Session 1 - Vero (Catch Me if You Can) event presentation with video

Vero Screening Ltd, Princes House, Brighton www.veroscreening.com +44 (0)1273 840 800

Catch me if you can... Protecting your organisation from the rogue insider

Rupert Emson – CEO ([email protected])


Page 2

NHS Administrator jailed

‘F1’ fraudster

Recruitment consultant faked CVs

‘Walter Mitty’ lawyer faked qualifications

Olympic torches made by ‘illegal immigrants’

Financial Controller jailed

Legal secretary faces jail

Former finance director jailed

Page 4

- Frank William Abagnale Jnr
  - Pan Am airline pilot
  - Posed as a Secret Service agent
  - Doctor
  - Lawyer
  - Cashed almost $4m of counterfeit cheques

- How?
  - Spotted the opportunity
  - Exploited the gaps
  - Deception through credibility
  - ‘Social Engineering’

Page 5

Fraud: activities involving dishonesty and deception that can drain value from a business, directly or indirectly

There are two basic requirements which must be met before an offence can be charged

Each of the three subsections of the offence carries a maximum sentence of 10 years:

1)  It’s an offence to commit fraud by false representation

2)  It’s an offence for a person to fail to disclose information

3)  It’s an offence to commit fraud by abuse of one’s position

Page 6

-  More than 5m people in the UK have had custodial sentences (c.20% of the working population)

-  (Major frauds) c.87% of fraudsters are men – KPMG 2011 ‘Who is the typical fraudster?’

-  c.82% of ‘insiders’ are male, just c.18% female – CPNI ‘Insider Data Collection Study’ (April 2013)

-  The majority of insider acts were carried out by permanent staff (88%). Only 7% of cases involved contractors, and only 5% involved agency or temp staff – CPNI

-  The more senior, the higher the losses

-  Threat now shifting down the organisational hierarchy

Page 7

CPNI ‘Insider Data Collection Study’ (April 2013)

-  Immature
-  Low self-esteem
-  Amoral and unethical
-  Superficial
-  Prone to fantasizing
-  Restless and impulsive
-  Lacks conscientiousness
-  Manipulative
-  Emotionally unstable
-  Evidence of psychological or personality disorders

-  Tending to have a sense of entitlement, seeking admiration, attention, prestige and status. Machiavellian, manipulative, charming and highly ambitious. Stressed at the time of fraud

– University of Leicester

Page 8

(PWC Global Economic Crime Survey 2016);

- Opportunity/ability

- Pressure

- Rationalisation

- Social engineering

Page 9

-  Asset misappropriation
-  Cybercrime
-  Bribery & corruption
-  Procurement fraud
-  Accounting fraud
-  HR fraud
-  Money laundering
-  IP infringement
-  Staff fraud (aka employee fraud, insider fraud, workplace fraud)
   -  Unlawful obtaining or disclosure of personal/commercial data
   -  Account fraud
   -  Dishonest action by staff to obtain benefit by theft or deception
   -  Employment application fraud

CIFAS Employee Fraudscape (2015) results show that 63% (i.e. 473 cases) of all recorded internal fraud in 2014 (751 cases) related to fraudulent job applications, an increase of 46% on 2013

Page 10

-  Use of a false identity
-  Impersonation of an innocent party
-  False immigration status
-  False educational qualifications
-  False references
-  Concealed employment history / gaps
-  Concealed employment record
-  False professional qualifications & memberships
-  Concealed unspent criminal convictions
-  Concealed adverse financial / credit history

Page 11

“Karen Carberry, former Finance Director at Reed, has been jailed for stealing more than £300,000”

“The top City lawyer whose glittering CV boasts of three Oxford degrees and a Harvard Masters…but was filled with lies”

Page 12

The false claims advanced by him were as follows:

-  that he attended Radley College
-  that he obtained a Bachelor of Laws (First Class) degree from the University of East Anglia
-  that he obtained a Bachelor of Arts (First Class) degree from Oxford University
-  that he obtained a Bachelor of Civil Law (First Class) degree from Oxford University
-  that he obtained a Doctorate of Philosophy from Oxford University
-  that he had been awarded the Eldon Scholarship by Oxford University
-  that he obtained a Masters degree in Law from Harvard University
-  that he was a member of the New York Bar
-  that he was a member of the Irish Bar

None of the claims was true:

-  he holds only the one degree from the University of East Anglia
-  while he had studied at Oxford University for a Doctorate of Philosophy, he had never completed his studies there

Page 13

“How legal secretary’s theft cost 36 jobs”

“Former PwC tax consultant jailed for stealing from firm” (2007)

“Bride Gabriella Saunders steals £22,000 from City colleagues to pay for "lavish" wedding and honeymoon” (2015)

Page 14

c.36% of organisations have experienced economic crime in the last 24 months (PWC Global Economic Crime Survey 2016 – 6,000 respondents)

Impact, in order of prevalence (CIFAS Employee Fraudscape 2015):

-  Employee morale (PWC ‘16 - 44% of respondents report damage to morale as most significant outcome)

-  Reputation / brand strength (PWC ‘16 - 32%)

-  Business relations

-  Cost

Page 15

The ability to perceive and avoid risks is essential to organizations in order to survive

-  OSNs – targeting through Facebook, LinkedIn, Twitter

-  Social Engineering - http://www.social-engineer.org/about/

-  New threat – (Tony Sales)

Page 17

-  Marketing tool

-  Disciplinary/grievance investigation tool

-  Monitoring during and post employment

-  When recruiting and screening new employees:
   -  Help verify identity
   -  Help evaluate an individual’s lifestyle choices
   -  Determine a candidate’s honesty & integrity
   -  Either confirm or negate any suspicions
   -  Establish how security aware the individual is
   -  Investigate whether they have an ulterior motive
   -  Assess whether engaging in any illegal activities online
   -  Determine whether attitudes may conflict with firm’s culture

a new

Page 18

Microsoft sponsored survey; ‘Online Reputation in a Connected World’

-  41% of UK employers have rejected a candidate for information they found online
-  Vs 70% of US employers

- CIPD: 40% of employers look at job applicants' online activity or profiles at the recruitment stage

Recruiters and HR professionals who have rejected candidates based on data found online vs. consumers who think online data affected their job search

Page 19

No specific legal constraint regarding searching of open source information online. Public domain, therefore publicly accessible. However there is the potential for:

- Contravention of The Equality Act / Employment Law: Discrimination on grounds of: age, race, gender, sexual orientation, religious or philosophical belief, disability

- Breach of the Human Rights Act: Article 8: right to respect for private and family life

- Breach of the Data Protection Act: People handling personal data must comply with specific principles

-  Correct verification of applicant identity
-  3rd party views and opinions
-  Your own personal opinion
-  Time constraints

Page 20

-  Pre-employment screening
   -  Identity
   -  Right to work
   -  Residency
   -  Credit / bankruptcy
   -  Education
   -  Professional qualifications & memberships
   -  Employment history
   -  Verification of gaps
   -  Directorships
   -  Driving licence checks
   -  Criminal record checks
   -  CV comparison
   -  Third party checks

Page 21

-  Disaffection
-  Effects of drugs
-  Support for extremist views
-  Sudden change of religious practice
-  Major, unexplained changes in lifestyle
-  Sudden changes in expenditure
-  Sudden loss of interest in work
-  Excessively emotional behaviour
-  Changes in working patterns
-  Unusual interest in security measures
-  Frequent, unexplained absences
-  Repeated failure to follow security procedures
-  Not taking regular holiday

Page 22

Employee screening is the first line of defence in reducing people-related risk, but it is particularly effective when used hand in glove with other measures that work with a company’s culture.

Workplace conditions are a major factor in predicting fraud and employers must bear some responsibility for the level of engagement, or disengagement, of their employees. Areas for HR to consider:

Creating an anti-fraud internal culture where compliance is hard-wired to values:

- Instill clear processes and principles for employees
- Code of conduct / business ethics
- Promote honesty, openness, integrity & vigilance
- Consider an EAP / independent helpline to help employees with personal issues
- Whistleblowing policy
- Zero tolerance attitude to fraud
- Staff fraud training at induction
- Balance a ‘get-tough’ approach to performance management, which can create a climate of fear which in turn leads to unethical behaviour
