Case Study
Early Detection of Fraud Committed by an Employee
Detected malicious activities
An employee made changes to a policy’s beneficiaries, and several days later started withdrawing money from the policy. Such withdrawals were performed several times.
User journey analyzed
The sequence of activities performed by employees over a month’s time (a journey was created per user, per month).
Process and assumptions
TrackerIQ learned monthly working profiles for the entire organization and then used these profiles to detect abnormal/suspicious working journeys. The underlying assumption is that although the activities themselves are common, actual attack journeys are very unusual.
TrackerIQ Analysis Results (over 24 months of log data monitoring)
- 30 journeys were flagged as suspicious
- 6 of the suspicious journeys involved the employee who committed fraud
Takeaway
Monitoring employee activities and generating alerts about abnormal journeys, even if these journeys are not malicious, is an important preventive control, given that the number of alerts generated is small (a few per month).
TrackerIQ Benefits
- Quick initial tuning of the detection model using historical data, including detection of past suspicious activities
- Continuous monitoring of employee journeys to detect ongoing suspicious activities
- Continuous monitoring provides both a preventive control and a compensating control for the lack of effective access control policies within the existing business application (developed years ago)
- Few alerts per month (fewer than 1 per week) allow a focus on truly suspicious activities
- An easy-to-use investigation tool for the business analyst
Industry
Insurance, publicly traded.
Application type
Custom-built.
Application usage
The application is used by company employees to manage pension and insurance policies.
Data analyzed
Application audit logs, including historical data, describing user (i.e. employee) activities within the application.
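The assumption stated under "Process and assumptions" (common activities, unusual journeys) can be illustrated with a small added example. It is not TrackerIQ's algorithm or code from this case study: the ordered-pair rarity score, the activity names, the user IDs and the 5% threshold are all assumptions, and the audit events are constructed.

```python
from collections import Counter, defaultdict

def build_journeys(events):
    """One journey per (user, month) from time-ordered (user, month, activity) events."""
    journeys = defaultdict(list)
    for user, month, activity in events:
        journeys[(user, month)].append(activity)
    return dict(journeys)

def ordered_pairs(journey):
    """Set of (a, b) such that activity a occurs somewhere before activity b."""
    pairs, seen = set(), set()
    for activity in journey:
        pairs.update((earlier, activity) for earlier in seen)
        seen.add(activity)
    return pairs

def learn_profile(journeys):
    """Organization-wide profile: number of journeys containing each ordered pair."""
    profile = Counter()
    for journey in journeys.values():
        profile.update(ordered_pairs(journey))
    return profile

def flag_journeys(journeys, profile, max_share=0.05):
    """Map journey key -> ordered pairs found in at most max_share of all journeys."""
    flagged = {}
    for key, journey in journeys.items():
        rare = sorted(p for p in ordered_pairs(journey)
                      if profile[p] / len(journeys) <= max_share)
        if rare:
            flagged[key] = rare
    return flagged

def constructed_events():
    """Constructed sample: 12 service clerks, 12 payment clerks, one outlier."""
    service = ["login", "view_policy", "update_beneficiary", "logout"] * 3
    payment = ["login", "view_policy", "withdraw", "logout"] * 3
    outlier = ["login", "update_beneficiary", "logout"] + payment
    events = []
    for i in range(12):
        events += [(f"svc_{i}", "2024-03", a) for a in service]
        events += [(f"pay_{i}", "2024-03", a) for a in payment]
    return events + [("emp_x", "2024-03", a) for a in outlier]

if __name__ == "__main__":
    journeys = build_journeys(constructed_events())
    for key, rare in flag_journeys(journeys, learn_profile(journeys)).items():
        print(key, "rare ordered pairs:", rare)
```

In this sample both `update_beneficiary` and `withdraw` appear in about half of all journeys, yet only one journey contains the first followed by the second. A clerk who legitimately performs both tasks in one month would be flagged as well, which is the non-malicious abnormal journey the takeaway refers to.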