July 23, 2007
In Martin Scorsese's hit movie "The Departed," actor Matt Damon plays the part of a mole -- someone who helps his connected mob friends stay a step ahead of the cops by becoming one of the very law enforcement officials assigned to stop them.
A new report published by anti-fraud software maker Actimize on July 23 says a similar ruse is being carried out inside the walls of enterprise financial businesses, with the same employees and IT workers whose responsibility is handling and protecting sensitive information being trained and recruited by organized criminals to steal it.
Based on the New York-based company's research, drawn from interviews with 40 large financial services companies in the United States and the United Kingdom, about 50 percent of those surveyed indicated they believe they have employed workers who have either been trained or recruited by outsiders to carry out fraud.
Eighty-five percent of the respondents have been affected by employee fraud in general, and 65 percent see the threat becoming even more serious in the future, the survey found.
More than 50 percent of participating companies admitted their belief believe that only half, or less, of all employee fraud occurring within their organizations is currently being caught.
And while the test group represents a relatively small cross-section of business, it's worth noting that half of the financial services companies interviewed by Actimize claim assets of over $30 billion.
Actimize executives said that there was little doubt among those surveyed that organized criminals are increasingly working inside firms with large volumes of sensitive information to get first-person access to valuable data that can be used by others to carry out fraud.
"People are getting caught and it's clear that they are representatives of organized crime in some way, we had a lot of people telling us unsolicited that they feel that this is actively happening," said Amir Orad, executive vice president of marketing and business development of Actimize. "It's not a fairytale; it's an established method being used by these groups to carry out significant fraud."
Among the factors contributing to the criminal trend are increased access to technology by rank-and-file employees, as well as poor hiring and screening processes within end user firms, according to the report. Data availability and a lack of dedicated resources for fraud detection technologies were other issues identified by respondents as fueling internal attacks.
More than 75 percent of those companies surveyed said that they expect insider fraud schemes to grow even more sophisticated, with 73 percent charting the financial services industry's preparation for such attacks as only "poor" or "somewhat acceptable."
About half of the companies involved in the research said that they have experienced a data theft within the last 12 months, with the cost of the largest such incident within each firm coming in at an average of roughly $875,000 per incident. The largest such incident cited in the Actimize research totaled $6 million in losses.
A lack of automation among the anti-fraud technologies being utilized by the companies is a hallmark of their defeat, Orad said.
"All of these companies have been using data mining for years externally, but less than ten percent told us that they were using it internally to fight fraud, which doesn't make sense," Orad said. "Less than 50 percent said they had any form of automation in place to fight fraud, which tells us, the majority have been using reactive processes or manual reporting to investigate suspected problems, which isn't going to prevent incidents from happening and only addresses the issue after the fact."
Among the types of scams that Actimize was told about by the respondents were instances of self-dealing, skimming, data-theft, embezzlement and collusion.
In the case of one of the most common methods for carrying the schemes out, so-called "identity shielding," through which perpetrators gain access to data using another worker's credentials, only 28 percent of those participating in the survey said they had some manner of stopping or detecting the attacks.
While data-handling regulations such as the Sarbanes-Oxley Act and the Payment Card Industry (PCI) compliance requirement have been proposed by some experts as helping to solve the insider fraud issue, those surveyed by Actimize said that isn't necessarily the case.
An overwhelming 70 percent of respondents said that government regulation or standards regarding employee access to customer accounts and data would actually "hinder" their company's ability to detect or prevent employee fraud.
As with many other types of IT projects, the shortfall in more comprehensive insider fraud protection can be tied largely to a lack of sufficient budgeting for tools such as those his company markets, Orad said.
"We see some visionaries who are making the commitment to buy technology that will help automate the process, and it's a growing group, but it is still a comparatively small minority of all businesses," Orad said. "All of these companies know that they want to keep their names out of the headlines related to fraud, and most recognize that it is a problem they aren't adequately prepared to deal with, but as with a lot of IT issues, the biggest obstacle appears to be a lack of budget."