Behind Closed Doors: Building Resilience Against Insider Fraud

At financial institutions, insider threats and internal fraud are serious issues. Globally, the Association of Certified Fraud Examiners estimates that fraud costs organizations about 5% of their annual revenue, amounting to a staggering $5 trillion per year.

Insider fraud is believed to account for up to 40% of these costs around $2 trillion annually. The average cost per incident is $412,000, making this type of fraud not only widespread but also extremely damaging.

Insider fraud is defined as "the deliberate misuse or misappropriation of the employing organization’s resources or assets for personal benefit." It’s committed by a malicious insider, such as a current or former employee, contractor, or partner, who uses their authorized access to compromise sensitive systems or data. These actions pose serious risks to confidentiality, integrity, and trust.

Financial institutions are especially vulnerable due to

• High transaction volumes, allowing malicious actions to be hidden in the noise
• Sensitive financial operations
• Complex application landscapes
• Pressure to maintain compliance and avoid reputational damage

More broadly, insider threats come in many forms:

• Negligent behavior, i.e. employees unintentionally exposing the institution to risk, e.g. reusing passwords, writing them down, using insecure devices, falling for phishing scams…​.
• Manipulated employees, i.e. employees unintentionally tricked into thinking they’re helping the company, e.g. in CEO fraud or authorized push payment scams.
• Malicious insiders, i.e. employees intentionally committing fraud, e.g. selling data, altering contact details, initiating unauthorized payments, colluding on approval of loans…​

This blog focuses on the third category: intentional internal fraud.

While many institutions claim insider fraud is under control or non-existent, the reality is that most face it at some point. The consequences are serious:

• High financial losses
• Full liability, with customers typically not at fault
• Complex detection due to insider knowledge and ability to bypass controls
• Reputational damage, undermining trust and credibility
• Cultural harm, impacting morale and stakeholder confidence

This type of fraud is also highly prevalent, especially in digital environments with little physical trace. It ranges from minor infractions to full-blown criminal activity.

Examples of smaller, yet problematic infractions are

• Offering friends or family better rates on loans
• Using office supplies for personal reasons
• Accessing confidential data out of curiosity

Examples of mid-level insider fraud include

• Insider trading
• Approving borderline loan applications
• Overpaying insurance claims
• Covering up bad trades or decisions

Examples of severe criminal activity include

• Aiding in money laundering
• Stealing funds
• Selling sensitive data
• Blackmail
• Facilitating cyberattacks or ransomware

Preventing insider threats is challenging. Too many controls hurt employee autonomy and efficiency, too few open the door to catastrophic fraud, even bankruptcy.

Therefore a three step approach is required.

Step 1: Prevention - Identify & Prevent Risk Behavior

This phase focuses on preventing insider fraud through training, support, screening, and monitoring. It typically involves HR, IT, Audit, and other departments.
Important here is to make employees aware these measures exist, as a strong deterrent.

Key elements include:

• Employee screening before and after hiring
• Employee behavioral monitoring, e.g. social media activity, performance, emotional shifts, signs of employee having an unrealistic living standard..
• Support employee financial wellbeing, as financial stress and hardship can lead to rationalizing fraud. Companies can mitigate this risk by offering financial wellbeing support, including confidential counseling, financial education, salary advance mechanisms, and other tools aimed at improving financial health.
• Monitor for addictions, such as alcohol, drugs, or gambling. Research has shown that gambling addiction, in particular, is a major contributor to insider fraud.
• Boost staff happiness, as layoffs, poor compensation, or stalled careers increase the risk of internal fraud. Companies should therefore ensure fair compensation, meaningful career development programs, regular evaluations and coaching, and effective wellbeing initiatives.
• Mandatory leave policies, such as requiring employees to take at least two consecutive weeks off annually to help expose irregularities.
• Risk and security awareness training should be mandatory, with attendance tracked and outcomes verified through real-world testing.
• Robust system security, including multi-factor authentication for all applications, four-eyes or even six-eyes principles for sensitive processes (with sufficient approver rotation), and complete logging and audit trails for all system activities.
• Protect all workstations using disk encryption, anti-malware and antivirus protection, website restrictions, and data extraction monitoring.
• Monitor employee activity by logging actions, tracking behavioral indicators (e.g. mouse movements, file copying, screen recordings), and detecting abnormal access patterns (e.g. off-hours building entry, unusual workstation access, workstation hopping).
• Apply strict access controls by limiting privileges to the minimum required for effective work. Regularly review access rights to prevent the accumulation of privileges over time due to project shifts, departmental changes, or evolving roles.

Step 2: Detection

Early detection of insider fraud patterns is crucial to minimize potential impact.

Detection should focus on:

• Unusual patterns of employee behavior, such as sudden behavior changes, privilege modifications, differences in behavior compared to peers in similar roles, repeated collaboration between two users (e.g. employees continuously working together for input and approval), login anomalies (such as accessing a different workstation, logging in from an unusual location, or during abnormal hours), unusual frequency or type of transactions accessed (e.g. viewing unfamiliar customer segments or payment types), sudden increases in search activity…​
• Data loss detection: monitoring for large or unauthorized data transfers via email, USB, file transfers, or downloads. Red flags include unusually high download volumes in a short time or the downloading of confidential/sensitive data.
• Unusual transaction patterns: Analyze transactions introduced by an employee and the typical payment behavior of the debited customer. Look for unusual transaction volumes or values, suspicious counterparties, employees initiating payments for customers they don’t typically serve, repeated payments to the same counterparty (creditor) on behalf of multiple customers, transactions submitted just before cut-off times, payments bypassing expected controls
• Monitor high-risk account activity: Monitor accounts such as dormant, silent, or blocked accounts, accounts belonging to deceased individuals or accounts where reference data was recently modified. These accounts often lack immediate customer oversight, making them more vulnerable to exploitation.
• Integrity and Data Lineage Checks: Ensure transactions are not altered, suppressed, or injected during their lifecycle, by tracking each transactions through its life-cycle. Verify that each step in the transaction chain is consistent, logically structured, and chronologically traceable.

To support all of the above, it is essential to build behavioral baselines and trigger real-time alerts when deviations or suspicious patterns occur.

In addition, conduct regular internal audits that combine statistical controls with targeted spot checks. These not only help detect anomalies but also act as a strong deterrent against insider fraud.

Step 3. Investigation & Resolution

Financial institutions must be committed to:

• Thoroughly investigating all insider fraud suspicions
• Implementing an incident response plan, shared only with trained team members
• Learning from past incidents to continuously improve fraud prevention strategies
• Recovering losses and minimizing further exposure in ongoing cases

Insider threats pose a significant risk with potentially devastating consequences for financial institutions. Striking the right balance between employee empowerment and robust controls is essential.

Mitigating this risk requires a holistic approach, spanning prevention, cultural awareness, technical monitoring, and rapid response. With the right strategy in place, financial institutions can reduce the threat of insider fraud and safeguard their most valuable assets: trust and reputation.