Combating Internal Fraud - 5 Points You Should Think About

This presentation outlines five crucial points enterprises need to consider when tackling insider fraud.

Published in: Business, Technology

  1. 1. Combating Internal Fraud: 5 Points You Should Think About. © Intellinx Ltd. All Rights Reserved. 29-Apr-12
  2. 2. Internal Fraud – a Very Real Risk
  6. 6. 5 Points to Think About
      1. Your logs don’t tell the complete story.
      2. Be proactive – if the funds are gone it might be too late.
      3. How much of your external fraud is actually internal?
      4. The breach will happen at the point where your control is the weakest.
      5. Avoid wasting time with false positives.
  8. 8. Point 1: Your logs don’t tell the complete story
      Time and again, we hear the story of organizations that invested millions in internal fraud programs, yet are monitoring only a few key systems and are barely detecting fraud. They are not sure why, and cannot justify further investment to strengthen internal fraud detection.
      Here’s why: Organizations make the mistake of using log files (text files that record actions users take in the system) to identify fraud. A lot of people we meet assume that log files record every action that your employees take. However:
      • Log files usually miss critical data: surprisingly, most log files don’t keep a record of searches, inquiries, and even which fields were changed on a page.
      • Log files are expensive to use: normally these are huge files, and your IT team will be the first to tell you that they’re expensive to store, move and use.
      • Log files are expensive to update: changing the log file process to capture the missing data requires expensive work by the system vendor and IT staff. Often, with homegrown systems, IT staff no longer has the know-how to make changes.
  9. 9. Point 1: Your logs don’t tell the complete story
      Example 1: An employee is looking up high net-worth customers and selling their information to identity thieves.
      Most log-file based systems can’t detect this common crime, as they don’t keep a record of which employees search against which accounts.
      Make sure that the system you select or build has the ability to profile against searches AND inquiries.
  10. 10. Point 1: Your logs don’t tell the complete story
      Example 2: An employee is preparing to transfer funds from an internal account (e.g., general ledger) to an account they control.
      Most log-file based systems will detect when the funds move, but that’s usually too late. An employee preparing to steal money will inquire against accounts to get ready for the theft. Make sure that the system you build or select can profile inquiries against internal accounts.
      Example 3: An employee is colluding with an outside criminal to commit check fraud or card fraud.
      Most log files don’t have enough information to detect accounts that had fraud and also had a high rate of inquiries or searches by the employee that was feeding information to the external criminal.
  12. 12. Point 2: Be proactive – if the funds are gone, it might be too late
      • Many fraud systems only watch for funds or data leaving your institution. That’s too late; the damage is already done by the time you detect it.
      • And even after detection, most cases take more than three months to establish root cause, and two-thirds of incidents go unpunished.*
      • To be successful in the fight against internal fraud, you must prevent the fraud before it happens.
      • To effectively prevent internal fraud, your monitoring system must be able to detect when an employee starts to behave unusually.
      Warning signs that an employee is preparing to commit fraud:
      • Employees who view high-risk accounts (like high-balance accounts, internal accounts, dormant accounts) more frequently than their peers.
      • Employees who behave inappropriately (like making off-hours inquiries, viewing accounts from other regions, or looking at other departments’ accounts) more frequently than their peers.
      • Branch employees who access an unusual number of accounts without performing financial transaction(s).
      • Employees who search or inquire on an unusually high number of accounts.
      *Source: “The Risk of Insider Fraud”, Dr. Larry Ponemon, Sept. 2011
  14. 14. An example of proactive internal fraud monitoring
      The Credit Card division of a $100 billion international bank was having a problem with employees looking at the spending history of celebrities. Since the Intellinx system focused on detecting inquiries (instead of the loss of data), the bank was able to detect and prevent losses very quickly.
      [Chart: “Alerts on Celebrity Accounts Snooping”. Y-axis: number of alerts per week (0 to 100); x-axis: weeks 1 to 10. Annotations on the timeline: rule implemented; security officers start calling on suspects; first employee is laid off.]
      Intellinx changes employee behavior and significantly increases compliance with corporate policies.
  16. 16. Point 3: How much of your external fraud is actually internal?
      What do you think of the following statistic?
      “Occupational fraud, mostly through employee theft, is a growing, global problem ... About 5 percent of an organization’s revenue is lost to these fraud incidents… approaching $1 trillion a year.”
      Many banking fraud officers think this statistic is too high. But could it be true?
      A likely answer: some of your external fraud is actually internal fraud.
      With organized fraud rings becoming a more prevalent crime force, it’s becoming increasingly common for bank employees to help external criminals to commit new account fraud, deposit fraud, check fraud, card fraud, and loan fraud.
      Collusion of insiders and external fraudsters can be detected by close monitoring of insiders’ behavior.
  17. 17. Point 3: How much of your external fraud is actually internal?
      How to detect external fraud caused by internal action
      Example 1: An employee is looking up customers and selling their check images, signature cards, etc. to a fraud ring that commits check fraud.
      Make sure that the monitoring system you select can identify employees who are inquiring against an unusual number of accounts that later end up having check fraud.
      Example 2: An employee is colluding with an external party to open fraudulent accounts that will later be used for first party fraud, money mule schemes, etc.
      Make sure that the monitoring system you select can identify employees who are opening an unusual number of accounts that later end up having first party fraud.
      Example 3: An employee is colluding with a customer to defraud the bank.
      Make sure that the monitoring system you select can identify employees who are performing an unusual number of transactions (financial or non-financial) for the same customer.
  19. 19. Point 4: A breach will happen at the point where your control is weakest
      Even the most security-conscious organizations have weak points that can be exploited by employees. This problem can be overcome by deploying an anti-fraud system that is multi-layered, and combines indicators from multiple sources.
      Example 1: Société Générale
      What he did: Jerome Kerviel “borrowed” the login credentials of his colleagues to cover his tracks while conducting transactions that ultimately caused losses of over seven billion dollars.
      How he should have been caught: An anti-fraud system that monitors user activity at all levels - network, application and transaction - would have compensated for the weak controls of the trading system. For example, by detecting:
      • The same user logged in from different workstations at the same time
      • Several users logged in on the same workstation at the same time (or within close proximity)
      • A user logging in to a workstation without scanning their badge through the physical entry system
      • A user logging in for the first time from a new workstation
      • A user who is logging in (or using their badge) during unusual working hours
      Sidebar: 40 percent of organizations say it is likely that a privileged user turns off or alters application controls in order to access or change sensitive information and then resets the controls to cover his or her tracks. Source: “The Risk of Insider Fraud”, Dr. Larry Ponemon, Sept. 2011
  20. 20. Point 5: Minimize false positives and waste less time
      False positive alerts generated by anti-fraud systems are massive time wasters: analysts spend countless hours researching “alerts” that amount to nothing.
      There are several key steps to minimizing false positives:
      • Work with a vendor that can provide a set of pre-defined rules; you can learn a lot from the experience of other organizations.
      • After you implement the system, make sure that it’s someone’s job to periodically analyze and tweak the rules that are providing the best results. The system you select or build should have a reporting engine that makes it easy to analyze rule effectiveness.
      • Select a system with a scoring model that you can easily update on your own. Even if you have all the right rules, weighting them properly is the key to minimizing false positives, and you need to have this capability in-house.
      • Make sure your system has a way for your analysts to write and deploy their own rules. New patterns of fraud emerge all of the time, and you need to make sure that the ability to create new rules is something your staff can do.
  21. 21. Point 5: Minimize false positives and waste less time
      Pre-Defined Rules: Common Internal Fraud Schemes
      Taking Over Accounts:
      • Identity theft by manipulating account data.
      • Opening accounts for money mules / deposit fraud schemes.
      • Opening accounts for non-existent or unqualified customers in order to meet quotas / incentives.
      Money Theft:
      • Stealing money from customers via: Cash, Check, Card, Transfer, ACH/Wire.
      • Stealing money from internal accounts via: Cash, Transfer, ACH/Wire.
      Other Schemes:
      • Personal expenses on corporate card account.
      • Performing transactions for personal use.
      • Stealing customer information.
      • Performing unauthorized claims, rebates, reversals.
      • Targeting the elderly.
      • Collusion between multiple employees.
      • Violation of policy / errors.
      • Trying to avoid detection.
  22. 22. Five Facts about the Intellinx Enterprise Fraud Solution
      1. Intellinx offers the only true end-to-end insider fraud solution:
         • Based on real-time sniffing of your corporate network, providing immediate alerts on suspicious activity.
         • Captures and analyzes all user activity including user queries.
         The result: Intellinx detects fraudsters who are preparing to commit or have already committed illegal activity.
      2. Intellinx uniquely combines real-time data from the network with other data sources, to create superior visibility into user activity. The data captured through network sniffing includes user queries and incomplete transactions not typically found in log files.
      3. The Intellinx analytic engine profiles genuine human behavior in order to detect anomalies. Data from various channels, including both internal and external (customers) activity, is correlated in order to detect collusion.
  23. 23. Five Facts about the Intellinx Enterprise Fraud Solution
      4. Intellinx prevents employee fraud and data theft by improving policy compliance:
         • Holding each employee accountable for his/her actions, through continuous monitoring with full audit trail of every activity.
         • Creating deterrence by detecting and responding to suspicious behavior in real-time.
      5. Intellinx saves time by minimizing false positive alerts through:
         • Analysis based on comprehensive data, reflecting true user activity.
         • A highly flexible scoring mechanism that weighs various behavior indicators for each entity (account, employee, customer, etc.), to produce accurate alerts.
  25. 25. Your Reputation is a Critical Asset
      “It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently.” Warren Buffett
  26. 26. Thank you
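
Two of the checks the deck asks for, written out as an added example (not Intellinx code and not part of the original slides): slide 12's warning sign of accessing an unusual number of accounts without performing financial transactions, scored against peers, and slide 17's check for inquiries against accounts that later end up having check fraud. The event tuple layout, the `teller` peer group, the modified z-score with a 3.5 cut-off and all sample data are assumptions constructed for illustration; the approach only works if inquiries are captured in the first place, which slide 8 says most log files do not do.

```python
from collections import defaultdict
from statistics import median

def sample_events():
    """Constructed events: (employee, peer_group, account, action, day)."""
    ev = []
    for emp, n in {"t1": 3, "t2": 4, "t3": 2, "t4": 5, "t5": 3}.items():
        ev += [(emp, "teller", f"{emp}-view{k}", "inquiry", 1) for k in range(n)]
    for emp in ("t1", "t2", "t3", "t4", "t5", "t6"):  # normal work: look up, then transact
        for k in range(10):
            ev += [(emp, "teller", f"{emp}-cust{k}", "inquiry", 1),
                   (emp, "teller", f"{emp}-cust{k}", "txn", 1)]
    ev += [("t6", "teller", f"A{k}", "inquiry", 2) for k in range(31)]  # t6 browses 31 accounts
    ev.append(("t2", "teller", "A3", "inquiry", 10))  # after the fraud: handling the complaint
    return ev

FRAUD_DAY = {"A3": 9, "A7": 9, "A11": 12}  # constructed: account -> day check fraud was confirmed

def inquiry_only_counts(events):
    """Per employee: accounts viewed with no financial transaction by that employee."""
    viewed, transacted, group = defaultdict(set), defaultdict(set), {}
    for emp, grp, acct, action, _day in events:
        group[emp] = grp
        (viewed if action == "inquiry" else transacted)[emp].add(acct)
    return {e: (group[e], len(viewed[e] - transacted[e])) for e in group}

def peer_outliers(counts, threshold=3.5):
    """Flag employees far above their peer group's median (modified z-score on median/MAD)."""
    by_group = defaultdict(list)
    for _emp, (grp, n) in counts.items():
        by_group[grp].append(n)
    flagged = []
    for emp, (grp, n) in sorted(counts.items()):
        med = median(by_group[grp])
        # Assumed fallback of 1.0 when every peer has the same count (MAD of zero).
        mad = median(abs(x - med) for x in by_group[grp]) or 1.0
        if 0.6745 * (n - med) / mad > threshold:
            flagged.append(emp)
    return flagged

def fraud_linked(events, fraud_day, min_accounts=2):
    """Employees who inquired on >= min_accounts accounts before fraud was confirmed on them."""
    hits = defaultdict(set)
    for emp, _grp, acct, action, day in events:
        if action == "inquiry" and acct in fraud_day and day < fraud_day[acct]:
            hits[emp].add(acct)
    return {e: sorted(a) for e, a in hits.items() if len(a) >= min_accounts}
```

Comparing against the peer median rather than a fixed count keeps a busy branch from alerting on everyone, and counting only inquiries made before the fraud date keeps the employee who handled the customer's complaint out of the result.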
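
Slide 19's login indicators (same user on two workstations at once, several users on one workstation, login without a badge scan, login during unusual hours) correlated over session and badge records. This is an added example, not Intellinx code; the record layout, the 07:00 to 19:59 working window, the 14-hour badge window and all sample records are constructed assumptions.

```python
from datetime import datetime, timedelta

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed sample sessions: (user, workstation, login, logout)
SESSIONS = [
    ("alice", "WS-01", ts("2012-04-02 09:00"), ts("2012-04-02 17:00")),
    ("bob",   "WS-02", ts("2012-04-02 09:10"), ts("2012-04-02 17:30")),
    ("bob",   "WS-07", ts("2012-04-02 11:00"), ts("2012-04-02 11:40")),  # bob on two machines
    ("carol", "WS-01", ts("2012-04-02 12:00"), ts("2012-04-02 12:20")),  # carol on alice's machine
    ("dave",  "WS-09", ts("2012-04-02 22:30"), ts("2012-04-02 23:00")),  # no badge, off hours
]
# Constructed badge-reader entries: user -> building entry times
BADGE_INS = {
    "alice": [ts("2012-04-02 08:50")],
    "bob":   [ts("2012-04-02 09:00")],
    "carol": [ts("2012-04-02 08:30")],
}
WORK_HOURS = range(7, 20)           # assumed policy: 07:00-19:59
BADGE_WINDOW = timedelta(hours=14)  # assumed: a badge-in must precede the login by <= 14 h

def correlate(sessions, badge_ins):
    """Return a sorted list of (indicator, user, workstation) alerts."""
    alerts = set()
    for i, (user, ws, start, end) in enumerate(sessions):
        for other_user, other_ws, o_start, o_end in sessions[i + 1:]:
            if not (start < o_end and o_start < end):
                continue  # the two sessions do not overlap in time
            if user == other_user and ws != other_ws:
                alerts.add(("same_user_two_workstations", user, f"{ws}+{other_ws}"))
            if user != other_user and ws == other_ws:
                alerts.add(("shared_workstation", f"{user}+{other_user}", ws))
        badged = any(timedelta(0) <= start - b <= BADGE_WINDOW
                     for b in badge_ins.get(user, []))
        if not badged:
            alerts.add(("login_without_badge", user, ws))
        if start.hour not in WORK_HOURS:
            alerts.add(("off_hours_login", user, ws))
    return sorted(alerts)
```

Each indicator alone is weak (shared kiosks and shift work produce both), which is why the slide asks for them to be combined across the network, application and physical-access layers.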
