Insider Threats: £4.6m in self-signed invoices

Of the three categories of insider threat; theft, fraud and sabotage, fraud is often the most complex,  inventive and difficult to detect. This case however, has a certain simplicity to it.

The case concerns a Mr Kabbaj who worked for an “unnamed global internet company” according to the US Internal Revenue Service, and for Rakuten, according to Linkedin. A few weeks ago this former senior IT executive pleaded guilty to wire Fraud and could face around 20 years in jail.

How did it get to this?

Four years ago, whilst working for Rakuten, Mr Kabbaj formed a company called Interactive Systems. Over the course of the next four years Interactive Systems repeatedly billed Rakuten for non-existent equipment that it hadn’t supplied. These invoices, you will be unsurprised to learn, turned up on the desk of a Mr H. Kabbaj for authorisation.

Kabbaj was creating these fake invoices, emailing them to himself at his work address, authorising them and then sitting back and collecting the money. So far so simple, but what about the lack of tangible equipment? To cover his tracks Kabbaj would put the serial numbers of equipment his employer already owned onto the invoices.

How much did he make?

Kabbaj defrauded the company of £4.6 million over four years on top of his salary and benefits. According to his linkedin bio his skills include being able to  “Transform business processes and streamline them with technology solutions that deliver rapid ROI” –Which is true, if you understand that he meant rapid ROI for himself, not for the company.

How did he get caught?

Bit of an opsec fail on his part. Kabbaj was discovered when another employee looked closer at the invoices. Anomalies were noticed and then someone look at the meta data on the invoices.  They saw that the invoices were being created on Microsoft Word licensed to Kabbaj, proving that he had sent the invoices to himself..

What can I do to defend against this?

  1. Make sure no one person has power to approve invoices. Have multiple people looking at this.
  2. Crucial jobs should be rotated every so often. This helps train all the team on the tasks that need doing and also means people don’t have years in one role to potentially commit fraud.
  3. Train staff to spot odd behaviour. Kabbaj sent himself 52 invoices and made £4.6 million -there may well have been multiple signs he was up to no good that could have been identified and been reported.


Related Posts

Behaviour Change in your Organisation (short video)

Behaviour Change in your Organisation (short video)

Getting your staff to change their security behaviour It is often submitted that fear is bad. Actually, from a behavioural science perspective we know fear is the most effective tool for stimulating behavioural change. Fear of crime is necessary but not sufficient to...

Hacked! Right Match Singles Suffers a Data Breach..

Hacked! Right Match Singles Suffers a Data Breach..

Cyber Security Awareness Month Special: "Hacked" What would you do if your company was hit by a cyber attack? Do you have a plan? A crisis management team in place? Many companies don't have a plan or haven't tested that plan.  For Cyber Security Awareness Month 2020...

Get staff engaged for Cybersecurity Awareness Month

Get staff engaged for Cybersecurity Awareness Month

October is ECSM, a month-long European event promoting good cyber security practices and safety. This years themes are: Digital skills:  personal data protection, cyber bullying and cyber stalking establishing good practices online.  Cyber scams: cyber threats such as...