stress levels, have they been acting withdrawn? Are they displaying outbursts of anger? Are they calling out sick a lot? Do they have a new love interest? Who is this love interest? Why? Recent divorce, recent split up, lots of different things can happen in a person or a coworker or employee's life that you could know - just to say, ‘hey, happy marriage’, or ‘happy new time in your life’ - to experience that with them.

It also helps to say, oh, something's not right and out of the ordinary. And when I say your listeners can point to Hollywood, one actual movie does come to mind! It's Avengers. No. I'm not saying that I learned how to be like Black Widow and do all the physical things that she could. Obviously not. 

But there's a scene where she's talking to Loki, where he's caught, and she asks him certain pinpointed questions, and he does not give himself away, but she instantly figured out what he was going after, what he wanted, what his motivation was. She turned around, said ‘thanks a lot’, and she walks out. She used tradecraft to be able to get what she needed from that, and she picked up on his cues and what he didn't say. So that actually reminded me a lot of what you just asked about.

Owen McDonald: I love that. I love that. But then, you know, you just raised a couple of interesting points. It's fair to wonder who actually counts as an insider threat today. Certainly, it includes employees, but what about contractors?

What about vendors, privileged users, all of the above? And how has the risk surface changed with remote work and all of the third-party access I just mentioned? In fairness to you, that's two questions, but go ahead, Erin.

Erin O'Loughlin: I'll give it to you. Alright. So, let's talk about that. Who actually counts as an insider? And that's a whole array, a group of people that wasn't there before, right? ‘Before’ meaning, what, 20, 30, 40 years ago. An insider is anyone nowadays that has trusted access to our systems or data - that is employees (just what you mentioned), full-time employees, contractors, temps, interns even.

I was a summer intern at the agency when I was in college. So that meant I had a secret clearance. So, I worked every summer and every Christmas where I picked up phones, answered phones for them. I ran papers all around, stuff like that, just getting used to things. Well, I had access to and saw people's faces. I may have known their names, but I had a trust. They put a trust in me at a very young age. There's also vendors. Oh, gosh. Vendors are a big one here on this one, and third-party vendors.

So ‘remote work’, that's the second part of the question that you asked. It means the ‘inside’ now lives on home networks and partner environments. And while I'm not literally a huge tech expert, I’m more of a people expert, but the tech part of it fascinates me because I know enough just to be dangerous and say, ‘hey, you guys should get more information or education over there.’ Remote work does mean that the inside now lives on home networks and partner environments, and they're with wider, often more persistent privileges.

What does privileges mean? Meaning, accesses to databases. Do you still have them two years later, after you don't need them? Because you've been working at home, maybe your IT department didn't know to take you off those privileges. 

Most incidents aren't malicious ‘mole’ stories, meaning they actually went out to the Russians to try to give information to them and work clandestinely. Now those incidents are not what we mostly see, especially when it's insider risk. They are compromised or careless accounts.

So, they sometimes belong to a vendor [where] careless access for a vendor can become an attacker's foothold. Meaning, if there is a person who's no longer at your company, but there's access, or a common vulnerability exploit is still there. Or access is there through their email, and an attacker gets into their email, they can get in through your database, and they're in your company. Just simply because the IT department didn't know enough. I'm not saying they're negligent. It's just that it happens. They didn't realize this person left because it's remote work, that sort of thing.

Owen McDonald: And a moment ago, you said something interesting that you are more on the people side of it. And so, tell us about early warning indicators that matter most, Erin, of all varieties. You have behavioral signals like the ones you were just sort of alluding to, unusual access patterns and things like that, database signals like suspicious change requests. How do you separate real signals from noise without over-surveilling staff?

Erin O'Loughlin: That's a really good one. So, I would honestly start with access anomalies. What does that mean? That means the privilege uses that are maybe outside of the scope of a role. The off-hours that you access these databases/these privileges, that's also a good one to look at.

You've got repeated multifactor authentication push denials for a particular access. That's going to be more than likely your first look and your first clue as to what's going on here. Who is this privilege tied to? Whose account is this? And you're going to start looking at the account. Who's the person? Okay. What's going on with this person? And you kind of start going down that rabbit hole. Why are they doing the things they're doing?

In financial institutions, you have ‘know your customer’ (KYC), right? When you're looking at what is normal for your customer, why the spikes or withdrawals, and cash or transactions or wires coming in and out.

- You're kind of doing the same thing with your own employees, but you're looking at their usage of their accesses to your servers. Right? Doing the same thing, but almost in reverse. You're going to look at data movement spikes, meaning how many downloads there have been of certain bits of information, records that they've accessed, all those different things.
- And then change signals, meaning other sudden privilege escalations happening to certain databases and why.
- And then you're going to separate the signal from the noise. You're going to baseline your peer group and your system. Meaning, why is this person or these groups of people getting these certain accesses? And to keep it privacy-safe, you need to collect the minimum of what's happening, and then escalate to your management to say, are we looking at the rules the correct way? Then do we need to limit retention? And when do we put HR and legal oversight into the loop on this? And that's going to be the policies and procedures of your firm. That's kind of the early indicators.

Again, if you are finding more information based on all these three things that you're doing, then you need to look at the person as a whole. What do we know about them? 

Or maybe there are groups of people, a group of people. Maybe there is a certain branch, say, for the financial institution side of it. Is this all coming from one branch? Are there four people that are getting access to these things? Is there one? 

So, you have got to ask those questions so that you make sure that you're not over-surveilling. You need to find those types of evidence that are inside your firm first. Access is going to be your biggest key.

Owen McDonald: Wow. So, it's very telling. It seems that training is a prime lever for banks and FIs here. If that is so, Erin, what does effective role-specific training look like for frontline operations, for tech roles, for payments managers? What makes cybersecurity training stick?

For example, when we spoke recently, you mentioned, and I quote, scenarios, simulations, and just in time nudges. What do you mean by that, and how do you measure its impact?

Erin O'Loughlin: That's a multifaceted question. So, I'm gonna start with the role-specific that you talked about, and then I'll do the sticking point, right? 

So, with the role-specific, you want to go frontline first. Well, obviously - they're your frontline, right? They're your operations officers. You have got to teach them the red flags and how to recognize those red flags and when to escalate. 

And how would they know that without training? Are you going to escalate just the suspicious activity in the cash transactions you're looking at for the customers outside of your bank? And how would people know? And how would, say, managers or your IT folks know how to escalate red flag recognition when you're looking at your own people? So, that's all about training in frontline to say, ‘my job is X - I am being trained on X’, and not ‘my job is X - I'm being trained on A through F’. So, making sure that it's to the role of which you're in. 

And for managers, in terms of insider threat risk particularly, I would honestly suggest running leadership courses. They can help instill a better understanding of a manager's team, and these leadership courses can be virtual or in person. I would suggest both. If you are a virtual company, at least try to get together a couple times a year. Again, that's a fiscal question. But if you are a virtual company, these meetings that you have and these types of courses that you can put together, make sure the cameras are on so you can see people's faces and [see] if they're in distress, if they're having a hard time, or if they're happy, which is great.

You want to see your people happy. Right? And you're having these courses, and you can get a better understanding of where they are in their personal life, how they're feeling, if there's anything you could do to help them from a human level. 

When you ask, when you're helping them from a human level, you're also helping your firm to maybe, on a very tangential level, maybe preventing an insider threat or risk because you've actually taken the time to care about someone.

That goes a long way. Big, big time - a long way a lot of times, especially in the espionage world.

Erin O'Loughlin: There are several reasons why someone would sell secrets - either trade secrets from a company or secrets of your government. And most of that is money. You want financial [gain]. It might be revenge because you're unhappy or you missed that particular promotion and can't believe that that man/woman did that to me.

They are angry, or there's a vulnerability inside their families, or they just want to be seen and recognized, heard, and have a friend in that. Oh, they get money on the side too… what does that hurt? There's lots of different reasons why you should be able to have a virtual or real touch point with your employees and to make it stick. That's another thing you mentioned.

The scenarios and the simulations, tabletop exercises, especially for the IT experts and the IT departments. There are groups called pen testers, penetration testers, and they fascinate me because they actually try to break the systems. And that is so cool to me. As a non-tech person, I actually sat at Western Union in the San Francisco office with almost all the pen testers, in the digital spaces, and I learned. I just tried to sit there and listen to them. They were saying things like, I'm gonna break this, or how did you move this?

And there's so many tech words that I didn't understand, but I kept asking, but what are you actually saying? And they said, oh, we're just trying to break the system to figure out how to protect it. If you're a pen tester, you're breaking things and you're conducting a war game all day every day. So, tabletop exercises for folks both in leadership courses, you can have tabletop exercises.

You can do a choose-your-own-incident drill. Like, a lot of what the IT folks do, they'll have drills tied to your systems to say, what if this happens? What if that happens? Then you'll have a playbook on how to actually work to prevent it if it actually does happen in real life.

And the just-in-time nudges, those are tool prompts when someone shares wide or grants long-lived access or downloads at volume. Meaning, it's kind of like, ‘hey, are you using this anymore? Are you using that anymore? You've had access to this for a while.’ Let's figure out what's going on here. Sort of a nudge on that one.

And then refresh. You can either do these in micro drills, say, monthly or weekly, depending on what you need to do. It all is tailored to your firm, to your role, to the policies and procedures of your particular company, and not annual marathons, but maybe that's what your company needs. You need an annual quote ‘marathon’ to refresh your training on this, but more than likely, you're going to need more than that.

It's probably the monthly micro drills or, you know, quarterly trainings, to see, ‘hey, I got to remember, insider threat is real. And my colleague next to me, the frontline teller, is really acting weird, and I don't understand. I just think maybe they're going through a lot. Oh, I just realized they're having such financial distress because of a gambling addiction. Oh my gosh. How do I help them as a human?’ You could also be helping them, in the firm, and helping them to avoid possible jail time for being arrested for insider fraud, embezzlement, that sort of thing.

So, it goes a long way in baselining and recognizing your colleagues, having your managers recognizing and seeing, and truly understanding, and knowing their employees, and all of the tech footprints that are left inside a firm to be able to read those, bring them up. Do that first, and then say, okay, gosh, we've really fallen behind on noticing and knowing what our people are going through because we can see it here. It's laid out.

Owen McDonald: ‘If you see something, say something’ is ringing in my head. Last question, and this is a hypothetical. If a mid-size bank wants to reduce insider risk in the next 30 days, Erin, what are the top three actions you'd advise them to take?

Erin O'Loughlin: Well, you actually took the words out of my mouth. See something, say something. That was, that's actually running in my head now, or speak up fast. You know, you could run a campaign of that. Say, we're going to do a 30 day campaign of see something, say something, speak up fast, culture of compliance - that's another thing you can throw out there for these catchy terms for your employees to understand. 

You can have manager scripts daily to have managers train their employees to say, ‘hey, this happened. We need to understand how it happened and not make it happen again.’ It's a campaign, as you can call it one.

You can have different things, more phishing tests from the IT department to the employees to say, as a reminder, and test them and see if they keep clicking on things depending on the situation.

You can tailor these 30-day campaigns to whatever the situation was, or you want to make it broader and say, this incident happened [so] we need to train them on all incidents. It's up to you. 

You can also, again, I talked earlier about the standing privileges of certain databases, again, do that baseline, quick. As you're trying to patch the vulnerability and realize the attack or realize the person you just caught did do certain things and took money and embezzled and were arrested. Anything that you've got, you've got your team that acts against that to say, hey, we have to react to this. Then you should also have a group of people who go, great.

Start from beginning. What's the baseline? What do we know? How do we continue to teach our folks that this should not happen in the future? And those are the biggest things I can think of.

Owen McDonald: Okay. Ponemon Institute found that insider fraud alone will cost companies $17,400,000 on average in 2025, but that figure drops dramatically if fraud is discovered within the first 30 days. To sum up, payments need better protection. As we learned from our amazing guest, Erin O'Loughlin, senior director of training at the Association of Certified Financial Crime Specialists. To our audience, the smartest people in B2B payments, thanks for listening.

Hit subscribe. Catch us again on your favorite podcast platforms, including Apple, Spotify, Blubrry, iHeartRadio, and YouTube. Bye for now. 