Insiders and EFT fraud in SA: The Cape Argus, The Sunday Indepedent

Crooked work colleagues could be costing the South African economy R150 billion each year.

Steven Powell, head of forensics at law firm Edward Nathan Sonnenbergs, said electronic funds transfer (EFT) fraud - accessing a colleague's password and then matching it with one entrusted to you to unlock funds from public or business accounts - is one of the most dramatic growth areas in commercial criminal activity in the country today.

"White-collar crime is costing the South African economy an estimated R150bn a year," he said.

The scam circumvents security measures requiring two or more passwords - supposedly kept secret from one another - to siphon off money by electronic transfer into the fraudster's accounts.

In one Mpumalanga municipality, an EFT fraud syndicate, having earlier accessed the password entrusted to two employees, stole R3.2 million at the Easter weekend. The syndicate created 62 false accounts and made as many transfers in a few days. Powell's forensic team recovered just more than R2m by freezing the fraudulent accounts.

Powell's assessment of the threat posed by this type of fraud is backed up by the latest police crime statistics released on Thursday. These show that the number of reported cases of commercial crime - including fraud, forgery and uttering, misappropriations and embezzlement - has increased across the country by 56 percent since 2006.

Powell said: "EFT fraud where employees divert supplier payments to their own accounts is the most rampant form of white-collar crime."

Police statistics showed that the economic hub of Gauteng was worst hit by commercial crime, followed by the Western Cape. What made this type of fraud particularly difficult to detect, investigators said, was that it was usually committed by the most trusted employees in an organisation.

"I believe companies spend a disproportionate effort on preventing outsiders gaining access to IT systems," said Charlie Stewart , the founder of security consultancy SuperVision Biometric Systems.

"While outsiders clearly pose a threat, research shows that it's much easier for an insider to steal from his or her company. "Organisations need to realise that, like murder victims, they're far more likely to be violated by someone they know than by a complete stranger."

Powell said that for EFT fraud to be committed, at least two employees had to enter their passwords into the system at the same time. The system is designed to prevent employees from accessing financial accounts without colleagues keeping tabs - and, in theory, to keep them honest.

But, said Powell, in practice, employees often shared passwords willingly because exercising control involves extra work, and sometimes passwords were stolen.

One fraudster described getting a password as "as easy as pie", Powell said. The man said he simply stood behind his boss and looked over his shoulder as the password was typed.

In other cases, Powell said, the password holder had made the mistake of writing the password down."The first place to look is the top drawer, or the front page of diaries."

And then the sky is the limit - whether the fraudster is in the private or the public sector. Powell recalled the case of a respected Cape Town businessman, the financial director of a multinational packaging company.

The businessman, then aged 45 and a trusted senior employee at the company, filed a bogus complaint from head office about the company's vendor data base, and pretended that it needed urgent attention - the kind that would demand working at the weekend. But he would need the password of his junior colleague to log into the system to sort out the database.

The same password, together with his own, would give him access to the company's accounts. Trusting her director, the junior employee acceded to the request and went off for the weekend, leaving her boss hours to plunder the company's accounts.

He substituted his wife's bank account number for those of several large service providers to which his company owed thousands of rands. He then made several payments, ranging from R200 000 to R400 000, into his wife's account.

In little less than a year, he took R2.4m from the company.

Without invoices or supporting documents, it was difficult to spot the illegal transfers. With some extra cash to spend, the businessman bought, among other things, a 4x4, a luxury house, and a three-week holiday to Disneyland for his family.

He also spent R40 000 a month at a local casino. All were later repossessed and he served five years in Malmesbury Prison.

Powell said there were many reasons to commit this type of fraud, even if you were a successful and trusted employee. "We've seen an increase now with the recession. Being under financial pressure was a motivation to commit fraud."

"People feared retrenchment during tough times, and so attempted to build up a nest egg by defrauding their employers. "It's so easy, and once you start, it's hard to stop."

The Ernst & Young 12th annual Global Information Security Survey reported a13 percent increase in internally perpetrated fraud across the world.

The latest crime statistics in South Africa show insider fraud is increasing in every province.

Stewart said: "Companies are spending billions of dollars a year enhancing security, yet most of it's being spent making sure the outsiders stay outside."

"This is the equivalent of installing an expensive security gate and putting up burglar bars, only to find that the thief's already inside the house."

http://www.iol.co.za/index.php?set_id=1&click_id=13&art_id=vn20100912071149366C570855&singlepage=1