Employees behaving badly – ten signs (s)he’s just not into you

There are many computer behaviors which, in a certain light, might suggest that an employee is skimming the accounts, paying bribes, pushing deals to friends or relatives, or planning to steal company IP to compete with them. A lot of these tell-tale signs involve the employee’s behavior on the computer or mobile devices they interact with in the workplace. And in most cases, these can be investigated forensically to understand the facts and uncover potential areas of employees behaving badly.

Here are some examples showing computer behavior that commonly come up in computer investigations in which I have been involved.

1. Love letters. That made you pay attention, didn’t it? But actually what we are referring to is a data analytics tool whereby you look at all the communications between the employee and different email domains, or instant messenger applications. Where there is an irregular amount of correspondence at certain times between certain people this begs the question – why? If an employee is having a large amount of correspondence with personal email domains such as Gmail or Yahoo, the question is why is the other party not using a work email address? Often there can be an innocent reason. The same applies to internal communications. If an employee is dealing very frequently with a colleague in the company with whom there is no reason for them to do so, this might highlight an improper relation.
2. The obsessive. It is often said a serial killer has the same thought patterns again and again. A person who has something to hide may go through similar repetitive actions. This might be frequent file transfer, evidence of frequent backing up, deletion or cleansing of files or caches. Got something to hide, Joe?
3. Private browsing. If someone is doing bank transfers or dealing with personal affairs there might be a good reason to use one of the many incognito browsers. But if there is a blanket use of such browsers at all times, it begs the question, why would they never want to have a history trail? While sometimes innocent, this might point to some desire to hide behaviors, or access to previous webmail conversations off the company email.
4. Pillow talk. Late night communication flows outside of common working hours in the jurisdiction an employee works may have a legitimate business for an international business, but in certain businesses it may still be unusual. Also, if you were examining the hard drive of a photocopier, do you think it is more interesting what was printed at 3 p.m. or 3 a.m.? I thought so.
5. Words mean what we want them to mean. Statistical studies have demonstrated that the words we use when we are engaging in nefarious activities can be codes for certain types of behavior. While it is commonplace that people do not talk about committing fraud on email, in the investigative profession an accounting “write off” may require more scrutiny. Also, if someone says that something “doesn’t make sense” or that something “sounds reasonable” this could suggest that one party is trying to convince another over email.
6. No-trace. Then you get the perfectionist, who likes to install wiping programs. Is there a reason why they need to delete files so thoroughly that they can never be retrieved? What reason would that be? A computer is like a tea strainer: something is always left behind. In most cases, even in the modern era of solid-state computing, the fact that you installed and then uninstalled a deletion software stays on long after the data you actually deleted. So unless an employee has a good reason for installing such a program, it could indicate risky behavior.
7. Leave the back door open. On the subject of ‘unauthorised’ proxys and VPNs, a VPN can provide a tunnel into a network, which also enables others to tap into your network. Can you eliminate the chance that the employee is not the one to blame, but is merely an innocent or negligent actor who has let in a hacker or cyber-criminal through some phishing or password vulnerability?
8. That synching feeling. Even people who are very careful will find themselves unwittingly plugging their phone into a laptop and clicking “yes” to trust the computer, thinking little about the fact the computer is backing up the files and photos automatically. Which takes us to…
9. Pokémon Go. Not really the new game, but the whole phenomenon of geo-location tagging. A photo that shows an employee was in a location they were not meant to be in at a certain time can be the tip of the iceberg for an investigation. Also, when geo-tagging establishes a pattern of behavior, it can be powerful evidence. Like the photo of the huge pile of cash geo-tagged at the employee’s house location. If he didn’t win the lottery how could someone on his salary have so much? And why was it at his house?
10. The enemy without. USB or external hard drives – most computers log previously connected devices, and if these are company property or on company property they could often be searched in an investigation.
    There may be legitimate reasons to use external devices – i.e., for presentations or demonstrations. But if an employee is constantly accessing them, this begs the question why the files could not be left on the work computer or network.

As Sherlock is oft quoted for saying in A Scandal in Bohemia: “It is a capital mistake to theorize in advance of the facts.” When dealing with employee behavior, evidence can be uncovered by a qualified forensic technology expert, coupled with experienced document reviewers who are experienced in spotting these contexts and patterns within groups of documents and assisting legal teams in uncovering implications of employee behavior.