3 Types of Insider Fraud with Claire Maillet

“Insider fraud is a type of fraud that isn’t really well known right now. It is under researched and underestimated.” - Claire Maillet

In this episode, we’re shining a light on a pervasive threat that often lurks in the shadows of corporate environments: insider fraud. We’ll explore the insidious nature of insider threats, the various forms they can take, and most importantly, how organizations can arm themselves with knowledge and strategies to mitigate these risks effectively.

Today’s guest is Claire Maillet. Claire is an award-winning financial crime prevention expert and has worked in the field for over ten years. In her spare time, Claire assists universities in the UK to support staff and students who stammer and she’s currently undertaking a part-time Ph.D at the University of Portsmouth, looking at internal fraud in FinTechs.

“When people think about fraud, they think about the customer. They will very rarely think about people on the inside. This perception needs to be more equal and balanced.” - Claire Maillet

“The only thing that costs more than compliance is non-compliance.” - Claire Maillet

Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review. 

Transcript:

Claire, thank you so much for coming on the Easy Prey Podcast today.

Thank you for having me.

Can you give myself and the audience a little bit of background about who you are and what you do?

Yeah, of course. As you can probably tell by the accent, I'm from the UK. I have been working in the counter-fraud space for 10 years. Normally, within financial services; most recently, I was the director of financial crime operations in a small fintech company.

Alongside my practitioner experience, I'm also in academics. I'm currently studying towards a PhD, which looks at insider fraud. In my spare time, because I love to be busy, I am also doing a podcast. I also assist universities in the UK to better support their staff and students who stammer as well.

That's awesome. How did you get into this field? Not that you commit fraud, but anti-fraud. How did you get into the anti-fraud space?

My degree back in the day when I graduated in 2014, I did a French degree. I knew that I didn't want to go into teaching because I haven't got the patience. I didn't really want to go into translation or interpreting because that's what all of my friends wanted to do. I wanted to do something a bit different.

I wasn't sure what I wanted to do, but I knew what I didn't want to do, which probably wasn't that helpful. I was referred by a contact of mine for a job at Amazon, where they basically wanted people who spoke foreign languages to work in their fraud investigations team.

I didn't know anything about fraud back then. This was back in 2014. Fraud wasn't really a well-known concept. It wasn't really that spoken about. I didn't even know what it was. But at that time, I had just graduated, I needed a job, so I thought I'll give it a go.

I learned all of the anti-fraud stuff on the job, and I just completely fell in love with it. I just found it so interesting. I felt like a spy because I was actively looking for fraud that Amazon customers were placing. For me, I felt like a spy. That added to the appeal, I guess.

People would ask me what I do. I would say that I worked in counter-fraud and then you go, “Oh, that sounds so cool.” I'm like, “Yeah, it is.” Since then, I've just been hooked. I've always stayed in the counter-fraud space and worked my way up from there.

I like the way you call it the counter-fraud space. It sounds more cloak-and-dagger.

I'm always worried that if I say that I work in fraud, people think that I'm like the head of an OCG. I need to very, very clearly specify that it's counter-fraud that I do.

I'm going to have to update all my bios to say counter-fraud as opposed to actual fraud.

Exactly.

This is not how to commit fraud.

That's a different podcast altogether.

Yes, very different. That's the one that you find on the dark web.

Absolutely.

I find it interesting, I think there's been a lot in my mind in the last couple years of the growth of counter-fraud in academia. It's now something that people are studying for their PhDs when it used to maybe be a fringe thing. Maybe you're more studying criminals, but now it seems to be more studying, why do we fall for fraud and how do we not fall for it? Is that what you're working on in your PhD?

Yeah. My thesis in particular fills a gap in the research markets, as it were. Insider fraud is a type of fraud that's not really that well known at the moment. It's under-researched, it's underestimated, particularly within the fintech space. Any existing research into insider fraud will either focus on how it's perpetrated against your larger companies, such as banks, or it's about the psychology of the fraudster. What are they thinking? Why are they doing the fraud specifically?

I've not found any research that's very in-depth that covers why businesses are essentially vulnerable to this. Looking at it from the perspective of a practitioner and based on my experience in that space, I would want to know what can my employer do to ensure that it has all of the controls that it can do in order to be in the best position to protect itself from insider fraud.

My thesis is very much concentrating on the operational side and the strategic side. It's like a guide for businesses, as it were. It's trying to shine a light on insider fraud specifically, which has become more spoken about since Covid and the cost of living crisis in the UK. But I feel like it needs more attention being given to it, especially because, understandably, when people think about fraud, they'll think about the customer. They will very rarely think about people on the inside. I think that that perception needs to be more equal in terms of the balance between the amount of publicity external fraud gets in comparison to internal fraud.

Let's talk about what is your definition of insider fraud?

Insider fraud, in my eyes, is a fraud that can be perpetrated by anyone against a prospective employer, a current employer, or a previous employer. The reason why I've got those three aspects of it is because people are of the understanding that insider fraud is only committed once you're in the door. It's when you're at your desk or with your laptop and are stealing customer data.

What people don't realize is if you lie on your CV in order to get a job that's better paid or a better position, if you lie on your CV, or you don't disclose certain information on your CV or a job application, that is fraud. I think people just think that it's slightly stretching the truth, or it's a little white lie. No, it's actually fraud.

After someone leaves a business, some companies will just take them off the HR system and take them off the payroll, but then not remove them from the internal systems or make sure that all of their access has been revoked. You hear stories in the news about how staff who have been sacked or let go have been disgruntled, and therefore they commit that fraud as an act of revenge. It doesn't necessarily have to be about the financial gain; it's because they're cheesed off.

I think the other aim of my PhD thesis is to raise people's awareness of insider fraud, because if you have the rather staggering discrepancy between someone thinking that they're stretching the truth on their CV, but actually an employer sees it as fraud, that's a massive gap. That can lead to detrimental consequences. It's about trying to educate the public, educate businesses. I think that's a key area that academics are working on at the moment. It's the education side of things.

Yeah. There's a probably worldwide well-known story of a politician here in the US from New York, who pretty much everything on his resume was a lie or embellishment. His answer was, “Everybody embellishes.” But I think everybody else aside from him felt like, no, that wasn't embellishment saying you're a top person at a company when you're maybe the top 60% as opposed to the top 1%. It's a little bit different than saying, “I was in the top 1% of this company” when you actually never worked in that industry, let alone that company.

Yes, exactly.

A little bit of difference. Let's talk about the future employer issues, current and former employee issues. We'll work through it. How can employers figure out whether or not someone is, using your terms, committing fraud on their CV?

I would say that having vetting measures at the onboarding stage is absolutely key. In the interview process, you can do tests, psychometric testing, and all that kind of thing to see if the person's personality and ethics fit into the company culture. But at the end of the day, anyone can lie on those things. Anyone can give an answer that they don't necessarily think, but they think it would look better to the employer. Therefore, I'm going to choose that answer because I think that they want to know.

Even though you can have those sorts of psychological testings, I do wonder about how useful they are. With regards to testing of the skills, that's one that I use if I hire staff. But I want to see an example of their work during that process, because again, anyone can say on their CV that they have certain skills, but I want to see proof of that. If that's a key part of their role, I don't want to waste time, efforts, and money going through the interview process, going through the vetting process, getting that person through the door, having them trained up to then find, “Oh, hang on a minute. They don't have the skills that I thought that they were going to do.”

Having those tests in the interview process, I think, is really key. The vetting is something that every company should have. There are varying levels of this. When I've joined companies, I've gone through vetting stages where I know that they've screened me against some fraud databases, and that's fine.

There are others who have asked to see photos of my certificates, for my academic qualifications. They've asked for references from every single employer that I've had over the last 10 years. They've asked for financial evidence that I'm not bankrupt. There are definitely varying levels of how in depth you can go. The more in-depth you go, the better protected you're going to be.

Even though it might seem like an absolute pain in the neck, I actually prefer those companies because it shows that they care. It shows that they acknowledge that insider fraud is a risk.

Do you know whether they actually looked at what you provided, or was it just the process of asking?

Absolutely no idea. No, they could have just not cared. But the fact that they ask in itself is a deterrent. I think that also in job descriptions online that you see at some job adverts, at the bottom, it asks you to tick a box to confirm that all of the information that you've provided is up to date and accurate. Some will ask you to acknowledge that your information will be screened against certain databases to check for fraudulent activity.

Even if you don't have the prevention and the detection measures, people forget about deterrence as a key tool. I think people tend to focus so much on the prevention side of things that deterrence gets lost. I think that there's a lot to be said for having those warnings at every stage of the process in writing, because that will turn away a lot of people who think that they can go unnoticed.

For companies that aren't doing extensive vetting, why are they not doing it?

Cost is a main one, unfortunately. I've been a practitioner in the counter-fraud space for 10 years, as I said. The fight to get senior staff to give a damn about fraud is just the most exhausting thing I've ever done. It's so tiring. I know that people in the financial crime and the risk and compliance spaces will hopefully all be nodding along.

If you have people on the exec, in senior leadership, on the board, whose pure focus is to bring customers in to make money, to expand the company, as soon as you say, “Yeah, but you might want to put some fraud controls in place, but they will lower your customer base, they will cause customer friction, and they are going to cause you a rather large expense,” they're going to go, “Absolutely not, because you're getting in my way.” Cost is a real issue, I think.

The only thing that's more expensive than compliance is non-compliance. I love that quote so much. I love the quote; that's one of the best I've ever seen. If you have the choice of implementing a system or working with a vendor that's going to cost you £100,000 a year, if that's going to be the way that you detect and stop a £500,000 fraud, which one would you rather have?

Would you rather put in the controls up front and know that you're in a much better position, or would you rather lose five, 10, 15, 20 times the amount of money to a fraud, plus the extra costs of having to go through disciplinary hearings, potentially call the police, get legal people involved, sacking someone, hiring someone again, etc., etc., plus the reputational damage? All of a sudden, that £100,000 looks very, very appetizing.

I think that there's this fear that we as an industry are of the understanding that companies will only take action when things go wrong. That as a concept, as a culture within business, has to change. We can't wait for things to go wrong before senior staff go, “Oh, we should have listened to you.”

It's probably one of the most frustrating things about working in this space. You can shout about fraud until you're blue in the face, and I do it on LinkedIn. I waffle about fraud every day. Those in the industry tend to agree with me, but other people will think, “Yeah, but I've got to grow my customer base. I've got to make money. I've got to do this. I've got to do that.” But we will always be seen as the profit police until something goes horribly wrong.

The department of no.

I love that. The department of no. Yes, that is so true. That is so true. After things go wrong, say a company didn't have things in place that it needed to, and then it suffered a huge attack. Who are the people to blame? It's going to be the fraud guys because they didn't spot it. If they don't have the tools to do their job, then there's no hope, really.

I think it's about a culture shift, and that's not going to be easy. I'm not saying that it can be changed like that, but I think companies need to start getting on board with the idea that it's best to have things in place and not have to use them to their fullest extent, but to know that you have that protection there.

Yeah, that's really good. Let's switch over to risks of current employees. What are insider fraud risks of current employees? Who's committing the fraud? Why are they committing the fraud? How are they committing the fraud?

That's a lot of questions in one go. I think there's a misconception that insider fraud is only perpetrated by people in the finance teams because they have access to the money. They have access to the customer money, the staff money, the company money. That's not the case. Anyone within a company can commit insider fraud. It could be the founder, it could be the CEO, it could be the board, it could be contractors, it could be junior staff, it could be anyone.

I think that that again is a myth that needs to be debunked. I think if you narrow your thinking into, “Well, it's only the finance teams that can commit fraud,” then actually all of your controls and risk management are going to be so focused in one area. You are exposing the rest of the business to so much fraud.

Also, it isn't just the money that people are after now, it's data. Data is very valuable. Obviously in some cases, the money to some people is going to be much more beneficial, but the data that you can access now from your laptop when working from home is incredible, because you haven't got your boss sat next to you in the office looking over your shoulder all the time, and people aren't going to notice if you send emails to yourself on the company system that contain company data and customer data.

From a data perspective, that's a huge concern for businesses. Also, simple things, like if you have teams who use test accounts to test products. Say your product teams and tech teams, they will often create dummy accounts and test products to test things before they go live to customers.

What controls do you have in place? If they're being used for tests, you could easily send some money to yourself, but it's just a test, so it's fine. But actually, no, that's not the case here. It's thinking about all of the areas that you could be vulnerable to, but then you also have things like expenses claims. You can have falsifying time sheets.

It isn't just the stuff online. It can be paper-based things as well. The possibilities are endless. Especially in a hybrid or remote working world, all of a sudden now, all the people that I live with can now have access to the work that I do. They can hear conversations, they can walk in on meetings, or if I have spreadsheets open. But in the office, if you were to leave your desk, you would have to lock your screen. How many people do that at home? I'd say not very many.

It's about trying to replicate to the best extent that you can, the measures that you would have in the office, but also having them at home. Yes, you can take it to a very hawk eye, kind of big brother extent where you're always being watched. That turns into micromanagement, which nobody likes. There is an element of trust there, but trust can be exploited.

It's about finding that balance, which again, it's absolutely not easy to do. But I think people will understandably be in some sense of denial that their staff might be committing fraud. No one wants to admit it. These are people who are your friends, and you work with them for eight hours a day every day. No one wants to admit that their best friend could be doing this thing. It doesn't matter how ethical you are, it doesn't matter how good you are. Everyone has that breaking point.

Is the risk of insider fraud bigger or higher likelihood at large companies versus really small companies, the mom-and-pop business?

This is one that's really interesting because the research that looks at the larger organizations, the older organizations will say that it's easier to do because your systems are older, you've got more stuff that you can hide behind, and you've got the archaic technology and that sort of thing. There is this understanding within the industry that if you work for an older organization or a larger organization, then it's much easier to commit insider fraud. However, the research that I'm doing also suggests that the risk is exactly the same within a smaller company but for different reasons.

Specifically in a startup, everyone's trying to get their company off the ground. They're trying to engage in quick growth and to expand their customer base. Everyone will be chipping into different teams doing different bits of work that people across the whole business would normally be doing in their silos in a larger organization.

In a startup that I used to work in, I did some tech, I did some product, I did some customer service. You only have a company of 10 people, so everyone has to do a bit of everything. But once that work's been done, actually, I now have an understanding of how certain parts of that business works. If I've designed the processes, or if I've helped to write the rules that tech have built for certain activities that the staff might do or that the customers might do, I now have a lot more knowledge than someone in a larger company might have.

For example, in a team of 50 people, because I've been there from the beginning, I now have all of this insider knowledge that other people might not have. I think with the startup culture as well, there's a lot of nepotism there. People want to get their best mates on board because it's fun, and it'll be a good laugh. When you have those who are closest to you involved, that's when the risk of corruption just goes through the roof. That's really dangerous.

It's really dangerous, because I've worked in previous companies where people will just hire their best friends over the people who can actually do the damn job properly. Yes, it makes the working day better because your best mates are working with you, but actually when it comes to managing the risk, are you actually making the right decision?

There are many key areas there where people might think, “Yeah, but that's not a risk. It's just me trying to make my working life better or to make my company more successful.” But again, I don't think people think of that. That's where it goes wrong.

Why are the people committing the fraud, though? What are their motivations? I'm sure it's not purely just dollars necessarily, there's some other pressure somewhere else on them.

Yeah. The motivations can vary hugely, and academic research into fraud over the last 50 years or so has demonstrated that. There are so many reasons, but for insider fraud specifically, there's a large focus on how Covid-19 as well as the cost of living crisis has impacted the need for, as I said, even the most ethical of individuals to commit fraud.

Some of it comes from people not being able to pay for food or to pay their bills because of costs going up. It could be because during Covid, people's family situations change. Their economic situations change because of redundancies, furloughs, the individuals being ill, and people losing their jobs.

All of a sudden, if you're going from a stable home life to suddenly having those financial pressures, people may feel like perpetrating fraud is the only option that they've got. Again, if we look at Covid-19 and addictions to alcohol, to drugs, to gambling, they all increased dramatically during the pandemic. Those addictions have to fund themselves.

Again, I think it's people reaching that breaking point. But then it isn't necessarily because people feel the need to, it could be because people get a thrill from it. It could be because people just want to see if they can get past the system.

If you work for a company that makes a huge profit, they feel like they haven't treated you well, or they feel like the company benefits aren't that good, they might think, “Well, actually, I know that these systems are a bit naff, therefore I know that I can actually steal some money and the people won't notice.” It isn't always because people need the extra money. It could just be because they have the opportunity, they feel like they can, they feel like they deserve it, or just because they are a bit cocky.

I can definitely see the motivation being, “Well, gosh. I've been here this long, I should be making more money, and the owners are making this incredible amount of money. I should get mine too.” That mentality could definitely seep in.

Yeah, absolutely.

Has the research borne out that the combination of work from home and Covid has reduced insider fraud?

It's actually led to an increase because you don't have your boss sitting next to you. You don't have other people watching you. There's that element of trust. When I manage teams from home, I have to have a certain element of trust that they're going to do their job and that the work will get done. However, there's no guarantee that 50% of the time, they could be doing other things around the house. They could be working other jobs.

There's an increase in individuals who are working multiple jobs because if you're working from home, you can easily hide that. If you're in an office, you obviously can't. Not being in the same room, in the same area as your colleagues actually makes it an awful lot easier.

What are some of the ways that people are committing the insider fraud? I seem to remember a case where there was a family. One of the family members set up fake companies to do work for the company and was effectively, “Oh, yeah, we're having this contract company doing work for us,” but there was no work being done. It was a company that he owns. He was just pocketing all the money. What are some of the other ways that they're actually committing the fraud aside from, I guess, just directly stealing money out of the bank accounts?

You've got the falsified time sheets and expenses. If you were to, for example, add an extra hour to every shift that you worked as overtime, are people going to be checking that you've done that? Obviously, if you're in the office and you're going to have CCTV, but also passes that you check in and check out from, I would estimate from a pessimistic point of view that companies aren't actively tracking when their staff log on and log off. Even though that might seem a bit hawk eye-ish and a bit invasive, actually, there's nothing to stop staff members from falsifying overtime sheets if they know that companies aren't going to check.

When it comes to expenses, again, receipts have to be submitted, or they should be at least. But having more than one person in that line to oversee and to verify the information. For example, if I were to have a boss who needed to sign off on my expenses, but they were completely snowed under with work, it's possible that they would just approve everything that I send but not actually look at it, because, actually, this is a really small task compared to all of the other more important things that I need to do. Actually, are they going to check it properly? Probably not.

For every risk and for every way that someone could perpetrate fraud, you need to have the controls in place. The possibilities for perpetrating fraud internally are endless because it depends on the company, it depends on the product, it depends on the controls, the risks, the tech.

From a business perspective, the owner or the managers really need to think through. Let's have a round table and think of all the different ways people can commit fraud against your organization. How do we put things in place to prevent those without being draconian?

Absolutely. If you're able to do so, get some pen testers in to be able to essentially go through every team that you have within the business and get them to try to perpetrate fraud. Every single team's going to have its own risks. I think that if you were to ask the CEO to list all of the insider fraud, potential methodologies that could be used, they aren't going to know. Especially if you're the CEO of a huge company, you are just not going to be close enough to the ground to be able to identify all of those risks.

Actually, it's more the junior staff who are the most knowledgeable in that space because they see the day-to-day work, and they use the systems every day. It's definitely a company-wide effort. It can't be something that's done by one person, one team. It needs to be the whole business that gets involved in that.

Again, that can add to the cultural piece and the deterrence side of things. If you were to tell everyone in your company, “Oh, we need to identify all of the ways in which staff could potentially perpetrate fraud,” that to me, as someone who could perpetrate insider fraud, is going to make me think, “Ah, they're actually taking this seriously. They're going to do everything that they can to put the controls in place. Therefore, it's probably best that I don't have a go.”

Have you heard of companies running contests, so to speak, within the organization of if you find a way to commit fraud or you find a weakness in the system, we'll give an internal reward?

You know what, I've not, but that did come up as a suggestion in one of the interviews that I carried out for my PhD. Should companies be rewarding people for finding these potential gaps? Even though I think there is the need for an incentive there, because you're asking people to actively look for those things, and whilst I think that is a company need in itself, I don't think it should be incentivized because that should be part of your day job anyway.

I think people are of the understanding that if you don't have the word fraud in your job title, then you don't need to worry about it. That's absolute nonsense. Every single employee needs to understand the basics of fraud. If I know of a risk as to how someone could perpetrate fraud, it should be my responsibility, it should be in my company goals, it should be in my job description, it should be in my objectives for that year, it should be just part of my contract of being employed by this company that, in order to do my bit to make the company better, I should be able to identify those risks and proactively sound them out.

I suspect it's a bit of a corporate culture thing that if people, when they bring up, “Hey, I noticed that this system is vulnerable,” if they're like, “No,” company comes back and, “No, that's not important,” or, “Hey, stop messing around and things that aren't your department,” that shuts them down as opposed to, “Oh, wow. Thank you. We appreciate you finding this. We’re going to do something about it.”

Yes. If you do raise something and the response is, “That's not a huge concern. It isn't a priority right now because I've got to go and make the app look sexy for our customers,” then that staff member might think, “Oh, well, I could easily commit some fraud now, because I've said that that's a risk and no one's listened to me.” If anything, you're exposing yourself to even more risk by openly saying, “That's not our problem.”

Got you. That's great. This has been a great discussion on insider fraud. Are there any specific resources that you have available to the listeners?

My LinkedIn page is just a word vomit of fraud. It's all I talk about. If you want to read about fraud every day, follow me on there and connect with me at your own risk because I don't talk about anything else. I have a podcast called Fraudible, which I started in January of this year. It's available on YouTube and also Spotify.

The aim of the podcast is to bring together academics and practitioners to discuss fraud topics. They've been in their own separate worlds for too long, and I'm trying to bring them together to help to fight fraud in a more effective way. In May and June, I'm also hosting a webinar series called Fight the Fraud, Feel a Fraud, where I will be joined by people in the counter-fraud industry to openly discuss imposter syndrome and mental wellbeing in the counter-fraud industry, specifically.

Those are awesome. For the listeners, we'll make sure to link to all of those in the show notes. Thank you so much for coming on the podcast today, Claire.

Thank you for having me. It's been great.

 
