Connie Veates, assistant VP of corporate security and business continuity at BellSouth, developed a comprehensive antifraud program. The cornerstone of that program is the team's ability to think like a thief. Know your fraud Just as a chess master understands the numerable but finite opening sequences to a chess game, an antifraud professional should know the numerable but finite fraud schemes. Connie Veates relies on a fraud taxonomy with six classes of fraud and 123 distinct species. Those include many types of inventory fraud, manifold check-kiting schemes and techniques with colorful names like cash lapping. The beauty of a taxonomy is that it’s universal. Naturalists can classify newly discovered flora and fauna in the existing Linnaean system. Likewise, newly discovered fraud schemes are just fresh takes on established schemes in Veates’ taxonomy.Divide and conquer While members of her team understand these 123 frauds generally, that’s a lot of crimes to master. So Veates commissions specific team members to become subject matter experts. The goal is to have one person thinking like a specific kind of thief rather than everyone thinking about fraudsters in general. This expert will gain a deep understanding of a specific kind of fraud, the type of person who commits it and his motivation, and tools and techniques to combat it. Veates says, “We’ll have one person focus on inventory fraud, and they’ll know to periodically check eBay, for example, to see if goods are being sold there illegally. We’ll have another who knows benefits fraud inside and out, and so forth.” Learn a little psychology To think like a thief, you have to know how a thief’s mind works. The best place to start is with Dr. Donald Cressey’s landmark work on the psychology of fraud and his “fraud triangle.” According to Cressey, the three elements of all fraud are opportunity, motivation and rationalization. Don’t trust your instinctsSometimes we associate thinking like a thief with thinking like a bad guy, but they are not one and the same. In order to successfully understand fraud, you need to throw out some prejudices about the type of person who commits fraud. To start, it’s rarely a bad guy, a malicious person with purely malicious intent. “I started in this thinking only bad people committed fraud,” Veates says. “In fact it’s usually good people who make a bad decision and a bad rationalization, who think the pain they’re causing is less than the gain they get. They could be a company’s board member. These are usually fairly intelligent people. Typically male, higher up in the organization and typically, for internal fraud, they have long tenures at the company.” In other words, fraudsters are criminals but not archetypical criminals. Rather, they’re the same people you work with, have lunch with and socialize with every day. This is why, when fraud’s discovered, you often hear victims saying, “He’s the last person I’d have suspected.” That’s how he got away with it!Trust your instincts While you must stifle the natural tendency to generalize about who commits fraud, you should definitely trust your gut when it comes to sensing fraud might be taking place. Veates encourages all employees to report it when they have that “something’s just not right” vibe. And her subject matter experts have developed keen senses of smell for something fishy, too. Hire young turks Veates believes one of the best sources for thinking like a thief is our nation’s youth. Young people just out of college, often with a better working knowledge of technology than corporate managers, are both skilled enough and energetic enough to want to suss out fraud techniques. “They have a specific skill set, these just-out-of-college geeky guys who sit and play games and are intrigued with the challenge,” Veates says. “It’s a like a video game to them. A safe way to have fun breaking the rules. We let them loose and say, ‘How would you steal from this system?'” If you want to think like a thief, act like a thief The best way to understand how thieves think is to become one yourself, Veates says. Game your systems. Learn how to break into them, who’s vulnerable to social engineering, where the weak spots in the supply chain can be found. “We’ve developed a good reputation for this; we’ve done it for three years now. Sometimes the business units know we’re doing it, sometimes not. Sometimes, we just game the systems when we’re bored. Just break in and take the intelligence back to the business unit. They see the fraud technique and say, ‘Who thinks like this?’ And we tell them, ‘We do.'” Related content news Google Chrome zero-day jumps onto CISA's known vulnerability list A serious security flaw in Google Chrome, which was discovered under active exploitation in the wild, is a new addition to the Cybersecurity and Infrastructure Agency’s Known Exploited vulnerabilities catalog. By Jon Gold Oct 03, 2023 3 mins Zero-day vulnerability brandpost The advantages and risks of large language models in the cloud Understanding the pros and cons of LLMs in the cloud is a step closer to optimized efficiency—but be mindful of security concerns along the way. By Daniel Prizmant, Senior Principal Researcher at Palo Alto Networks Oct 03, 2023 5 mins Cloud Security news Arm patches bugs in Mali GPUs that affect Android phones and Chromebooks The vulnerability with active exploitations allows local non-privileged users to access freed-up memory for staging new attacks. By Shweta Sharma Oct 03, 2023 3 mins Android Security Vulnerabilities news UK businesses face tightening cybersecurity budgets as incidents spike More than a quarter of UK organisations think their cybersecurity budget is inadequate to protect them from growing threats. By Michael Hill Oct 03, 2023 3 mins CSO and CISO Risk Management Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe