Internal fraud coupled with IT savvy is a killer combination

Summary: As any auditor knows, internal fraud is as old as business. The classic case involves the secretary who is responsible for accounts payable as well as procurement.

TOPICS: IT Employment

As any auditor knows, internal fraud is as old as business. The classic case involves the secretary who is responsible for both accounts payable and procurement: he generates bogus invoices and pays them to bogus companies. I have a friend in Chicago whose business was ruined this way. A law firm here in Michigan lost millions to the Nigerian 419 scam because its secretary had access to the firm’s funds. (By the way, check out this article: a couple of con artists in Toronto have received jail terms. Nigerians are not responsible for all advance-fee scams!)

Modern accounting controls are supposed to prevent this kind of fraud. The real danger is that controls are not keeping pace with technology. Since the introduction of the first commercial computer (UNIVAC, on this date in 1951), computers have been used to make the fraudster’s job easier. This article mentions three cases of admittedly low-tech fraud, but involving IT staff. In one case a mid-level IT manager at the Canadian Defense Department created bogus orders for Tempest terminals that were funneled through a supplier, HP, to front companies from which he received kickbacks. The point is that IT staff are not above sneaking a buck out of the till now and then. Imagine the consequences if a developer or internal admin monkeys with the workings of your automated billing and receivables software.

What could an insider accomplish with a few simple credentials? Access to the treasury system, for instance. Most large organizations swap millions into overnight instruments to take advantage of the best interest rates, only to swap them back into their working accounts during the day. Skimming a piece of that transaction could be simple.

It is probably a good time to review the internal controls at your organization. Rolling out a new layer of authentication could cut short any fraudulent operation already under way. Strong authentication for any treasury function should be mandated. Monitoring of transactions and data transmissions is another step. And an audit of existing controls, including a test of them, would be good.
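Two of the controls the article calls for can be checked mechanically from data the organization already holds: a segregation-of-duties check over role assignments (the secretary who both sets up vendors and pays their invoices is the first conflict pair) and a maker-checker check over payment records. This is an added example, not code from the article; the duty names, the conflict matrix, the approval threshold and every record in it are constructed.

```python
# Added example (not from the article): two controls an internal audit can run
# from data the organization already has.  Duty names, the conflict matrix, the
# approval threshold and all records are constructed for illustration.
from collections import defaultdict
from decimal import Decimal

# Pairs of duties one person must not hold at once.  The first pair is the
# article's secretary: setting up vendors and paying their invoices.
CONFLICTING_DUTIES = [
    ("vendor_master", "accounts_payable"),
    ("create_payment", "approve_payment"),
    ("treasury_sweep", "reconcile_treasury"),
]

# Constructed role assignments: user -> duties held.
ASSIGNMENTS = {
    "alice": {"vendor_master", "accounts_payable"},    # the classic conflict
    "bob":   {"create_payment"},
    "carol": {"approve_payment", "reconcile_treasury"},
    "dave":  {"treasury_sweep", "create_payment"},
}

# Constructed payment records.
PAYMENTS = [
    {"id": "P-1", "created_by": "bob",   "approved_by": "carol", "amount": Decimal("12000.00")},
    {"id": "P-2", "created_by": "bob",   "approved_by": "bob",   "amount": Decimal("4500.00")},
    {"id": "P-3", "created_by": "alice", "approved_by": None,    "amount": Decimal("9000.00")},
    {"id": "P-4", "created_by": "carol", "approved_by": "carol", "amount": Decimal("250.00")},
    {"id": "P-5", "created_by": "dave",  "approved_by": "bob",   "amount": Decimal("3000.00")},
]


def sod_conflicts(assignments):
    """Return {user: [(duty_a, duty_b), ...]} for everyone holding a conflicting pair."""
    found = defaultdict(list)
    for user, duties in assignments.items():
        for a, b in CONFLICTING_DUTIES:
            if a in duties and b in duties:
                found[user].append((a, b))
    return dict(found)


def maker_checker_violations(payments, assignments, threshold=Decimal("1000.00")):
    """Maker-checker rule: any payment at or above the threshold needs approval
    by a different person who actually holds the approve_payment duty.
    Returns [(payment_id, reason), ...] for payments that fail the rule."""
    violations = []
    for p in payments:
        if p["amount"] < threshold:
            continue                       # small payments are outside the rule
        approver = p["approved_by"]
        if approver is None:
            violations.append((p["id"], "no approval"))
        elif approver == p["created_by"]:
            violations.append((p["id"], "self-approved"))
        elif "approve_payment" not in assignments.get(approver, set()):
            violations.append((p["id"], "approver lacks duty"))
    return violations


if __name__ == "__main__":
    for user, pairs in sod_conflicts(ASSIGNMENTS).items():
        print(f"SoD conflict: {user} holds {pairs}")
    for pid, reason in maker_checker_violations(PAYMENTS, ASSIGNMENTS):
        print(f"Payment {pid}: {reason}")
```

Both checks are deliberately data-driven: the conflict matrix and the threshold are the policy, and the code only reports exceptions, so the same script can be re-run after each role change or payment batch rather than once a year.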

  • Rounding error

    A very clever scam was to move the money that disappeared when a transaction was rounded to cents to a special account. With enough transactions, the account held a substantial amount of money.

    Thieves may not be as clever as idiots (Remember the old saying, Nothing is idiot-proof because the idiots are so damned clever.) but they are just as determined.
    Anton Philidor
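The rounding-account scheme described in the comment above, beside the recomputation check an auditor would run to catch it. This is an added example, not code from the thread; the balances, interest rate, account numbers and flagging thresholds are constructed. It goes slightly beyond the comment by running the same batch under an honest rounding mode as well, so the two audit results can be compared.

```python
# Added example (not from the thread): the rounding-account scheme the comment
# describes, beside the recomputation an auditor runs to catch it.  Balances,
# rate, account numbers and the flagging thresholds are constructed.
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_EVEN

CENT = Decimal("0.01")
RATE = Decimal("0.0001")                   # constructed daily interest rate

# Constructed customer accounts: (account, balance).
ACCOUNTS = [
    ("A-1", Decimal("1234.56")), ("A-2", Decimal("2345.67")),
    ("A-3", Decimal("3456.78")), ("A-4", Decimal("4567.89")),
    ("A-5", Decimal("5678.91")), ("A-6", Decimal("6789.12")),
    ("A-7", Decimal("7890.23")), ("A-8", Decimal("8901.34")),
]


def post_interest_batch(accounts, rate, rounding):
    """One interest run.  Returns (account, balance, credited) per customer.
    An honest system uses an unbiased rounding mode; the scheme the comment
    describes rounds every posting down and books the shortfall elsewhere."""
    return [(acct, bal, (bal * rate).quantize(CENT, rounding=rounding))
            for acct, bal in accounts]


def residue_audit(postings, rate):
    """Recompute exact interest from the inputs and compare with what was
    credited.  Unbiased rounding leaves residues of both signs that roughly
    cancel; a skim leaves residues that are (almost) all positive and a net
    amount that grows with the number of postings."""
    residues = [bal * rate - credited for _, bal, credited in postings]
    n = len(residues)
    net = sum(residues, Decimal(0))
    positive = sum(1 for r in residues if r > 0)
    # Constructed thresholds: 90 % same-sign residues over at least 8 postings,
    # or a net residue above a quarter of a cent per posting (unbiased rounding
    # averages zero; rounding down averages half a cent per posting).
    biased_signs = n >= 8 and positive / n >= 0.9
    net_too_large = net > Decimal(n) * Decimal("0.0025")
    return {"n": n, "net": net, "positive": positive,
            "flag": biased_signs or net_too_large}


if __name__ == "__main__":
    for label, mode in (("honest", ROUND_HALF_EVEN), ("skimmed", ROUND_DOWN)):
        print(label, residue_audit(post_interest_batch(ACCOUNTS, RATE, mode), RATE))
```

The audit never trusts the posting system's own arithmetic: it takes the inputs (balances and rate) and the outputs (credited amounts) and recomputes the middle, which is the only way a diverted fraction of a cent becomes visible.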
    • Hah!

      I used to quip that "there is no Lex Luthor of cybercrime". Now, I am not so sure.

  • This is one thing where IT doesn't matter at all

    ... well, almost doesn't matter. Good authentication and access privilege management are, of course, a must for the IT department in any commercial establishment.

    But they won't be able to solve the problem - after all, someone *does* hold the key to the safe, so to say. And this human is *the* weakest link in the chain.
    • Disagree

      As someone who thinks technology can solve almost all procedural problems I believe that internal abuse and criminal activity *can* be controlled through IT.

      If someone is being watched they are much less likely to steal. Thus, cameras over the shoulder of the bank teller and web pages that inform someone when they are violating company policy.
      • So?

        So, who's gonna watch the watcher? Ok, we install cameras over the clerk's shoulders. He then takes the security officer on as an accomplice. Or, possibly, the officer sees an act of stealing and starts to blackmail the clerk, instead of reporting it to his superiors. Whatever.

        As another poster has said already - it's humans who ultimately make decisions about fraudulent activities and act upon them. As long as that stays true - technology won't solve the problem, it will only offer a reasonable deterrent.
        • Checks and balances

          You watch everybody. Then you watch the accounting system, and finally, when your employees start buying condos in the Caymans you check that out too!
      • Bank tellers.

        At a single branch bank, one teller was short by $20 for 4 consecutive Thursdays. Because of the pattern, the tape for each day was reviewed. No indication of how it happened.
        Another teller was $400 short in a single day. There was a careful review of the tapes with no idea how it happened.

        Neither teller was suspected of dishonesty at any time; the intent was to find a successful scam.

        This sort of thing happens all the time. Please don't expect technology, even supplemented by human judgment, ever to be a perfect brake on criminal action.
        Anton Philidor
        • Of course not perfect

          But still, technology can be applied to reduce theft at a cost that pays for itself.
  • real world example

    I just built a single sign on app for our company and it is being deployed enterprise-wide. In it, we use Log4Net as our logging tool. Log4Net allows someone to turn on various logging targets, e.g., I can log to file for certain things, and log to SMTP for others.

    Now if I were really unscrupulous... what is to stop me from logging every username and password to SMTP without anyone ever knowing it was in the code? I could compile an external library, to which nobody else would know what it did, and I could simply say it was a necessary library I downloaded as open source. Now then, I don't do anything until I make an entry in the config file.

    We do monthly release cycles. We build it, then hand it off to production admins-- who do what we tell them. Copy here, copy that, etc. What is to stop me from, on July 1st, activating that SMTP logger for one month, by providing a config file with the right entries, then deactivating it next month?

    This is why admins/developers MUST have the highest ethics, and MUST be tested for that sort of thing.

    Furthermore, I would never hire anyone who had been convicted of any crime, regardless of when, nor even accused of anything close to it-- for that very reason.

    Great knowledge in the wrong hands is extremely destructive, and that example above is one scenario that I'm SURE has been realized numerous times by IT folks.

    The even scarier part: there's nothing that can be done about it because at the end of the day, we have to rely on humans, whether it's the IT guy or the auditor, or whoever-- it is up to another human to decide.
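The control that answers the scenario in the post above is a review of the configuration that actually gets handed to the production admins, not just of the code: appenders that send log data off the host, verbose levels on credential-handling loggers, and any drift from the configuration that was reviewed. The following is an added example, not code from the thread or from the poster's application; the two configurations, the logger name `Sso.Authentication` and the "sensitive logger" list are constructed, while the appender type names are real log4net appender classes.

```python
# Added example (not from the thread): an audit of a log4net XML configuration
# of the kind the release step described above should run before deploying.
# The two configurations, the logger names and the "sensitive logger" list are
# constructed; the appender type names are real log4net appenders.
import xml.etree.ElementTree as ET

# log4net appenders that send log data off the host.
NETWORK_APPENDERS = {
    "SmtpAppender", "SmtpPickupDirAppender", "RemoteSyslogAppender",
    "UdpAppender", "TelnetAppender", "RemotingAppender",
}
# Constructed: logger name prefixes that handle credentials or sessions.
SENSITIVE_LOGGERS = ("Sso.Authentication",)

APPROVED = """<log4net>
  <appender name="FileAppender" type="log4net.Appender.RollingFileAppender">
    <file value="logs/sso.log" />
  </appender>
  <root>
    <level value="INFO" />
    <appender-ref ref="FileAppender" />
  </root>
</log4net>"""

# The same file with an SMTP appender and a DEBUG logger for the auth
# namespace quietly added for one release cycle.
DEPLOYED = """<log4net>
  <appender name="FileAppender" type="log4net.Appender.RollingFileAppender">
    <file value="logs/sso.log" />
  </appender>
  <appender name="MailAppender" type="log4net.Appender.SmtpAppender">
    <to value="someone@example.invalid" />
    <smtpHost value="mail.example.invalid" />
  </appender>
  <root>
    <level value="INFO" />
    <appender-ref ref="FileAppender" />
  </root>
  <logger name="Sso.Authentication">
    <level value="DEBUG" />
    <appender-ref ref="MailAppender" />
  </logger>
</log4net>"""


def summarize(config_xml):
    """Reduce a config to {appender: short type} and {logger: (level, refs)}."""
    root = ET.fromstring(config_xml)
    appenders = {}
    for a in root.findall("appender"):
        type_name = a.get("type", "").split(",")[0].strip()   # drop assembly part
        appenders[a.get("name")] = type_name.rsplit(".", 1)[-1]
    routes = {}
    nodes = [root.find("root")] + root.findall("logger")
    for node in nodes:
        if node is None:
            continue
        name = node.get("name", "root")
        lvl = node.find("level")
        level = lvl.get("value") if lvl is not None else None
        refs = tuple(sorted(r.get("ref") for r in node.findall("appender-ref")))
        routes[name] = (level, refs)
    return appenders, routes


def audit(config_xml):
    """Findings a reviewer should see: data leaving the host, verbose auth logging."""
    appenders, routes = summarize(config_xml)
    findings = []
    for logger, (level, refs) in routes.items():
        for ref in refs:
            kind = appenders.get(ref, "unknown")
            if kind in NETWORK_APPENDERS:
                findings.append(f"{logger}: routed to {kind} '{ref}' (leaves the host)")
        if logger.startswith(SENSITIVE_LOGGERS) and level in ("DEBUG", "ALL"):
            findings.append(f"{logger}: level {level} on a credential-handling logger")
    return findings


def config_drift(approved_xml, deployed_xml):
    """Every difference between the reviewed config and the one handed to ops."""
    a_app, a_routes = summarize(approved_xml)
    d_app, d_routes = summarize(deployed_xml)
    changes = []
    for name in sorted(set(a_app) | set(d_app)):
        if a_app.get(name) != d_app.get(name):
            changes.append(f"appender {name}: {a_app.get(name)} -> {d_app.get(name)}")
    for name in sorted(set(a_routes) | set(d_routes)):
        if a_routes.get(name) != d_routes.get(name):
            changes.append(f"logger {name}: {a_routes.get(name)} -> {d_routes.get(name)}")
    return changes
```

Run as part of the hand-off, `config_drift` makes the "just copy this file" step something a second person signs off on, and `audit` gives that person a short list of what to look at rather than a whole XML file.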
    • Absolutely agree

      I've been working on a large Internet payment system as of late. Specifically, I've developed a library responsible for passing card transactions to appropriate processors. As such, I can access thousands of real-world CC details - I'm positive that I can sneak in a few lines of code that will forward such detail from the production system to me in some inconspicuous way.

      There are no real technical means to deter me from doing this, save for a full-blown code security audit - and even that won't necessarily find the hole - I know pretty well how such audits are done and will, of course, take the necessary precautions.

      But of course I'll never do such a thing - my professional ethics and self-esteem do not allow for such behavior. But I know of several less scrupulous fellows who now make quite a decent living by leaving such backdoors in the systems they develop.
    • Yikes

      Yes scary. But with checks and balances you can at least require the collusion of more than one person to pull off this type of crime.

      When does organized crime get into this? They could *Hire* people to put back doors in ATM software or whatever.
      • Non-negotiable audit trails....

        are required to prevent this. Immutable or tamper resistant auditing of all system users, including the system admin and CSO would mean that no one could get away with this. The audit logs could even be scrutinized by a bonded 3rd party if necessary, at an off-site location unknown to staff if desired.
        • Also....

          Forgot to add that user-centric security should be added to the mix as well so that all unauthorized access or use of resources is easily traced and identified. If you are not on the white list, you don't get access, period, making it impossible for organized crime or anyone else to leave backdoors.
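One concrete shape for the "immutable or tamper resistant" audit trail the two comments above ask for: a hash chain, where every entry's hash covers the previous entry's hash, and the latest hash is what gets handed to the bonded third party. Editing, removing or reordering any entry then breaks every hash after it, and comparing against the escrowed head also catches deletion of the most recent entries, which a plain recomputation cannot see. This is an added example, not code from the thread; the record fields and the sample events are constructed.

```python
# Added example (not from the thread): a hash-chained, append-only audit trail.
# Each entry's hash covers the previous hash, so editing, deleting or reordering
# any entry breaks every hash after it; the current head hash is what you hand
# to the bonded third party.  Record fields and the sample events are constructed.
import copy
import hashlib
import json

GENESIS = "0" * 64   # "previous hash" of the very first entry


def _digest(prev_hash, seq, record):
    """Canonical hash: previous hash || JSON of {seq, record fields}."""
    payload = json.dumps({"seq": seq, **record}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AuditLog:
    def __init__(self):
        self.entries = []          # each: {"seq", "record", "prev", "hash"}

    def append(self, record):
        seq = len(self.entries)
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        h = _digest(prev, seq, record)
        self.entries.append({"seq": seq, "record": record, "prev": prev, "hash": h})
        return h

    def head(self):
        """The value to escrow off-site after each batch (or each entry)."""
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify(entries, escrowed_head=None):
    """Recompute the chain.  Returns (True, None) if intact, otherwise
    (False, index of the first entry that does not fit).  Comparing against an
    escrowed head additionally catches removal of the most recent entries."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev:
            return False, i
        if _digest(prev, i, e["record"]) != e["hash"]:
            return False, i
        prev = e["hash"]
    if escrowed_head is not None and prev != escrowed_head:
        return False, len(entries)
    return True, None


def build_sample_log():
    """Constructed events of the kind the thread worries about."""
    log = AuditLog()
    log.append({"actor": "sysadmin", "action": "chmod", "target": "/hr/staff-list", "mode": "o+r"})
    log.append({"actor": "cso", "action": "disable_user", "target": "jdoe"})
    log.append({"actor": "deploy", "action": "config_change", "target": "log4net.config"})
    return log


def tampered_copy(log, index, **changes):
    """Simulate an after-the-fact edit of one entry (for the demonstration only)."""
    entries = copy.deepcopy(log.entries)
    entries[index]["record"].update(changes)
    return entries


if __name__ == "__main__":
    log = build_sample_log()
    head = log.head()
    print("intact:", verify(log.entries, head))
    print("edited entry 1:", verify(tampered_copy(log, 1, actor="someone_else")))
    print("last entry removed, no escrow:", verify(log.entries[:-1]))
    print("last entry removed, with escrow:", verify(log.entries[:-1], head))
```

The chain alone only proves internal consistency; whoever can rewrite the whole file can rebuild it. The escrowed head is what binds the log to a point in time outside the administrators' reach, which is why the comment's off-site third party is the part that does the real work.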
  • Not just fraud, retribution

    A few years back when we had a "black monday," one of the IT folks that thought he might be let go took a peek at the HR manager's user directory.
    When he found his name on the "bye-bye" list, he opened up permissions to the directory to all employees as a goodbye present to the company.
    The surprise tap on the back wasn't such a surprise to a lot of people.
  • You need proof and a white knight in a bullet proof vest

    to begin with. Organizations have worked together for years, long before computers, to take advantage of situations and continue to be successful as long as they don't get too greedy. Greed is the downfall of the professional. What is needed is an organization of savvy "white knights" that can be trusted with our well being. Sort of like revenoors during Prohibition, only we need trusted nerd "revenoors". Computer traffic cops; good guy traffic cops.