Employees and IT workers whose responsibility is handling and protecting sensitive information are being trained and recruited by organised criminals to steal it says a new report published by antifraud software maker.
Based on the New York-based company’s research, drawn from interviews with 40 large financial services companies in the US and the UK, about 50%n of those surveyed indicated they believe they have employed workers who have either been trained or recruited by outsiders to carry out fraud.
Around 85% of the respondents have been affected by employee fraud in general, and 65% see the threat becoming even more serious in the future, the survey found.
More than 50% of participating companies admitted their belief believe that only half, or less, of all employee fraud occurring within their organisations is currently being caught.
And while the test group represents a relatively small cross-section of business, it’s worth noting that half of the financial services companies interviewed by Actimize claim assets of over $30 billion (£14.55bn).
Actimize executives said that there was little doubt among those surveyed that organized criminals are increasingly working inside firms with large volumes of sensitive information to get first-person access to valuable data that can be used by others to carry out fraud.
“People are getting caught and it’s clear that they are representatives of organized crime in some way, we had a lot of people telling us unsolicited that they feel that this is actively happening,” said Amir Orad, executive vice-president of marketing and business development of Actimize. “It’s not a fairytale; it’s an established method being used by these groups to carry out significant fraud.”
Among the factors contributing to the criminal trend are increased access to technology by rank-and-file employees, as well as poor hiring and screening processes within end user firms, according to the report. Data availability and a lack of dedicated resources for fraud detection technologies were other issues identified by respondents as fuelling internal attacks.
More than 75% of those companies surveyed said that they expect insider fraud schemes to grow even more sophisticated, with 73% charting the financial services industry's preparation for such attacks as only “poor” or “somewhat acceptable”.
About half of the companies involved in the research said that they have experienced a data theft within the last 12 months, with the cost of the largest such incident within each firm coming in at an average of roughly $875,000 (£424,524) per incident. The largest such incident cited in the Actimize research totalled $6 million (£2.9m)in losses.
A lack of automation among the anti-fraud technologies being utilised by the companies is a hallmark of their defeat, Orad said.
“All of these companies have been using data mining for years externally, but less than 10% told us that they were using it internally to fight fraud, which doesn’t make sense,” Orad said. “Less than 50% said they had any form of automation in place to fight fraud, which tells us, the majority have been using reactive processes or manual reporting to investigate suspected problems, which isn’t going to prevent incidents from happening and only addresses the issue after the fact.”
Among the types of scams that Actimize was told about by the respondents were instances of self-dealing, skimming, data-theft, embezzlement and collusion.
In the case of one of the most common methods for carrying the schemes out, so-called “identity shielding”, through which perpetrators gain access to data using another worker’s credentials, only 28% of those participating in the survey said they had some manner of stopping or detecting the attacks.
While data-handling regulations such as the Sarbanes-Oxley Act and the Payment Card Industry (PCI) compliance requirement have been proposed by some experts as helping to solve the insider fraud issue, those surveyed by Actimize said that isn’t necessarily the case.
An overwhelming 70% of respondents said that government regulation or standards regarding employee access to customer accounts and data would actually “hinder” their company's ability to detect or prevent employee fraud.
As with many other types of IT projects, the shortfall in more comprehensive insider fraud protection can be tied largely to a lack of sufficient budgeting for tools such as those his company markets, Orad said.
“We see some visionaries who are making the commitment to buy technology that will help automate the process, and it’s a growing group, but it is still a comparatively small minority of all businesses,” Orad said. “All of these companies know that they want to keep their names out of the headlines related to fraud, and most recognise that it is a problem they aren’t adequately prepared to deal with, but as with a lot of IT issues, the biggest obstacle appears to be a lack of budget.”