Jim Mazotas
In the News

The Fraud Your Security Stack Can't Detect: Inside an $8 Million Insider Scheme

Federal prosecutors in the Eastern District of New York have indicted Jordan Khammar, a former financial director at a multinational consulting and brand-management company, for allegedly stealing more than $8.2 million over nearly ten years.

The indictment details a systematic scheme: more than 300 fraudulent wire transfers, corporate funds rerouted into companies Khammar controlled, falsified ledger entries covering the trail, and stolen money funding personal business ventures, real estate purchases, and credit card bills.

It looks like a straightforward financial crime. But it reveals something more troubling: trusted insiders can exploit legitimate access far more easily than most organizations realize, and far more quietly than most security tools can detect.

The Real Insider Threat Most Companies Miss

Insider fraud doesn't look like a cyberattack. There's no malware. No external breach. No forced entry. The insider isn't breaking into the system. They're just using it the way they're supposed to.

Financial and operational employees, especially senior ones, sit at the center of business-critical processes. Their jobs require access to ERP systems, approving expenses, entering wire instructions, and adjusting account records. Moving money, reviewing transactions, and editing financial data is what they do every day.

This creates a dangerous paradox: the people with the most access to sensitive financial processes face the least scrutiny from security controls, because their routine activity is exactly the baseline those controls treat as normal.

Khammar's alleged scheme follows this pattern exactly. Every action he took looked like normal work from the outside. Logging into a finance portal. Initiating a transfer. Entering details. Reconciling accounts. The fraud existed inside the business process itself, not outside it.

This is where traditional security falls apart.

Why Security Tools Can't Catch Fraud Happening Inside Business Applications

Most companies run a standard security stack: DLP to monitor data movement, user activity monitoring to capture screens, UEBA to spot behavioral anomalies, and EDR to catch malware and endpoint compromise.

Each tool works well in its area. But insider financial fraud happens between these areas, buried inside normal business activity where none of these technologies can understand what's actually happening.

DLP stops sensitive documents from leaving the network, but it can't tell that a wire transfer entered into a banking portal is suspicious. Its policies match data on its way out, and a fraudulent wire moves money, not data. Nothing was exfiltrated. Nothing left.

User activity monitoring records screens, but passive recording doesn't reveal whether a field entry in a web-based ledger is legitimate or fraudulent. Without context, it's just surveillance, not detection.

UEBA flags unusual patterns, but a financial director entering a wire transfer at 11:15 AM on a Tuesday doesn't trigger alarms. Judged on the logon, application and access events UEBA is typically fed, it matches their job description perfectly.

EDR defends against malicious code and compromised endpoints. Insider fraud done by a legitimate person, through legitimate applications, with legitimate credentials, doesn't exist in EDR's threat model.

Fraud persists for years because the tools designed to defend companies aren't built to understand the business logic behind insider behavior.

This type of fraud doesn't hide in dark corners of the network. It hides in the everyday use of trusted tools.

When Security Controls Exist But Miss the Context

Standards, regulations, and frameworks like ISO 27001, SOX, and COSO prescribe strong controls for financial integrity, access management, and risk monitoring. But these controls rely heavily on periodic reviews, segregation of duties, and human oversight.

When a senior insider understands the controls as well as (or better than) the organization does, those guardrails can be quietly bypassed. A segregation-of-duties control only works if the duties are actually separated: when one person can initiate a payment and also adjust the ledger entry that should have exposed it, the review checks the fraud against records the fraudster wrote.

Internal audits eventually find discrepancies. But by then, the money is gone, the trail is cold, and years of suspicious activity have blended into the background.

The Khammar case shows us that governance provides structure, not visibility.

What's missing is the ability to see user intent inside business workflows, not just the outcomes that show up in logs or ledgers after the fact.
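The gap between a periodic review and a continuous control can be shown concretely. What follows is an added example written for this article, not InnerActiv's product code and not anything taken from the indictment: three segregation-of-duties and ledger-correlation rules run over a small set of constructed wire, vendor-master and journal records. The record fields, user names, amounts and time windows are assumptions chosen for illustration.

```python
"""Added example (not InnerActiv's code, not case data): continuous
segregation-of-duties and ledger-correlation checks over constructed
wire-transfer, vendor-master and journal records.  Field names, user
names and time windows are assumptions for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (hypothetical; not from any real system).
WIRES = [
    {"id": "W1", "initiated_by": "fin_dir", "approved_by": "cfo",     "vendor": "V100", "amount": 12500.0, "ts": "2024-03-05T11:15:00"},
    {"id": "W2", "initiated_by": "fin_dir", "approved_by": "fin_dir", "vendor": "V200", "amount": 48200.0, "ts": "2024-03-06T10:02:00"},
    {"id": "W3", "initiated_by": "ap_clerk", "approved_by": "fin_dir", "vendor": "V100", "amount": 3100.0, "ts": "2024-03-07T09:40:00"},
    {"id": "W4", "initiated_by": "fin_dir", "approved_by": "cfo",     "vendor": "V300", "amount": 48200.0, "ts": "2024-03-20T14:30:00"},
]
VENDOR_CHANGES = [  # edits to the vendor master: who changed which field, and when
    {"vendor": "V200", "changed_by": "fin_dir",  "field": "bank_account", "ts": "2024-03-04T16:50:00"},
    {"vendor": "V300", "changed_by": "ap_clerk", "field": "bank_account", "ts": "2023-11-01T09:00:00"},
]
JOURNAL = [  # manual adjusting entries posted to the ledger
    {"posted_by": "fin_dir",    "amount": 48200.0, "account": "consulting_expense", "ts": "2024-03-06T17:45:00"},
    {"posted_by": "controller", "amount": 900.0,   "account": "office_supplies",    "ts": "2024-03-08T12:00:00"},
]


def parse(ts):
    return datetime.fromisoformat(ts)


def sod_violations(wires):
    """Rule 1: the same identity both initiated and approved the wire."""
    return [w["id"] for w in wires if w["initiated_by"] == w["approved_by"]]


def vendor_change_then_wire(wires, changes, window=timedelta(days=7)):
    """Rule 2: the initiator changed the payee's bank details shortly before paying it."""
    hits = []
    for w in wires:
        for c in changes:
            gap = parse(w["ts"]) - parse(c["ts"])
            if (c["vendor"] == w["vendor"] and c["changed_by"] == w["initiated_by"]
                    and c["field"] == "bank_account" and timedelta(0) <= gap <= window):
                hits.append(w["id"])
    return hits


def wire_reconciled_by_initiator(wires, journal, window=timedelta(days=3)):
    """Rule 3: the initiator posted a manual journal entry for the same amount soon after."""
    hits = []
    for w in wires:
        for j in journal:
            gap = parse(j["ts"]) - parse(w["ts"])
            if (j["posted_by"] == w["initiated_by"] and abs(j["amount"] - w["amount"]) < 0.01
                    and timedelta(0) <= gap <= window):
                hits.append(w["id"])
    return hits


def run_checks(wires=WIRES, changes=VENDOR_CHANGES, journal=JOURNAL):
    """Map each wire id to the list of rules it tripped; wires with no findings are omitted."""
    findings = defaultdict(list)
    for wid in sod_violations(wires):
        findings[wid].append("initiator_approved_own_wire")
    for wid in vendor_change_then_wire(wires, changes):
        findings[wid].append("bank_details_changed_by_initiator_before_wire")
    for wid in wire_reconciled_by_initiator(wires, journal):
        findings[wid].append("initiator_posted_matching_manual_journal")
    return dict(findings)


if __name__ == "__main__":
    for wid, reasons in run_checks().items():
        print(wid, reasons)
```

Each rule on its own is weak and will fire on legitimate work. The point of the example is correlation: a wire that trips all three the same week is worth a human look that week, not at the next audit cycle, and the check runs on ledger data the organization already has.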

How to Actually See What Insiders Are Doing

A different approach is needed, one based on behavioral intelligence, on-screen context, and machine learning.

InnerActiv analyzes how users interact with systems, not just what data they move. It observes screen-level behavior, application sequences, and the subtle patterns within workflows that reveal when a trusted insider starts manipulating systems in unusual ways.

InnerActiv's machine learning models build a baseline of normal usage patterns:

  • How users typically enter financial information
  • How long actions usually take
  • Which systems are used together
  • Which fields get populated and in what order
  • What normal transaction flows look like over time

This lets InnerActiv recognize subtle but critical deviations:

  • Wire instructions typed in an unfamiliar sequence
  • Unusual monetary values or repetitive adjustments
  • Changes to fields a user typically doesn't touch
  • Activity that looks normal to the system but abnormal for that specific person
  • Transactions happening at odd times or paired with unrelated system use

Even inside proprietary or web-based financial applications where API access is limited and application events are never written to a log, InnerActiv interprets how the user interacts with the interface itself.
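How a per-user baseline turns the deviations listed above into something a reviewer can act on can be shown with a small model. This is an added example written for this article, not InnerActiv's code or models: it builds a profile for one hypothetical user from a constructed set of wire-entry sessions (field order, duration, amount, hour of day are assumed session fields), then scores a new session against that profile using plain z-scores and frequency thresholds rather than any learned model.

```python
"""Added example (not InnerActiv's code): a per-user behavioural baseline
over constructed screen-interaction sessions, scored for the deviations
described in the text.  Session fields and thresholds are assumptions."""
from collections import Counter
from statistics import mean, pstdev

# Constructed baseline: six wire-entry sessions for one hypothetical user.
BASELINE = [
    {"fields": ["payee", "account", "amount", "memo"], "duration_s": 95,  "amount": 12000.0, "hour": 10},
    {"fields": ["payee", "account", "amount", "memo"], "duration_s": 110, "amount": 8500.0,  "hour": 11},
    {"fields": ["payee", "account", "amount", "memo"], "duration_s": 88,  "amount": 15200.0, "hour": 14},
    {"fields": ["payee", "account", "amount"],         "duration_s": 70,  "amount": 9900.0,  "hour": 11},
    {"fields": ["payee", "account", "amount", "memo"], "duration_s": 102, "amount": 11000.0, "hour": 15},
    {"fields": ["payee", "account", "amount", "memo"], "duration_s": 97,  "amount": 13400.0, "hour": 10},
]


def build_profile(sessions):
    """Summarise how this user normally fills the form: which field orders they use,
    how often each field is touched, typical amount and duration, and working hours."""
    n = len(sessions)
    amounts = [s["amount"] for s in sessions]
    durations = [s["duration_s"] for s in sessions]
    return {
        "orders": Counter(tuple(s["fields"]) for s in sessions),
        "field_freq": {f: c / n for f, c in Counter(f for s in sessions for f in s["fields"]).items()},
        "amount_mean": mean(amounts), "amount_sd": pstdev(amounts),
        "dur_mean": mean(durations), "dur_sd": pstdev(durations),
        "hours": Counter(s["hour"] for s in sessions),
    }


def score_session(profile, s, z=3.0, rare=0.2):
    """Return deviation labels for a new session; an empty list means it looks like this user."""
    flags = []
    if tuple(s["fields"]) not in profile["orders"]:          # fields typed in an unfamiliar sequence
        flags.append("unfamiliar_field_sequence")
    if abs(s["amount"] - profile["amount_mean"]) > z * profile["amount_sd"]:  # unusual value
        flags.append("unusual_amount")
    for f in s["fields"]:                                    # fields this user rarely or never touches
        if profile["field_freq"].get(f, 0.0) < rare:
            flags.append(f"rarely_touched_field:{f}")
    if abs(s["duration_s"] - profile["dur_mean"]) > z * profile["dur_sd"]:  # far faster/slower than usual
        flags.append("unusual_duration")
    if profile["hours"].get(s["hour"], 0) == 0:              # an hour this user has never worked in
        flags.append("unusual_hour")
    return flags


if __name__ == "__main__":
    profile = build_profile(BASELINE)
    normal = {"fields": ["payee", "account", "amount", "memo"], "duration_s": 100, "amount": 12500.0, "hour": 11}
    odd = {"fields": ["amount", "payee", "account", "override_code"], "duration_s": 40, "amount": 48200.0, "hour": 19}
    print("normal:", score_session(profile, normal))
    print("odd:   ", score_session(profile, odd))
```

The second session would pass an organization-wide rule (a finance user entering a wire during business hours) but fails on every axis of this one person's own baseline. That per-person comparison is the whole difference from the coarse, fleet-wide anomaly scoring described earlier.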

This goes beyond keystrokes. Beyond logs. Beyond what DLP, UEBA, or user activity monitoring can figure out.

It's visibility into the intent behind the action.

Catching the Moment Trust Turns Into Theft

The Jordan Khammar indictment isn't just a fraud case. It's a case study in how insider misuse thrives when visibility stops at the edge of the application window.

Organizations don't need more logs, more alerts, or more periodic audits. They need a way to see what their trusted insiders are actually doing in the applications where financial truth gets created, changed, and manipulated.

InnerActiv provides that missing layer. By combining screen behavior analysis, contextual analytics, and machine learning, it exposes the early warning signs that come before fraud, long before a ledger discrepancy appears, before an audit raises concerns, and before millions quietly vanish.

Because here's the truth: every insider has the power to create risk. The real question is whether you can see the moment that power becomes misuse.
