Recent news that a China Mobile executive who went missing with hundreds of millions of yuan had been tracked down and detained by the company, and that four consulting contracts Magyar Telekom in Hungary entered into in 2005 were later found to serve ‘improper objectives’, raises concerns about a little-discussed topic: internal fraud.
In the China Mobile case, the executive, Li Xiangdong, was based in the southwestern Sichuan province and was in charge of China Mobile’s centralized wireless music platform. It has still not been revealed how Li siphoned the money away from the company. However, it has been alleged that the most likely source was kickbacks from service providers and content providers doing business with China Mobile.
In one well-researched industry report dating back to 2005, it was assessed that internal fraud represented 8.2% of all fraud incidents but generated a whopping 40.3% of value lost. That is roughly the value of the four largest external fraud types combined: roaming (11.4%), pre-paid (10.8%), subscription (11.6%) and premium (13.2%), which together account for 47.0%. The report also stated that such fraud was encouraged by companies not prosecuting when discoveries were made, shady management accounting practices, unrealistic performance targets, few checks and balances, and disgruntled employees. (Source: Waveright Security Whitepaper, 2005)
Most external fraudulent activity can be traced and corrected because the fraudulent customer account can be identified or its usage monitored. What keeps management up at night is internal employee fraud, which can be disguised by altering internal network and system configurations so that the fraudulent activity never appears in the records the company watches. Only fundamentally sound security policy and practices can mitigate this risk.
The primary culprit is usually an employee using internal knowledge of known system vulnerabilities to commit fraud. Weighing this threat against the company’s exposure enables the company to allocate the proper attention and resources to protecting its network.
System controls are used to protect network resources. A control can be classified as pervasive, specific, or monitoring. A pervasive control (security policy, segregation of duties, staff awareness) deters an employee from compromising the system before an attack is even considered. A specific control (physical access restrictions, access rights, locked-down configurations) prevents an employee from physically or logically compromising a system. Monitoring controls (audit logs, alerts, reconciliation reports) are the final type of protection. They are used to notify administrators when an attack is in progress or to create a record of a successful compromise so that the weakness can be corrected and the fraudster identified; without them, a configuration change made by an insider leaves no trace to investigate.
Any security policy without consequences for violation is a dog without teeth. Any policy, if it is to act as a deterrent, must be easy to understand and have clearly defined disciplinary consequences. Without this area clearly defined, the company may be opening itself up to unnecessary litigation from disgruntled employees who feel they are being unjustly disciplined.
The newer telecom value chains add many extra fraud vulnerabilities, both internal and external. Employees sometimes provision additional services directly at the network level, so that the service is never billed, or sell confidential customer information. Most of these frauds aim to avoid payment in some way: obtaining fraudulent credits, bypassing the international gateway over VoIP (which is itself theft of interconnect revenue), call-back fraud, which deprives the operator of revenue from outgoing international calls, and so on.
Tracking internal fraud is critical, of course, but that is often easier said than done. Concentrating effort on external fraud and revenue assurance may be opening up greater opportunities for internal fraud. Combined with poor controls, management in denial and low morale, the incidence of internal fraud increases proportionally. Recent downsizing and cost-cutting by operators are likely to place increased load and stress on the remaining workforce, creating an ideal environment for internal fraud to fester. Is your operation prepared?
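The monitoring control that catches the network-level provisioning fraud described above is a reconciliation: every service active on a network element should match a rated product in billing, and every provisioning change should tie back to an authorized change ticket. The following is an added example, not code from the article or from any operator named in it. The record layout (msisdn, service code, provisioning operator, change ticket) and the sample data are constructed for illustration; a real implementation would read an HLR/HSS or switch export and a billing extract.

```python
"""Reconcile network-side provisioning against billing and change tickets.

Surfaces (a) services active on the network with no billing record, the
classic insider pattern of provisioning at the network level to avoid
billing, and (b) provisioning changes that no change ticket authorizes.
All data below is constructed sample data; field names are assumptions.
"""
from collections import defaultdict

# Constructed sample: services active on a network element (e.g. an HLR export).
NETWORK_PROVISIONING = [
    {"msisdn": "8613900000001", "service": "DATA_UNLIMITED", "operator": "ops_wang", "ticket": "CHG-1041"},
    {"msisdn": "8613900000002", "service": "INTL_ROAMING",  "operator": "ops_li",   "ticket": "CHG-1042"},
    {"msisdn": "8613900000003", "service": "INTL_ROAMING",  "operator": "ops_li",   "ticket": ""},
    {"msisdn": "8613900000004", "service": "DATA_UNLIMITED", "operator": "ops_li",   "ticket": ""},
    {"msisdn": "8613900000005", "service": "VOICEMAIL",     "operator": "ops_chen", "ticket": "CHG-1043"},
]

# Constructed sample: active rated products from the billing system.
BILLING_SUBSCRIPTIONS = [
    {"msisdn": "8613900000001", "service": "DATA_UNLIMITED"},
    {"msisdn": "8613900000002", "service": "INTL_ROAMING"},
    {"msisdn": "8613900000004", "service": "VOICEMAIL"},   # has an account, but not the data service
    {"msisdn": "8613900000005", "service": "VOICEMAIL"},
]


def find_unbilled_services(network, billing):
    """Return (record, reason) for every network service with no matching billing record.

    Distinguishes a subscriber unknown to billing (ghost account) from a
    known subscriber carrying a service that is not being rated.
    """
    rated = defaultdict(set)
    for b in billing:
        rated[b["msisdn"]].add(b["service"])
    findings = []
    for rec in network:
        services = rated.get(rec["msisdn"])
        if services is None:
            findings.append((rec, "no billing account"))
        elif rec["service"] not in services:
            findings.append((rec, "service not rated"))
    return findings


def flag_unticketed(records):
    """Return provisioning records that cannot be tied to a change ticket."""
    return [r for r in records if not r["ticket"].strip()]


def exposure_by_operator(records):
    """Count flagged records per provisioning account to spot concentration on one insider."""
    counts = defaultdict(int)
    for r in records:
        counts[r["operator"]] += 1
    return dict(counts)


def run_reconciliation(network=NETWORK_PROVISIONING, billing=BILLING_SUBSCRIPTIONS):
    """Run both checks and return a report that can be handed to fraud management."""
    unbilled = find_unbilled_services(network, billing)
    unbilled_records = [rec for rec, _ in unbilled]
    unticketed = flag_unticketed(unbilled_records)
    return {
        "unbilled": [(rec["msisdn"], rec["service"], why) for rec, why in unbilled],
        "unticketed": [(r["msisdn"], r["service"], r["operator"]) for r in unticketed],
        "by_operator": exposure_by_operator(unbilled_records),
    }


if __name__ == "__main__":
    for key, value in run_reconciliation().items():
        print(key, value)
```

Run on the constructed data, the report flags two unbilled services, both provisioned by the same account without a change ticket; that concentration on one operator is exactly the signal a fraud manager wants escalated. The same reconciliation run daily against real extracts turns the monitoring control from the paragraph above into something auditable, because the finding names the subscriber, the service and the account that provisioned it.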