When a business owner thinks about threats, they usually picture a hacker attack, an aggressive competitor or a sudden inspection by the regulators. Yet research from recent years points clearly to a very different fact: the costliest losses are inflicted not by outside enemies but by a company's own employees. The people who are trusted. The ones who hold the office keys, the access to accounting, the CRM passwords and the phone numbers of loyal clients. The "insiders". Internal theft in a company almost always comes from someone you never suspected.
According to the Association of Certified Fraud Examiners (ACFE) in its Report to the Nations on Occupational Fraud and Abuse, the average company loses roughly 5% of its annual revenue to internal fraud. The average loss from a single case of occupational fraud is about $117,000, and one in four investigations uncovers losses of more than a million dollars. On average, a fraud scheme goes unnoticed for 12 months — a full year during which a "trusted" employee methodically removes assets, wires money to shell counterparties or leaks the client base to competitors.
An even more telling statistic: in 89% of cases of internal fraud, the perpetrators turned out to be people with no prior convictions or disciplinary records whatsoever. In other words, the typical "corporate thief" is not someone you would suspect at first glance. It is the sales manager who has been with you for three years. It is the accountant who remembers the birthdays of everyone's children in the department. It is the warehouse supervisor you hired on a relative's recommendation. It is the person who is first to arrive at company parties and whose signature you trust on payment documents when you are rushing to catch a flight.
The Ukrainian context adds its own twist. Short average job tenure, high staff turnover, the mass shift to partial remote work and limited security budgets all create ideal conditions for abuse. On top of that comes economic instability, which pushes even previously honest people toward rationalizing theft: "the company underpays me anyway", "I've done so much for them", "it's temporary, I'll pay it back".
In this article we will break down the psychological profile of a typical insider, compile a list of ten concrete behavioural signals that give away a disloyal employee, analyse the real categories of damage, and discuss why traditional detection methods (video surveillance, audits, tip-offs from colleagues) work poorly — and what you can do instead to spot the threat before it turns into a seven-figure number in the "losses" column.
In 1953, the American criminologist Donald Cressey conducted a series of interviews with prisoners who had committed embezzlement at work. The result was a concept taught today in every corporate-security course — the Fraud Triangle. Cressey demonstrated that for a decent, loyal person to become a fraudster, three factors must coincide at once: pressure, opportunity and rationalization. If even one corner of the triangle is missing, there will be no theft. If all three are present, it is only a matter of time.
Financial pressure is the most common trigger. According to the same ACFE, more than 40% of corporate fraudsters were under serious financial strain at the moment they committed the crime: a mortgage, a child in a fee-paying university, medical treatment for relatives, bank debts or — increasingly often — gambling addictions and crypto speculation that went off plan. The Ukrainian market of micro-loans and online casinos has played its part: a person who earned a salary and lived normally just a year ago may today hold a dozen micro-loans and be desperately looking for a way to "plug the hole".
The key point: pressure is almost never visible at work. Fraudsters conceal financial problems well. What's more, they often display the opposite — a deliberately successful appearance, new gadgets, a holiday "in Turkey" (paid for right after the first theft). This is a psychological compensatory mechanism: the person is trying to prove to themselves and to everyone around them that "everything is fine".
Opportunity is created by the company itself. The riskiest positions are not the very top executives (they are suspected less often, but also controlled more tightly through external audits). The riskiest are the "mid-level roles with full access": the chief accountant in a small business, the sole logistician, the warehouse supervisor, the "one-man-band" IT administrator, the tender-procurement manager. The longer a person sits in such a role without rotation and without an audit, the more they know about the gaps in the system and the easier it is for them to exploit those gaps.
Rationalization is the most interesting part. Very few people stand in front of the mirror in the morning and tell themselves "I am a thief". Instead, the brain builds an elaborate system of justifications. "I'm the only one who actually works, the rest are slacking — it's only fair that I take a little more." "The boss bought his wife an $80,000 car and cut my bonus — I'm just taking what's mine." "It's not theft, I'm planning to pay it back as soon as I clear my loan." The longer the scheme runs, the stronger the rationalization becomes — and the harder it is for the person to stop on their own.
The psychological profile of a typical insider looks like this: a man or woman aged 30–50, with the company for 3–7 years, holding a positive reputation, never missing work, considered "reliable" and "one of us". Often a person with inflated self-esteem who is convinced they are underappreciated. Often someone whose outward markers of success do not match their official income. And almost always a person who controls a certain unique process in the company and acts as its sole "keeper of knowledge".
None of these signals on its own proves that a person is a fraudster. But if you see three or four from this list in a single employee at the same time, that is grounds for a closer look. Not an accusation, not a dismissal, not a public suspicion. A look, precisely: to observe more carefully, to review the processes they are involved in, to hold a structured conversation.
Surely that's a good thing? A hard worker, what more could you want. The problem is that an honest employee who stays late or comes in on a Saturday usually does so against a deadline, and everyone knows about it. An insider, however, comes to work when no one else is in the office — to have uncontrolled access to documents, servers, the warehouse, the company seal. If a person systematically shows up on weekends "to work" but the result of that work is unclear, that is a signal.
One of the oldest and most reliable red flags in banking and insurance. An honest person wants to rest. A fraudster is afraid to leave their "patch" unsupervised — because during two weeks of absence someone else might start digging deeper into the documents and uncover the scheme. Many large Western companies strictly require key personnel to take a mandatory two consecutive weeks of leave precisely as a mechanism for detecting abuse.
A manager on a salary of 25,000 hryvnia buys a new car for half a million. An accountant suddenly starts flying to Bali twice a year. A logistician renovates an apartment clearly worth more than their entire annual salary. There is always an explanation: "an inheritance", "my wife started a business", "I sold my parents' summer house". Sometimes it's true. Often it isn't. The gap between official income and actual spending is one of the most accurate signals.
A paradox that often gives an insider away. The person regularly complains about the company, the bosses, the policies, the pay. They say they "would have left long ago if not for…". At the same time they have offers from competitors — and don't leave. Why? Because here they have a source of income parallel to their salary. Quitting would mean losing access to that source. In the normal case, a dissatisfied employee either changes their attitude or leaves. Someone who complains for years and never goes anywhere is suspicious.
"Why do we need all this bureaucracy, I'll get it done anyway." "Let me sign it, we'll record it later." "I don't have time to fill in these forms." Every bypassed procedure creates a "grey zone" that is later very hard to check. An honest employee usually insists on the opposite — clear documentation, because it protects them. An insider, by contrast, seeks to reduce the number of traces.
A procurement manager who lunches with a supplier's representative twice a week. An accountant who has a "family" relationship with the manager of the bank the payments run through. A logistician who knows all the drivers personally and calls them on weekends. Such contacts in themselves are normal. But when they become excessively close and go beyond work matters, it is worth checking whether there are "kickbacks" flowing back.
An internal or external audit is a routine procedure. An honest person may be annoyed that it takes up time, but on the whole treats it calmly. An insider reacts disproportionately: anxiety, aggression, attempts to restrict the auditors' access, documents that go "missing" exactly when they are needed, sudden sick leave on audit days. This is almost always a sign that the documents contain something the person very much does not want to show.
The person started with a narrow area. But over time they "helped colleagues", "covered for people", "picked things up" — and now control three or four related processes. This is a classic scheme: the more access is concentrated in one pair of hands, the easier it is to build a "sleight of hand" arrangement, where one part of the system offsets another and no one can see the full picture. If there is a person in the company without whom "nothing works", that is not a genius, it is a risk.
Related to flag #3, but deeper. Social media full of photos from expensive restaurants, sessions with a personal trainer, a child in a fee-paying school, a wife who doesn't work. Officially — an average salary. The question: where's the money from? Sometimes the answer is boring (a second business, family support). Sometimes it isn't. Checking this is easy: just look at public social-media activity and compare it with the income you know about.
Not to be confused with introverts who simply dislike company parties. This is about something else: the person deliberately keeps colleagues at a distance specifically on work matters. They don't share information, don't hand over knowledge, don't let anyone into their processes, and react nervously to "outside" questions about their area. This is the behaviour of someone who is hiding something, not merely someone who is shy.
When an owner hears the word "insider", the first thing that comes to mind is theft of cash or goods. In reality, modern internal fraud is far more varied and often inflicts damage that is hard to spot immediately in the cash register.
1. Direct theft of assets. The classic of the genre. Cash from the till, goods from the warehouse, fuel from the vehicles, tools from production, stationery and equipment from the office. In accounting, this can mean paying wages to "dead souls", double payment of the same invoice (the second time to one's own card), or the creation of fake counterparties. On average, such schemes "eat up" between 1% and 5% of a company's turnover and typically run for months before anyone notices.
2. Leaks of information and client bases. A sales manager who copies the entire CRM before resigning. A marketer who leaks the upcoming advertising strategy to a competitor. A developer who takes the code with them to their next company. In IT and consulting, this type of damage often exceeds all the others combined. The Ukrainian reality of 2024–2026 has added another layer — leaks of clients' personal data, which can lead to serious fines under GDPR and reputational collapse.
3. Corporate espionage and "selling loyalty". The hardest category to detect. The person works at your company, but effectively in a competitor's interests. They pass on information about tenders, pricing policy, development plans, key clients. Sometimes it's done for money, sometimes as preparation for a "soft" move a year or two later. The damage from a single such person in a key position can reach tens of percent of market share.
4. Reputational losses. The fraud goes public. Clients hurt by a data leak start complaining openly. The former employee accuses the company in return — "they set me up". Partners learn that your CRM is now in a competitor's hands. Any of these scenarios can cost the company far more than the direct theft itself. For brands built on trust (finance, medicine, education), a reputational blow often proves fatal.
5. Legal risks. An insider can use the company for their own criminal schemes — not only stealing from you, but also making you an accomplice. For example, an accountant who "creatively" optimizes taxes puts the director at risk. An IT administrator who installs unlicensed software creates exposure to an inspection. A manager who takes kickbacks formally acts on behalf of the company — and when the scheme is exposed, it is not only they personally who answer for it. The legal consequences of such situations are often untangled for years.
Most Ukrainian companies that think about protecting themselves from insider threats use three classic tools. All three have serious limitations.
Video surveillance. Cameras in the office, in the warehouse, in the cash zone. It seems like a cure-all — every step under control. But in reality, video surveillance provides a false sense of security. First, no one watches the footage in real time — it is reviewed only after an incident has already happened. Second, modern insider fraud is predominantly digital: money is transferred in the online banking system, data is copied to a USB stick or to the cloud, information is sent by messenger from a personal phone. The camera won't see that. Third, the insider knows where the cameras are and simply acts outside their field of view or at moments when they are not recording.
Internal and external audits. An effective tool — but with three big "buts". An audit uncovers schemes only after they are already running — on average 12–18 months later. That is, once the damage is already done. Second: an audit works with documents and figures. So it detects crude schemes well (fake counterparties, double payments) and subtle ones poorly (kickbacks, information leaks, corporate espionage). Third: an audit costs money, and small and medium businesses run one once a year or only on an ad-hoc basis — while an insider has time to do plenty of harm.
Complaints from colleagues and anonymous "hotlines". A classic of large corporations. It works — but with significant limitations. Colleagues often see that something is wrong. But they stay silent for various reasons: fear of retaliation, reluctance to "snitch", loyalty to a specific person, unwillingness to take on responsibility. Studies show that even in companies with a well-established whistleblowing system, more than half of insider schemes are uncovered not through colleagues but by accident — through a mistake by the fraudster themselves, through an external partner, through a bank that noticed a strange payment.
The shared flaw of all three methods is that they are reactive. They catch fraudsters who have already stolen. By that point the damage is done. A large company with a financial cushion can absorb it. In a small or medium business, one such case can bring the whole company's story to an end.
The logic of a preventive approach is simple: it is better not to catch a fraudster a year after they have stolen a million, but to detect disloyalty at the hiring stage or during a scheduled check — while there is no damage yet. This is exactly what the class of solutions known as behavioural verification exists for.
Behavioural verification is not an "interrogation" and not a search for the "truth" about specific facts. It is a structured check of a person's attitude toward the company's key risks: whether they are loyal to the employer, whether they already have a hidden conflict of interest, whether there were facts of past theft, whether they would consider passing information to competitors. Modern methods make it possible to identify a high level of risk with sufficient accuracy, without requiring the person to be physically present in a security office and without creating the traumatic experience of an "interrogation".
The StimulTest for business service is a Ukrainian behavioural-verification platform built on exactly this principle. The check is conducted online, takes a person about 30–40 minutes, and gives the employer a structured report on key risk profiles: loyalty, financial risks, propensity for abuse, the presence of hidden conflicts. You can read separately, in detail, about how the technology works.
The key advantage of the approach is that it scales. Checking one person once a year on a classic polygraph is expensive and complicated. Checking an entire team of 30 people in the background within a week is realistic. And it is precisely this kind of regular, inexpensive, calm check that gives a company what neither cameras nor audits provide: the proactive detection of risks before they turn into losses.
A mid-sized Ukrainian logistics company (a fleet of 18 vehicles, turnover of about 60 million UAH a year) turned to StimulTest after suspecting that fuel was "going missing". The starting point for the suspicions was a discrepancy between the standard and actual mileage of the vehicles of 8% over three consecutive months — in money terms, that came to about 90,000 UAH a month.
The owner could have taken the classic route: summon every driver and logistician for a "chat", install more GPS trackers, hire an external auditor. Instead, the decision was made to run a behavioural check on all 12 people involved in the operational process — drivers, dispatchers, the garage supervisor and the logistician. The check took a week.
The result: for 10 of the 12 employees the risk profile was within the norm — no hidden conflicts of interest, no signs of disloyalty, zero facts of theft. For two, there was an elevated risk in the "financial abuse" category, with signs of a long-standing systemic scheme. The owner did not dismiss these people right away — instead he held a structured conversation, tightened controls on specific areas, and gradually, over the course of a month, the scheme stopped working. One of the employees resigned voluntarily. The losses at the moment of detection were about 270,000 UAH per quarter, and grew no further after that.
This example shows the main thing: a behavioural check is not designed to "fire the guilty party". It is designed so that you know exactly where the risks in your team are — and manage them consciously rather than blindly.
Technology alone does not solve the problem. A camera, an audit, a behavioural check — these are tools. They only work in the right environment. That environment is called a security culture — and it is built not by the security department but by the owner and the managers.
The core principles that turn a company into an "inconvenient target" for an insider: segregation of duties (no single person should control the full cycle alone — from order to payment), mandatory vacations (a minimum of 14 consecutive days for everyone with financial access), regular rotation in key positions, transparent documentation of processes (so that no one is "irreplaceable"), clear access rules based on the principle of least necessary privilege, and predictable scheduled checks that everyone knows about.
A very important psychological point: a security culture must not turn into a culture of total suspicion. If employees feel they are constantly being "caught out", the result will be a mass loss of loyalty — and, paradoxically, a rise in insider threats. A proper culture looks different: "we have transparent rules, predictable checks, fair pay, and we trust people. But at the same time we don't create artificial temptations — and when something is wrong, we see it quickly."
For a small business, a good starting point is to introduce three things at once: segregation of financial authority (for example, payments above a certain amount require a second signature), a mandatory behavioural check of all candidates for key positions before hiring, and a scheduled re-check of existing staff once every 12–18 months. This minimal set closes 70–80% of typical insider scenarios and costs far less than a single average case of fraud.
Yes, provided the check is conducted voluntarily, with the person's written consent, within the limits allowed by Ukrainian labour law, and the data is processed in accordance with the personal-data protection law. StimulTest operates precisely within this legal framework.
Modern methods account for attempts to give socially desirable answers through a system of cross-questions and control scales. Fully "fooling" a structured test is difficult, especially when the point is not a single question but an overall behavioural profile.
Don't fire them right away. A test result is not proof of a committed act but grounds for a careful review of the processes the person is involved in, tighter controls and a structured conversation. Often the problem is resolved without ending the employment relationship.
The basic recommendation is every new employee in a key position before hiring, plus a scheduled re-check of existing staff once every 12–18 months. For high-risk positions (finance, procurement, IT administration) — more frequently.
The cost of behavioural verification through online services is an order of magnitude lower than a classic polygraph and is affordable even for a business with a team of 5–10 people. Exact terms and rates can be confirmed in the contacts section.
A single insider can cost a company a sum you spent years earning. A behavioural check costs thousands — and saves millions. Find out how StimulTest for business helps Ukrainian companies detect risks before they turn into losses.
More material on corporate security is available in the Security section and on the online polygraph homepage.
Screen your team for internal-fraud risk and expose a costly insider before the damage is done. Certified examiner, full confidentiality, online and in person. Leave a request — we reply within 15 minutes.