One of the key issues on the agenda during International Fraud Awareness Week (IFAW) is insider fraud, more specifically insider fraud at financial institutions. One of the emerging experts in this space is Sarah Miller, whose work as an insider threat researcher for the CERT Division of the Software Engineering Institute, based at Carnegie Mellon University, includes the December 2021 report “Spotlight on Insider Fraud in the Financial Services Industry”. The report draws on more than 1,600 analyzed insider threat incidents, and the result is a detailed body of evidence showing that 25% of all reported insider threat cases come from the financial services industry. We connected with her for a special IFAW Q&A.
Q: We’ve done a lot of research as a company and a lot of case work, but your report on insider fraud and banks was among the most impressive work that we’ve seen. So how did this all come about? How did you pick insider fraud? And how did you pick banks?
Miller: When I was working at Carnegie Mellon University, I was the steward of the National Insider Threat Center (NITC) insider threat incident corpus, which is a long way of saying that the NITC collects data on insider threat incidents at the US federal level for analysis and eventually to produce reports like the one I was involved in. At the center, I was responsible for making sure that we added good information and that we were analyzing it actively. My work also built on the excellent foundation of research from Randy Trzeciak, Dawn Cappelli and Andy Moore. It’s important to mention them here because they built the NITC.
Q: What did you find that was unique about banks and insider fraud?
Miller: A couple of things. One of those is the intermingling of the incidents. We see cases of stolen identity refund fraud schemes, which can involve a number of types of individuals and organizations. In some cases, multiple banks were involved, and the scheme included a group of between 10 and 30 different people, all working to steal information and money from banks. Then they essentially launder it through check cashing facilities and other methods. You can see just how interconnected these banks are and that these employees have connections to one another, even if they're working in different organizations.
Q: Was there a persona that surprised you about the insider fraud profiles?
Miller: First, let me say that there is no one profile. That’s one of the things that’s unique here. It fascinated me that we saw employees that aren't just tenured but also in some sort of management position. And obviously with those positions of authority comes certain privileges and a level of trust. There was a case I read about recently, just in my own research, where somebody at a credit union intentionally implemented a faulty bank secrecy program so that they could engage in money laundering. And I've seen other cases where an executive intentionally misled their direct reports to manipulate a situation or further a scheme. That’s not something commonly seen in other sectors.
Q: Let's say I'm the CEO or even the Chief Human Resources Officer at a financial services company. We don't want to create a culture of fear. But we do want to create a culture of safety. How does that get communicated? Have you seen anybody do it well? Have you seen anybody do it poorly?
Miller: Have I seen anyone do it poorly? That's a little easier to answer. I've heard of cases where people name and shame departing employees that maybe didn't follow all of the policies, rules and regulations. That can be very scary to a workforce. But you can’t go wrong when insider security is part of the conversation that you have with employees. It's not just something that happens during National Insider Threat Awareness Month, or National Cybersecurity Month. I've seen organizations do it well by rewarding employees with actual awards and certificates, and by celebrating people that do a good job of completing their training, identifying phishing emails or participating in security awareness events.
Q: So the collusion number in your report absolutely blew us away (31% of all insider fraud is due to collusion among one or more employees). Did it surprise you? And did you have a sense as to whether or not it's collusion internally or with an outside actor?
Miller: I've been interested in that because, at one level, insider fraud can be such a simple process of “I take the money out of the till and go about my day.” But if you don't want to be caught, it requires a lot of healthy resources that an employee might not have access to. And I would say again, something else that makes finance so interesting is that it's not just working with peers, it's working with those outside actors, including other financial institutions. What's scary is that it's not just other insiders, especially with those stolen identity refund fraud schemes, which can be hard to detect. Organizations might not find out about it until law enforcement comes knocking.
Q: The report ends with 21 best practices for fighting insider fraud. Are there a couple of things from that paper that you think are particularly relevant now?
Miller: The new one that I advocated for is learning from past insider incidents. And I would say the overarching message of that paper and some of the best practices is that you don't have to reinvent the wheel. There are others in the community of insider fraud practitioners and investigators who have learned from past incidents, want to help each other, and want to share and collaborate, and you can connect with them. I would encourage people to seek those colleagues out. Insider threat detection is a relatively small community within security, which is already a small community. There are other people in organizations that you have already done business with that have already done the hard work of identifying what your critical assets are. You don't have to start from scratch. There are people within and outside of your organization that want to help you do a better job of preventing insider fraud.
Nick Griffin, global go-to-market manager for CFRM, has worked in the FinTech space for over a decade, with experience in B2B payments and fraud and financial crime prevention. In his current role, he drives the global go-to-market strategy for Bottomline’s Fraud and Financial Crime business.