Insider Fraud: The 'Low, Slow' Approach
New Study Sheds Light on Fraudsters, Methods
When managers in financial services organizations commit fraud, their schemes tend to cost organizations twice as much as when non-managers instigate these crimes. That's one key finding of a new insider fraud study.
Managers' schemes also tend to last twice as long as those perpetrated by non-managers, says Randy Trzeciak, technical lead of Carnegie Mellon University's CERT Insider Threat Research Team. Trzeciak's team just conducted the Insider Threat Study: Illicit Cyber Activity Involving Fraud in the U.S. Financial Services Sector, with funding and assistance from the U.S. Department of Homeland Security and the U.S. Secret Service.
Among the study's findings: These crimes tend to be low-tech incidents relying on knowledge and access, not cyber tools. And fraud schemes often go undetected for up to 32 months.
The fraudsters also tend to be veteran employees - often managers - who are in the organization for up to five years before they begin committing their crimes.
"So, these were trusted employees within the organization," Trzeciak says in an interview with Information Security Media Group's Tom Field [transcript below]. "Obviously, some of those employees knew what the fraud controls were in place, and that may have facilitated their ability to carry out the crime for such a long period of time."
On average, when a financial services manager commits fraud, the amount of damage totals about $200,000 - twice the $100,000 in damages committed by non-managers. And managers tend to commit fraud over 33 months or more, versus 18 months by non-managers, Trzeciak says.
One commonality between managers and non-managers: They tend to initiate their crimes to relieve financial stress in their lives. But then the fraud often continues even after that stress is eased. "So just because they used the motivation of, 'I'm going to solve a financial problem,' many of them did tend to continue the activity beyond the particular motivation of solving that short-term financial problem," Trzeciak says.
In the interview on this latest insider fraud research, Trzeciak discusses:
- The most common types of crimes committed;
- The characteristics of the fraudsters;
- How to detect and prevent these crimes.
At CERT's Insider Threat Research Team, Trzeciak heads a group focusing on insider threat research; threat analysis and modeling; assessments; and training. He has more than 20 years' experience in software engineering; database design, development, and maintenance; project management; and information security. He also is an adjunct professor at Carnegie Mellon's Heinz College, Graduate School of Information Systems and Management.
Insider Threat Study
TOM FIELD: To start out with, tell us a little bit of the genesis of this new financial services study, please. What was your mission and how did you go about accomplishing this project?
RANDY TRZECIAK: The report that we recently released was a year-long study that was funded by the Department of Homeland Security Science and Technology Directorate and what they wanted us to do was to work with the United States Secret Service to allow us to analyze cases that they've investigated to see if there are any patterns of behavior. Really what we were trying to do was to look for if there are any types of indicators that would give some highlights to organizations to help them to develop some insights or some of the risk indicators. Really the goal is to help private industry, government and law enforcement really to look at insider incidents to help from a prevention standpoint, a detection standpoint and a response standpoint.
We did get a great deal of support from the Secret Service. They provided us data on 80 incidents they had investigated. Those particular crimes that they investigated occurred from the years of 2005 through the present, and really it was looking at fraud in the financial services sector. The majority of the cases did include banks and financial institution industries, but also did include other types of organizations that had a financing department, such as automobile dealerships or builders, employee benefit providers, staffing, engineering, home improvement and transportation. We were really trying to look at are there patterns of behavior, both in terms of technical patterns that organizations could observe but also some of the non-technical patterns that may be apparent from an organization's standpoint, to look for those particular ways to identify the insights and indicators to help people try to address insider threats in their organizations.
FIELD: These findings could be relevant to an organization that's not in financial services.
TRZECIAK: Yeah, it certainly can. Any type of organization that has a financial component; it was most of the cases that they have investigated, but when we look at fraud from an insider-threat perspective, the Insider Threat Center describes fraud as insiders who add or modify or delete data in a critical system. That particular motivation is someone is paid to do that or there's a personal benefit to the individual. If you think about other types of sectors that could have some type of insider fraud committed, think about organizations that maintain data on customers or their employees. We've had a number of cases that occurred where false identity documents were generated. Someone was paid to generate false identity documents in government-type organizations.
But also think about it from a standpoint if a particular employee could alter customer data to include things such as credit scores or some type of financial, or for example a driver's license or the criminal histories of employees. Really we believe that most organizations are at least at some risk because they do maintain information about customers or employees, and those particular employees could be targeted to be paid for or to obtain some personal benefit from altering data in those critical systems.
FIELD: I've had a chance to go through the report and really found it fascinating. What would you emerge from it with key findings? What stood out to you?
TRZECIAK: We strongly suggest that everyone go to the report. There were six findings and you could certainly go through those. Finding one, which we found interesting, was the low-and-slow approach to criminals who committed these crimes. Typically we found that these crimes tended to go on for a long period of time, that there tended to be lower amounts that were committed for each fraud event, but as they go on for a longer period of time, obviously impact to the organization financially tended to be very large. That was interesting in terms of the low-and-slow approach.
Now some of the things we were hypothesizing on why the low-and-slow approach was taken was obviously organizations have fraud controls in place and they have thresholds and limits that they're looking for to identify potential suspicious transactions. One of the things that we believe, and it's outlined in one of the future findings, is that employees, including the managers as well as the non-managers, knew about what those thresholds were and were intentionally going below the thresholds to avoid detection from the suspicious transactions.
Finding one was interesting from a low-and-slow approach, but if we dig just a bit deeper into that finding, what we found interesting was the amount of time that people were in a position before they started committing their fraud. We have a chart in the report that gives the statistics of, on average, across these 80 cases. From the time the employer was hired in the organization to the time they began their fraud, it was over five years of a period of employment before they started committing their fraud. So it's a significant amount of time, almost 62 months from the time they started with the organization until the time that they started their fraud. At least in these cases, it wasn't people coming in and starting fraud very close to their hiring for the organization. These were trusted employees in the organizations and obviously those employees knew what some of the fraud controls were in place, and that may have facilitated the ability to carry out their crime for that such a long period of time.
Another step that we found interesting was the amount of time from when the fraud started until it was detected by the organization. On average, it was about 32 months, over two and a half years, from the time the fraud started until the time that it was detected. Now if we want to be positive and look at the glass half-full, obviously that's a lot of opportunity for detection, but this low-and-slow approach did go on for a significant amount of time before it was detected by the organization.
Then finally, one other key point related to finding one was when the organization did detect it, if we take a look at the time from detection of the fraud to the time that law enforcement was notified, we found that it was almost five months from the time it was detected until the time that law enforcement was called in. Those were three interesting stats that we pulled out of finding one, which is this low-and-slow approach.
Other findings we could go into more detail as well. Finding two was that the crime typically was not very technical. These people had authorized access to the systems and to the data in the systems and they used the authorized access to commit the crime. They did not need to escalate privileges or they didn't need to use a very technical means to carry out their crimes, so it tended to be not very technical in terms of how they committed their crime. Those were two key findings. I certainly don't want to minimize the others of the six that we outlined in the report, but those were things that were interesting that we found in terms of interesting information that we pulled out of these 80 cases.
Financial Services Insider Fraud
FIELD: I know you've investigated scores of cases over a number of years. What do you find to be unique about insider fraud and financial services?
TRZECIAK: That's an interesting question. We've been doing research into insider threats for going on 12 years now. We've collected over 800 incidents and we've broken those down into patterns of behavior. One of the patterns is fraud. Typically those folks are motivated by financial gain or some personal benefit. Those people typically have authorized access to critical systems, and they add or modify or delete data in the systems. This typically is the pattern which is pretty consistent.
Now what we found different about these particular cases was before we started this study we described people who committed fraud by insiders as typically lower level employees, non-manager employees, and they're paid to modify, delete or affect data in critical systems. Now what we did find interesting about these cases was the significant number of managers that were involved in these crimes, people in positions of trust, such as the vice presidents or bank officers or supervisors. Over 50 percent of these recent cases we found that managers were involved in the commission of the crime. Now that was different from the other fraud cases that we investigated which did include cases outside of the banking and finance sector. That was one of the interesting findings in terms of managers being involved in these fraud cases in the financial services sector cases.
Managers vs. Non-Managers
FIELD: There's something I wanted to ask you about because I noticed in the report that you differentiate between managers who commit fraud and non-managers. What can you tell us about some of the common characteristics of managers for instance?
TRZECIAK: That's a great question in terms of differences between managers and non-managers. What we found interesting was if we focused strictly on the impact, managers tend to cause more damage, almost twice as much damage in terms of the financial impact to the organization. We do quote in the report the amount of damage on average, about $200,000 of fraud incidents committed by a manager, slightly over $100,000 by the non-managers. The impact obviously is greater from a manager perspective.
Also, the duration; we talk about the low-and-slow approach. The managers on average tend to carry out their fraud for over 33 months, whereas the non-managers it's about 18 months, so about double the amount of time managers were able to carry out their fraud.
There are a couple of other interesting points that differentiate the people who commit fraud who are managers. The managers tended to have subordinates contribute, many times unknowingly, to the fraud activity. They basically had people involved in the fraud without them knowing it. One example that we had was a vice president at a particular bank. Basically, what he was doing was committing fraud and the way he was able to get away with that was to change the address of one of the accounts for one of the particular customers, and what he was able to convince one of the subordinates to do was to give him the statements that were to be delivered via U.S. mail. He convinced them to hand deliver them or that he was going to hand deliver those. He convinced the subordinates - with the change of address - to give him the statements and he promised to deliver those for the sake of giving better customer service and more personalized attention to customers. So it's not that subordinates were always knowingly involved, but many times the particular managers unwittingly or unknowingly included other folks into that particular fraud activity.
Managers and non-managers typically both were motivated by some type of financial gain, and similarities between the two were that many of the times it was to try to resolve some type of financial or personal problem. There was some type of financial stressor that was impacting these individuals. Now what was interesting between these particular cases of managers and non-managers was once the financial situation was resolved from a perception standpoint, they tended to continue the activity. So just because they used the motivation of, "I'm going to solve a financial problem," many of them did tend to continue the activity beyond the particular motivation of solving that short-term financial problem.
What was interesting also was that as we investigated these cases, a number of individuals did not commit the fraud with the motivation of buying a second house, a dream house or a luxury item. It was interesting the number of these individuals that tended to use the money just to solve day-to-day financial problems. We had a number of folks who were just paying bills or paying debt, or loaning money to someone else who had a medical problem or some other financial situation. The vast majority of these individuals did not have a wealth of money when detected or large luxury items that they used the money for. There are some similarities between managers and non-managers, but also some differences as well.
FIELD: How do you find that organizations can do a better job detecting these types of crimes before they do cause significant damage?
TRZECIAK: One of the things that we do in this report is we give seven recommendations, things that organizations can do to prevent or detect these particular crimes. One of the recommendations that we have outlined here was organizations need to continue to vet employees to determine trust when employees come into an organization. Many times organizations do criminal or civil background checks. They do things such as credit histories that would identify things such as previous bankruptcies.
Obviously that does need to continue, but if we use the statistic that says that people are employed for, on average, five years before they start the fraud, we're certainly recommending that organizations consider the reinvestigation of employees from the time they start throughout their career with an organization. You might have a chance of identifying people who might have some of those financial issues or financial stressors if you do continual reinvestigations from the time people are hired until the time that they leave an organization. That would be certainly one of the things that we would suggest from a recommendation standpoint.
Another recommendation we have is considering the online activity and monitoring of online activity. Certainly that needs to continue and many organizations do use monitoring software. One of the suggestions we might have is that organizations should consider things that would be more of the impromptu auditing of transactions, or if they're able to alter the limits of what those thresholds are for suspicious activity. If employees know what you're looking for, they might take steps to avoid detection by those fraud controls. So if organizations have the ability to increase or decrease what they're looking for, what they consider suspicious transactions, you might have a better chance of identifying what potentially could be a suspicious transaction that should be investigated. But consistent online monitoring is something that needs to be done. But if we have the ability to increase or decrease, or to make some of the routine audits not as routine, maybe have some sporadic or some non-routine audits, because, again, if employees know what you're looking for, they might take steps to be able to avoid detection.
FIELD: And don't let your managers make house calls?
TRZECIAK: Possibly, yes. And that was one case where a manager did make a house call. Again, trust but verify is the consistent message that we have at CERT. Certainly trust your employees absolutely, but verify what they're doing with data and with systems, and there needs to be a constant or continual investigation of what could potentially be suspicious activity.
FIELD: Where can people learn more? Where can they get a copy of the report?
TRZECIAK: They can certainly go to our website to get more information about the report. Go to www.cert.org/insider_threat. That's our insider threat main page. On that page we have a wealth of information about all of our years of research, but specifically related to this report on the website we have a long, detailed version of the report that's 80 pages and goes into all the findings, all the stats and all the information about what the report found and information about the report.
In addition to that, there's a short version, an executive summary version. It's a shorter number of pages, about 20 pages, but it does go through the detailed information. The long report is titled Insider Threat Study: Illicit Cyber Activity Involving Fraud in the U.S. Financial Services Sector. The short report is Insider Fraud in Financial Services. That's the executive summary, 20-page version.
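The two detection points raised in the interview, that a fixed per-transaction review threshold known to staff is easy to stay under for years, and that cumulative aggregation and less predictable review limits give the organization a better chance, can be shown concretely. The following is an added example written for this page; it is not code from the CERT report, the Secret Service, or the interview. It assumes a simplified ledger of employee-initiated account adjustments as (employee_id, day_index, amount) tuples, a constructed fixed review threshold of $10,000, and constructed sample data in which one employee makes many adjustments just under that limit over a year while another makes occasional small ones.

```python
"""Fixed-threshold vs. cumulative and jittered review of employee adjustments.

Added example for the interview above; the ledger format, the $10,000 review
threshold, the 90-day window, the $50,000 cumulative limit and the two
employees are all constructed assumptions, not figures from the report.
"""
from collections import defaultdict
import random

# Assumed per-transaction review threshold that staff could learn about.
FIXED_THRESHOLD = 10_000.0

# Constructed ledger: "E1" adjusts $9,800 every 10 days for a year (36 events),
# always under the fixed threshold; "E2" makes eight small, routine adjustments.
SAMPLE_TXNS = [("E1", day, 9_800.0) for day in range(0, 360, 10)]
SAMPLE_TXNS += [("E2", day, 1_200.0) for day in range(0, 360, 45)]


def per_transaction_alerts(txns, threshold=FIXED_THRESHOLD):
    """Classic control: flag any single transaction at or above the threshold.
    An insider who knows the threshold can stay just under it indefinitely,
    so on the sample data this returns nothing."""
    return [t for t in txns if t[2] >= threshold]


def rolling_window_alerts(txns, window_days=90, cumulative_limit=50_000.0):
    """Aggregate each employee's adjustments over a sliding window of
    window_days so that many sub-threshold events still trip a cumulative
    limit. Returns {employee_id: day on which the limit was first exceeded}."""
    by_emp = defaultdict(list)
    for emp, day, amount in txns:
        by_emp[emp].append((day, amount))
    alerts = {}
    for emp, events in by_emp.items():
        events.sort()
        start = 0          # index of the oldest event still inside the window
        running = 0.0      # sum of amounts inside the window
        for day, amount in events:
            running += amount
            # Drop events that have fallen out of the window ending today.
            while events[start][0] < day - window_days + 1:
                running -= events[start][1]
                start += 1
            if running >= cumulative_limit:
                alerts[emp] = day
                break
    return alerts


def jittered_threshold_alerts(txns, base=FIXED_THRESHOLD, jitter=0.3, seed=42):
    """Vary the review threshold per day within [base*(1-jitter), base] using
    a seeded PRNG, so 'just under the published limit' is no longer a safe
    amount. Returns the list of flagged (employee_id, day, amount) tuples."""
    rng = random.Random(seed)
    day_threshold = {}
    flagged = []
    for emp, day, amount in sorted(txns, key=lambda t: t[1]):
        if day not in day_threshold:
            day_threshold[day] = base * (1 - jitter * rng.random())
        if amount >= day_threshold[day]:
            flagged.append((emp, day, amount))
    return flagged


if __name__ == "__main__":
    print("fixed threshold alerts:", per_transaction_alerts(SAMPLE_TXNS))
    print("rolling 90-day alerts:", rolling_window_alerts(SAMPLE_TXNS))
    print("jittered threshold alerts:", len(jittered_threshold_alerts(SAMPLE_TXNS)))
```

On the constructed data the fixed control never fires, the 90-day cumulative control fires for E1 on day 50 (six adjustments totalling $58,800), and the day-jittered threshold flags a subset of E1's adjustments and none of E2's. The seeded PRNG is only there to keep the run reproducible; in a real control the per-period limits would be drawn from a source that staff cannot predict, and the rolling window would be sized against the multi-year durations the report describes rather than 90 days.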