Lessons from a Tesla Employee on How Easy It Is to Steal $9.3 Million from Your Employer
Can It Really Be That Easy?
Yes, it can. This became all too clear in late 2018, when a former Tesla employee was indicted for embezzling $9.3 million by impersonating one of its vendors.
This employee, Salil Parulekar, was part of Tesla’s global supply management group. During his tenure, his role entailed overseeing the company’s relationship with certain suppliers of various parts and services.
In this capacity, Mr. Parulekar became familiar with the individual vendors, the specifics of the business relationships in place, and the different representatives of each. He leveraged this knowledge to steal the identity of one supplier's representative and to easily dupe Tesla accounting personnel into replacing the bank account information of an active supplier with that of an inactive one, diverting payments away from the intended recipient.
Furthermore, he created fake invoices and falsified accounts payable documents in his attempt to cover up his activities.
Ultimately, Mr. Parulekar was caught and subsequently charged with nine counts of wire fraud and one count of aggravated identity theft.
Nevertheless, the ease with which he managed to divert almost ten million dollars away from the car maker should be disconcerting to any and every employer.
To Err Is Human
The Tesla case brings to the fore once again how easy it is for insiders/employees to manipulate colleagues into executing fraud on their behalf.
This fact is reflected in some staggering numbers:
- 95% of all security breaches involve human error
- 81% of companies affected by fraud reported insider perpetrators
- The average annual cost of an insider threat is $8.76 million
- It takes 73 days on average to contain an insider-driven incident
Accordingly, it is incumbent upon every organization to make sure it is properly addressing the risk of human vulnerability.
As we have seen, insiders are very adept at avoiding suspicion when engaging with other employees, and at convincing them to inadvertently execute fraudulent transactions.
4 Key Takeaways
Among the key takeaways that organizations would be well-served to consider are:
- Trust no one and validate vendor data using external (vs. internal) resources.
Even the most trusted insiders can wind up being the source of a fraud attempt. Because documents can easily be falsified (especially by insiders familiar with the organization, its employees' behaviors, and its processes), any change to the vendor master file must be cross-checked with independent external sources. Just because we receive a document or request from a party claiming to be a supplier, we cannot assume that this is the case.
- Human beings (even the most well-intentioned among us) are the weakest link in the security chain.
While best practices and sound processes are a must, almost all of them rely on human judgement. And, as we have seen, fraudsters are very adept at manipulating people into wrongdoing (unbeknownst to them). This is why organizations must implement a technology-based solution that eliminates reliance on the judgement of employees.
- Continuously monitor vendor data.
Such monitoring must be executed in real time using a system that is impenetrable to both outsiders and insiders, and which bypasses the most commonly exploited payments fraud vulnerabilities, i.e. unsuspecting personnel. Reviewing audit logs is not enough as these processes can easily be manipulated.
- Use more than one means for validating vendor data.
Any change to the vendor master file must be reviewed by more than one person.
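As an added illustration of the four takeaways above (this is example code, not code from the original post or from nsKnox), the following Python script reviews vendor master file change requests: it requires a second approver distinct from the requester, cross-checks the new bank account against an independently confirmed source, and flags any account that is already on file for a different vendor, which is the active-to-inactive swap pattern in the Tesla case. All vendor ids, names, account numbers, user ids and the EXTERNAL_REGISTRY lookup are constructed stand-ins; in practice the external source would be an out-of-band confirmation with the vendor or a bank account ownership verification service.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Vendor:
    vendor_id: str
    name: str
    status: str          # "active" or "inactive"
    bank_account: str    # account currently on file in the vendor master


@dataclass
class ChangeRequest:
    request_id: str
    vendor_id: str
    new_bank_account: str
    requested_by: str
    approved_by: Optional[str]   # None until a second person has signed off


# Constructed sample vendor master (hypothetical ids, names and accounts).
VENDORS: List[Vendor] = [
    Vendor("V100", "Acme Parts", "active", "ACC-1111"),
    Vendor("V200", "Old Supply Co", "inactive", "ACC-2222"),
    Vendor("V300", "Delta Services", "active", "ACC-3333"),
]

# Constructed stand-in for an independent external source: the account each
# vendor has confirmed through a channel the requester does not control.
EXTERNAL_REGISTRY: Dict[str, str] = {
    "Acme Parts": "ACC-1111",
    "Old Supply Co": "ACC-2222",
    "Delta Services": "ACC-3344",   # legitimately changed and confirmed out of band
}

# Constructed change requests (hypothetical user ids).
CHANGES: List[ChangeRequest] = [
    # Active vendor's account replaced with an inactive vendor's account,
    # requested and "approved" by the same person.
    ChangeRequest("CR-1", "V100", "ACC-2222", "emp_a", "emp_a"),
    # Legitimate change: distinct approver, matches the external confirmation.
    ChangeRequest("CR-2", "V300", "ACC-3344", "emp_b", "emp_c"),
    # No second approver and no external confirmation for the new account.
    ChangeRequest("CR-3", "V100", "ACC-9999", "emp_b", None),
]


def review_change(change: ChangeRequest, vendors: List[Vendor],
                  registry: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the change passed all checks."""
    findings: List[str] = []
    by_id = {v.vendor_id: v for v in vendors}
    target = by_id.get(change.vendor_id)
    if target is None:
        return [f"unknown vendor {change.vendor_id}"]

    # Takeaway 4: more than one person must review every vendor master change.
    if change.approved_by is None or change.approved_by == change.requested_by:
        findings.append(
            f"dual-control: approver missing or same as requester ({change.requested_by})")

    # Takeaway 1: validate against an external source, not the submitted document.
    expected = registry.get(target.name)
    if expected is None:
        findings.append("external check: no independent confirmation on file")
    elif expected != change.new_bank_account:
        findings.append(
            f"external check: {change.new_bank_account} does not match "
            f"independently confirmed account {expected}")

    # Takeaway 3: monitor the data itself; an account already on file for
    # another vendor (active or inactive) is the swap pattern in the Tesla case.
    for other in vendors:
        if other.vendor_id != target.vendor_id and other.bank_account == change.new_bank_account:
            findings.append(
                f"reuse: account {change.new_bank_account} is already on file "
                f"for vendor {other.vendor_id} ({other.status})")
    return findings


def review_all(changes: List[ChangeRequest], vendors: List[Vendor],
               registry: Dict[str, str]) -> Dict[str, List[str]]:
    """Review every pending change; only requests with no findings may be applied."""
    return {c.request_id: review_change(c, vendors, registry) for c in changes}


if __name__ == "__main__":
    for request_id, findings in review_all(CHANGES, VENDORS, EXTERNAL_REGISTRY).items():
        verdict = "OK" if not findings else "HOLD"
        print(f"{request_id}: {verdict}")
        for f in findings:
            print(f"    - {f}")
```

The review runs before the change is written to the vendor master, so a request with any finding is held rather than applied; the point of the external registry check is that the new account is compared with something the requester could not have produced themselves, which is what defeats a falsified change form.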
How nsKnox Can Help
This is exactly what nsKnox does. Our solutions enable organizations to enforce the segregation of duties and to quickly validate the accuracy of data provided by vendors, by comparing it with a reliable, external source of information.
Our technology continuously monitors vendor data and eliminates the need to rely solely on human judgement. nsKnox protects employees against social engineering attempts and cyber attacks, protects the organization against insider fraud, and protects the organization's customers from being manipulated into transferring funds to a fraudulent account rather than the one that belongs to the organization.