BBC News
Last Updated: Tuesday, 17 May 2005, 07:04 GMT 08:04 UK
The enemy within
By Jeremy Scott-Joynt
BBC News business reporter

[Image: Sumitomo Mitsui's London offices. Caption: Sumitomo Mitsui is a high-profile victim of an insider attack]

When police announced earlier this year that the London offices of Sumitomo Bank had been targeted by crooks trying to steal £220m, the case sent shockwaves across the City.

Certainly, the case qualified as one of the biggest attempted frauds of all time. But what really caught everyone's attention was that it was the bank's computers and networks which had been compromised.

Hackers, the headlines screamed, were burrowing their way in past firewalls and security systems.

But the warnings were directed at the wrong threat. Sumitomo had been threatened not from the outside, but from within.

Left behind

Certainly, outside computer expertise was necessary to attack Sumitomo.

But without help from people working for the bank, the attempt would have fallen at the first fence.

It was insiders who facilitated the assault, exploiting knowledge of the bank's practices to enable the crooks to install keyloggers on the right machines.

The keyloggers - software which records every keypress to capture passwords and map networks - were targeted at the bank's SWIFT systems, set up to control transactions across the universal bank transfer network.

And the same insiders may well have helped design the actual fraud: a string of 10 transfers, each of more than £10m, into accounts at other financial institutions around the world.

The plan was only foiled by a suspicious employee at an Israeli bank who queried one of the transactions. That allowed Sumitomo to lock down its systems, prevent the transfers and equip police to make arrests.

Outside in

It remains unclear how high up the inside help went.

Some experts believe the keylogging could have supplied sufficient information for a financial expert - and organised crime has little difficulty in recruiting such people - to plan the transactions.

Others feel that since every bank's systems are different, detailed inside knowledge would have been needed.

One thing, though, is unchallenged by everyone who investigates financial crime. Far too often companies concentrate on protecting their perimeters, and forget that their biggest problem may already be within their own walls.

[Image: Yeron Bolondi was arrested in Israel. Caption: Prompt action led to one arrest in Israel]

"The biggest risk to corporations isn't hackers, and it's not al-Qaeda. It's their own people and their imaginations," says Dan Morrison, fraud partner at London law firm Mishcon de Reya.

"I'm struggling to think of a fraud case I've ever done which didn't involve an insider. It's not just access that's needed; it's understanding."

In other words, whatever the similarities between how companies operate, the key for the fraudster is to spot the particular loopholes and opportunities a specific target offers.

"It's very difficult to commit a major fraud against a company without internal assistance," says Simon Dawson, head of corporate investigations at the Risk Advisory Group.

More than money

As the Sumitomo case demonstrates, the insider concerned can be at any level.

Rarely - perhaps one time in 10 - organised criminals will infiltrate someone into a company or a financial institution.

Most of the time, according to detective chief superintendent Ken Farrow of the City of London Police, the threat will come either from outsiders subverting existing staff - whether through bribery, blackmail or threats - or staff simply seeing the chance for themselves.

For the insider crook, the really tempting target may not be found in the company's bank account but in its computer system.

An enterprising fraudster can walk out with intellectual property - client lists, new product details, pricing information and more - and deliver them to a new employer with minimal scruples to guarantee a fat raise.

Many companies have no idea how open this kind of asset is to abuse. At a recruitment firm, for instance, the database is the most valuable thing it owns - yet it is the one thing to which everyone has access.

"It's not just about the money," says Simon Janes, a former detective chief inspector and now at forensic investigators Ibas.

"Corporate espionage can make millions, and it's easier because you don't have to launder the money afterwards."

Keeping watch

Not that anyone is pretending that spotting a potential insider crook is an easy task.

For one thing, the contours of the current job market - rapid job mobility, frequent layoffs, and the much-publicised difficulties in the pension business - make the temptation to take your employer for a ride greater than ever.

"If we just put ourselves in the shoes of somebody who suddenly wakes up to the fact that the future's not going to be as rosy as they thought, then it's very easy to imagine," says Ken Farrow.

"And who among us hasn't worked somewhere where we've thought: if I was bent I could exploit this, I could make money off it."

Companies need to take more responsibility for checking what their employees claim when they are hired, he says, and for making sure their security does not stop at the office door.

Prevention is now the name of the game.

"It always used to be a hard sell," says Simon Dawson. "Now it's different. Within the past few months, we've had far more proposals coming through."

But however much effort goes into prevention - and all fraud experts say that side of their work is getting rapidly busier - the reality of fraud is that, like crime in general, it will never go away.

"This kind of thing goes on far more than the general public imagines," says Simon Janes of Ibas.

"That's not an indictment of anyone. It goes on because it always will."
