Inside Jobs

You think fraudsters have packed up and moved on? What about the ones masquerading as your employees?

Dave Daniels has seen so many cases of employee fraud in the wireless industry, he has difficulty pinpointing only one to use as an example. He's a certified communications-security professional who spent 35 years investigating fraud for various agencies. A few months ago, he retired after working as AirTouch's fraud-prevention director for 10 years. The types of cases that stand out in Daniels' mind are employees stealing customers' credit-card information, CSRs fraudulently crediting the accounts of friends and family members, and staffers sharing computer passwords with unauthorized people.

One of his most memorable cases took place in 1996. A competitor's employee tried to sell 60,000 subscriber profiles to an AirTouch salesperson for $3 a profile. The salesperson contacted the company's legal department, which referred the matter to Daniels. He called the competitor and set up a sting operation. In the end, AirTouch caught the perpetrator, but only because it got lucky. Under different circumstances, the crook could have gotten away with the crime indefinitely.

Daniels' story illustrates how coincidental fraud detection can be.

"Most of the time, it's almost like a freak accident that someone comes across (employee fraud)," Daniels said. That's why he recommends that service providers put controls in place to prevent inside jobs. But he understands why service providers often overlook fraud-management programs.

"At the early stages of any industry, it's common to focus on sales and marketing," he said. "And we're still in a crazy growth mode in this industry."

The rapid changes in technology and intense competition are only part of the reason for inattention to employee fraud. Some insiders credit a lack of understanding of recent industry statistics.

Deciphering the Stats
Fraud is way down, according to the latest CTIA figures. The association reported wireless-fraud losses cut into only 0.38% of the industry's revenues last year, compared with fraud losses that consumed 3.9% of revenues in 1995. However, Rick Kemper, CTIA director of the total fraud-management team, admitted these calculations don't add employee fraud to the equation. Employee fraud often goes undetected. Even when it's discovered, tallying the losses can be difficult. As Kemper put it, "How can you value the loss of customer lists or account information?"

Lex Wilkinson, a certified fraud examiner, said the significant drop in airtime charges during the past four to five years may account for the decrease in revenue lost as a result of fraud. Wireless-telecom fraud usually involves someone making calls and not paying for them, which means the service provider must write off those charges. For example, a service provider may have charged $1 or more a minute for roaming in a specific market in 1995 compared with 10 cents a minute for the same call in 1999. So the revenue written off as a result would have been much heftier in 1995.

Linda Toner, Lightbridge senior consultant — fraud-management group, painted a more menacing face on employee fraud. She suggested that internal fraud is growing at a rate of 5.5% to 6% each year.

Shapes of Fraud
As founder of the Wireless Fraud Association and vice president of investigations for the Professional Security Bureau Investigations & Consulting Division, Wilkinson identified four types of fraud most frequently perpetrated by wireless employees: submission of phony applications to collect commissions, illegal use of customers' credit-card numbers, illegal crediting of accounts, and use of demo accounts to provide free service to friends and family members.

In some of these scams, the thieves use the service providers' own marketing tools against them. For instance, many service providers have enabled remote activations to simplify subscription. Subscribers can go online and sign up for services or fax applications into regional operations centers. Unfortunately, this convenience simplifies an old subscription-fraud scheme. Here's how the scam works: A salesperson takes an existing customer's account, changes it slightly, submits it as a new-customer application and then collects a commission check for signing up a "new" customer.

Another scam is the misuse of demo accounts. Service providers set up these accounts to allow customers to use the service for two or three days on a trial basis.

"In the real world, there are probably hundreds of demo accounts that aren't being used by potential customers," Wilkinson said. "They're being used by the friends and family of employees."

Then there are employees who illegally credit the accounts of friends or associates. Wilkinson recalled a case in Tulsa, OK, in which a CSR credited the accounts of gang members. She did this for an entire year before getting caught. Her employer lost $300,000 as a result.

Less common types of employee fraud can be more costly. Simon Williams, Nortel Networks vice president of global sales and marketing-fraud solutions, gave the example of two engineers who worked for a United Kingdom provider. The team attempted to win $30,000 by entering Internet crossword-puzzle contests, running up a bill of $300,000 in airtime charges for its employer.

Who usually commits these kinds of crimes? Wilkinson said the culprit usually has less than six months on the job and works in customer service. "Then your switch-technician-type people," he said.

"They're the ones who would be entering numbers into the switch that aren't in the billing system."

Some offenders are plants.

"There's a significant presence of organized crime within some carriers," Wilkinson said. "They'll get (someone) like the sister of a gang-banger to work for a carrier. Then they go and get all of their phones through the carrier, and that employee goes in every month and credits the bills."

Building a Fence
Wilkinson called fraud a glaring vulnerability for the wireless industry. When asked about new ways criminals find to circumvent security measures, he chuckled. They don't have to find new ways, because committing fraud in wireless companies is already so easy, he said. Why? Because many service providers have been slow to institute strong operating policies and procedures.

There are many ways to build prevention into corporate operations. Daniels emphasized the importance of creating guiding principles. He said managers should let employees know what is expected of them. One way to do this is to put company policies about employee integrity in writing and have employees sign these documents.

Daniels also recommended setting up policies and procedures designed to remove tempting opportunities. For example, prohibit employees from servicing the accounts of friends and family members. Another way is to outline acceptable ways to dispose of customer-account information.

Be honest with employees and treat them well, Daniels recommended. The idea is that in a supportive environment, employees will respect management and help out by discouraging fraud through peer pressure.

"Peer pressure is a lot stronger than (an investigator) snooping," he said.

Information security is the area of vulnerability providers should pay more attention to, Wilkinson said. Service providers are given the trust of a customer who gives information: a home address, Social Security number, phone number, date of birth. All of this information is used to validate accounts.

"Every business that becomes a repository for that kind of information has a responsibility to protect that information," he said. "Information security could be improved tremendously if everyone was aware of what was supposed to be done."

The information to be protected can appear on a computer screen or on printed reports. One way to keep unauthorized people from looking at computerized records is by using passwords. But even this precaution often is undermined by employees who fail to protect the passwords, Wilkinson said. He has walked through offices and seen yellow Post-it notes broadcasting passwords from the sides of computer screens.

In addition to protecting customer information, Wilkinson suggested legal action be taken against employees caught committing fraud. He has noticed that service providers aren't inclined to prosecute.

"So the deterrent is that you lose your job," he said. "They only got the job to (commit the fraud) anyway. It's not like they were planning to retire there."

He knows of service providers that have adopted a policy of zero tolerance toward employee fraud and said they have reduced fraud significantly in their organizations.

"There's nothing like the impact of one of your co-workers being taken out in handcuffs to make people walk the straight and narrow," he added.

Nortel's Williams touted awareness as a requisite of fraud prevention. He said service providers should make sure every employee understands how fraud can be perpetrated and how to reduce the risks. Employees who are unaware of common fraud tactics can become unwitting accomplices. For instance, suppose someone phones your company and convinces the receptionist to provide an open line for testing. Once the person has access to an open line, he or she can funnel calls through it, allowing anyone to call long-distance and international markets at your expense.

Williams also said you should evaluate recruitment and selection practices. Procedures such as checking applicants' references should become part of the drill. Employers also may identify other methods to screen applicants. These steps are especially important for jobs that include handling proprietary or customer information.

After examining and improving policies and procedures, you should consider getting an independent audit from a third party, Williams recommended. Only after you have confirmed that your organizational controls are sufficient, should you begin investigating ways in which software solutions can help.

Detective Work
Fraud can be detected using manual methods or software. According to Wilkinson, a good manual method is to monitor exception reports. The reports track computer users' activities by user identification and passwords. The reports can uncover suspicious behavior, such as employees performing transactions that fall outside their job duties or providing too many credits. Reviewing the reports is a way to get clues about existing or potential fraud before the problem shows up in the billing department or customer complaints.

The downside to the exception reports is that someone has to review them.

"A lot of times, managers who are in the best position to identify abuse of procedure are so buried in doing other stuff that looking at reports is the last thing that gets done," Wilkinson said. "I've gone into offices where the reports were literally stacked as high as the desk. They haven't been checked."

Process audits also can be used to detect fraud or behavior that can lead to it. Monitoring a process means checking a random sample of accounts to determine if employees have handled them according to company policy.

Software solutions can provide an alternative to personnel weeding through a marsh of reports. These solutions range from prescreening to monitoring devices. Most are not specifically designed to prevent employee fraud but can be used for that purpose.

Software such as Lightbridge's Fraud Detect enables service providers to check applicants' personal information for discrepancies. This kind of product can help service providers spot phony applications that are submitted as part of a commission/subscription-fraud scam.

Cerebrus, a Nortel Networks system, uses a neural-network system or artificial intelligence to analyze calling patterns of subscribers and employees. The system detects calls that vary from the user's typical pattern.

These types of software programs, along with strong organizational policies and procedures, can give employers checks, balances and fraud deterrents. But nothing can eradicate employee fraud. The only way to wipe out internal fraud is to stay ahead of the human mind, Lightbridge's Toner said.

New Threats
Staying ahead of the criminal mind isn't always possible. But anticipating where the mind may take employee fraud in the future is possible. As service providers prepare to move deeper into the data arena with e-commerce transactions and Internet services, fraud perpetrators inevitably will seek new ways to exploit security weaknesses. At the same time, consumers will demand more security.

Computer hackers already have published credit-card numbers obtained from wireline Internet systems, and some consumers are reluctant to make purchases over the Internet. These events provide a clue that the protection of personal information will become a big issue for service providers in the future.

"There will be brand new opportunities for employees to exploit information from customers, " Daniels said. "Protecting the billing number used to be the primary concern (for service providers). But what is going to differentiate one carrier from another in the future is the carrier's ability to protect the customer."

---

Employee-Caused Losses

• Employee fraud and abuse costs U.S. organizations more than $400 billion annually.

• The average organization loses more than $9 per day per employee to fraud and abuse, averaging about 6% of its total annual revenue.

• Occupational fraud and abuses fall into three main categories: asset misappropriation, fraudulent statements, and bribery and corruption.

---

Typical Perpetrators

• The typical perpetrator of company fraud and abuse by employees is a college-educated white male; men commit nearly 75% of the offenses. The median loss caused by males is about $185,000; by females, about $48,000.

• Losses caused by managers are four times those caused by employees, and median losses caused by executives are 16 times those of their employees.

• The most costly abuses occur in organizations with less than 100 employees.