• United States



by CSO Contributor

How to Stop a Thief by Thinking Like a Thief

Dec 01, 20064 mins
CSO and CISOData and Information SecurityFraud

Connie Veates, assistant VP of corporate security and business continuity at BellSouth, developed a comprehensive antifraud program. The cornerstone of that program is the team's ability to think like a thief.

Know your fraud

Just as a chess master understands the numerable but finite opening sequences to a chess game, an

antifraud professional should know the numerable but finite fraud schemes. Connie Veates relies on a

fraud taxonomy with six classes of fraud and 123 distinct species. Those include many types of

inventory fraud, manifold check-kiting schemes and techniques with colorful names like cash lapping.

The beauty of a taxonomy is that it’s universal. Naturalists can classify newly discovered flora and fauna

in the existing Linnaean system. Likewise, newly discovered fraud schemes are just fresh takes on

established schemes in Veates’ taxonomy.

Divide and conquer

While members of her team understand these 123 frauds generally, that’s a lot of crimes to master. So

Veates commissions specific team members to become subject matter experts. The goal is to have one

person thinking like a specific kind of thief rather than everyone thinking about fraudsters in general.

This expert will gain a deep understanding of a specific kind of fraud, the type of person who commits

it and his motivation, and tools and techniques to combat it. Veates says, “We’ll have one person focus

on inventory fraud, and they’ll know to periodically check eBay, for example, to see if goods are being

sold there illegally. We’ll have another who knows benefits fraud inside and out, and so forth.”

Learn a little psychology

To think like a thief, you have to know how a thief’s mind works. The best place to start is with Dr.

Donald Cressey’s landmark work on the psychology of fraud and his “fraud triangle.” According to

Cressey, the three elements of all fraud are opportunity, motivation and rationalization.

Don’t trust your instincts

Sometimes we associate thinking like a thief with thinking like a bad guy, but they are not one and the

same. In order to successfully understand fraud, you need to throw out some prejudices about the type

of person who commits fraud. To start, it’s rarely a bad guy, a malicious person with purely malicious

intent. “I started in this thinking only bad people committed fraud,” Veates says. “In fact it’s usually

good people who make a bad decision and a bad rationalization, who think the pain they’re causing is

less than the gain they get. They could be a company’s board member. These are usually fairly

intelligent people. Typically male, higher up in the organization and typically, for internal fraud, they

have long tenures at the company.” In other words, fraudsters are criminals but not archetypical

criminals. Rather, they’re the same people you work with, have lunch with and socialize with every day.

This is why, when fraud’s discovered, you often hear victims saying, “He’s the last person I’d have

suspected.” That’s how he got away with it!

Trust your instincts

While you must stifle the natural tendency to generalize about who commits fraud, you should

definitely trust your gut when it comes to sensing fraud might be taking place. Veates encourages all

employees to report it when they have that “something’s just not right” vibe. And her subject matter

experts have developed keen senses of smell for something fishy, too.

Hire young turks

Veates believes one of the best sources for thinking like a thief is our nation’s youth. Young people

just out of college, often with a better working knowledge of technology than corporate managers, are

both skilled enough and energetic enough to want to suss out fraud techniques. “They have a specific

skill set, these just-out-of-college geeky guys who sit and play games and are intrigued with the

challenge,” Veates says. “It’s a like a video game to them. A safe way to have fun breaking the rules. We

let them loose and say, ‘How would you steal from this system?'”

If you want to think like a thief, act like a thief

The best way to understand how thieves think is to become one yourself, Veates says. Game your

systems. Learn how to break into them, who’s vulnerable to social engineering, where the weak spots in

the supply chain can be found. “We’ve developed a good reputation for this; we’ve done it for three

years now. Sometimes the business units know we’re doing it, sometimes not. Sometimes, we just

game the systems when we’re bored. Just break in and take the intelligence back to the business unit.

They see the fraud technique and say, ‘Who thinks like this?’ And we tell them, ‘We do.'”