How to detect an employee accepting kickbacks using DLP?

Can you identify a person who accepts kickbacks without DLP? How are kickbacks and being keen on poker related? What communication channels do corrupt officials use? Do they have their own slang? We share our real experience of finding those who like illegal methods.

To begin with:

Habitat identification

Two categories of employees who appear to be guilty of kickbacks most often — those who spend money and those who bring it. Thus, the following positions should be monitored:
• technology supply department;
• sales department;
• accounting department;
• managers of any level (top management, heads of regional divisions, heads of

Download and configure policies

After installing the system, users of SearchInform DLP system can benefit from preset security policies. They need to be imported into AlertCenter and configured for your own tasks. To search for corrupt officials, the policies “Kickbacks”, “Theft and fraud”, “Discussion of salaries” are suitable.

Most of the security policies for identifying those who accept kickbacks are based on content analysis of their correspondence in instant messengers and private mailboxes. You can set up various types of search for them — by dictionaries, phrases, complex queries.

Search by dictionaries allows you to find conversations and documents on a specific topic. Over the years of working with clients, we have collected dozens of preconfigured dictionaries on various topics. For example, in the “Kickbacks” dictionary there are many options for describing a bribe: “fee”, “transfer”, “pocket”, etc. This is effective, because employees involved in kickbacks describe dark affairs in their correspondence with words not indicating directly but only implicating the meaning which should be hidden.

Dictionaries can be edited — remove unnecessary words and substitute other ones for them taking into account regional characteristics and professional slang. This will narrow down your search and insure you against possible false positives made by the system.


For instance, our client from the metallurgical industry shortly after the launch of SearchInform DLP received a lot of alerts for the word “coke”, which was included in the “Drugs” dictionary. It turned out that metallurgists use it in the harmless meaning of “coca-cola” as it was someone’s birthday and they planned the bar and snacks for after-hours celebration. The alert was put out.

Search by phrases is useful for searching complex queries. For greater accuracy, select the options “use synonyms”, “search with morphology” (to take into account word forms) and “search for a phrase” (you can choose the number of intermediate words), while unchecking the “take into account word order” checkbox.

Now you can use complex queries — “personal pronoun + significant word”, “significant word + companion word”, “verb + significant word”:

• my interest;
• your percentage;
• give a bribe;
• hush money;
• tender award;
• purchase gift.

For example, for the combination “tender award” the program can easily find the covert phrase “procurement assistance”. Sounds suspicious, doesn’t it?

A complex query, in which you can combine several types of searches, will help to combat false matches. Specify a keyword, phrase, document name and write down the search terms using logical operators (and, or, not).

Create new policies

In AlertCenter, you can create your own policy with the search attributes you need. The settings depend on what you want to track. In any case, you need to set:

1. search parameters;

2. the channels through which the system will search for the required information.

For example, you want to create a policy to control the movement of commercial offers. To do this, you can use the already familiar search by dictionary, but the unique algorithm “search for similar” will show better results. With its help, you can find documents with a form and content similar to the original.

To set up a search for similar ones, insert the text of a typical commercial proposal into the search window and indicate the percentage of “similarity” between the reference and the found document.

The next step is to select the monitored transmission channels. For example, mail (MailController) and cloud services (CloudController).

The policy has been created. Set a check interval and start a search. If you get a lot of false positives, be specific about your search rules. For convenience, you can set up regular notifications about incidents to your mail.

Look through the archives

SearchInform DLP allows you to search not only by recently intercepted information, but also by the archive. This function is available for most webmail services, as well as for popular messengers — Skype, Viber. The program automatically surfs the message history after activating these services on the computer with the endpoint controller.

Retrospective analysis of the correspondence will help keep under control the employees who often check private mailboxes and conduct correspondence in instant messengers from a working PC. SearchInform DLP will examine the history of messages and letters with suspicious topics.

Look for clues

When everything is set up, it’s time to check, for example, an office manager. If you have reasonable grounds to suspect, spend time searching manually in the AnalyticConsole and examine correspondence in email, social networks and instant messengers. See what was sent to the cloud and external storage.

Not sure where to start your search? Then pay attention to the following signs and schemes.

Commercial offer “with a gift”

The supplier sends a commercial offer to the employee’s personal mailbox and negotiates a bonus for the deal. A few days later, a commercial offer with an inflated cost (a hidden kickback) comes to the employee’s official email.

How to track: set up a search for the keyword “commercial offer” or search for similar ones in the incoming/outgoing personal email of employees. The system will process not only letters, but also attachments.

Leakage of documents

Some employees don’t send nothing to third-party mailboxes from a corporate computer and copy the financial documents, acts, invoices, and statements of the organisation to external storage in order to take the discussion of fraudulent activities outside the office.

How to track: the DeviceController module automatically saves to the server copies of all files transferred to external media from the computer on which the system is installed. So don’t forget to include it in your security policies. Also, configure shadow copying of the contents of USB devices connected to the computer. Be sure to include files in such formats as xls, doc, pdf in the interception settings.

Balance in monitoring

Often, those who receive bribes get money transferred to a bank card. Impatient people check the balance at work. Most Internet banking services display the account balance immediately after user authorisation — on the main page. A person can visit this page several times a day.

How to track: set up forced screenshots in MonitorController — write down the banks’ web addresses. Similarly, you can set up video recording of the session. Now, if the user wants to check the balance, the program will automatically take a screenshot of his screen.

Luxury surfing

An employee’s search queries that are incomparable with his official income can also become a clue for an information security specialist. In the history of the browser of corrupt officials, vouchers to expensive resorts, the purchase of luxury real estate, the manufacture of jewelry with diamonds and other luxury goods and services are literally flickering.

How to track: Create a policy to track search queries in HTPPController. In the module settings, write down the keywords “Maldives voucher to buy”, “Moscow jewelry”, “elite housing” and the like.

Public boaster

Even secretive corrupt officials can lose their guard over time and talk about a recent purchase in the general Skype chat. If the purchase amount suspiciously exceeds the official salary of the employee, you need to put him under increased control.

How to track: set up a phrasal search in the interception of messages from instant messengers with the keywords “apartment”, “car”, “Rolex” in conjunction with the verbs “bought”, “drove”, “hooked”.

Panic-monger in action

Employees who are of weak spirit, drawn into kickback schemes, can give themselves away as unnecessary anxiety in correspondence with colleagues shows.

How to track: set up a search in messengers for key phrases “danger”, “are not afraid”, “fear”, “ignite”. In the found dialogue, leads for an internal investigation may appear.

Violator’s draft

A rare scheme identified by one of our clients. The employees who were in cahoots registered a common mailbox on and discussed side schemes for selling the company’s equipment in the draft email.

How to track: the system automatically scans not only letters, but also drafts. If necessary, search by drafts can be turned off in the MailController settings.

Reluctant kickback acceptor

Employees are trying to compensate with kickbacks for the lack of funds. Only the requests differ: one wants to quickly solve the housing problem, while the other does not have enough pocket money, others — for the next trip to the casino.

Difficult life situations, the presence of addictions, a sudden illness of a close relative can persuade an employee to commit a crime. Such employees can be pressured not only by competitors and suppliers, but also by colleagues. It happens that bosses use high-risk subordinates as intermediaries to hide their involvement in shady affairs.

ProfileCenter helps to automate the formation of risk groups. The program analyses the correspondence of employees and compiles their psychological portraits. Hackers can be found among social climbers, gist lovers, people prone to unreasonable risks.

AlertCenter has predefined policies for different risk groups — gamblers, people with addictions (alcohol, drug addiction) and serious illnesses, employees with debts and loans. Each policy has its own vocabulary, which the system uses to look for clues in correspondence. It can also be edited.

Getting an employee at risk does not in itself mean that an employee is a criminal, but the situation requires a stricter control.


Even if it seems to you that everything is clear in your company, it is better to take measures in advance. Regular personnel monitoring will allow timely detection of employees involved in kickback schemes.

During the first month of using SearchInform DLP, one of our clients detected 100 cybersecurity incidents, including side schemes and document forgery. Check employees and management for honesty with a free 30-day trial.



Managing behavioral risk, measuring employee morale, detecting corporate fraud and protecting your staff from blackmailers or undisciplined colleagues — moulding keys to healthy environment and data safety

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Alex Parfentiev

Leading Analyst at, I’m here to address those human factor risks many businesses often neglect or aren’t even aware of