Beyond the Hack (Some Tips on Protecting Yourself from Inside Fraud)

Share This on Linked In

Editor’s Note: This is Norman Katz‘s second post as a regular contributor on Sourcing Innovation. Norman, who has published dozens of articles on the subject, is a supply chain fraud and supply chain risk expert and will be covering these topics in his new column, which is indexed and archived here.

Let’s start by taking a look at a real-life fraud story:

An accounting clerk who worked for Broward County (FL) workforce development agency perpetrated fraud that enabled her to walk away with $2.4M. Let’s learn a little bit about our fraudster:

  • She had worked at this government agency for over 10 years
  • She was hired with a criminal background (multiple convictions) but lied on her application
  • She did not have more than a high school education
  • She did not make more than $32,000 per year
  • She was living, with her property-manager husband, in an $840,000 house, and owned another house plus several apartments

I want to be very clear that this fraud was not perpetrated by hacking the agency’s network infrastructure; these breaches get lots of airplay in the media typically because they are associated with stolen credit card information. This fraud did not require the use of viruses or other network penetration hacking techniques. This fraud did not require extensive technical knowledge or programming skills of any kind. This fraud was perpetrated from inside and within: inside the organization (by an employee) and within the protected network infrastructure.

How was this fraud perpetrated? The fraudster wrote checks to herself. Yes, that’s it. The accounting clerk simply wrote herself checks. The check amounts varied from $12,000 to $20,000 during the course of approximately 6 years.

(The fraud was discovered by a bank teller; fortunately for the agency, the fraudster banked at the same financial institution as the agency did. The agency’s management admitted that a failure — or rather, lack — of internal controls and monitoring enabled this employee to perpetrate the fraud.)

In fairness, this fraud likely found its way into the news because it was done at a government agency; there are plenty of serious frauds that occur at private and public companies that never see the light of day due to the reputation damage they could cause. As such, too many fraudsters are not prosecuted to keep the organization’s name out of the news spotlight; these perpetrators are simply let go and can move on to other organizations to exploit their gaps.

While it’s very important to protect your network infrastructure, too many companies fail to address risks from the inside. Reasons given for top management’s unwillingness to take a serious look at internal risks range from an assumed trust in their employees to a lack of belief that it could happen at “my company”.

When users have extended or unrestricted rights within a business software application, especially when such broad authority permits bypassing or exceeding controls, there is a (greater) chance of fraud perpetration. Typically, such employees are performing multiple tasks that would better be separated across multiple employees.

A good starting point would be to review your employee handbook. Does the employee handbook contain sections that educate the employee as to what is and is not acceptable behavior? Are the penalties for breaches of conduct clearly stated? (And is the organization willing to back up words with action?) I’m pretty certain that even if the employee handbook had included such information, this agency employee would still have perpetrated the fraud. But this is just a starting point on what needs to be a continuous journey to bring integrity into the workplace for people, operations, and software applications.

Norman Katz, Katzscan