98% of your employees are assets to the business. 2% are liabilities.
The sad truth is that some employees can’t be trusted. They are thieves. They steal money from the hand that feeds them, the same hand that feeds the rest of us. In the casino industry it’s well known by seasoned surveillance veterans that the gaming floor is a candy store for employees with larceny in their heart.
Internal theft is a bit of a touchy subject amongst casino executives and public relations managers and is often kept on the down-low for various reasons.
In my opinion those reasons and the decrease in sharing the details of large casino scams, especially those involving employees, are the reason we have become more vulnerable to sophisticated organized criminal groups and bad actors. As an industry we are heading into a security black hole. Our reluctance to share information works in the favor of criminals. They see our security by obscurity and keep-your-mouth-shut philosophy as a weakness that they can exploit; that in turn puts a target on the rest of the industry.
If we are serious about keeping organized criminal activity out of the casino industry we need to come together as a group and devise a strategy to fight collusion and new age technology threats. In particular we have to address what all fraud experts are saying is an alarming global trend in fraud - the insider threat.
Let’s start by examining why brick and mortar casinos are so vulnerable to internal fraud and insider threats. Why do I think the insider threat is on the increase? What exactly is an insider threat? What does the casino industry need to do to reduce the risk of insider threats?
The Gaming Floor is a Candy Store
Casinos are unique places of business. They’re like huge money exchanges but with alcohol and a lot more excitement. They are colorful funhouses where humans and machines are played under the premise that they will both end the day with more cash than they started with.
Customers come with cash, the casino gives them an IOU in the form of plastic chips or paper tickets and they play games with “funny money” until they’ve had enough. If they’re lucky they may have enough funny money left to redeem for cash. No receipts. No questions. What happens in the casino stays in the casino or at least for 7 days, depending on how long the surveillance video is kept.
Cash is king in casinos and it flows freely and swiftly back and forth between the hands of customers and employees. We encourage our employees to maintain a brisk game pace and to conduct transactions quickly. Time and motion is a pillar of profitability in the gaming business. The more gambling transactions, the more money we make.
The problem is there are so many transactions that we can’t watch and check each one. We are a high-volume, fast-paced bank that doesn’t give out receipts. The more transactions that are not being verified, the more opportunities there are for internal fraud and collusion between dealers and players.
Over the last 25 years I estimate over 90% of money cheated from casinos has involved a crooked employee. To put that in perspective that’s close to a billion dollars. Casinos have become more susceptible to internal fraud and collusion scams because of three main factors:
Factor 1: Reduced Supervisor Levels on the Floor
For reasons ranging from management’s desire to reduce labor costs to simply not being able to find enough people to fill supervisory positions, the effects of removing an important layer of security presence on the floor has increased the opportunities for dealers to steal or conspire with players to cheat the games. This is more prominent in large casinos.
In smaller casinos in Europe and South America it is not uncommon to see one supervisor for each table. In larger Las Vegas-style casinos it is more common to see one supervisor for 4-8 tables.
When the mega-casinos opened in Asia in the early part of the century they were modeled after Vegas casinos but super-sized. Instead of 100 table games they built them with 300-800 table games. Those casinos suffered some of the biggest cheating losses in history from collusion scams between players and dealers.
A major contributing factor that enabled these monster scams was the inadequate supervisor to table ratios coupled with the lack of game protection experience with the supervisors they did have. There simply was not enough seasoned game protection expertise looking over the shoulders of dealers of high-volume, high limit games.
Regardless of the reason management should acknowledge that the higher the supervisor to table ratio is, the higher the risk. One supervisor simply cannot be as effective from a game protection perspective. With less experienced and protection savvy personnel in the pit we weaken overall game protection of the games by taking away a simple principle of fraud detection - trust but verify.
Factor 2: Lack of Enforcement of Critical Procedures
Reduced supervision and lack of procedure enforcement go together like peas and carrots. Casino gaming floors once hung their game protection hat on a strict diet of battle-proven procedures and military-like adherence to the rules. As can be attested by monthly surveillance-generated procedural violation reports, strict adherence to the procedures diet doesn’t seem to be working.
When analyzing most of the industry’s major casino scams involving dealer-player collusion, there is usually a breach of a process or procedure that enabled the scam. In defense of gaming supervisors tasked with enforcing procedures, often they simply haven’t been told why adherence to a specific procedure is vital.
With their overloaded work responsibilities this knowledge could help prioritize their supervisory duties in a more effective and risk-based manner. Managers and supervisors should understand and be able to clearly articulate the risk involved to dealers of not adhering to certain procedures and processes.
Let’s take the most exploited process on the casino floor in terms of player-dealer collusion scams - the transfer of the 8 decks of cards in a baccarat game from wherever it came from to the shoe. Not supervising and verifying this process has cost casinos hundreds of millions of dollars over the years by crooked dealers who conducted false shuffles or assisted players with obtaining inside information of cards and sequences before they were dealt during this process.
The reason so much money has been cheated is twofold: no one was supervising the process and a critical procedure was breached. Yet casinos continue to neglect supervising this high-risk process. Supervisors are encouraged to check other games and service other customers during this process. Maybe if a gaming risk assessment was conducted by management that considered the financial impact of past indiscretions, the tasks and responsibilities of floor supervisors might be prioritized differently.
Factor 3. The Fraud Triangle
In 1953 criminologist Donald Cressey published a model called the “fraud triangle.” The fraud triangle outlines the three conditions that lead to higher instances of occupational fraud: motivation, opportunity and rationalization. This model is relevant in understanding why employees become motivated to steal from their employer and can help assist with developing protection strategies. The fraud triangle basically asserts that employees need three things to happen before they would consider stealing from their employer:
Motivation: pressure, financial problems or addiction.
Opportunity: perceived opportunity to steal with a low amount of risk.
Rationalization: in the employee’s mind committing the theft is acceptable.
Motivation and opportunity is often present in the casino industry. There’s not much we can do about an employee’s motivation except to pay and treat them fairly. However, as managers and business stakeholders we can play a major role in reducing an employee’s perceived opportunity to commit fraud by implementing and enforcing strict controls, processes and procedures.
In casinos, due to the large volume of cash transactions, we appropriately and wisely add extra layers of security in the form of surveillance and supervision. If employees perceive they will get caught and have to face consequences they tend to drop the idea or at least think twice about it.
Even if an employee is motivated and has a perception there is an opportunity, they usually don’t steal from their employer. To become rogue they need to progress into the final stage of the triangle - being able to rationalize committing a crime in their own mind.
The rationalization stage requires fraudsters to justify fraud as acceptable. Most people are not criminals. Employees who commit fraud do not see themselves as criminals. They can explain, at least to themselves, why they did what they did. Common excuses from employee thieves are “they treated me wrong,” “upper management is doing it as well,” “our company makes so much money, they won’t miss it” and “there is no other way.”
In the casino industry the components of the fraud triangle are always present. There is a huge disparity between the “haves” of wealthy players and tailored suit executives and the “have-nots” of the minimum wage earning staff that serve them.
Fraud Triangle Turning into a Square
In 2004 David T. Wolfe and Dana R Hermanson presented a paper, The Fraud Diamond: Considering the Four Elements of Fraud, to the CPA journal with a theory that the fraud triangle could be expanded into a fraud diamond. One other component could be added to the original three - capability. Capability is having the necessary traits and abilities to pull it off.
Wolfe and Hermanson had investigated fraud cases for 15 years and found that there were three key elements in the majority of cases involving large sums of money.
1."Often a person’s position or function within an organization can allow them to create or exploit an opportunity for fraud not available to others.”
2 . "The right person for a fraud is smart enough to understand and exploit internal control weaknesses and to use position, function, or authorized access to the greatest advantage. Many of today’s largest frauds are committed by intelligent, experienced, creative people, with a solid grasp of company controls and vulnerabilities."
3. "The right person has a strong ego and great confidence that he will not be detected or the person believes that he could easily talk himself out of trouble if caught."
This is what we’re starting to see more of now. People in positions of authority with access to technology tools and knowledge that can facilitate scams easily and quickly.
I believe technological advancements and the continual evolution of the gaming floor will provide more opportunities for fraud and collusion between casino staff and outside agents. Smart guys will outnumber “wise guys.” Bad actors on the inside, with privileged information into the inner workings of the operation, are gaining the authority and autonomy to access assets unchecked. Bad actors on the outside are gaining intelligence on employees through open source investigation on the internet (OSINT) to connect, con, exploit and target aiders and abettors. The internet has become a sort of eHarmony hookup for bad actors.
In 2023 the security vulnerabilities of casinos were exposed to the world through a series of high profile ransomware attacks and cage heists that employed sophisticated social engineering techniques. All were facilitated by employees who were “tricked” by smart outsiders who had inside information and were able to target unsuspecting employees and exploit their lack of awareness and training.
Since COVID I’ve noticed an increase in fraud around the world in all industries. I think about the fraud diamond and how employees have become more motivated and empowered to steal from their employers.
The events of last year somewhat shifted my thinking on the casino insider threat. Over the years I’ve viewed employee theft as malicious. A thief is a thief! Now I see a digital world that enables fraud and enlists not only motivated criminals but unsuspecting accomplices with the push of a button.
Fighting Fraud with Fraud Fighters
To address the insider threat casinos need a different approach. A more aggressive approach. This starts with forming a specialized team of fraud experts. Not part-timers from other asset protection departments who take on a hybrid role but actual full-time dedicated fraud experts.
The organization chart is the window to the organization’s soul. A dedicated team on the org chart shows commitment to stake holders of doing everything they can do to maximize profits and to reduce the risk of internal fraud. And it would send a deterrent message to employees that the chances of successfully committing fraud and getting away with it are low. The fraud team's authority and presence would be seen as an ever-present caution to employees considering fraud.
The fraud team’s mission would be to deter, reduce the risk and to investigate internal fraud. Priority would be given to proactive deterrence and risk reduction. This can be achieved by reducing the opportunity for fraud and developing checks and balances for people with higher capabilities of committing fraud.
A key to success is providing fraud training and awareness to all staff, both during onboarding and ongoing. For example, all staff will be given social engineering training along with the latest methods hackers are using to get employees to help them infiltrate internal systems. Customized fraud recognition and protection training would be conducted by the team for all employees who are responsible for detecting fraud i.e., dealers, supervisors and managers.
The fraud team would be responsible for conducting internal policy, process and procedure risk assessments with the objective of recommending improvements and suggestions based on the latest and best industry practices. They will conduct fraud research and present their findings to senior executives and department heads.
The fraud team would work with law enforcement agencies and other casinos to obtain the latest intel on casino specific fraud and scams. They will work with internal departments like security, surveillance and revenue audit to conduct investigations.The fraud team would set up a whistleblower hotline. Intel and tips would be investigated and acted on immediately.
Above all else the fraud team will be proactive in staying informed on the latest threats to casinos, especially those involving technology. The fraud team will report any new threats to senior management and give regular presentations and updates on best practices against fraud in the casino industry.
The ultimate goal of the casino fraud team - ensuring 100% of employees are assets to the business and 0% are liabilities.