Insider Fraud Takes UK Banking by Surprise
- Ruud Grotens, Head of CFRM Solutions Consulting at Bottomline
- 31.10.2022 01:00 pm #banking
Maybe it’s the data analyst that just got divorced. Or maybe it’s the portfolio manager who left to work at a competitor. Or maybe it’s the new kid who just received his or her first corporate laptop and insists on working at home. Any one of these employees will fit the bill as a prime suspect in a fraud vector that is suddenly tearing through UK banks: insider fraud.
Insider fraud is nothing new and has rivalled Authorised Push Payment (APP) fraud for the most contagious method of data, IP, identity and monetary theft in the UK. However, its explosion among financial institutions has been alarming. There are some numbers to report that we will detail shortly, but on an anecdotal level, the number of banks we see snapping to attention on the insider fraud front has been significant, urgent and quite recent. And what we’re finding is that banks have underestimated the potential havoc an insider can wreak and the methods they can use to steal data and/or money.
On top of that, UK banks often rely on a patchwork of manual and automated processes to detect and prevent insider fraud, while the hybrid, decentralised working environment shows every sign of staying. The right technology can stop insider fraud in its tracks, but analogue pre-COVID methods become a point of exposure in the post-COVID economy. Current technology solutions often fall short because of data availability and data quality issues: when the data an investigator needs is incomplete or unreliable, it does little to confirm or dispel suspicion about an internal incident, and it makes it hard to find the evidence, or the collusion between internal staff and external fraud rings.
And before you file “insider fraud” under standard-issue hacks and breaches, consider that insider fraud has been reported by more than 900 companies, banks among them, since 1 August 2022. Insider fraud can result in your high-net-worth individual database finding its way onto the dark web, and your business customers’ transaction histories landing in the hands of competitors. It can compromise numerous other data sets or volumes of sensitive information. It is not limited to stolen money. And with 24% of the UK workforce splitting their time between home and a traditional office, you ignore insider fraud at the peril of your reputation, your internal security and your workforce’s morale.
Insider fraud by the numbers
Before we get to the whys and wherefores of insider fraud for banks, let’s run some numbers. First, specific UK banking data for this fraud vector is hard to come by. We know that in the first year of the pandemic, NatWest reported that the banking sector lost £190 million to fraud in total, 40% of which was stolen by internal staff. The most recent CIFAS Fraudscape report shows that 270 individuals were reported to the UK authorities in 2021, and 41% of those cases involved the theft of cash from the employer. The US has more specific data, thanks to a Carnegie Mellon University study that looked specifically at banking and insider fraud. It found that 26% of all bank fraud in 2021 was an inside job. Where did it come from? Not the IT department: the study did not implicate IT staff at all. The most likely suspects were non-technical, non-management employees who had been with the bank for five years or more.
That can certainly help to define the potential threats. But why banks, and why now? Well, to paraphrase bank robber Willie Sutton, “banks are where the data is.” Banks have been preoccupied with external actors hacking their data and capital and have only now turned inward. External losses can be higher, more public, and therefore more damaging to reputation and potentially to the bank’s market value. Banks have only recently been put on notice that it is not just money insiders are after; it is data. Any bank that does not want to see its high-net-worth individual database on the dark web should understand that insider fraud not being an immediate or expensive problem today does not mean it will not become one.
COVID and the now-scattered state of formerly office-based employees is probably the main reason for the rise in insider fraud. In a survey by Risk.net, 75% of respondents perceived an increase in insider fraud risk since the pandemic started. Reflecting this trend, Barclays, Lloyds, NatWest Group, Santander UK and Standard Chartered saw internal fraud jump from 22% of all fraud in 2018 to 38% in 2020. The unabated rise in the cost of living has pushed many potential fraudsters into action. According to CIFAS, there is another, less obvious, culprit: social media.
“Social media has the potential to affect an employee's behaviour in two key ways. The first is the pressure on individuals to live beyond their means, which may lead to employees committing fraud or theft to maintain their desired lifestyle,” says a recent CIFAS report. “Another way that social media can influence employee behaviour is when employees are approached on social media with offers of expensive gifts or large sums of money in exchange for abusing their position as an employee. Such abuses of the position may include disclosing confidential customer or company information, or even manipulating systems and data.”
Legacy issues
But the biggest issue standing between banks and an effective insider fraud strategy is legacy technology. Without a holistic view of user actions to identify and prevent insider fraud (of data and of capital), critical details will be missed and banks are left with anecdotal evidence. Maybe an employee takes unexplained leave. Or a co-worker reports suspicious behaviour. Or, in the best case, log files show suspicious patterns of activity. But all of these work only after the deed is done, and a periodic review of logs relies on chance rather than on technology. Anecdotal evidence will not stop data leakage. Content filtering, which runs second to log files in current usage, works well for unintentional leakage, such as the employee who shares passwords via social media, messaging or email, but not for an insider who is misusing access they legitimately hold.
There is a newer technology that, as mentioned at the beginning, can be quite effective. What is missing today is behavioural monitoring at the application layer. By observing the application layer, which sits between the application server and the employee’s screen, the technology sees which records a user opens, changes or exports and can intervene when authorised access is being misused. It can detect inconsistent access patterns, data manipulation or data leakage that may indicate insider fraud at the beginning rather than the end.
Application layer monitoring also works in a hybrid environment, i.e., across different applications regardless of their technology (e.g., web-based or mainframe). It can not only anonymously detect suspicious behaviour but also capture screens, raising an alert while the fraud is happening and giving investigators a screen-by-screen replay of the user’s actions as evidence of what happened.
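To make the “inconsistent access pattern” idea concrete, here is a small illustration, added for this article and not Bottomline’s product or code: per-user baselining over application-layer events. The log lines are constructed, the field layout (timestamp, user, action, customer id) is an assumption, and so are the two rules, a volume rule (today’s record views far above the user’s own earlier days) and an off-hours rule (any record view outside an assumed 07:00 to 19:59 window). The point is that the baseline is the user’s own history, so the same count that is normal for bob is an anomaly for alice.

```python
"""Baseline-and-deviation detection over application-layer access events.

Added illustration, not Bottomline's product. The log lines, the field layout,
the thresholds and the business-hours window are assumptions for this example.
"""
from collections import defaultdict
from datetime import date, datetime
from statistics import mean, pstdev

# Constructed events from a hypothetical front-end audit feed:
# "<timestamp> <user> <action> cust=<customer id>". Not real bank data.
SAMPLE_LOG = """\
2022-10-03T09:15:02 alice VIEW_CUSTOMER cust=10021
2022-10-03T14:40:19 alice VIEW_CUSTOMER cust=10388
2022-10-04T10:02:55 alice VIEW_CUSTOMER cust=10512
2022-10-04T16:21:07 alice VIEW_CUSTOMER cust=10021
2022-10-05T09:48:31 alice VIEW_CUSTOMER cust=10777
2022-10-05T11:05:12 alice VIEW_CUSTOMER cust=10904
2022-10-06T08:59:40 alice VIEW_CUSTOMER cust=10021
2022-10-06T09:01:13 alice VIEW_CUSTOMER cust=10022
2022-10-06T09:02:50 alice VIEW_CUSTOMER cust=10023
2022-10-06T09:04:22 alice VIEW_CUSTOMER cust=10024
2022-10-06T09:05:58 alice VIEW_CUSTOMER cust=10025
2022-10-06T09:07:31 alice VIEW_CUSTOMER cust=10026
2022-10-06T09:09:03 alice VIEW_CUSTOMER cust=10027
2022-10-06T22:14:45 alice VIEW_CUSTOMER cust=10028
2022-10-06T22:16:09 alice VIEW_CUSTOMER cust=10029
2022-10-03T10:10:10 bob VIEW_CUSTOMER cust=20001
2022-10-03T15:30:00 bob VIEW_CUSTOMER cust=20002
2022-10-04T10:12:48 bob VIEW_CUSTOMER cust=20003
2022-10-04T15:44:21 bob VIEW_CUSTOMER cust=20004
2022-10-05T10:08:33 bob VIEW_CUSTOMER cust=20005
2022-10-05T15:50:02 bob VIEW_CUSTOMER cust=20006
2022-10-06T10:11:19 bob VIEW_CUSTOMER cust=20007
2022-10-06T15:41:57 bob VIEW_CUSTOMER cust=20008
"""

BUSINESS_HOURS = range(7, 20)      # assumption: 07:00-19:59 is a normal working window
MIN_BASELINE_DAYS = 3              # assumption: need this many prior days to judge a user
ANALYSIS_DAY = date(2022, 10, 6)   # the day under review in the sample


def parse_log(text):
    """Turn the constructed audit lines into event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, action, cust = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "cust": cust.split("=", 1)[1]})
    return events


def daily_counts(events):
    """{user: {date: number of customer records viewed that day}}"""
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["action"] == "VIEW_CUSTOMER":
            counts[e["user"]][e["ts"].date()] += 1
    return counts


def detect(events, day):
    """Return {user: [reasons]} for users whose behaviour on `day`
    deviates from their own earlier days (users with no finding are omitted)."""
    findings = defaultdict(list)
    for user, per_day in daily_counts(events).items():
        baseline = [n for d, n in per_day.items() if d < day]
        today = per_day.get(day, 0)
        if len(baseline) >= MIN_BASELINE_DAYS:
            mu, sigma = mean(baseline), pstdev(baseline)
            # Volume rule: beyond 3 sigma AND at least triple the usual volume,
            # so a flat baseline (sigma == 0) does not flag every small change.
            if today > mu + 3 * sigma and today >= 3 * mu:
                findings[user].append(f"volume {today} vs baseline mean {mu:.1f}")
        off_hours = [e for e in events if e["user"] == user
                     and e["ts"].date() == day
                     and e["ts"].hour not in BUSINESS_HOURS]
        if off_hours:
            findings[user].append(f"{len(off_hours)} record views outside business hours")
    return dict(findings)


def run_sample():
    """Run both rules over the constructed log for ANALYSIS_DAY."""
    return detect(parse_log(SAMPLE_LOG), ANALYSIS_DAY)


if __name__ == "__main__":
    for user, reasons in run_sample().items():
        print(user, "->", "; ".join(reasons))
```

On the sample, alice is flagged on both rules (nine record views against a baseline of two per day, two of them after 22:00) and bob, whose two views per day are his norm, is not. A real deployment would key the baseline on a pseudonymous user identifier rather than a name, which is what lets the detection run “anonymously” until an alert justifies looking at who is behind it.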
All of which should set off your legal-issue detector. Is it legal to anonymously track employee behaviour in this context? Yes, provided it is done within data protection law. And don’t take our word for it. Let’s go to the legal source, in this case the UK data protection regulator, the Information Commissioner’s Office: “You can monitor workers if you do it in a way which is consistent with data protection legislation. Any decision to monitor workers should involve a careful balancing between the business interests of an employer and the workforce’s rights and freedoms in relation to their personal data. If monitoring is done in a way which is unfair, this negatively impacts the trust between you and your workers. It also has an impact on their rights and freedoms under data protection. Just because a form of monitoring is available, does not mean it is the best way to achieve your aims. You must be clear about your purpose and select the least intrusive means to achieve it.”
And you would do well to repeat that last sentence. Insider fraud may be having its moment, but there are legal and ethical technologies to detect, defend and investigate it before it’s too late.