According to a survey of fraud and product executives at US financial institutions, more than half of the respondents' firms attribute at least 5% of their total fraud losses to internal fraud, costing firms hundreds of millions of dollars.
Because most financial firms are reluctant to admit internal fraud, this figure might be low. Reflecting this reticence, 35% of respondents said that their firms prosecuted 10% or less of confirmed internal fraud cases.
The term “internal fraud” applies to a variety of criminal behavior perpetrated by a firm’s own employees or contractors. It generally falls into three categories: theft from customers, theft from the firm, and abuse of position.
Aite advised financial service firms to use a layered approach of collaborative and analytic fraud mitigation techniques to lessen the risk from internal fraud.
One of the firms that provides analytic fraud mitigation techniques is Detica. Richard Colven, head of US operations at Detica NetReveal, told Infosecurity that insider fraud is becoming more prevalent at financial institutions.
“Insider fraud is like other types of fraud; it’s all about deception. People try to hide their activities within the data because the scale of the data is so big and they imagine [the fraud] won’t get noticed”, Colven said.
Even with perimeter defenses designed to prevent fraudsters from getting access to the financial firm’s systems, people who initially pass the defenses may become fraudsters because of changes in their circumstances. “So you have to have strong capabilities to look at all of their activities”, he said.
There are patterns to this fraudulent behavior that can be discovered. Colven explained that his company’s NetReveal link analysis tool enables financial institutions to discover these patterns so that fraudsters cannot hide in the data.
Internal fraud can be carried out by bank employees or vendors. Fraud is carried out by “a person who is in a trusted position who has been through the screening process in order to gain access to these systems. In that sense, there isn’t any practical difference between an employee or vendor”, he said.
Detica’s parent company, BAE Systems, recently announced that it is acquiring Norkom, a Dublin, Ireland-based provider of financial fraud prevention products, for around $344 million. This acquisition will complement Detica’s offerings in the financial fraud space, Colven said.