Challenges

Although combining OSINT with Fraud Triangle theory can be highly effective and cost-efficient, there are important challenges to address before implementing this approach, particularly given the sensitive nature of internal fraud. These include:

• Data Overload: The volume of publicly available information is constantly increasing. Failing to consider this and under-investing in skills and tools could result in an overwhelming volume of data, making it difficult to separate signal from noise. OSINT tools such as Maltego[xi] or Videris[xii] can ingest large volumes of data and automate their collection. Their ability to map complex relationships and present the results visually intuitively can help identify hidden risks, such as undisclosed conflicts of interest.

• Legal and Ethical Concerns: Organisations must ensure that their OSINT activities comply with all applicable privacy laws and are performed ethically. This is a significant challenge as there is not yet a universally recognised standard for OSINT, nor are there globally agreed-upon certifications or ethical frameworks. Therefore, companies need to ensure that their policies and procedures regarding the use of OSINT are robust.

• False Positives: OSINT findings should always be corroborated with other evidence to avoid acting on inaccurate or incomplete information. This often requires investigative and legal experience and is critical when dealing with allegations against employees.

Conclusion

Failing to recognise or identify internal fraud red flags can be costly. Experienced investigators will tell you that the signs are usually there if you know what you seek. However, OSINT, when focused on the characteristics which Cressey tells us are present in every fraud, can help surface indicators and alert companies before the fraud occurs. Some sensible first steps include:

1. Proactive Monitoring: Integrate OSINT tools and techniques into your risk operations to monitor public and internal data sources for signs of motive, rationalisation, and opportunity.

2. Collaboration Across Departments: Ensure that OSINT findings are shared with HR, compliance, and risk management teams to create a more comprehensive approach to fraud prevention.

3. Employee Training: Educate employees about the risks of fraud and the organisation’s commitment to ethical practices. This positive reinforcement can help reduce the likelihood of rationalisation.

4. Regular Audits: Conduct OSINT-driven audits to identify and address potential red flags before they escalate.

OSINT should no longer be considered a luxury but a necessity. By leveraging the power of publicly available information, and evaluating it through the lens provided by Fraud Triangle theory, organisations can identify indicators of motive, rationalisation and opportunity before any red flags are missed again.

Authored by: The Coalition of Cyber Investigators

Paul Wright (United Kingdom) & Neal Ysart (Philippines)

©2025 The Coalition of Cyber Investigators. All rights reserved.

The Coalition of Cyber Investigators is a collaboration between

Paul Wright (United Kingdom) - Experienced Cybercrime, Intelligence (OSINT & HUMINT) and Digital Forensics Investigator; and

Neal Ysart (Philippines) - Elite Investigator & Strategic Risk Advisor, Ex-Big 4 Forensic Leader.

With over 80 years of combined hands-on experience, Paul and Neal remain actively engaged in their field.

They established the Coalition to provide a platform to collaborate and share their expertise and analysis of topical issues in the converging domains of investigations, digital forensics and OSINT. Recognising that this convergence has created grey areas around critical topics, including the admissibility of evidence, process integrity, ethics, contextual analysis and validation, the coalition is Paul and Neal’s way of contributing to a discussion that is essential if the unresolved issues around OSINT derived evidence are to be addressed effectively. Please feel free to share this article and contribute your views.

[i] Corporate Finance Institute. (n.d.). Enron scandal. https://corporatefinanceinstitute.com/resources/esg/enron-scandal/ (accessed 15 April 2025)

[ii] The Coalition of Cyber Investigators. (2024). The Coalition of Cyber Investigators is a collaboration between Paul Wright (UK) and Neal Ysart (Philippines) [LinkedIn post]. LinkedIn. https://tinyurl.com/CoalitionCI (Accessed 13 April, 2025)

[iii] Cressey, D. R. (1953). Other people's money: A study in the social psychology of embezzlement. Glencoe, IL: Free Press.

[iv] Association of Certified Fraud Examiners. (n.d.). Homepage. https://www.acfe.com/ (Accessed 13 April, 2025)

[v] Registry Trust. (n.d.). TrustOnline: The official register of judgments, orders, and fines. https://www.trustonline.org.uk (accessed 15 April, 2025)

[vi] Reddit. (n.d.). Reddit. https://www.reddit.com/ (Accessed 17 April, 2025)

[vii] Glassdoor. (n.d.). Glassdoor. https://www.glassdoor.com/ (Accessed 17 April, 2025)

[viii] LinkedIn. (n.d.). LinkedIn. https://www.linkedin.com/ (Accessed 17 April, 2025)

[ix] Vayre, E., & Vonthron, A.-M. (2019). Identifying work-related internet’s uses—at work and outside usual workplaces and hours—and their relationships with work–home interface, work engagement, and problematic internet behavior. Frontiers in Psychology, 10, 2118. https://www.frontiersin.org/journals/psychology/articles/10.3389/fpsyg.2019.02118/full (Accessed 17 April, 2025)

[x] Association of Certified Fraud Examiners. (n.d.). Fraud 101: What is fraud? Association of Certified Fraud Examiners. https://www.acfe.com/fraud-resources/fraud-101-what-is-fraud (Accessed 1 May, 2025)

[xi] Paterva. (2024). Maltego [Computer software]. https://www.maltego.com/ (Accessed 4 May, 2025)

[xii] Blackdot Solutions. (2024). Videris [Computer software]. https://www.blackdotsolutions.com/videris/ (Accessed 4 May, 2025)

Combining OSINT with Fraud Triangle Theory to Detect Internal Fraud: A Beginners Guide

Internal fraud is more common than organisations like to admit. It ranges from simple cases such as expense fraud by a solitary employee to highly sophisticated schemes involving multiple parties. It erodes trust, damages reputations, crushes morale and can lead to material financial losses, and even catastrophic outcomes, such as the collapse of Enron[i].

Despite its devastating impact, internal fraud often goes undetected for long periods. However, both the founders of The Coalition of Cyber Investigators[ii], seasoned investigators, each with over 40 years of experience, have observed a striking pattern: you rarely, if ever, see a case of internal fraud without warning signs being present. The problem is not the absence of red flags but that they are often not recognised, ignored, or misinterpreted. This provides a significant opportunity for improvement. By increasing the ability to identify red flag indicators, organisations can detect internal fraud earlier, enabling them to take mitigating actions before a situation escalates into a full-blown crisis.

In this article, we explore how combining Open-Source Intelligence (OSINT) with Fraud Triangle theory - a scientific concept derived from the work of criminologist Donald Cressey[iii] - can help companies recognise red flag indicators and serve as an intelligence-based early warning system for internal fraud.

What Donald Cressey discovered.

As referenced, Cressey introduced the foundations of the Fraud Triangle in his 1953 book, Other People's Money: A Study in the Social Psychology of Embezzlement. While he did not explicitly use the term "Fraud Triangle," the concepts derived from his research shaped the universally accepted principles as to why individuals commit fraud.

Cressey identified three key factors that must be present for fraud to occur: motive (pressure), opportunity, and rationalisation. These three elements were later formalised into the "Fraud Triangle" theory by other researchers and practitioners in the field of fraud prevention and are commonly referenced by organisations such as the Association of Certified Fraud Examiners (ACFE)[iv] and other established fraud prevention bodies.

1. Motive (Pressure): Cressey identified that individuals who commit fraud often face some form of financial or personal pressure. He described this as a "non-shareable financial problem," meaning the individual feels they cannot share their financial difficulties with others due to shame, fear, or other reasons. This pressure creates the motivation to commit fraud. Examples of pressures that would force an individual to commit fraud include debt, addiction, peer pressure, coercion, bribery, retrenchment or revenge.

2. Opportunity: Cressey noted that for fraud to occur, the individual must perceive an opportunity to commit the act without being caught. This opportunity often arises from weak internal controls, lack of oversight, or the individual's position of trust within the organisation. Examples include no four-eyes check on payment approvals, weak due diligence, or collusive or corrupt work colleagues.

3. Rationalisation: Cressey stated that individuals who commit fraud must rationalise their actions to reconcile their behaviour with their values, or self-image as honest and trustworthy. This rationalisation allows them to justify their actions as acceptable given the circumstances. For example, “they’re a bank, they have plenty of money and won’t miss a few thousand” or “I work really hard so all I am doing is taking the bonus that I was entitled to”.

Recognising and addressing these elements can create an advantage for companies seeking to prevent and detect internal fraud. By integrating OSINT analysis into the monitoring of each Fraud Triangle aspect, companies can obtain deeper and more actionable insights, helping them identify fraud indicators earlier.

The Fraud Triangle and OSINT.

1. Motive: Identifying Financial or Personal Pressures

OSINT can help organisations identify potential motives by monitoring publicly available information, such as:

• Social Media Analysis: This could include posts about financial struggles, following the profiles, or liking the posts of debt or bankruptcy advisors, questions or other engagement with “get rich quick schemes” or gambling forums. Conversely, social media analysis could detect sudden displays of wealth which are inconsistent with the individual’s income or previous expenditure habits, for example, purchases of luxury items, branded clothing, lavish vacations, or frequent check-ins to high end restaurants.

• Public Records: Bankruptcy filings, liens, or court judgments can reveal financial distress. For example, in the UK, you can search the TrustOnline website, operated by the Registry Trust, for county or high court judgements or any other court orders against individuals or companies[v]. Through OSINT enquiries, you can identify if any close family members or associates of an employee have failing business interests or other financial dilemmas that your staff member may be subsidising.

• Online Behavioural Patterns: Online forums or anonymous reviews may highlight workplace grievances or dissatisfaction, which could be a motive for fraudulent behaviour. Forums such as Reddit[vi] or Glassdoor[vii] may identify posts complaining about being underpaid or struggling to make ends meet, which could indicate possible motives. LinkedIn[viii] analysis may reveal an open for work status, or other posts indicating the employee is disgruntled and looking to leave their current role. Workplace internet activity can be monitored to identify excessive use during the working day, a behaviour linked to external worries or personal pressures[ix]. The nature of the activity may also reveal red flags, such as if the employee regularly accesses debt advisory sites, online casinos, or other sites, which could indicate financial pressures.

Companies that can identify employees under financial or personal pressure can provide support and introduce heightened oversight to help mitigate risk.

2. Rationalisation: Detecting Potential Justifications

According to the Association of Certified Fraud Examiners (ACFE), "because the fraudster does not see himself as a criminal, he must justify the fraud to himself in a way that makes it seem acceptable[x]”. Cressey explains this type of rationalisation of intended actions is the mental process by which individuals may seek to justify their fraudulent activity.

Common instances include a belief that they are being unfairly treated, for example, “I am underpaid”, “I am entitled to more”, or “everyone else got a bonus”. OSINT can be analysed to help detect signs of rationalisation through several channels, including:

• Employee Sentiment Analysis: Monitor online reviews, forums, or social media for negative comments about the organisation, such as complaints about unfair treatment, low pay, or poor management.

• Whistleblowing or Grievance Process: Employees may express frustrations or express perceived injustice through the internal whistleblowing or grievance process.

• Pattern Analysis: Identifying clusters of employees expressing dissatisfaction can help organisations address systemic issues that may lead to rationalisation within groups and create a risk of collusion.

3. Opportunity: Closing the Gaps

Of the three elements described in the Fraud Triangle, opportunity is the one over which companies have the most influence. It refers to the ability of a fraudster to exploit weaknesses in controls or oversight to commit fraud. OSINT can play a significant role in detecting potential opportunities to commit fraud in a number of critical areas. These include:

• Identifying Conflicts of Interest: Evaluating OSINT can help uncover undisclosed relationships between employees and vendors, such as family ties, shared business interests, or close and longstanding social relationships by analysing social media connections, business registries, and public records. The visualisation of entity linkages, such as an employee’s connection to a vendor via a spouse’s business, can help enable rapid detection of hidden conflicts of interest. For example, social media analysis of a key supplier may reveal a very close, but previously undisclosed, family relationship with your company’s head of procurement, who was responsible for selecting the vendor. Checking the ownership details of a supplier may reveal that a significant shareholder is a member of the family of one of your non-executive directors. Conflicts of interest tend to resist transparency as they are often based on strong interpersonal relationships. Still, OSINT techniques can help level the playing field and shine the spotlight on risk factors that were previously hidden.

• Detecting Anomalous Behaviour: OSINT tools can flag unusual activity, such as employees registering shell companies or engaging in side businesses that could conflict with their roles. For example, after analysing business registrations, it was discovered that one of your employees had registered a business that had subsequently won some competitive bids through undercutting your company’s proposal.

• Dark Web Monitoring: OSINT can track whether employee credentials or other sensitive company data are being offered for sale on dark web marketplaces, indicating potential insider threats, internal compromise or previously unidentified or unreported breaches.