ITM is an open framework - Submit your contributions now.

Insider Threat Matrix™Insider Threat Matrix™
  • ID: IF016
  • Created: 22nd July 2024
  • Updated: 23rd October 2025
  • MITRE ATT&CK®: T1657
  • Contributor: The ITM Team

Misappropriation of Funds

A subject dishonestly makes false representations, fails to disclose information or abuses their access or position to make a financial gain and/or cause a loss to an organization. Methods to achieve this include unauthorized bank transfers, misuse of corporate cards, or creating fictitious invoices.

Subsections (8)

ID Name Description
IF016.006Creation of Fictitious Invoices

A subject with access to a billing system or indirect access to a billing system misuses their access to create fraudulent invoices, causing payments to be diverted to themselves, a business they own, or a third party.

IF016.009Creation of Fictitious Work Orders

The subject generates falsified internal work orders to simulate legitimate business activity, enabling unauthorized payments, resource allocation, or personal financial gain. These work orders are typically entered into official systems (e.g., procurement, HR, or service management platforms) and may reference real vendors or fictitious entities created by the subject.

 

Unlike invoice fraud, which occurs at the point of payment, this behavior targets the earlier procedural layer, embedding false tasks, contracts, or justifications into the organization’s internal operations. It is often used to pre-authorize expenditures or create documentation trails that appear procedurally valid.

 

Work order fabrication may be episodic or sustained, and is especially difficult to detect in high-trust environments or when the subject holds procurement authority. The behavior may surface during internal audits, budget discrepancies, or when a pattern of unusually consistent approvals is noticed across unrelated departments or timeframes.

IF016.007Excessive Overtime

A subject that self reports hours worked, and/or is eligible to claim overtime or an individual responsible for reporting such working time may falsify time records or make false representations to a working time system to cause payment or time in lieu for unperformed work.

IF016.004Insider Trading

A subject with access to sensitive or confidential information may decide to use that information to trade the company's stock or other securities (like bonds or stock options) based on significant, nonpublic information about the company.

IF016.001Misuse of a Corporate Card

A subject may misuse a corporate credit for their own benefit by making purchases that are not aligned with the intended purpose of the card or by failing to follow the policies and procedures governing its use.

IF016.005Modification of Invoices

A subject with access to a billing system or indirect access to a billing system misuses their access to modify existing invoices, causing payments to be diverted to themselves, a business they own, or a third party.

IF016.008Prepaid Debit Cards

The subject creates, obtains, or distributes prepaid debit cards as a mechanism for transferring or accessing misappropriated funds without direct attribution. The subject may load funds onto prepaid cards, often issued under false names, expired identities, or third-party aliases.

These cards may be used by the subject personally, handed off to co-conspirators, or leveraged to launder proceeds through ATM withdrawals, retail purchases, or online transfers. Their use enables dissociation from formal banking records and introduces delay or obfuscation in financial forensics.

IF016.002Unauthorized Bank Transfers

A subject misuses their direct or indirect access to dishonestly redirect funds to an account they control or to a third party.