In a hybrid work environment, employee fraud is harder to detect — and more damaging than ever. Prakash Santhana, partner at Davies, explores how businesses can use advanced analytics and proactive monitoring to safeguard against fraud risks and build a resilient remote workforce.
Occupational fraud remains a significant issue. According to a 2023 report on occupational fraud by the Association of Certified Fraud Examiners (ACFE), global losses reached $42 billion, with a median loss of $150,000. While executives and leaders would love to assume their hybrid- or remote-working employees are not a fraud risk vector, logic dictates the opposite.
While there is yet to be a proven direct correlation between remote working and a rise in occupational fraud, in a hybrid working model remote employees arguably have more opportunities to exploit consumer data without the traditional physical controls of an office environment.
Additionally, where organizations operate a BYOD (bring your own device) policy, devices may not be monitored or protected as stringently as other company-owned devices. Consequently, in this new age of hybrid working, organizations need to be aware of the additional risks and adapt their approach to ensure hybrid and remote working works for both the employer and employee.
Because it is lesser-known and doesn’t typically result in such large monetary losses as external fraud, employee fraud does not tend to get the same attention. However, the impact can come in multiple forms and have far-reaching effects:
- Financial impact: The most obvious result of employee fraud is lost money. Where this occurs, it is typically a large amount because the employee has identified the gap within the system and exploits it as much as possible as quickly as possible while remaining undetected.
- Regulatory breaches: Organizations are required to put measures in place to protect against cyber breaches, including those as a result of employee fraud. Depending on which sector they operate in, organizations that fail to detect and respond to breaches can be hit with significant penalties, including fines.
- Reputational damage: Following regulatory penalties, organizations may find themselves named and shamed by regulators and could experience damage to their brand as a result.
What hybrid-work fraud looks like
Let’s explore what employee fraud can look like in a hybrid workforce. It occurs when rogue employees:
- Use their legitimate access through their provisioned or BYOD device to doctor a consumer’s profile and associate it with another device and email that they possess. These are then used to gain access to consumer accounts or facilitate fund transfers.
- Use information gathered about a consumer account and direct unauthorized payments or transfers to themselves using other employee accounts.
- Use BYOD devices to access customer records and take pictures of sensitive information displayed on the screen and transmit the data via encrypted messaging apps or personal email accounts.
Most organizations will likely rely on standard vendor solutions to protect their organizations against network intrusion. These systems detect when a user exceeds the level of access they have been given to data, by looking at the user ID and the stated policies and permissions. However, in the world of hybrid working and BYOD, this is no longer enough. For example, if an organization’s employee steals a colleague’s password and credentials, they can complete a transaction from their own device using those credentials. To a standard vendor solution, this is not a breach because ostensibly, the user has permission to carry out that action.
Advanced solutions
More sophisticated techniques and technologies are available to assist with the detection of such breaches. These broader solutions look at shared resources across systems and identify intrusion where multiple credentials have been compromised.
This is achieved by first consolidating data from a number of sources, including things like application server logs, endpoint telemetry, consumer portal access logs, transaction data, device data and more.
Once data has been gathered, graph analytics can map relationships between employees, devices, consumer accounts and actions. They can identify clusters with unusual activity or links and flag abnormal access or unusual interactions, such as customer profile changes or payment initiations by employees. User IDs, device digital certificates, device types (BYOD vs provisioned) and IP addresses can be correlated.
Similarly, consumer transactions on unknown devices originating from the same or proximal IP addresses as those associated with employees can also be identified.
At the same time, temporal analysis can review the sequence of events to identify where profile changes were followed by unauthorized access. Anomalies like systems being accessed outside of normal working hours, unusual usage patterns of network connections, frequent changes to consumer information across accounts and use of unknown devices on consumer accounts related to an employee can all be examined.
By collating and analysing these data points, alerts can be generated from the analysis. These include:
- Anomalous customer profile modifications by employees or significant deviations from normal work patterns.
- Unusual modifications to the same sensitive data across customers.
- Unauthorized attempts on consumer accounts from IP addresses not associated with the consumer account following employee modifications to customer profiles; proximity of IP addresses used to access consumer accounts with known IP addresses associated with employees.
- Multiple password reset requests from consumer accounts after employee modifications.
- Devices used for business activity connected to unusual IP addresses.
- High-risk employee activities outside normal business hours.
- Elevated access or privilege escalation attempts by employees.
- Role-based access control (RBAC) or attribute-based access control (ABAC) policy violations at the user, device and IP address level.
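The temporal and proximity correlation described above, as an added illustration that is not code from the article or from Davies: it takes a constructed set of consolidated events (employee sessions and consumer-portal activity), records employee profile changes per consumer account, then flags consumer activity from a never-seen device within a window after such a change, and notes whether the session's IP falls in the same /24 as an employee's. Event fields, the 24-hour window and the /24 proximity rule are assumptions chosen for the example.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample events (hypothetical, not from the article):
# (timestamp, actor, actor_type, action, consumer_account, device, source_ip)
EVENTS = [
    ("2024-03-04T09:12", "emp42", "employee", "profile_update", "cust-1001", "byod-7", "203.0.113.10"),
    ("2024-03-04T09:15", "cust-1001", "consumer", "login", "cust-1001", "dev-x3", "203.0.113.55"),
    ("2024-03-04T09:16", "cust-1001", "consumer", "password_reset", "cust-1001", "dev-x3", "203.0.113.55"),
    ("2024-03-04T10:00", "emp17", "employee", "profile_update", "cust-2002", "corp-3", "198.51.100.8"),
    ("2024-03-05T14:00", "cust-2002", "consumer", "login", "cust-2002", "dev-9", "192.0.2.77"),
]
# Devices previously seen on each consumer account (constructed).
KNOWN_DEVICES = {"cust-1001": {"dev-1"}, "cust-2002": {"dev-9"}}


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")


def employee_networks(events, prefix=24):
    """Map each /prefix network seen on an employee session to the employees using it."""
    nets = {}
    for ts, actor, kind, action, acct, dev, ip in events:
        if kind == "employee":
            net = ip_network(f"{ip}/{prefix}", strict=False)
            nets.setdefault(net, set()).add(actor)
    return nets


def correlate(events, known_devices, window=timedelta(hours=24)):
    """Alert on consumer activity from an unknown device within `window` after an
    employee profile change, noting employees whose network the IP is proximal to."""
    nets = employee_networks(events)
    mods = {}  # consumer account -> [(time, employee)] profile changes
    for ts, actor, kind, action, acct, dev, ip in events:
        if kind == "employee" and action == "profile_update":
            mods.setdefault(acct, []).append((parse(ts), actor))
    alerts = []
    for ts, actor, kind, action, acct, dev, ip in events:
        if kind != "consumer" or dev in known_devices.get(acct, set()):
            continue  # known device for this account: nothing to flag here
        t = parse(ts)
        prior = [emp for (mt, emp) in mods.get(acct, []) if mt <= t <= mt + window]
        if not prior:
            continue
        near = {e for net, emps in nets.items() if ip_address(ip) in net for e in emps}
        alerts.append({"account": acct, "action": action, "device": dev, "ip": ip,
                       "modified_by": sorted(prior), "proximal_to": sorted(near)})
    return alerts
```

In production the same logic would run over the consolidated log store rather than an in-memory list, and the proximity rule would be tuned to the organisation's address plan.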
The aim of having a more sophisticated detection solution is always the same — to identify anomalies before fraud has occurred so the organization can be notified of potential issues and can investigate accordingly. By using this multitude of data points and techniques, the technology can build a picture of what’s occurred, arming the organization with all the required information to take the next steps. What’s more, organizations can run the analysis as frequently as needed, either constantly in the background or intermittently.
The diversity of devices in hybrid working means organizations need to re-evaluate how they manage their cybersecurity. Because the restrictions and checks on employees created by a physical office space no longer apply, solutions that focus solely on employees’ permissions and whether these have been exceeded are no longer sophisticated enough to guard against potential fraudulent activity.