How Organized Crime Groups Infiltrate Financial Institutions
Bank employees have a tremendous amount of data at their fingertips. Depending on the size of a customer’s relationship with the bank, employees typically have access to a customer’s home address, spending habits, investment balances, employer information and more.
This mountain of personal data makes the financial institution an enticing target for organized crime. As well as launching attacks to steal data from customers’ computers, organized criminals also attack bank servers directly. Once they have the information in their possession, they either broker the data within the criminal community or use it for their own purposes.
An equally troublesome problem may exist within the very walls of the bank. In order to gain access to customer information, organized criminal groups occasionally recruit bank employees to steal data on their behalf. Alternatively, organized crime may also instruct a member of the syndicate to seek employment with a financial institution. In either situation, the activity of “rogue” employees can be difficult to detect.
Consider the following questions that may indicate either the presence of organized crime or an environment that is vulnerable to it:
- Do bank employees frequently share their computer access passwords? Alternatively, is it an accepted practice that employees in the branch routinely perform transactions under another employee’s login?
- Do employees spend their downtime reviewing the bank’s customer databases? They may provide seemingly plausible reasons about why they are doing so but they may also be identifying customer data to be stolen.
- Does an employee consume more printer paper than others? Does he or she regularly print large volumes of data, yet keep a workspace that is devoid of paper?
- Do certain employees appear overly focused on where certain types of customer data are stored? Have they asked for access to systems that they typically don’t need to perform their job functions?
- Does an employee often carry a larger-than-average briefcase each day? For example, the person could come in with a large gym bag that appears to be empty at the beginning of the day and full at the end.
Many of these warning signs appear to be indications of data theft and, therefore, they would conceivably be easy to spot in the workplace. However, given the amount of activity that can take place in today’s bank branches and back offices, it is not surprising that skilled criminals can either hide their activity or offer believable explanations for seemingly odd behavior.
In fact, it is not unusual for an employee working with organized crime to be extremely friendly and outgoing. The stereotypical image of a criminal as a sullen individual would raise a red flag that is too noticeable. Criminals placed by organized crime are highly trained in their craft and are often able to conduct fraud in plain sight, with no one noticing.
How Can an Organized Crime Plant Be Unmasked?
The following steps may help your bank uncover a member of organized crime before significant damage is done. Better yet, consider taking these eight steps regardless of any potential threat posed by organized crime, because they are “best practices”:
1. Meet with the bank’s technology department to determine if your IT pros have the ability to track employee activity within each of the customer data warehouses. If such reporting exists, consider stratifying the report by job title and reviewing outlying activity.
2. Determine if your technology department has the ability to track employees’ printing activity. Specifically, can they record the date, time and records that employees print?
3. If the bank’s facilities have a card access system, review employee access outside of normal business hours. The access may correlate with an employee’s printing activity, or the employee may be using the company’s email system during off hours to steal data.
4. Review email activity to ensure that employees are not sending customer information to their personal email accounts. Consult with your attorney before undertaking such efforts to ensure that the employee’s legal rights are not infringed upon during the process.
5. Unless approved by a member of senior management during special circumstances (for example, a national disaster), ban the use of flash or thumb drives by all staff members (including executives). Although convenient, thumb drives can be used to store huge amounts of data. Some companies actually add glue to USB ports to make the use of thumb drives impossible. Banning their use and then disabling the appropriate ports should suffice and should not violate the terms of any bank computer lease agreements.
6. Engage an accountant to review the bank’s information technology access policies and procedures. For example, access to highly sensitive customer information may be granted too easily and too often. Your accountant can review and provide advice on practices that will facilitate business, yet secure your bank’s most precious asset — customer data.
7. Expressly prohibit employees from sharing their login and password information with each other. Further, consider implementing “time out” functionality that automatically logs the employee out of a system after a predefined period of inactivity.
8. Ensure that your bank’s code of ethics clearly details the ramifications of data theft as well as the bank’s focus on preventing it. The “perception of detection” is a valuable tool in the war against fraud. If employees perceive that fraudulent activity may be uncovered, they may decide not to commit it in the first place.
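The reviews in steps 1 through 3 can be run as a report over exported logs. The Python below is an added example, not part of the original article: it flags record-access outliers within each job title and matches off-hours badge entries to print jobs. The employee names, counts, timestamps, log layout and the 08:00 to 18:00 weekday business hours are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample data: names, titles, counts and timestamps are illustrative.
TITLES = {"ana": "teller", "ben": "teller", "cy": "teller", "dee": "teller",
          "eli": "teller", "fay": "loan_officer", "gus": "loan_officer",
          "hal": "loan_officer"}
RECORDS_VIEWED = {"ana": 40, "ben": 45, "cy": 38, "dee": 42, "eli": 310,
                  "fay": 400, "gus": 380, "hal": 420}
BADGE_IN = [("eli", "2024-03-02 22:05"), ("ana", "2024-03-04 08:55")]
PRINT_JOBS = [("eli", "2024-03-02 22:20", 180), ("ana", "2024-03-04 10:00", 3),
              ("ben", "2024-03-04 21:00", 2)]
FMT = "%Y-%m-%d %H:%M"

def outliers_by_title(counts, titles, threshold=3.5):
    """Flag employees far above their own job title's median record views,
    scored with the modified z-score (median absolute deviation)."""
    groups = defaultdict(list)
    for emp, n in counts.items():
        groups[titles[emp]].append(n)
    flagged = []
    for emp, n in counts.items():
        peers = groups[titles[emp]]
        med = median(peers)
        mad = median(abs(x - med) for x in peers)
        if mad == 0:
            continue  # no spread among peers to score against; review by hand
        if 0.6745 * (n - med) / mad > threshold:
            flagged.append(emp)
    return sorted(flagged)

def is_after_hours(ts, open_hour=8, close_hour=18):  # assumed business hours
    return ts.weekday() >= 5 or not (open_hour <= ts.hour < close_hour)

def after_hours_prints(badges, prints, window=timedelta(hours=2)):
    """Return (employee, pages) for off-hours print jobs that fall within
    `window` after the same employee's off-hours badge entry."""
    entries = defaultdict(list)
    for emp, ts in badges:
        t = datetime.strptime(ts, FMT)
        if is_after_hours(t):
            entries[emp].append(t)
    hits = []
    for emp, ts, pages in prints:
        t = datetime.strptime(ts, FMT)
        if is_after_hours(t) and any(timedelta(0) <= t - b <= window for b in entries[emp]):
            hits.append((emp, pages))
    return hits
```

In the sample data the flagged teller viewed fewer records than any loan officer, so a single bank-wide threshold would miss the outlier that stratifying by job title exposes.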
When conducted by a highly trained criminal, data fraud can be difficult to detect and leave few fingerprints. In partnership with an appropriately experienced accountant, banks can dramatically reduce the probability that data will walk out the door with employees.