We were woken early one morning a couple of years ago by a partner in a London law firm asking us how quickly we could image a company’s server and about two dozen laptops.
Later that morning, forensic images were in progress. The company’s automatic Purchase Ledger payments had all been diverted to one bank account, in Africa.
It turned out that a clever ex-employee had simply switched the bank account numbers and sort codes of the larger suppliers to an account in his “name” in an African bank.
Fast reactions by the lawyer and the bank recovered most of the money, but the relative ease with which the fraud was set up and tested is quite disturbing.
From our forensic images we were able to pinpoint the perpetrator and enable the police to seize computer equipment in the ex-employee’s home.
This kind of fraud is often perpetrated by short-term subcontract IT staff who take up positions within larger companies to gain access to their IT systems. Typically the perpetrators will open up backdoors that allow remote control of systems after they have completed their contract.
With the knowledge gained about the payment cycles, the perpetrator can gain access to the banking systems just before the BACS payments are lodged at the bank and then change the sort codes and account numbers to ones which he, or his accomplices, control. The funds can then be withdrawn before the fraud is discovered.
Some simple steps can be taken to minimise the risk of becoming a victim of bank account fraud.
- Ensure user permissions are removed immediately when employees leave.
- Understand the technical risks involved in communicating with your bank: what is the interface between your accounting system and your bank’s processing?
- Routinely obtain “forensic images” of users’ computers when they leave – this will allow you to review their activity for evidential purposes in future investigations.
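
As an added example (not part of the original article), the sketch below shows one control at the interface between the accounting system and the bank: before a payment batch is lodged, each supplier's sort code and account number is compared with an independently held approved copy, and any destination account shared by several suppliers is flagged. The supplier names, bank details and field names are constructed for illustration, and the existence of a read-only approved baseline is an assumption.

```python
import re
from collections import defaultdict

# Constructed baseline: supplier bank details as last approved, kept in a
# read-only copy outside the accounting system (assumption of this example).
APPROVED = {
    "ACME":   ("40-11-22", "12345678"),
    "BOLT":   ("20-33-44", "87654321"),
    "CARTER": ("60-55-66", "11223344"),
}

# Constructed payment batch as exported just before lodging with the bank.
BATCH = [
    {"supplier": "ACME",   "sort_code": "99-88-77", "account": "55555555", "amount": 48200.00},
    {"supplier": "BOLT",   "sort_code": "998877",   "account": "55555555", "amount": 31950.50},
    {"supplier": "CARTER", "sort_code": "60-55-66", "account": "11223344", "amount": 1200.00},
]

def normalise(sort_code, account):
    """Reduce both fields to digits so '99-88-77' and '998877' compare equal."""
    return re.sub(r"\D", "", sort_code), re.sub(r"\D", "", account)

def review_batch(batch, approved):
    """Return (rule, suppliers, destination) findings for payments to hold."""
    findings = []
    by_dest = defaultdict(set)
    for p in batch:
        dest = normalise(p["sort_code"], p["account"])
        by_dest[dest].add(p["supplier"])
        expected = approved.get(p["supplier"])
        if expected is None:
            findings.append(("UNKNOWN_SUPPLIER", [p["supplier"]], dest))
        elif normalise(*expected) != dest:
            findings.append(("DETAILS_CHANGED", [p["supplier"]], dest))
    # Several suppliers paid into one account is the pattern from the case above.
    for dest, suppliers in by_dest.items():
        if len(suppliers) > 1:
            findings.append(("SHARED_DESTINATION", sorted(suppliers), dest))
    return findings

def held_total(batch, findings):
    """Sum the value of every payment named in at least one finding."""
    flagged = {s for _, suppliers, _ in findings for s in suppliers}
    return sum(p["amount"] for p in batch if p["supplier"] in flagged)

if __name__ == "__main__":
    results = review_batch(BATCH, APPROVED)
    for rule, suppliers, dest in results:
        print(rule, ",".join(suppliers), "->", "-".join(dest))
    print("Value to hold:", held_total(BATCH, results))
```

The check is only as trustworthy as the baseline, so the approved copy should be writable only through a separate approval process, not by anyone with access to the accounting system.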
IT Forensics: Pinning Down Dishonest Employees