Protect Your Business from Insider Fraud: Key Strategies
A threat lurks in the shadows of every company and organization. That sounds dramatic, but it’s true. And that threat is insider fraud. It comes in various forms and can be difficult to spot or stop if you’re not on the watch for it and don’t have protections in place. And worse, many people don’t even know what it is. This lack of knowledge makes businesses even more vulnerable to this threat.
See 3 Types of Insider Fraud with Claire Maillet for a complete transcript of the Easy Prey podcast episode.
Claire Maillet is a financial crime prevention expert who has been working in counter-fraud for a decade. Most of her experience has been within financial services; most recently, she has been the director of financial crime operations at a small financial technology (fintech) company. She is also studying for a PhD, and her thesis takes a look at insider fraud. In her spare time, she also hosts the Fraudible podcast and helps universities in the UK support staff and students who stammer.
Claire never intended to work in counter-fraud. In fact, she graduated college with a degree in French and no idea what she wanted to do with it. She didn’t want to teach, do translation, or be an interpreter – she wanted to do something different. Someone in her network referred her to a job at Amazon. They wanted people who spoke multiple languages to work on their fraud investigations team. She didn’t know anything about fraud, but she did need a job. But she also found a passion. Claire found counter-fraud work fascinating, and she’s been working to combat fraud ever since.
What is Insider Fraud?
Insider fraud is a type of fraud that many people don’t know anything about. When people think of fraud, they think of customers or scammers, not people on the inside. Insider fraud is under-researched, and it’s also underestimated, especially within fintech. Existing research focuses on large companies, like banks, or the psychology of the fraudsters. There’s not a lot of in-depth research about how and why businesses are vulnerable. As someone who works in counter-fraud, Claire focuses on raising awareness and sharing what an employer can do to best protect themselves.
Insider fraud is a type of fraud that’s not that well known … it’s under-researched and it’s underestimated.
Claire Maillet
Claire defines “insider fraud” as “fraud that can be perpetrated by anyone against a prospective, current, or previous employer.” That’s a broad definition, and that’s because the types of insider fraud out there are varied. And most people don’t think about committing fraud against future or past employers. Many assume that you can only commit fraud once you’re in. But that’s not true at all.
Insider Fraud Against Prospective Employers
If you lie on your resume or CV to get a better position or better pay, that’s fraud. If you don’t disclose certain information on your resume or CV, that’s fraud. Most people think of it as stretching the truth or a “little white lie,” but it’s actually committing fraud against that potential employer. That gap between the perception of stretching the truth and the reality that you’re defrauding the business can have terrible consequences.
If you lie on your CV or you don’t disclose certain information on your CV or a job application, that is fraud.
Claire Maillet
Employers can protect themselves from this kind of fraud by having vetting measures during interviews and onboarding. Many companies do personality tests to see if a person’s personality and work ethic fit into the company culture. But anyone can answer those with what they think you want to hear, not necessarily what they really think. Testing skills is more useful. Ask to see examples of their work during the process, or have them do a small sample assignment. Anyone can say on their resume that they have skills, but the last thing you want is to waste the time, effort, and money of hiring and training someone to find they don’t really have the skills you need.
There are varying levels of vetting. Some companies Claire has seen just screened applicants against some fraud databases. Others ask for proof of certificates and academic qualifications, references from multiple past employers, and financial evidence that they’re not bankrupt. This more serious vetting can seem like a pain, but Claire prefers it. It shows the company knows insider fraud is a risk and they’re taking steps to protect themselves.
The Benefits of Deterrence
When it comes to vetting potential employees, the more in-depth you go, the safer you will be. At some of the companies Claire has seen with stricter vetting, there’s no guarantee that anyone actually looked at the information. It could have been part of a process that was set up a long time ago and sent to a database that nobody saw. But even the fact that they ask for it is a deterrent.
People often underestimate the value of deterrence. Some online job applications ask applicants to click a box to confirm that the information they provided is up-to-date and accurate. Some ask them to acknowledge they will be screened against fraud databases. People sometimes focus on prevention so much that they forget they can take steps to deter potential fraudsters from committing insider fraud in the first place. There’s a lot to be said for having warnings in writing at every step of the process. If your processes look like you’re screening for potential fraud, most people will think twice before submitting fraudulent information.
People tend to focus so much on the prevention side of things that deterrence gets lost.
Claire Maillet
Insider Fraud Against Current Employers
There’s a misconception that insider fraud can only be done by people in finance teams who have access to money. That’s not the case. Anyone in a company at any level can commit insider fraud. That includes the founder, the CEO, the board, contractors, junior staff, even janitorial or maintenance staff. If you think only finance people can commit it, your risk management will be focused in that one area. It will leave you vulnerable everywhere else.
Anyone within a company can commit insider fraud.
Claire Maillet
It’s not just money people are after now, either. Data is incredibly valuable. In some cases, it’s actually more valuable than just stealing money. Customer data or company data can be sold or used in a variety of ways. Some teams use test accounts to trial new products and processes before they launch to the customer. But even these test environments can be used to siphon off real company money or data.
Embezzlement or stealing data aren’t the only ways current employees can commit insider fraud, either. Falsified time sheets and falsified expense reports are a common type. Often the business has some responsibility in these. If an employee is adding an extra half hour of overtime onto every shift and nobody is taking the time to check when they actually logged in, or if people are submitting receipts with their expense reports but those responsible are signing off without checking them, fraud can easily slip through.
The methods of perpetrating internal fraud are endless because they depend on the company, the product, the controls in place, and the tech being used. These types of small checks on simple issues often feel tedious and unnecessary. But being diligent can help companies catch insider fraud.
Insider Fraud Risk in Work-from-Home Environments
In a world of hybrid and fully remote working environments, there are even more risks for insider fraud. If someone can access a bunch of company or customer data from a laptop at home, they don’t have a boss or coworkers looking over their shoulder. Will anyone really notice if they email some of that data to their personal email? The temptation becomes stronger because they feel like there’s less risk of getting caught.
There is an element of trust [in remote and hybrid work], but trust can be exploited.
Claire Maillet
Hybrid and remote working arrangements also open up the possibility of insider fraud by someone who isn’t the employee. A large proportion of working adults live with someone else, whether that’s a partner, a parent, or a roommate. These people could overhear conversations, walk in on virtual meetings, or see things on a screen over the employee’s shoulder. In an office, when you have to leave your desk, you lock your screen, but many people don’t do the same at home.
Different Companies, Different Risks
Research that looks at larger and older organizations says it’s easier to commit insider fraud in those kinds of companies. The systems are older, and there’s more stuff to hide behind. People in the industry generally understand that as true. But the research Claire is doing suggests the risk of insider fraud is the same in smaller companies, but for different reasons.
In a startup, for example, everybody is working hard to get the company off the ground. They need quick growth and quick customer base expansion. Everyone is chipping in to different teams. If you’re in marketing, in most companies you would only do marketing things. But in a startup, you may also do some customer service, and some HR, and some operations management. Everyone is doing all kinds of work across the company. Once the work is done, these people understand how a large portion of the business works, which means they have a lot more knowledge they could exploit.
Startup culture also has a lot of nepotism. People want to get their friends involved because it’s fun. But that drives the risk of corruption through the roof. There’s the potential to hire people you know over people who can actually do the job. Many people think they’re just trying to make the work better. After all, it’s more fun to work with your friends. But they aren’t thinking about whether or not they’re making the right decision. And they often aren’t thinking about fraud, either. That’s where they go wrong.
Insider Fraud Against Past Employers
Insider fraud against past employers is usually less complex. People who are no longer with a company have less opportunity to commit fraud in general. But it is still possible. In some companies, when employees leave, they are just removed from the HR lists and from payroll. But sometimes their accounts are still available in the internal systems, their access is still active, and they could still log in if they tried.
There have been stories in the news of employees who were fired or laid off and felt disgruntled about it. They then committed insider fraud as revenge. They might be able to do this just with the knowledge that they have. But if they still have access to the company’s systems, the damage can be so much worse. They could steal company data, customer data, or even the company’s money, depending on what they have access to. It isn’t always about financial gain. In many of these cases, it’s a form of revenge because the former employee is angry at the company.
Why Some People Commit Insider Fraud
Research over the past fifty years has shown that people’s motivations for committing fraud vary widely. For insider fraud specifically, research has focused on how the coronavirus pandemic and the cost of living crisis in the UK made even ethical people feel like they had to commit fraud. The motivation there is financial. Family situations change, and people get sick or lose their jobs. They can’t pay the bills, they can’t buy food, and costs are going up. If people suddenly go from a stable home and economic situation to extreme financial pressure, fraud may feel like the only option.
During the pandemic, addictions to alcohol, drugs, and gambling increased dramatically. And addictions need funding. The increase in work-from-home arrangements also increased insider fraud. When there is no boss or coworkers next to you, it feels easier to get away with. There are people who get a thrill from it. There are people who just want to see if they can. And there are those who feel like they haven’t been treated well by their company and they deserve to take what the company isn’t giving them.
It isn’t always because people need the extra money. It could just be because they have the opportunity, they feel like they can, they feel like they deserve it, or just because they are a bit cocky.
Claire Maillet
Why Some Companies Are Leaving Themselves Vulnerable
Many companies don’t have the fraud protection measures they should have in place. One big reason for that is cost. Claire has been in counter-fraud for ten years, and the fight to get executives to care about fraud is exhausting. If you’re on the executive board or you’re senior leadership, your focus is bringing customers in, making money, and expanding the company. Then the counter-fraud team comes in and says you need to put in fraud controls. These will cause friction with customers and are going to be expensive. The immediate response is almost always no, because friction and expense are the exact opposite of your goals.
But as the old saying goes, the only thing more expensive than compliance is non-compliance. If your choice is implementing a fraud prevention system that will cost you $100,000 or losing $500,000 to fraud (not to mention the costs of disciplinary hearings, the lost time and productivity of firing someone and hiring and training someone new, and potential reputation damage), the choice seems pretty obvious. It’s much better to spend the money and put in the controls up front than incur huge costs because you weren’t protected.
We [in counter-fraud] will always be seen as the profit police until something goes horribly wrong.
Claire Maillet
One of the most frustrating things Claire has found about working in counter-fraud is that many companies only take action when something goes wrong. Companies don’t want to invest in fraud prevention because they prioritize getting customers and growing the business. But when things go wrong, they blame the fraud people for not doing their jobs, even though they lacked the necessary tools. We need a culture shift, and it’s not going to be easy. Companies need to get on board with having protection in place in advance.
Steps to Protect an Organization from Insider Fraud
In order to protect a company from insider fraud, owners and managers need to think through the different ways someone could commit it. If possible, hire a penetration testing team to go through every team and try to commit fraud with that access. Every team will have its own risks.
Insider fraud prevention is a company-wide effort. It can’t be done by just one person or one team. There should also be a culture component. Tell everyone in the company that you’re trying to identify all the ways staff could potentially commit fraud, and they should report anything they find. This also works towards deterrence. If your employees know you’re taking it seriously and putting controls in place, they’re less likely to attempt insider fraud.
People are of the understanding that if you don’t have the word “fraud” in your job title, then you don’t need to worry about it. That’s absolute nonsense.
Claire Maillet
The company response to these reports also matters. If someone reports a potential fraud avenue and the response is that it’s not a huge concern or that the company is prioritizing something else, that person will realize that they can easily commit fraud that way. The company has already said they aren’t watching there, so it could be tempting to try. If anything, you’d be exposing yourself to more risk by openly saying you don’t care.
If you want to read more about fraud, connect with Claire on LinkedIn – she doesn’t talk about anything else. You can also find her podcast, Fraudible, on YouTube and Spotify, where she brings together academics and counter-fraud experts to discuss fraud topics.