Insider Threat's New Twist: Fraud Via the Spreadsheet

March 9, 2009 - Linda McGlasson

Most of us deal with the ubiquitous spreadsheet at least once a day in our daily work. Whether it is creating or updating reports for senior management or keeping track of equipment inventories - or the hundreds of other uses for spreadsheets - financial institutions depend on these workhorses to retain and create repositories of valuable data.

Without even considering the external threats that flaws in Microsoft Excel spreadsheets pose, including the yet unpatched zero day flaw Microsoft recently revealed in late February, the concern that many institutions may overlook is the potential for fraud perpetrated by employees.

When it comes to spreadsheets, another challenge is that fraud can be difficult to detect.

Ralph Baxter, CEO of security company ClusterSeven, explained it best to me when he said, "Although fraud is not the primary reason for the precarious state of the current economy, it is still a cause of concern to banks because most of them incorrectly believe their current security measures are adequate and they are preoccupied with surviving and may have inadvertently lowered their guard when it comes to fraud."

When it comes to spreadsheets, another challenge is that fraud can be difficult to detect. Spreadsheets, where fraud is often committed, are very accident prone, especially when they have thousands of lines of data. Baxter notes, "If for example, someone changes one cell to boost a future bonus, the bank will still need to prove the employee did not make an 'honest' mistake and intended to commit fraud."

To make matters worse in detecting this kind of fraud, the departments responsible for rooting out fraud tend to have very high turnover and are considered "low priority" for funding and training. Baxter says he sees morale is usually low, and the high turnover requires higher than average training resources, which aren't often available. This further reduces the effectiveness of institutions' security measures.

There are three types of fraud that are growing in popularity:

• Presentation fraud - is an increasingly common form of criminal activity and involves modifying the way a spreadsheet is viewed. Sometimes whole lines of data are made invisible, or a number in a cell is displayed using a white font on a similarly colored background. "Fraudsters with a great deal of experience using Excel can lay a false number over the real one. This type of fraud is quick and easy to do and occurs right before bonuses are calculated," he Baxter says.


• Adjustment fraud - involves incorrectly recording numbers on a spreadsheet as part of the process of updating information about the markets a bank is involved in. Ongoing adjustments are a normal part of the banking business and an employee who is committing adjustment fraud may actually appear to be doing a very thorough job. This type of fraud involves making multiple false data entries over a period of time and ultimately removing all evidence of fraud by the end of the manipulation process.


• Gradual fabrication fraud - involves inserting false data that is only slightly higher or lower than the actual number so that it does not attract attention from other employees or auditors. This scheme is meant to slowly inflate a bank's assets or worth. Once the false numbers have been accepted and a higher bonus check issued, the employee corrects the false number slowly, over time, once again to avoid raising any suspicion.

Institutions that still employ manually-driven spreadsheet management systems are highly vulnerable to these schemes because fraud detection is very labor intensive and involves reviewing each and every line of a spreadsheet. Want an example of what can be missed, including an innocent error when a spreadsheet is changed? Just look to the case of miscalculations because of a spreadsheet reformat gone bad that cost Barclays in its acquisition of Lehman Brothers assets last September.

To deal with this problem, many financial institutions are now investing in automated fraud detection systems that manage spreadsheet activities as part of an overall risk management program. An automated system can closely monitor, record and expose the behavior of each cell in a spreadsheet for auditors. Even the smallest irregularities can be spotted and remedied, which helps an institution balance governance, risk and regulatory compliance (GRC) obligations, and at the same time when you run an automated fraud detection system to monitor spreadsheet activities, it will also hopefully keep your staff honest when working with spreadsheets and make their "mistakes" really honest ones.