The study found that, on average, insiders are on the job for more than five years before they start committing fraud and that it takes nearly three years for their employers to detect their crimes.
The Illicit Cyber Activity Involving Fraud in the U.S. Financial Services Sector study, funded by the U.S. Department of Homeland Security Science and Technology Directorate, examined technical and behavioral patterns from 80 fraud cases that occurred between 2005 and 2012.
The study found that those committing fraud are taking a "low and slow" approach, escaping detection for long periods of time and costing targeted organizations an average of $382,000 or more, depending on how long the crime goes undetected. Managers and accountants cause the most damage from insider fraud and evade detection longer.
"We also found that nearly 93 percent of fraud incidents were carried out by someone who did not hold a technical position within the organization or have privileged access to organizational systems," said Randy Trzeciak, technical lead of the Insider Threat Research Team.
A reason that these crimes are going undetected may be linked to the fact that technology has played a minimal role in enabling victim organizations to detect insider fraud activity. "Many people think that insider crimes can be addressed solely by technical controls, but the most effective way to prevent and detect insider crimes is to make it an enterprise-wide effort to master both the technical and behavioral aspects of the problem," said Trzeciak.
The study highlights the following findings, which provide insight into how the crimes were committed and the type of people within organizations who committed them:
- Criminals who executed a "low and slow" approach caused more damage and escaped detection for a longer period of time.
- Insiders' methods lacked technical sophistication.
- Fraud by managers differed substantially from fraud by non-managers in terms of the extent of damage and duration.
- Most incidents did not involve collusion.
- Most incidents were detected through an audit, customer complaint, or co-worker suspicion.
- Personally identifiable information (PII) was a prominent target of those committing fraud.