Payroll Fraud – How Snare helps you find the crooked insider using Database Activity Monitoring

The Cost of Payroll Fraud (in the billions)

As payroll has increasingly become a dedicated function in the finance and accounting arena, and as regulation in the payroll segment increasingly means that payroll processing has become an IT function, additional risks have been introduced into this high dollar risk arena.

Risks in payroll include out of date payroll systems, non-compliance, and fraud – particularly from insiders with access to back-end databases.

One of the key risks is the lack of visibility into those who have access to the databases and what changes they have made. Usually, this is a very specific area and IT generally and IT Security specifically may not have a good way to see what’s happened inside of the database.

The Australian Payroll Association, in an August 23, 2020 article says the Federal Bureau of Investigations (FBI) reported that between 1 January and 30 June 2019, payroll diversion increased by 815 per cent and that in the past three years, fraud has exceeded $26 (US) billion dollar in losses. The majority of payroll fraud falls into one of three perpetrator categories – employer, employee or third party.

Detecting Payroll Fraud

PwC’s 2020 Global Economic Crime and Fraud Survey revealed 37% of fraud was internal, including 34% by middle managers, 31% by operations staff, and 26% by senior management.

Fraud might also be executed through the creation of “ghost” employees, fake timesheets or maintaining ex-employee records to funnel salary payments into fraudulent accounts. Perpetrators may create false suppliers, and reimbursements for authorised contractors to provide services at inflated rates.

Australia’s most famous payroll fraud case is probably the Clive Peeters case, where the company payroll manager reportedly stole over AUD$19M from her employer over a two-year period.

The solution?

A Database Activity Monitoring (DAM) solution like Snare MSSQL Agent can track sensitive data access, mask sensitive data from anyone inspecting log data (so they cant see the actual data in the database), and provide separation of duties between DBA’s, Sysadmins and forensic investigators.

Our own Snare CISO, Steve Challans says:

“There are many areas of a database that users can interact with. Good applications tend to have their own role based access controls in place to control what a user does and prevent them from doing anything malicious to the database and its contents. 

However, there is another class of users that have direct ODBC access and/or DBA/Sysadmin privileges that can override technical controls and make changes to the databases and its data. Activities such as ‘create table, drop table, and adding columns’, are structural and schema-related, while ‘insert, update, delete, and select’ are data-related. Having someone perform unauthorised data changes affects the integrity of the data, so the business can make bad or wrong decisions with the misleading data now being used. Copying data and data exfiltration is another problem with leaking sensitive personal or financial information or company secrets. There have been many instances of a bad employee making database changes to change the payroll or HR system for nefarious needs. In other cases, there has been a breach of some sort and the hackers have gained access to the DBA accounts to access or exfiltrate data from the customer’s database systems –  causing great damage to the business.”

Database Activity Monitoring


Gartner
defines Database Activity Monitoring (DAM) as a suite of tools that can be used to support the ability to identify and report on fraudulent, illegal or other undesirable behaviour, with minimal impact on user operations and productivity.

Monitoring databases is critical when manipulation of data in those databases can result in financial loss. DAM can contain data from network-based monitoring, as well as native audit information to provide a comprehensive picture of database activity. This data can be used to report on database activity, support breach investigations, and alert on anomalies.

DAM helps businesses address regulatory compliance mandates like the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act (SOX), U.S. government regulations such as NIST 800-53, and EU regulations.

Monitor Activity with Snare’s Microsoft SQL Agent

Snare’s specialised Microsoft SQL agent allows the customer to be very granular with the monitoring of the SQL activity within a single database or an entire instance that covers multiple databases.

Individual users or classes of users such as the DBAs that have the SYSADMIN role can be monitored. Specific settings can be used to collect information on specific database, tables with sensitive data, or specific commands run in the database. This reduces the noise of general monitoring of all user activity on the SQL environment.

The Snare agent works on all current versions of SQL server, on windows platforms, and is cluster-aware to cover off the more complex, highly available needs.

Some other tools can generate enormous amounts of log data which can overwhelm some systems. The Snare agent can be tuned to collect the specific user activity and filter out the rest of the noise.

If you would like to learn more about Snare’s Database Activity Monitoring solutions or about our suite of log collection and management solutions, including Snare Central and Snare Agents, reach out to us. Our team has helped over 4,000 companies around the world protect their logs and prevent cases of payroll fraud.