Insider Fraud Criminal on the Job for Five Years and Commits Crime for Three
Pittsburgh, Pa., July 31, 2012—When it comes to preventing insider fraud, financial organizations would do well to more closely monitor experienced, mid-level employees with years on the job, according to a new study conducted by the CERT Insider Threat Center of Carnegie Mellon University's Software Engineering Institute (SEI) in collaboration with U.S. Secret Service (USSS). The study found that, on average, insiders are on the job for more than five years before they start committing fraud and that it takes nearly three years for their employers to detect their crimes.
The Illicit Cyber Activity Involving Fraud in the U.S. Financial Services Sector study, funded by the U.S. Department of Homeland Security Science and Technology Directorate, examined technical and behavioral patterns from 80 fraud cases that occurred between 2005 and 2012. The study found that those committing fraud are taking a "low and slow" approach, escaping detection for long periods of time and costing targeted organizations an average of $382,000 or more, depending on how long the crime goes undetected. Managers and accountants cause the most damage from insider fraud and evade detection longer.
"We also found that nearly 93 percent of fraud incidents were carried out by someone who did not hold a technical position within the organization or have privileged access to organizational systems," said Randy Trzeciak, technical lead of the Insider Threat Research Team.
A reason that these crimes are going undetected may be linked to the fact that technology has played a minimal role in enabling victim organizations to detect insider fraud activity. "Many people think that insider crimes can be addressed solely by technical controls, but the most effective way to prevent and detect insider crimes is to make it an enterprise-wide effort to master both the technical and behavioral aspects of the problem," said Trzeciak.
The study highlights the following findings, which provide insight into how the crimes were committed and the type of people within organizations who committed them:
- Criminals who executed a "low and slow" approach caused more damage and escaped detection for a longer period of time.
- Insiders' methods lacked technical sophistication.
- Fraud by managers differed substantially from fraud by non-managers in terms of the extent of damage and duration.
- Most incidents did not involve collusion.
- Most incidents were detected through an audit, customer complaint, or co-worker suspicion.
- Personally identifiable information (PII) was a prominent target of those committing fraud.
The CERT Insider Threat research team and the USSS will be presenting the findings from this study and strategies for prevention, detection, and response to insider fraud crimes at several upcoming Electronic Crimes Task Force (ECTF) meetings. These meetings are open to ECTF partners from public and private sector organizations as well as law enforcement. The following ECTF meetings will be held:
- NY/NJ ECTF Quarterly August 1, 2012
- DC ECTF Quarterly August 10, 2012
- Los Angeles ECTF Quarterly August 17, 2012
- Chicago ECTF Quarterly November 8, 2012
- Dallas ECTF Quarterly November 14, 2012
- Miami ECTF Quarterly December 6, 2012
"This study was an important step in analyzing the problem and developing models of how the crime evolves overtime. We look forward to working with organizations in the financial services sector to develop innovative technical and non-technical solutions to combat the problem of fraud," stated Andrew Moore, lead researcher of the SEI CERT Insider Threat Center.
The Illicit Cyber Activity Involving Fraud in the U.S. Financial Services Sector study is available for download now on the SEI website at http://www.sei.cmu.edu/library/abstracts/reports/12sr004.cfm.
About the Carnegie Mellon Software Engineering Institute and the CERT Program
The Software Engineering Institute (SEI) is a federally funded research and development center sponsored by the U.S. Department of Defense and operated by Carnegie Mellon University. The SEI helps organizations make measurable improvements in their software engineering capabilities by providing technical leadership to advance the practice of software engineering. For more information, visit the SEI website at http://www.sei.cmu.edu. The CERT Program serves as a center of enterprise and network security research, analysis, and training within the Software Engineering Institute. For more information, visit the CERT website at http://www.cert.org.