The inside job: financial institutions struggle to address bad actors inside their ranks

People walk past a TD Bank in the Brooklyn borough of New York City. Earlier this month, a federal grand jury indicted three men for their alleged role in a business email compromise scam, including a former employee of both TD Bank and Bank of America. (Photo by Drew Angerer/Getty Images)

When it comes to criminal activities, having someone on the inside can be invaluable. In cybercriminal activities, the value of that insider is magnified.

Earlier this month, a federal grand jury indicted three men for their alleged role in a business email compromise scam. One of these men, charged with money laundering and “aggravated identity theft” committed between January 2018 and March 2020, was a former employee of both TD Bank and Bank of America. These scams typically targeted employee accounts and business customers, with at least five businesses losing more than $1 million apiece to these fraudulent acts.

Onyewuchi Ibeh of Bowie, Maryland, Jason Joyner of Washington, D.C., and Mouaaz Elkhebri of Alexandria, Virginia, were all charged with money laundering and aggravated identity theft, according to the recent federal indictment. After using phishing scams to worm their way into employee accounts, these men allegedly conducted months of research and preparation before stepping in to present fraudulent business invoices and falsely request payment.

The case offers a high-profile case study of the struggles many financial institutions face with managing the insider threat. Two-thirds of organizations, in fact, consider malicious insider attacks more likely than those from external bad actors, according to recent research from TechJury. And, over the past two years, insider-connected attacks have jumped up by 47 percent. Brett King, a financial technology expert and author of “The Rise of Techno-Socialism,” points out that most of the “big-ticket fraud” is related to an insider.

“Banks have been woefully ineffective in preventing financial crimes,” King said. Yet he does not see any over-arching flaw in financial services recruitment that would allow (or encourage) the enlistment of potential bad actors as FSI employees. Nor are they ignoring the problem. Financial crime compliance costs shot up 33% last year to more than $35 billion in the United States, with some forecasts estimating the cost of financial crime compliance as high as $10,000 per employee.

Still, the cost of cyberattacks driven by malicious bank insiders jumped 15% in 2019 to reach $1.6 million per organization, according to Accenture. Employees can be lured, and cybercriminals target those in markets that promise big payouts.

Jim Mortensen, strategic adviser for Aite Group, said he's seen “a lot of activity around business email compromise” in recent months — and increasingly, there may be an inside banker involved, who can understand the corporate payment protocols.

While most financial services institutions will conduct a background and criminal history check before onboarding a new employee, there’s always the potential that bad actors will recruit from within. Indeed, compliance efforts are expected to eradicate less than 1 percent of worldwide financial crime, according to McKinsey.

Hence, even with appropriate vetting, gathering references and conducting a thorough interview, an employee may turn to the dark side. This spotlights the need for ongoing training for employees.

“There’s always that risk,” Mortensen says.
