Driving into work, "Donna" would scan the bank's parking lot. "Every single morning... to see if there was anybody out of the ordinary there waiting for me," she remembers.
Donna (not her real name) had good reason to be nervous. Over the course of 10 years as an assistant vice president of a Southeast regional bank, she'd stolen funds from customers' certificate-of-deposit accounts. Because of personal financial problems with a bad mortgage and a freshman daughter's college costs, she started to get by through pinching funds from the CDs.
What she stole - a few hundred here, a thousand there - was nothing she felt anyone would miss right away. And she would pay it all back when she could.
But her small-potatoes thefts ended up totaling almost $200,000. As she told the writers of "Insidious", a newly published book exploring how and why bank employees (and executives) go rogue, her life became "very stressful" hiding her scheme from detection. "I worked every day of the week because I was afraid to take a day off," said the 42-year-old mother of three.
Donna was eventually nabbed on a day she happened to be out of the office, leading to a conviction and an 18-month federal prison term she is currently serving.
No one knows if many embezzlers share Donna's emotional anguish - fear, guilt, regret and even nausea - but as "Insidious" describes, many have found the same justifications and avenues to pilfer from their employer banks. "We're in a tough economy and insider fraud seems to be growing," says "Insidious" co-author Shirley Inscoe, an anti-fraud specialist who formerly headed Wachovia's fraud-prevention efforts before joining the fraud-monitoring technology firm Memento.
Anti-fraud experts believe that insider fraud problems have escalated as employees under personal financial duress become desperate for a way out, or become vulnerable to recruitment by external fraud rings looking to have an agent working internally to steal data and/or funds.
How bad is the problem? Hard data is difficult to come by (banks don't report insider fraud statistics to regulators), but transactional risk-monitoring provider Actimize found in a September survey than more than 80 percent of financial institutions believe insider fraud is rising, and 78 percent point to economic stresses on employees as a prime factor.
But Inscoe says banks aren't helping matters by tossing aside security investments as their capital budgets tighten. "Banks are cutting costs dramatically," said Inscoe. "That may actually lower the internal controls they have in place."
Since banks don't report fraud numbers, they may tend to keep insider fraud issues under the radar: dismissing but not prosecuting employees who are caught stealing funds or purposefully breaching private consumer data, according to Chris Swecker, an anti-fraud consultant and former head of fraud prevention for Bank of America. Only 7 percent of insider fraud is committed by repeat offenders, according to the Association of Certified Fraud Examiners. Is that a matter of banks cleaning house - or allowing crooks to move on to the next job?
Security experts like Swecker say banks need to do a better job of checking employees' backgrounds. While human resources departments typically vet new hires, they rarely perform background checks with the FBI's criminal fingerprint database, says Swecker. And while they do perform some criminal background and credit checks for applicants, current employees are never re-examined.
"I liken working at a bank - especially where you have areas working with customer data - with handling top-secret information," he says.
The ones who do end up in legal trouble reveal how brazen some insiders become. Many mid-level employees or managers on modest salaries have bankrolled, for years on end, lavish lifestyles and investments by stealing. In 2006, a vice president with Harris Bank was nabbed for reportedly embezzling $14 million after federal investigators got wind that he purchased a $1.6 million Florida home on a $48,000 a year salary.
Monitoring employees' personal financial condition may seem to be an answer, but banks are loath to take a big-brother approach to snooping into employees' personal lives, say analysts.
Besides privacy issues, there's a big worry what such tactics could be a blow to morale of the vast majority of honest employees. "We want to trust the people we work with," says BC Krishna, Memento's CEO and co-author of "Insidious." "Life would be intolerable if we had to run around on pins and needles thinking the person working next to me or my boss is a criminal."
Banks instead rely a great deal on behind-the-scenes technology, with tools such as access monitoring of employees' physical locations and network log-ins as a way to trip alarm bells if insiders stray from protocol.
But these applications often lack system-wide communications - one department's computer access system may not see the same worker logged in elsewhere - and frequently are mired down with outdated credentials for employees (and even ex-employees) that still allow unauthorized access.
Garner security analyst Avivah Litan says banks are improving internal oversight with transaction and insider-access monitoring tools from companies like Memento, Actimize and Norkom. But what's needed, too, are "colluding" analytical systems that gather data to pinpoint suspicious insider activity from otherwise normal patterns of behavior, says Litan. She notes how an unnamed global bank used collective network analysis to prove that one of its branch managers was working with a known fraudster. How? They were each using the same ATM machines on a Caribbean Island at similar times.
"If you ask anyone, 'are you're worried about insider threats,' they'll say yes, especially in this economy," says Litan. "But it's hard to tackle."
As Donna explained in "Insidious" about her own shenanigans: "They should have caught me a long time ago." However, electronic systems and other checks-and-balances have their limits, because ultimately they still depend on the trust given to workers by the institutions. It's especially true of those whose experience gives them insight into the loopholes of bank security.
In another fraudster profile in "Insidious", a customer service representative for an Ohio institution was empowered by her branch manager to sign his initials on general ledger tickets or debit memos that required his signature, just to save him the hassle of all the extra paperwork. It was discovered she used his initials to issue fictitious loans and approve bogus bonuses for herself - a fraud that totaled $500,000 over two years.
What will get banks to improve tactics? While the Actimize survey points to wider fear of fraud, Swecker and others say banks may still have their heads in the sand on the issue of motivation.
According to a cross-industry survey of chief risk officers by the market intelligence firm IDC, insider threats are the primary exposure to data security - but most (52 percent) believe that threat is from employee neglect, not intentional fraud (19 percent). Many would argue that's naïve. But there's little hard data to convince the industry otherwise on how much insider fraud really takes place.
IDC estimates that annual losses for financial institutions adds up to an average of $500,000 a year for insider-based incidents, but the American Bankers Association's annual account fraud survey of fraud losses at banks and credit unions does not break out employee fraud.
Total identity-theft fraud losses have been estimated at around $50 billion a year, according to the Federal Trade Commission and Pleasanton, Calif.-based Javelin Strategy & Research, but much of that comes via fraud losses incurred by consumers themselves, such as through phishing scams.
Catherine Allen, a financial technology services consultant with the Santa Fe Group, thinks banks might be sobered by insider fraud if they measured some of its impact beyond lost dollars - customer migration, retention activities to stem the backlash, public relations, investigation costs, replacing and training new employees to replace fired ones, plus the cost of filing suspicious activity reports.
What may get employees' attention, meanwhile, is publicity. The attention paid to insider-based fraud is at its peak, thanks to data breach notification letters, along with the blogosphere's ability to amplify local incidents across the country - bringing national attention to cases like the pregnant California branch manager who forged $650,000 in cashiers' checks against an entertainer's IRA.
For Donna, her story may provide a better disincentive against stealing than any bank watchdog system.
Besides her prison term and lifelong felon status, Donna's career in banking is over. And it was more than her livelihood she lost; she's been cut off from the friends she had for a decade, and will feel like a pariah in her small community forever.
"There are lots of people out there who are just like me, who aren't felons or bad people," Donna said. "They just found themselves in a situation where they felt that that's what they needed to do. I bet they wish they hadn't either."
