An employee made changes to a policy’s beneficiaries, and several days later started withdrawing money from the policy. Such withdrawals were performed several times.
A journey was defined as the sequence of activities performed by an employee over a month’s time (one journey was created per user, per month).
TrackerIQ learned monthly working profiles for the entire organization and then used these profiles to detect abnormal/suspicious working journeys. The underlying assumption is that although activities themselves are common, actual attack journeys are very unusual.
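The idea above can be shown in code. This is an added example, not TrackerIQ's algorithm and not code from the original page: it builds one journey per user per month from audit rows and scores each journey by how rare its activity-to-activity transitions are across the organization. The log rows, activity names, and the median + 3 × MAD threshold are assumptions constructed for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed activity sequences (hypothetical activity names, not from the page).
NORMAL_A = ["login", "view_policy", "change_beneficiary", "approve_request", "logout"]
NORMAL_B = ["login", "view_policy", "withdraw", "notify_customer", "logout"]
ODD = ["login", "view_policy", "change_beneficiary", "withdraw", "withdraw", "logout"]

def sample_log():
    """Constructed audit rows: (ISO timestamp, employee, activity)."""
    rows = []
    for month in ("2023-01", "2023-02"):
        for n in range(1, 9):
            acts = NORMAL_A if n % 2 else NORMAL_B
            if (n, month) == (8, "2023-02"):
                acts = ODD  # common activities, unusual order
            rows += [(f"{month}-{i + 1:02d}T09:00:00", f"emp{n}", a)
                     for i, a in enumerate(acts)]
    return rows

def build_journeys(rows):
    """One journey per (user, month): activities in timestamp order."""
    journeys = defaultdict(list)
    for ts, user, activity in sorted(rows):
        journeys[(user, ts[:7])].append(activity)
    return dict(journeys)

def transitions(journey):
    """Distinct consecutive activity pairs in a journey."""
    return set(zip(journey, journey[1:]))

def score_journeys(journeys):
    """Mean surprisal of a journey's transitions against the organization-wide profile."""
    n = len(journeys)
    df = Counter(t for j in journeys.values() for t in transitions(j))
    scores = {}
    for key, j in journeys.items():
        ts = transitions(j)
        scores[key] = sum(-math.log(df[t] / n) for t in ts) / len(ts) if ts else 0.0
    return scores

def flag(scores, k=3.0):
    """Flag journeys scoring above median + k * MAD (assumed threshold)."""
    vals = sorted(scores.values())
    med = vals[len(vals) // 2]
    mad = sorted(abs(v - med) for v in vals)[len(vals) // 2]
    return [key for key, s in scores.items() if s > med + k * max(mad, 1e-9)]
```

In the constructed data, `withdraw` and `change_beneficiary` each appear in about half of all journeys, yet only the journey that chains them is flagged.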
Abnormal journeys were detected in historical data and began six months before the employee committed actual fraud. The employee started by performing activities similar to the final fraud, but with small monetary values of only a few cents. Had the insurance company detected these abnormal journeys when they started, it could either have asked the employee about the anomalies, which likely would have prevented the subsequent fraud, or instead have started monitoring the employee more closely.
Monitoring employee activities and generating alerts about abnormal journeys, even if these journeys are not malicious, is an important preventive control given that the number of alerts generated is small (a few per month).
Insurance, publicly traded.
The application is used by company employees to manage pension and insurance policies.
Application audit logs, including historical data, describing user (i.e. employee) activities within the application.