The Embezzler’s Ghost: Why The Fraud Triangle Is A Gift To Adaptive Threats

Posted on by

Paul Curwell

3–5 minutes

We are trying to catch 21st-century crooks with a framework designed in 1953 for middle-management embezzlers.

In my consulting practice and work with post-grad students, I see this disconnect constantly. We are defending against Organised Adversaries – crime syndicates, nation-states, and sophisticated fraud rings – using logic designed for a completely different era.

Donald Cressey’s “Fraud Triangle” was a breakthrough for its time. It perfectly explained the opportunistic fraudster: the trusted employee who hits a personal crisis and “breaks.”

But today, we aren’t just facing desperate employees. We are facing actors who don’t wait for a crisis to occur – they engineer one.

When we apply “embezzler logic” to a sophisticated criminal operation, we don’t just get it wrong. We create a dangerous blind spot.

Donald Cressy's Fraud Triangle focuses on embezzlers, and was developed in 1953.
The “Fraud Triangle”, Donald Cressey (1953)

The Problem: Looking For Desperation, Not Intent

The Fraud Triangle rests on the pillar of Pressure (specifically, a “non-shareable financial problem”). It is designed to find the person drowning in debt.

Adaptive threats, however, operate out of Strategic Intent.

If you only look for “financial desperation,” you will miss the high-performing, debt-free executive who is acting on ideology or coercion. We need to shift from Occupational Psychology (why good people go bad) to Adversarial Motive (what a sophisticated actor wants).

Understanding Motive As A Target Map

For adaptive threats, bankruptcy is rarely the lead indicator. To find the levers of disruption, we need to use the intelligence community’s MICE framework:

  • Money: For organised crime, this is about profit maximisation. Your lever: Increase their “cost of business” until the ROI fails.
  • Ideology: They believe your IP belongs to their nation. Your lever: Total denial of access—you cannot “ethically train” an ideologue.
  • Coercion: A trusted insider is being blackmailed. Your lever: Culture. A “safe-to-report” environment disrupts the adversary’s leverage.
  • Ego/Extortion: The desire for revenge or status. Your lever: Behavioural analytics that flag “entitlement patterns.”

The Structural Blindspot: Solo vs. Group Logic

The Fraud Triangle is a one-dimensional psychological analysis. It fails to model the reality of modern, structured threats:

  1. Group Decision-Making: Adaptive threats use hierarchical command structures, not solo impulses.
  2. Long-Term Strategy: These actors have patience. They use multi-stage operations and strategic misdirection (false flags) that a “one-off” fraud framework cannot detect.
  3. Institutional Doctrine: State-sponsored actors follow a professional doctrine, not a psychological rationalisation.
graphical illustration of an adaptive threat network
Sophisticated ‘adaptive threats’ are effectively businesses, with dedicated roles and cross-border reach (JP 3-25)

From Static Opportunities To Manufactured Ones

The Triangle assumes Opportunity is a static weakness – like a door accidentally left unlocked.

Adaptive threats don’t wait for an unlocked door; they build a key.

They use intelligence tradecraft – such as social engineering and long-term grooming – to create access. While the opportunistic embezzler exploits a loophole, the adaptive threat exploits the system itself.

Why Your Current Toolkit Is Failing

If you rely solely on the Fraud Triangle, your mitigation strategy is likely fighting the wrong war:

  • Bankruptcy Checks: Miss the “clean” operative being paid handsomely by a third party.
  • Baseline Controls: Easily bypassed by an adversary who has spent months mapping your social and technical dependencies.
  • Internal Investigations: Often fail because they assume a “lone wolf” perpetrator. As I’ve noted in my previous article, 31% of insiders operate in networks. If your detection doesn’t account for these internal networks, you are missing the campaign behind the individual.
Stop Looking For The “Lone Wolf”: New Research Reveals 31% Of Malicious Insiders Don’t Act Alone

The Shift: Toward Adaptive Detection

We must trust our people to run a business, but we must recognise when that trust is being exploited. We need to shift our surveillance and detection focus:

  • From Financial Monitoring to Relationship Mapping and Behaviour Analytics.
  • From Control Weaknesses to Access Pattern Analysis (UEBA).
  • From Individual Psychology to Organisational Loyalty and Network Cohesion.

The Takeaway

The opportunistic embezzler and the organised adversary are fundamentally different risks.

You cannot stop a professional spy or a state-backed fraud ring with a framework designed to catch a desperate clerk.

If your defence doesn’t evolve, you aren’t managing risk – you’re just waiting to be a headline.

Further Reading:

As published on LinkedIn. 

DISCLAIMER: All information presented on PaulCurwell.com is intended for general information purposes only. The content of PaulCurwell.com should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon PaulCurwell.com is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.