The Fraud Blog with Tracy Kitten

Insiders: Primary Points of Compromise

Financial Fraud Fighting Needs Internal Attention

Last week's arrest of Gary Foster, the former Citi exec who's been accused of embezzling more than $19 million through wire transfers, has left the industry a little dumbfounded. [See Citi Case Exposes Insider Risks.]

How could a mid-level executive in the bank's treasury department manage to fraudulently push that much money through legitimate transfers? If true, it all happened right under the bank's nose, and it took almost a year to detect.

Sure. Foster is believed to have done a little shuffling to cover his tracks. Investigators brought charges against him after reportedly tracing movement of $900,000 from Citi's interest expense account and $14.4 million from the bank's debt adjustment account to the cash account.

After that, however, it seems the alleged scam was easy to pull off. From the interest expense and debt adjustment accounts, Foster is accused of scheduled eight separate wire transfers to deposit funds in an outside, personal account with his name on it.

Shirley Inscoe, director of financial services solutions at Memento and a former risk management executive at Wachovia who co-authored "Insidious: How Trusted Employees Steal Millions and Why It's So hard for Banks to Stop Them," says the Citi incident is hard to understand.

"It's such a classic case of insider fraud, how did he go so long without being caught?" she asks. "Many banks monitor their employees to detect various types of fraud. I'm pretty sure Citi did not have that kind of monitoring in place. They must have not had anything like that in place, because he would have been caught."

Sadly, as outrageous as it seems that an employee like Foster could allegedly get away with a multimillion dollar scheme that so blatantly abused the bank's legitimate transaction channels, it's not a problem that's unique to Citi. In fact, most banking institutions, from large to small, have done a poor job of keeping up with internal threats.

Let's take the internal breach at Bank of America as a second example. A now former BofA employee was charged last month with leaking customer names, addresses, Social Security numbers, phone numbers, bank account numbers, driver's license numbers, birth dates, e-mail addresses, family names, PINs and account balances to a ring of criminals. The crime ring reportedly used the information to hijack e-mail addresses, cell phone numbers and possibly more to open accounts and order checks under stolen identities.

"I think many banks have cut back on their internal controls and fraud detection because of very tight budgets," Inscoe says. "I have seen and heard that several times over the last two to three years. Banks saying, 'If we had not cut back on this or that, we would have caught this sooner.'"

It's clearly an issue, in more ways than you might assume. This week, another connection to insider compromises was brought to my attention - the link between insiders and increasing attacks waged against lobby and branch-based ATMs.

Over the last year, a handful of reports about skimming devices being attached to ATMs located right inside bank branches or vestibule located outside bank lobbies, has revealed a certain criminal brazenness. These criminals are so bold; they don't care about compromising ATMs right in front of branch staff.

But Mike Lee, CEO of the ATM Industry Association, says bankers should not overlook the possibility that many of these recent attacks have an inside connection. "We wrote best practices for prevention of insider fraud, because we know there are sometimes forms of collusion," he says. [See Insider Threats: Great and Growing .]

When it comes to internal fraud and the damage it causes, banks and credit unions often fail in three critical areas, Inscoe says:

  • Internal fraud is misclassified;
  • Institutions underestimate how reports of internal fraud breed mistrust among consumers; and
  • Not catching and stopping internal schemes quickly adversely affects consumers, who often fall victim to identity theft.
Inscoe adds that banks and credit unions can address internal fraud by using more transaction and behavioral monitoring. But most financial institutions aren't willing to make the investment. Perhaps recent events will change their minds.

About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by, ABC News, and MSN Money.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.