With the millions of dollars that cybercriminals have obtained through their actions, bribing employees within companies has become a viable option for gaining access to corporate networks. Unfortunately, criminals have the money to "invest" in this method.
For this reason, it is essential that companies understand this threat, why criminals are interested in recruiting insiders, and how they use the privileges acquired through them.
Let's start with the definition of insider threat and then explore why employees are targeted by hackers and what can be done to mitigate the risks.
An insider threat can be understood as the intentional action of a privileged internal agent, whether a direct employee or a third party who has been granted access permissions.
However, more widely accepted definitions of insider threat also include situations involving negligence or accidental, unconscious carelessness by the employee. A recent document from the United States Department of Defense (PDF) adopts precisely this definition, which views the employee within their full human context.
Within this broader scope, an insider threat can manifest when an employee has personal or family problems, including financial difficulties, addictions, health issues, and lack of adequate training.
Although companies can model the risks linked to insider threats in whatever way best fits their context, it should be noted that the gap between these two perspectives is not as wide as it seems.
An employee acting in bad faith can take advantage of deficiencies in training to create a false situation where they "fall" for a scam planned by the hackers who recruited them. In this scenario, it can be difficult to differentiate a case of negligence from an intentional action. Those using a stricter definition of insider threat may end up not categorizing this incident correctly.
For an employee to compromise the corporate network, it is often enough to install Remote Monitoring & Management (RMM) software, which allows the system to be controlled from another computer. The installation steps can be communicated by an attacker posing as the company's IT department or another professional, creating a scenario that, in principle, removes the internal user from suspicion.
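One defender-side check this scenario suggests is to treat any remote-access or RMM installation that did not arrive through the sanctioned deployment channel as a triage event. The following is an added example, not code from the article or from Axur; the watchlist, the approved product and the channel names are constructed assumptions, and the input is a constructed software-inventory feed.

```python
"""Flag RMM installs that bypass the sanctioned deployment channel.

Hypothetical detection logic (not from the article). Assumes an endpoint
inventory feed that reports one event per software installation.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Illustrative watchlist of remote-access / RMM product names (constructed list).
RMM_WATCHLIST = {"anydesk", "teamviewer", "screenconnect", "atera", "splashtop", "rustdesk"}

# In this example only one product, pushed by one channel, is sanctioned (assumption).
APPROVED_RMM = {"screenconnect"}
APPROVED_CHANNEL = "endpoint-manager"   # central push tool; "interactive" = user ran installer


@dataclass(frozen=True)
class InstallEvent:
    user: str
    host: str
    product: str
    channel: str   # "endpoint-manager" or "interactive"


def classify(event: InstallEvent) -> Optional[str]:
    """Return an alert label for a suspicious RMM install, or None if benign."""
    name = event.product.lower()
    if name not in RMM_WATCHLIST:
        return None                              # not a remote-access tool
    if name not in APPROVED_RMM:
        return "unapproved-rmm"                  # tool the company never sanctioned
    if event.channel != APPROVED_CHANNEL:
        return "approved-rmm-out-of-band"        # right tool, wrong path (e.g. "IT told me to")
    return None


def find_suspicious(events: List[InstallEvent]) -> List[Tuple[InstallEvent, str]]:
    """Return (event, label) pairs worth a triage ticket."""
    return [(e, label) for e in events if (label := classify(e))]


# Constructed sample feed: four installs on the same day.
SAMPLE_EVENTS = [
    InstallEvent("svc-deploy", "WS-0142", "ScreenConnect", "endpoint-manager"),
    InstallEvent("jdoe", "WS-0187", "AnyDesk", "interactive"),
    InstallEvent("mlee", "WS-0203", "ScreenConnect", "interactive"),
    InstallEvent("jdoe", "WS-0187", "7-Zip", "interactive"),
]

if __name__ == "__main__":
    for event, label in find_suspicious(SAMPLE_EVENTS):
        print(f"{label}: {event.user} installed {event.product} on {event.host} via {event.channel}")
```

The second and third sample events are the ones an analyst would follow up with the user, since a legitimate IT request would have arrived through the push channel.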
Additionally, personal and family difficulties can increase the chances that an employee will decide to cooperate with intruders. Conversely, training that helps employees understand the policies and mechanisms that exist to detect and punish those who act in bad faith can reduce their interest in striking any deal with an external intruder.
If the employee does not understand that this type of attitude can harm all company stakeholders (including themselves), they are more likely to give in to the pressure from recruiters.
The United States Department of Justice recently announced the indictment of employees of DigitalMint and Sygnia companies under allegations that they collaborated with ransomware gangs. These professionals did not act directly against their employers but harmed clients and other companies using the privileges they had to disseminate malicious code or favor criminals instead of eliminating the threat from corporate networks.
This case carries an important lesson about the profile of the people hackers seek out. Often, the target is not the insider's own employer. This explains why criminals frequently recruit accomplices based on the role they perform, regardless of the company they work for.
Looking at each role shows why this happens and what criminals want from it:
IT Technicians: Those who work in the IT department have access to various systems and hold privileged information about the network architecture of the company or clients it serves (if it is a service provider).
Even if a company is not a target of interest to criminals nor is connected to these targets, IT technicians can provide infrastructure (such as servers) to assist criminals in their operations. For this reason, these professionals are highly targeted.
Area and Account Managers at Financial Institutions: It is easy to get a general sense of why criminals want to recruit employees of financial institutions, but harder to imagine everything they seek with that access.
The idea is not always just to transfer customers' money. Sometimes the objective is to facilitate the creation of fake accounts (shell accounts), or to gain access to business accounts that receive money stolen from other accounts. Proving employee wrongdoing can be harder in these cases, since an "error" that went unnoticed in the documentation could also be an accidental oversight.
Cryptocurrency exchanges, in turn, are frequently the destination of stolen money for laundering. Once the funds are mixed with other cryptocurrencies, it can be quite difficult to recover what was stolen.
Telemarketing and Services: Service providers have access to systems or customer data that can be useful to hackers and scammers. Call centers for external and internal audiences, managed service providers (MSPs), and sometimes even outsourced companies for cleaning or maintenance can have a level of access useful to criminals.
Technology companies also fall on this list, both for the ability to enable external access (as in the case of IT employees) and for the possibility of sabotaging security solutions or fraud protection.
Government: Government employees can be very valuable to criminals. Often, they can query personal data to facilitate fraud, approve false documentation (including digital certificates), or leak data from companies that pass through government systems, such as in the case of tax documents.
Additionally, government IT infrastructure is often regarded as trustworthy by security systems. The possibility of using government systems to receive leaked data or disseminate malware is therefore even more attractive to criminals.
According to a report by the Ponemon Institute, insider threats generate, on average, an annual cost of $17.4 million for companies. This is double the amount found in 2018, which was $8.3 million.
According to Verizon's 2025 Data Breach Investigations Report (DBIR), 65% of incidents involving insider threats result from some type of employee negligence, while 31% of incidents stem from intentional employee actions.
Finally, the 2025 Insider Risk Report from Fortinet and Cybersecurity Insiders indicates that 77% of organizations had some data loss resulting from an insider threat in the 18-month period prior to the survey, and 21% of them had more than 20 incidents of this category in the same period.
Like the DBIR, the Cybersecurity Leaders survey also revealed that 62% of incidents result from human error or a compromised account.
The more employees a company has, the harder it is to target measures that mitigate internal incidents.
To overcome this challenge, it is necessary to monitor the actions of criminals in order to understand their targets and methods. With this knowledge, it is possible to develop actions and strategies that effectively mitigate risk.
Axur offers a range of solutions to monitor criminal activity, collecting intelligence on cyber threats that provide visibility on targeted threats as well as general and sector perspectives. Talk to our specialists to learn more.
A: An insider threat is an intentional or negligent action by a privileged internal agent (employee or third party with access permissions) that compromises organizational security. This includes both deliberate malicious actions and accidental security breaches caused by negligence or lack of training.
A: According to the Ponemon Institute, insider threats generate an average annual cost of $17.4 million for companies. This is double the 2018 figure of $8.3 million, showing a significant increase in the financial impact of these incidents.
A: 65% of insider threat incidents result from employee negligence, while 31% stem from intentional employee actions. Additionally, 62% of incidents result from human error or a compromised account.
A: Criminals primarily target:
A: Insider threats originate from individuals who already have legitimate access to organizational systems, making them harder to detect than external attacks. These insiders can bypass many security controls because they have authorized credentials and knowledge of internal processes.
A: Warning signs include employees experiencing financial difficulties, personal or family problems, substance abuse issues, dissatisfaction with the organization, unusual access patterns to sensitive data, or attempts to bypass security protocols.
A: Yes. Modern definitions of insider threats include both intentional malicious actions and unintentional security breaches caused by negligence, lack of training, or accidental mistakes. The U.S. Department of Defense recognizes this broader definition that considers employees within their full human context.
A: Companies can mitigate insider threats by implementing comprehensive employee training, monitoring user activity, understanding criminal recruitment methods, establishing clear security policies, and using threat intelligence to identify potential risks before they materialize.