« Appropriate Blame Placement Response | Main | VT Day of Mourning »

KPMG Publishes "Profile of a Fraudster"

Ok, time to get back to an infosec focus here... :) KPMG UK has published a report that describes "fraudsters" (non-technical term describing a white collar criminal) based on analysis of 360 cases in Europe, South Africa, and the Middle East.

Below are some selected stats from the Executive Summary (section 3). If you find this interesting, I encouraging reading the whole story. It's interesting to see reinforcement of the old school notion that the vast majority of incidents are from internals. Reinforces the need to protect the company against its own personnel, though without treat people as criminals. The old phrase "it's behind the firewall" is once again proved ridiculous.

This first quoted section here describes what average fraudsters look like. Given that the workplace is still generally male-dominated (probably especially so in places like the Middle East), this profile is generally unsurprising. Note: red color font is my addition.

Personal details
  • 70 percent of fraudsters were between the ages of 36 and 55 years old.

  • 85 percent of perpetrators were male.

  • In 68 percent of profiles the perpetrator acted independently.

  • In 89 percent of profiles the fraudsters were employees committing fraudulent acts against their own employer, whereas 20 percent involved complicity with an external perpetrator, resulting in the conclusion that in only 11 percent of all profiles the companies were attacked purely by externals.

  • Members of senior management (including board members) represent 60 percent of all fraudsters. An additional 26 percent of profiles involve management level persons bringing the total to 86 percent of profiles involving management. This result highlights a risk that every company faces: executives are entrusted with sensitive company information and yet are also often in a position to override internal controls.

  • In 36 percent of profiles the perpetrator worked for their company for 2-5 years before committing fraud. In 22 percent of profiles the fraudulent employees registered more than 10 years of service at the victim’s organization. In just 13 percent of profiles the fraudster was with the company for less than 2 years prior to committing fraudulent acts.

  • The internal fraudster most often works in the finance department followed by operations /sales or as the CEO.

  • This second quoted section describes what types of fraud are perpetrated. If nothing else, this should give some good ideas of the kinds of things to consider when performing audits, defining security requirements, etc. It highlights the need for controls on all financial systems to ensure that no one person has the access necessary to create, process, clear, and hide transactions. Any time you can force a criminal to seek an ally/partner, you increase the likelihood that they'll mess, that someone will say something, and so on. It also increases the complexity of the operation, increasing the likelihood that they'll mess up.

    Fraud details
  • Misappropriation of money was revealed as the most common type of fraud.

  • In 83 percent of profiles the fraudsters acted nationally and not internationally.

  • 91 percent of perpetrators did not stop at one single fraudulent transaction but rather performed multiple fraudulent transactions; every third perpetrator acted more than 50 times.

  • A total loss of 1 million EUR and more per fraudster and profile was caused by every second fraudster in Europe, by almost every third perpetrator in South
    Africa and by every fourth offender in India and the Middle East.

  • In 24 percent of profiles the timeframe for perpetrating fraudulent acts was less than 1 year. In 67 percent of profiles fraudsters acted within a timeframe between 1 year and 5 years until they were exposed or stopped their fraudulent activities. This result generates questions concerning the effectiveness and the quality of existing internal controls: why were they not able to discover or stop fraudulent acts within the recurring standard controls in more than two thirds of all profiles?

  • TrackBack

    TrackBack URL for this entry:

    Post a comment


    This page contains a single entry from the blog posted on April 19, 2007 8:37 PM.

    The previous post in this blog was Appropriate Blame Placement Response.

    The next post in this blog is VT Day of Mourning.

    Many more can be found on the main index page or by looking through the archives.

    Creative Commons License
    This weblog is licensed under a Creative Commons License.