Accountants are good at fraud, says US Secret Service report

Says the report: “accountants cause the most damage from insider fraud ($472,096 on average) and evade detection for the longest amount of time (41 months).”

The report examines 80 cases of fraud in the finance sector since 2005: 67 cases of insider fraud, and 13 external fraud cases. The external fraud cases were included “to facilitate an informal comparison with the insider cases.” All but one of the insider cases resulted in a conviction – the 67th was ‘declined for prosecution’.

One of the most surprising findings is the length of time over which fraud is perpetrated. While on average an employee is employed for more than five years before turning to fraud, the fraud itself continues for 32 months before being detected. “Long and slow” is more damaging and goes on for longer. Fraud detected in less than the 32-month average has an average monetary impact of $382,750, while that which continues beyond 32 months has an average impact of $479,000.

Most fraud is perpetrated by business staff rather than technical staff – often facilitated by inadequate de-provisioning on job changes. Generally speaking, fraud by managers lasts longer and causes more damage than fraud by non-managers. Nevertheless, says the report, “accountants cause the most damage from insider fraud ($472,096 on average) and evade detection for the longest amount of time (41 months).”

There is a surprising lack of collusion in insider fraud. Only 16% of the fraud incidents involved some type of collusion, and this was almost always with outsiders. “Only 1 case involved collusion with other insiders.”

The report also shows that personal information “is a prominent target of those committing fraud,” especially by younger, non-management employees. Worryingly for the security industry, however, “Only 6 percent of the cases were known to involve the use of software and systems to detect the fraudulent activity.” Routine and impromptu auditing, together with staff whistle-blowing, was the most common way a fraud was discovered.

The main recommendations of the report are consequently not to install this or that security software, but rather to concentrate on enforcing policies and controls, to institute security awareness training and to protect personally identifiable information. But it also recommends staff monitoring, watching staff for ‘unexplained financial gain,’ logging and auditing employee online actions, and paying “special attention to those in special positions of trust and authority with relatively easy ability to perpetrate high value crimes (e.g., accountants and managers).”
