Insider threats: the top ways to detect and prevent when employees go rogue

Financial institutions are spending more than ever creating physical and virtual barriers to prevent criminals, fraudsters and cyberhackers from penetrating their defenses and gaining access to dollars, account details and card data, but in some cases that is simply not enough.

That’s because, at times, the most insidious and malicious masterminds trying to pilfer and profit from this information are already inside the gates: the rising risk of rogue insiders. They can be just as dangerous and damaging as their more sophisticated criminal counterparts because they don’t have to exert nearly as much effort to get access to terabytes of tempting information.

They are only limited by opportunity, circumstances and moral qualms, or lack thereof.

But there are warning signs that an employee could commit a fraudulent act, or has already started: stealing money directly from a company or customer account, copying credit card details to buy desired or needed items or to sell on the black market, or even – purposely or accidentally – introducing malware into a system to aid a hacking group.

Some of the precursors that could precipitate an employee’s downfall include financial or other stresses, possibly exacerbated by being passed over for a promotion or downgraded to a lower-paying position. Another is an employee accessing company records, systems or databases that fall outside their job description, or accessing them at times when they would normally be off the clock, say experts.

Warning Signs Tied to Employee Behavior and Personality

Behavior changes: Has the employee’s attitude visibly or noticeably changed at work, and do they seem more depressed, stressed or angry? Do they seem to be having family or financial problems, or is a relative going through a major illness? Have they taken out a hardship loan from their 401(k) or asked for funds to be advanced before a formal pay period?

Do they appear to be battling an addiction of some kind and has their work performance fallen as a result? These individuals are at a higher risk to engage in fraud to help themselves out of challenging times.

Lifestyle changes: Conversely, is an employee who is typically on the lower end of the pay scale now showing off fancy new clothes, jewelry or watches? Did they buy a new car, or are they planning expensive or exotic trips that appear incongruent with their income? That could be a red flag that they are padding their income at the company’s expense.

Clandestine activities: Does the employee appear to be engaging in secretive behavior patterns such as:

  • Always needing to know where any boss or supervisor is, and quickly changing screens if a coworker comes over unannounced. They also seem to be keeping something hidden in a drawer, purse or pocket.
  • Walking around in areas of the company typically outside their job description, or accessing company files not needed for their normal day-to-day functions.
  • Bringing recording or storage devices to work, such as flash drives that can hold company or customer information, databases or proprietary software, or accessing file-sharing sites that can move large amounts of data. Have they been seen taking pictures of confidential company documents?
  • Spending more time at the copier or fax machine than their job requires, being very secretive or possessive about the projects or documents they are working on, or taking significantly longer than needed on seemingly simple tasks.

Examples in recent years have spanned a range of crimes and entry points, from the low-ranking and low-tech to the brazen at the top-brass level, including a teller stealing customer data for an identity theft ring, a back-office worker issuing fraudulent checks or sending wire transfers to themselves, or an employee adding a fictitious person or vendor to a payroll system to funnel funds to a company under their control.

In some instances, rogue employees, such as traders, have cost banks billions of dollars in losses or fines, but even one employee can siphon hundreds of thousands, or even millions, of dollars from smaller firms, usually in less obvious, bite-size chunks and over a period of many years.

It is critical for a company to “be proactive and preventive,” said Jodi Pratt, co-founder of, a free site to help consumers learn how to lessen their own fraud risks and also a consultant on fraud and bank operations issues.

“Management should have already thought through creating an anti-fraud culture, including a code of ethics and acceptable practices for every new employee brought on board. It must also be clear if employees do not follow that, they will be terminated immediately” and potentially even prosecuted, she said.

But even if a company properly “sets the proper tone at the beginning, we all have some point or level to reach to be compromised,” Pratt said, noting that some individuals with weak moral fortitude may not even take a job with a strong stance against breaching internal rules.

Others, however, don’t “take a job thinking they will defraud the company when they get in here,” she said; fraud can occur when many disparate factors converge, such as financial problems, weak controls and the moment when they are left without someone physically or digitally watching over their shoulder, even after working at a company for several years.

Proactive Safeguards for Organizations

Risk rating: Similar to the AML context, companies should risk rate employees for insider fraud based on their level of authority and access. The general rule: the higher the access and power, the higher the risk for fraud.

The rating, for example, can go from 1 to 10, with higher-risk figures getting more attention and audits to determine what sites and files they are accessing and whether that corresponds to the customer or business accounts they are permitted to access. Also, know what company assets could be a target for insiders and apply stricter monitoring or password requirements to them.
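The following is an added example, not code from the article or its sources, of how the 1-to-10 rating above can be computed from an employee’s authority level and breadth of system access, and then used to prioritize review of access log entries that fall outside the job description or outside normal working hours (the two precursors the article names). The role table, the work-hours window and the sample employees and access events are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime

# Hypothetical authority levels (assumption, not from the article): higher = more power.
AUTHORITY = {"teller": 1, "back_office": 2, "branch_manager": 3, "sysadmin": 4}


@dataclass
class Employee:
    name: str
    role: str
    authorized_systems: frozenset   # systems within the job description
    work_hours: tuple = (8, 18)     # local hours considered "on the clock"


@dataclass
class Finding:
    employee: str
    reason: str
    system: str
    when: datetime
    priority: int                   # the risk rating, so high-authority staff are reviewed first


def risk_rating(emp: Employee) -> int:
    """Score 1-10: authority (1-4) plus breadth of access (number of systems, capped at 6)."""
    authority = AUTHORITY.get(emp.role, 1)
    breadth = min(len(emp.authorized_systems), 6)
    return max(1, min(10, authority + breadth))


def review_access(emp: Employee, events) -> list:
    """events: iterable of (ISO timestamp, system name). Returns findings for this employee."""
    rating = risk_rating(emp)
    findings = []
    start, end = emp.work_hours
    for when_str, system in events:
        when = datetime.fromisoformat(when_str)
        if system not in emp.authorized_systems:
            findings.append(Finding(emp.name, "out-of-scope system", system, when, rating))
        if not (start <= when.hour < end) or when.weekday() >= 5:   # weekend or off-hours
            findings.append(Finding(emp.name, "off-hours access", system, when, rating))
    return findings


def audit_all(employees, events_by_name) -> list:
    """Review every employee's events and order findings by risk rating, highest first."""
    findings = []
    for name, emp in employees.items():
        findings.extend(review_access(emp, events_by_name.get(name, [])))
    return sorted(findings, key=lambda f: -f.priority)


# Constructed sample data: two employees and a handful of access events.
SAMPLE_EMPLOYEES = {
    "alice": Employee("alice", "teller", frozenset({"teller_platform", "cash_drawer"})),
    "bob": Employee("bob", "sysadmin",
                    frozenset({"core_banking", "customer_db", "ad_admin", "backup", "siem"})),
}
SAMPLE_EVENTS = {
    "alice": [
        ("2024-03-12T09:15:00", "teller_platform"),   # Tuesday, in hours, in scope
        ("2024-03-12T23:40:00", "customer_db"),       # late night, outside job description
        ("2024-03-16T10:00:00", "teller_platform"),   # Saturday
    ],
    "bob": [
        ("2024-03-12T14:00:00", "core_banking"),
        ("2024-03-12T14:05:00", "payroll"),           # sysadmin touching payroll: out of scope
    ],
}

if __name__ == "__main__":
    for f in audit_all(SAMPLE_EMPLOYEES, SAMPLE_EVENTS):
        print(f"[priority {f.priority}] {f.employee}: {f.reason} on {f.system} at {f.when}")
```

Because findings are sorted by the rating rather than by time, a single out-of-scope event by a rating-9 administrator lands at the top of the review queue ahead of several findings for a rating-3 teller, which is the “higher access, higher risk” rule applied mechanically.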

Password protection: Don’t skimp on strict password and account management policies, or even on biometrics, to make it harder for one person to log in with another person’s credentials. Make sure to separate duties among different groups with higher and lower privileges, so that individuals newer to the company don’t have the keys to the kingdom.
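Separation of duties can be checked rather than assumed. The example below is added here and is not from the article: it expands role memberships into each user’s effective permissions and reports any user who holds both halves of a conflicting pair, such as creating a vendor and approving payments to it (the fictitious-vendor scheme mentioned earlier). The conflict pairs, role names and users are constructed for the example.

```python
# Conflicting duty pairs (constructed for this example): no single person should hold both.
CONFLICTS = [
    ("create_vendor", "approve_payment"),
    ("initiate_wire", "approve_wire"),
    ("post_transaction", "reconcile_ledger"),
]


def effective_permissions(user_roles, role_permissions):
    """Flatten role memberships into one permission set per user."""
    return {
        user: frozenset(p for role in roles for p in role_permissions.get(role, ()))
        for user, roles in user_roles.items()
    }


def sod_violations(user_roles, role_permissions, conflicts=CONFLICTS):
    """Return (user, (perm_a, perm_b)) for every conflicting pair a user can exercise alone."""
    violations = []
    for user, perms in sorted(effective_permissions(user_roles, role_permissions).items()):
        for a, b in conflicts:
            if a in perms and b in perms:
                violations.append((user, (a, b)))
    return violations


# Constructed sample directory: roles and who holds them.
ROLE_PERMISSIONS = {
    "ap_clerk": {"create_vendor", "post_transaction"},
    "ap_approver": {"approve_payment"},
    "treasury": {"initiate_wire"},
    "treasury_lead": {"approve_wire", "reconcile_ledger"},
}
USER_ROLES = {
    "dave": ["ap_clerk", "ap_approver"],      # can create a vendor and approve paying it
    "erin": ["ap_clerk"],
    "frank": ["treasury", "treasury_lead"],   # can initiate and approve the same wire
}

if __name__ == "__main__":
    for user, pair in sod_violations(USER_ROLES, ROLE_PERMISSIONS):
        print(f"{user}: holds both {pair[0]} and {pair[1]}")
```

Running this against the directory export on a schedule, and again whenever a role is granted, turns the “separate duties” principle into a control that fails loudly when a temporary grant or a role merger quietly hands one person the whole chain.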

Training, awareness: Weave threat awareness into periodic security or financial crime training for employees. Also, be sure to log who does and does not attend physical and virtual meetings and training sessions, and which individuals are routinely late in updating any required professional or other certifications. These kinds of indicators can foreshadow future fraudulent conduct.

System changes: Keep track of employees on the information technology and systems sides who have access to a broad range of systems and be sure these operations have records of when changes are made.

In some cases, IT personnel have gone in, stolen money from accounts, and then deleted the records and histories showing that the changes occurred, making it harder for company officials and auditors to track the changes. These users must have stricter access controls and monitoring.

The risk of insider fraud rises depending on an employee’s position in the company, and rises further if one person, or a very small elite few, are charged with reconciling the financials of a financial institution, branch or department.

Statistics reveal that senior managers are just as likely as staff on the lower rungs of the corporate ladder to commit insider fraud, but their schemes are usually significantly more expensive.

To better counter this threat, institutions need to take both a personal and an analytical approach to monitoring whether employees seem more nervous, secretive or frustrated.

They should also use technology to risk rate employees depending on their level of company authority and breadth of operations and customer systems access to better gauge who would need more diligent oversight at the outset of a relationship.

Technology and Information Security Measures

Cloud storage: Because so much data is held not on company servers but in cloud facilities, companies must also engage in third-party monitoring by defining in detail the security agreements for the cloud service, and which individuals have access to, and monitoring capabilities over, the company’s information.

Event management: If fiscally or technologically possible, companies should invest in a security information and event management system, or a log correlation engine, that can log, monitor and audit employee actions. Some software and hardware can actually record not just software or transaction changes, but what is taking place on an employee’s screen.

Remote access: Extend the same safeguards for internal company computers to all system entry and end points that grant remote access, including laptops and other mobile devices. If possible, don’t have just one wireless password, but require individualized passwords for in-office wireless.

Termination procedures: Realize that employees closer to termination are more likely to try to steal company information. So develop a more comprehensive procedure that gives more scrutiny to employees who are struggling or on a performance program, or that prevents them from accessing certain company or customer accounts.

Network security: Beyond looking for external attacks that could indicate a cybersecurity breach, establish a baseline of what can be considered normal network device behavior. That will help surface spikes in closer to real time if someone is trying to download a large amount of data onto a personal storage device or upload information to an outside site.

Social media: Keep social media in mind. Even if an employee seems outwardly normal, they could be complaining about the company on social media sites such as Facebook or Twitter, on their own personal blogs, or even on sites that rank the company. The individual may even brag about being on the way out and plan to steal, or have already stolen, details about the company from which they could gain a later financial benefit.

Beyond that, throughout the employee lifecycle, firms should audit the online, internal network and transactional histories of the accounts employees have access to and look for abnormalities, similar to how analysts using anti-money laundering (AML) transaction monitoring systems scour for aberrant, out-of-scope behavior that could indicate a financial crime.
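Both the network baseline described under “Network security” and the AML-style review of transactional histories above come down to the same check: build a per-person baseline from recent days and flag a day that departs from it by much more than the usual variation. The following is an added example, not from the article or any vendor product, of that check using the mean and population standard deviation of a short history. The z-score threshold, the history length required, the floor on the standard deviation and the sample egress and wire-transfer figures are all constructed assumptions.

```python
from statistics import mean, pstdev

MIN_HISTORY_DAYS = 5      # assumption: refuse to baseline on fewer days than this
Z_THRESHOLD = 3.0         # assumption: flag when today exceeds mean by > 3 standard deviations
SIGMA_FLOOR = 0.05        # assumption: never let sigma drop below 5% of the mean,
                          # so a very flat history does not flag trivial wobble


def baseline(history):
    """Return (mean, sigma) for one subject's per-day totals, with the sigma floor applied."""
    if len(history) < MIN_HISTORY_DAYS:
        raise ValueError(f"need at least {MIN_HISTORY_DAYS} days of history")
    mu = mean(history)
    sigma = max(pstdev(history), SIGMA_FLOOR * mu)
    return mu, sigma


def spike_score(history, today):
    """How many baseline standard deviations above the mean today's total sits."""
    mu, sigma = baseline(history)
    if sigma == 0:                      # only possible when the whole history is zero
        return float("inf") if today > 0 else 0.0
    return (today - mu) / sigma


def flag_spikes(history_by_subject, today_by_subject, z_threshold=Z_THRESHOLD):
    """Return the subjects whose figure today is a spike relative to their own history."""
    flagged = []
    for subject, history in history_by_subject.items():
        if subject in today_by_subject:
            if spike_score(history, today_by_subject[subject]) > z_threshold:
                flagged.append(subject)
    return sorted(flagged)


# Constructed sample 1: outbound bytes per workstation, in MB per day (the network case).
EGRESS_HISTORY_MB = {
    "alice": [120, 140, 110, 130, 125, 135, 115],     # mean 125, sigma 10
    "bob": [900, 950, 870, 920, 880, 940, 910],       # a backup host, normally busy
}
EGRESS_TODAY_MB = {"alice": 4200, "bob": 960}         # alice moved ~30x her usual volume

# Constructed sample 2: wire transfers initiated per day per clerk (the AML-style case).
WIRE_HISTORY = {"carol": [5, 3, 4, 6, 5, 4, 7, 3]}
WIRE_TODAY = {"carol": 40}

if __name__ == "__main__":
    print("egress spikes:", flag_spikes(EGRESS_HISTORY_MB, EGRESS_TODAY_MB))
    print("wire spikes:", flag_spikes(WIRE_HISTORY, WIRE_TODAY))
```

Baselining per subject matters: bob’s 960 MB would be an enormous outlier against alice’s history but is within his own normal range, while alice’s 4,200 MB is several hundred standard deviations above hers. The same function flags carol’s 40 wires on a day when she usually initiates four or five, which is the kind of out-of-scope transactional behavior an AML analyst would pull for review.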

What companies are doing to safeguard themselves from insider attacks is also on the minds of government investigative agencies.

In September, the Federal Bureau of Investigation and the Department of Homeland Security touched on the issue of insider fraud, releasing a public warning stating the agencies had seen an increase in computer network exploitation and disruption by disgruntled or former employees.

The individuals posed a “significant cyber threat to US businesses due to their authorized access to sensitive information and the networks businesses rely on,” the agencies said in the statement.

Sources and additional resources:

Software Engineering Institute report:

Insider report on financial services:

CERT Insider Threat Center: