How hard is it to steal from an organisation?

There are a number of software products that can help you protect your network from both internal and external attacks. Protecting the network with these tools is, relatively speaking, the easy part. The hard part is to design security policies and ensure these are followed by your employees.

The human element in security is always the tricky part. But how hard is it really for a malicious person to steal from an organization? Unfortunately, at times it is not hard at all. The story of the publishing company Conde Nast is a good example.

It all started with Andy Surface, who registered a business called Quad Graph and opened a bank account for it. Andy then allegedly sent an email to Conde Nast, which used Quad/Graphics Inc for its printing, asking it to start sending payments to Quad Graph’s bank account instead, together with an EPA (Electronic Payment Authorization) form.

The person who received the email saw nothing amiss with it, processed the instructions it contained, filled in the EPA and faxed it back to the number specified on the form. The deception went unnoticed until Quad/Graphics complained that over a month had passed since it had last received a payment from Conde Nast. By then eight million dollars had been sent to the scammer.

Another interesting story is that of XYZ Corp. in Miami. An ex-employee of XYZ Corp., Jerry, was in charge of paying the credit card company the outstanding balances on company cards of employees who had left without settling them. He abused this position to get his own personal expenses paid.

To do this, Jerry paid for his personal expenses with his company credit card. At the end of each month he would send accounts payable fictitious requests to cover supposed balances of people who had left the company but who in fact had no outstanding balance on their cards.

Jerry would request that the checks be sent directly to him. He would then apply each check to his own credit card number, so that it covered his personal expenses rather than the fictitious balances he had fabricated. Using this scheme, Jerry made over $88,000. He would probably have gotten away with the scam had he not been greedy: after leaving the company he wanted one last payout and tried to get reimbursed for a conference he had booked, but not paid for, before he left.

In both cases the perpetrator did not have to employ complex network attacks or go to great lengths to scam the company; very little effort was needed. These scams were possible because of inadequate security policies. Had the companies enforced separation of duties and proper validation of payment requests, such attacks would most likely not have been possible!
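As an added example (not part of the original post), here is a small Python model of an accounts-payable review that enforces the two controls this paragraph calls for: separation of duties, and out-of-band validation of any change to where money is sent. It is run over constructed requests shaped like the two stories; all names, account identifiers and phone numbers are invented.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Vendor:
    bank_account: str    # account on file
    phone_on_file: str   # captured at onboarding, never taken from an incoming email or form

@dataclass
class PaymentRequest:
    kind: str            # "vendor" invoice or "card_balance" reimbursement
    payee: str           # vendor or former cardholder being paid
    amount: float
    requested_by: str
    approved_by: str
    deliver_to: str      # who receives the cheque or remittance
    new_bank_account: Optional[str] = None  # set when the request changes where money goes
    callback_number: Optional[str] = None   # number used to confirm that change out of band

def review(req: PaymentRequest, vendors: dict, card_balances: dict) -> list:
    """Return the control violations; an empty list means the payment may proceed."""
    issues = []
    if req.requested_by == req.approved_by:
        issues.append("separation of duties: requester approved own request")
    if req.deliver_to == req.requested_by:
        issues.append("separation of duties: requester would receive the cheque")
    if req.new_bank_account is not None:
        vendor = vendors.get(req.payee)
        if vendor is None:
            issues.append("validation: payee has no vendor master record")
        elif req.callback_number != vendor.phone_on_file:
            issues.append("validation: bank change not confirmed via number on file")
    if req.kind == "card_balance" and card_balances.get(req.payee, 0.0) < req.amount:
        issues.append("validation: claimed balance exceeds issuer statement")
    return issues

# Constructed reference data (vendor, accounts and numbers are invented for this example).
VENDORS = {"Quad/Graphics": Vendor("ACCT-ON-FILE-0001", "+1-555-0100")}
CARD_BALANCES = {"former_employee_a": 0.0}   # issuer statement: nothing outstanding
# Modelled on the Quad Graph email: one clerk handled it, and the "confirmation" went to the number on the form.
QUAD_GRAPH = PaymentRequest("vendor", "Quad/Graphics", 8_000_000, "ap_clerk", "ap_clerk",
                            "Quad/Graphics", new_bank_account="ACCT-QUAD-GRAPH", callback_number="+1-555-0199")
# Modelled on Jerry's scheme: a fictitious balance, with the cheque routed back to the requester.
JERRY = PaymentRequest("card_balance", "former_employee_a", 1_500, "jerry", "ap_manager", "jerry")
# A legitimate account change: confirmed on the number on file and approved by a second person.
LEGIT = PaymentRequest("vendor", "Quad/Graphics", 50_000, "ap_clerk", "ap_manager",
                       "Quad/Graphics", new_bank_account="ACCT-ON-FILE-0002", callback_number="+1-555-0100")

if __name__ == "__main__":
    for label, req in [("Quad Graph", QUAD_GRAPH), ("Jerry", JERRY), ("legit", LEGIT)]:
        print(label, review(req, VENDORS, CARD_BALANCES) or ["approved"])
```

The callback check is the key point: the number used to confirm a change must come from the vendor master record, never from the email or form that requested the change.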


Emmanuel Carabott CISSP heads security research at GFI Software. He has over 12 years’ experience in the security field and is a regular contributor to several websites and blogs. For more information about the benefits of using email usage reporting.