The Threat Within. Spotting and Arresting Insider Fraud

Insider fraud, mostly through employee theft, is a growing, global problem and the 2 sectors most impacted are ironically 2 of the most regulated – banking/financial services and government/public administration.

Insider or occupational fraud, both offline and online, is an employee’s misuse or misappropriation of an employer’s resources or assets for personal gain.

About 5% of an organization’s revenue is lost to insider fraud. This translates to a potential total loss approaching $3 trillion a year, according to a new report by the Association of Certified Fraud Examiners (ACFE).

Incidentally, insider fraud caused a whopping $169 million loss to financial institutions in 2018. An analysis by the American Bankers Association concluded that 65% to 70% of fraud dollar losses in banks are associated with insider fraud.

The impact of insider fraud can be severely damaging, as most incidents take 18 months to uncover – long enough to put a small or mid-sized business out of business and/or erode a bank’s reputation and employee morale. Conventional controls to detect and combat various types of fraud, such as internal audits, are not very effective when it comes to catching insider frauds that must be detected as they are brewing.

It is therefore vital to first spot the warning signs of internal fraud schemes. Also, despite generally being viewed as an act of mistrust of employees, implementing a technology solution to monitor employee and transaction activity can expose suspicious behaviour.

The signs

The same qualities that help employees perform well can also help them perpetrate fraud. In four of the most common schemes (GL fraud, Identity theft, ATO and Collusion) insiders devise ways to stay under the radar for years by taking advantage of internal vulnerabilities.

  • General Ledger Fraud: Insiders exploit the fact that while most employees have working knowledge of the accounts they access daily, they are often unfamiliar with other parts of the GL accounts. Certain insiders may have exclusive access to accounts payable or suspense accounts, which are used to temporarily record items such as loans in process, interdepartmental transfers, or currency in transit. This makes it easier for insiders to move funds between accounts. An employee who has the authority to create an accounts payable record for a vendor could very well create a fake company in the system and issue payments to that company.

True cases of incidents where employees abused their authority and access –


    • A personal banker opened both fictitious accounts and accounts with the names and identifying information of bank customers. He used these accounts to funnel money from the GL accounts.


    • An accounting clerk made deposits into a personal savings account from suspense accounts. He used different tellers’ computers, after the tellers had logged into the system, to transfer the funds.


    • A senior banker was indicted for transferring more than $4 million from GL accounts to her own accounts over 8 years and concealing the money in the GL. Since she was in charge of the GL and the corresponding accounts, she handled the journal entries and reconciliations. To execute the scheme, she fudged the information in her monthly reports to the board and gave false information to examiners. This case had 2 critical internal control weaknesses: lack of segregated duties and lack of oversight through continuous, automated monitoring of journal entries.


  • Identity theft: Stealing customers’ identity data is another internal fraud that is on the rise. One of the schemes of a fraud ring recently discovered had certain bank employees using stolen customer identities to create bank and credit accounts. The ring members recruited people to assume stolen identities and withdraw funds because they knew that their target banks did not have sufficient technological capability to safeguard customer information.

  • ATO (account takeover): A bank employee opens a deposit account for a customer and later sets up online banking on the account without the customer’s knowledge. The employee then makes unauthorised withdrawals from the account or gives the online credentials to an external fraudster, who can use them to siphon money out of the account. The employee may also sell a customer’s PIN and account number to an external fraudster, change the address for the account and request a new debit card.

  • Collusion: One of the more devastating internal fraud schemes, especially for credit unions and community banks, is when bank insiders collude with external fraudsters. For example, a loan officer may apply for a real estate loan under a phony customer name and work with an appraiser, who will submit an inflated appraisal on a property. The employee will then take the funds, making it look like the “customer” absconded with them, and feign ignorance of the situation.


Organized fraud rings are highly sophisticated and plant their members in positions within a bank. A fraud ring may place its member in Human Resources, for instance, to make it easier to get members hired as loan officers, tellers or even loss prevention officers.

Knowing that the collections department has a weak background screening process and broad access to customer information, a fraud ring can place one of its members there to steal customer data.

More elaborate schemes can involve large-scale fraud across multiple departments and branches.

Since internal fraud is not easy to detect, it is important to watch for certain behavioural and transactional indicators –

      • Employees attempting to disguise asset misappropriations can find plenty of places to do so within the GL. They may manipulate records and find other methods of exploiting weak internal controls. In particular, insiders who are responsible for both making journal entries and reconciling accounts require comprehensive oversight.
        Other signs to watch for include insiders, or their interests, frequently appearing on transaction suspense item listings, but not on the ‘updated’ version that is presented to the board of directors or to examiners; GL entries with incomplete transaction descriptions; bank account reconcilements that are not current or that fail to describe the status of outstanding items.


      • Employees who have access to customer information may be tempted to steal it for their own purposes, to obtain credit and debit cards and open bank accounts. Or they may sell it to outsiders for a profit.
        Warning signs include after-hours logins to customer accounts; frequent or excessive access to high-net-worth or VIP accounts; employees accessing accounts that are unusual for the scope of their job.


      • Employees requesting full control of an account, where they or an outsider can make withdrawals or transfers from that account, may be involved in an ATO scheme. Unusual or frequent changes to a customer account are good indicators of this type of fraud. These could be an employee changing account statement mailing frequency to a longer period; an employee who is not from the team handling the customer changing a customer address; an employee changing a customer attribute and then changing it back within a specific time period (i.e. one month); an employee searching for several dormant customer accounts; an employee browsing dormant bank accounts and then transferring money from a dormant account.
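Several of the transactional warning signs listed above can be expressed as rules over an employee activity audit trail. The Python below is an added example, not code from the article or from any monitoring product; the event layout, action names, account IDs, business hours and dormant-account list are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail: (timestamp, employee, action, account, old, new)
EVENTS = [
    ("2024-03-04 10:15", "emp_a", "view", "ACC-100", None, None),
    ("2024-03-04 22:40", "emp_b", "view", "ACC-200", None, None),
    ("2024-03-05 11:00", "emp_c", "set_address", "ACC-300", "12 Oak St", "9 Elm Rd"),
    ("2024-03-20 15:30", "emp_c", "set_address", "ACC-300", "9 Elm Rd", "12 Oak St"),
    ("2024-03-06 09:30", "emp_d", "view", "ACC-400", None, None),
    ("2024-03-06 09:35", "emp_d", "view", "ACC-401", None, None),
    ("2024-03-06 09:50", "emp_d", "transfer_out", "ACC-400", None, None),
    ("2024-03-07 14:00", "emp_a", "set_address", "ACC-100", "1 Main St", "2 High St"),
]
DORMANT = {"ACC-400", "ACC-401"}     # assumed to be supplied by the core banking system
OPEN_HOUR, CLOSE_HOUR = 8, 19        # assumed business hours
REVERT_WINDOW = timedelta(days=30)   # the "one month" window mentioned in the text

def detect(events, dormant=DORMANT):
    """Return a sorted list of (rule, employee, account) alerts."""
    alerts = set()
    changes = defaultdict(list)       # (emp, action, account) -> [(ts, old, new)]
    dormant_views = defaultdict(set)  # emp -> dormant accounts already browsed
    for raw_ts, emp, action, acct, old, new in sorted(events, key=lambda e: e[0]):
        ts = datetime.strptime(raw_ts, "%Y-%m-%d %H:%M")
        # Warning sign: after-hours access to customer accounts
        if action == "view" and not OPEN_HOUR <= ts.hour < CLOSE_HOUR:
            alerts.add(("after_hours_access", emp, acct))
        # Warning sign: browsing dormant accounts, then moving money out of one
        if action == "view" and acct in dormant:
            dormant_views[emp].add(acct)
        if action == "transfer_out" and acct in dormant_views[emp]:
            alerts.add(("dormant_browse_then_transfer", emp, acct))
        # Warning sign: attribute changed and then changed back within the window
        if action.startswith("set_"):
            for prev_ts, prev_old, prev_new in changes[(emp, action, acct)]:
                if new == prev_old and old == prev_new and ts - prev_ts <= REVERT_WINDOW:
                    alerts.add(("change_then_revert", emp, acct))
            changes[(emp, action, acct)].append((ts, old, new))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

In a real deployment the same rules would run over a live event stream, with thresholds tuned per role rather than fixed constants.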


Besides being clued in to the warning signs, it is vital to monitor internal fraud risks in certain roles more closely than others and limit access to data such as Social Security numbers or PAN or Aadhaar details. The more credentials and account access privileges an employee has for customer and employee accounts, the bigger the risk they pose.

For example–

      • Call center customer service staff are targets for fraudsters and fraud rings because they have access to the bank’s database of customers and their identities. If the call center is outsourced, it is even more vulnerable.


      • The IT department could also be susceptible to fraud. An expert fraudster in the IT department can divert money from customer accounts to dummy accounts, or commit identity theft by accessing customers’ or employees’ personal information. In one sensational case, an IT staff member stole the identities of other bank employees to open accounts at other financial institutions.


Also, despite knowing that it is a risky practice, sharing of login credentials is quite common and carries the risk of suspicious activity.

Given the high-risk potential in customer or employee data theft, employees should be given restricted access that lets them view only the information they need to do their job, and their behaviour must be monitored closely against the warning signs.

Monitoring and preventing

The need of the hour is a framework for timely detection of insider fraud and proactive action.
Besides internal controls and audit, staff awareness and whistle-blowing, the most vital element of identifying internal fraud is real-time knowledge. Also, distributed accountability is more efficient than having a single individual responsible for highly sensitive roles.

Restricting access to customer data can help prevent not just identity theft, but also associated fraud such as ATO. Continuous monitoring of employee behaviour and transactional activity helps uncover warning signs of internal fraud.

Also, deterrence plays a key role. When staff know they are being monitored, they usually don’t attempt violations. It helps the bank send a signal that internal operations are under surveillance.

If an employee is accessing information that is not relevant to his or her job function, a good real-time technology can help link that activity to new deposit or loan activity that has been initiated by that employee. Rules can be updated frequently as the bank fine-tunes its internal fraud prevention program.

Interestingly, most insider fraud prevention solutions are targeted towards the largest population of employees and typically lower-level employees (tellers, customer service reps, lenders, call center reps, etc.). They don’t focus as much on middle/senior managers, and senior executives, who have more authority and can potentially steal much more.

Even banks that rely on anomaly detection to identify insider schemes often fail to catch fraud at the executive level, because there is no class of employees in these senior-level positions to compare to, to determine what is normal.

To increase the efficiency of monitoring efforts, a good real-time technology solution automates the time- and labor-intensive process of manual fraud detection. By capturing and recording data across a network, an automated, cross-channel approach can alert a bank to threats and create an audit trail of flagged activity to streamline investigation and loss mitigation.

A critical aspect of this type of monitoring is ensuring that it is in real-time. Post-fact monitoring helps in certain cases, but it cannot prevent significant losses.

Besides accelerating the detection of suspicious activity, a good technology solution can also record internal user activity across the bank that can be used later for investigation. By prioritizing probable fraudulent activity and centralizing case management, it can also help the bank’s fraud investigation team quickly identify, gather, and close cases when an activity is flagged.

Smart AI-based real-time monitoring systems dovetail well with other banking systems such as core banking systems, CRM and HRMS to synthesize cross-system intelligence, help identify suspect behaviours, target fraud at the source and enable the bank to stop fraudulent behaviour before it starts.

These solutions include customizable business rules, which can be preset to automatically stop transactions or flag them for further investigation. Rules can also be set for expected employee behaviour. They also have hierarchical case management capabilities for accelerating investigation and closures.

When employees (who could be potential fraudsters) operate in a manner that is inconsistent with their behavioural profile, the bank is automatically and immediately alerted. This helps pinpoint activities such as redundant account changes, excessive password changes, and demand drafts.

By watching out for internal fraud schemes as they happen, real-time technology helps banks respond to threats faster and prevent financial losses and reputational damage.

Internal fraud is becoming more complex, and implementing an intelligent technology solution as part of a bank’s enterprise-wide fraud monitoring and prevention framework helps reduce fraud risks vastly. With the capability to watch more closely and guard areas that are likely to be targeted, quickly pick up on warning signs, and strengthen internal controls, a bank can not only combat immediate threats, but also keep future internal fraud at bay.




About the author


Naresh Kurup

Chief Brand Officer
Naresh drives marketing and brand communication for the category-leading banking fraud management product company Clari5.