The small matter of fraud
Wednesday, February 12, 2020
According to PwC’s 2018 Global Economic Crime and Fraud Survey, only 49% of global organisations said they’ve been a victim of fraud and economic crime. While some might question the percentage quoted, the natural question that follows is what about the other 51%? Have they really not suffered any fraud – at all?
The answer is that they probably have, but either haven’t spotted it or consider the activity just par for the course.
Michael Volkov, CEO of The Volkov Law Group LLC, reckons that “companies are experiencing increased fraud as part of an overall increase in economic crime around the globe. Reported economic crime has increased over the last few years and is continuing to increase.”
Philippa Dempster, managing partner of law firm Freeths, believes that we are certainly seeing more incidents. She says: “The 2019 England and Wales Crime Survey estimated that there are more than 3.9 million fraud cases a year and Action Fraud saw 276,129 cases reported to it according to The Independent in June 2019, a 12% increase.”
And print has seen its fair share of cases. In May 2016, Prime Group and Rapidity (and others) were targeted by a CEO fraud scam where an individual purports to be an executive and requests urgent payments. The scam uses spoofing technologies to make the request look genuine. More recently, in October 2019, the Police Service of Northern Ireland and South Yorkshire Police were investigating an alleged fraud by a former employee at Belfast-based Bradley Group, which is said to have involved £500,000.
As the PwC report highlights, while the authorities, firms and staff are more acutely aware of the risks of fraud, the biggest problem is that few recognise that the fraud that goes unseen is just as damaging – possibly more so – than the fraud that is found. Didier Lavion, principal, Global Economic Crime and Fraud Survey Leader, PwC US says: “The scale and impact of fraud has grown so significantly in today’s digitally enabled world. Indeed, it can almost be seen as a big business in its own right – one that is tech- enabled, innovative, opportunistic and pervasive. Think of it as the biggest competitor you didn’t know you had.”
Andrew Northage, a partner at Walker Morris LLP, has definitely seen awareness of fraud rise: “It is certainly the case that companies are now more mindful of the policies and procedures they must have in place to raise employee awareness of fraud and to deal with it if it occurs.” He puts this partly down to changes in legislation, notably the Bribery Act 2010 which requires “adequate procedures” to prevent someone paying a bribe in order to gain a commercial advantage; the same legislative framework was used again in relation to the offence of failing to prevent tax evasion under the Criminal Finances Act 2015.
In his view “businesses are increasingly taking a similar approach to aspects of corporate governance, such as fraud, in order to identify the risks to the business, to determine appropriate mitigation strategies.”
A typical fraud?
Is there a typical fraud that firms should look out for? Henry Ejdelbaum, managing director of AIMS Accountants for Business, thinks not. He says: “It’s impossible, and perhaps dangerous, to call any particular type of fraud ‘typical’ as fraud comes in a huge variety of shapes and sizes, from confidence tricks and email phishing through to internal embezzlement.”
That said, Dempster lists a number of examples that she’s seen which include requests to pay a fake bank account, fictitious invoices, invoices paid in one currency but posted in another, finance employees abusing a system, ex-employees abusing a system, and the overstating of accounts. Of course, there are plenty more.
Just as there is no typical fraud – just a multitude of options – there is no typical fraudster. And as Ejdelbaum notes, “one thing we can say is that fraud is no longer just the domain of your stereotypical ‘criminal’ pulling scams. Many are intelligent, educated, well trained and very often from good backgrounds”. He’s found them to be highly knowledgeable, with a wide variety of skills and know how to cover their tracks – they can be found in high-powered positions at reputable companies and can perpetuate frauds and scams orders of magnitudes higher than what might be expected.
Discovery of fraud
It’s quite interesting that most instances of major fraud are uncovered by chance. Consider the 2013 case of Amanda Stevens, the bookkeeper for Redcat Marketing, the publisher of a magazine for the motorcycle trade. Stevens stole £210,000 over six years; she was only caught because a VAT bill couldn’t be paid. The owners had to make four staff redundant, sell cars and business premises and take out a secured overdraft to keep the firm alive.
Fraudsters also make mistakes according to Northage: “One of the biggest frauds the UK has ever seen began to unravel when six seemingly unconnected companies responded to an audit letter on the same single fax.”
However, as Ejdelbaum puts it, “if someone is dedicated enough to engage in serious fraud, they’re also normally knowledgeable enough to make sure they cover their tracks, which can make them difficult to spot without serious resources dedicated to it”.
It follows that SMEs need to be on their toes as much as large concerns. “A big national corporation,” says Ejdelbaum, “has the resources and time to commit to protecting against fraud. They’ve got email firewalls, dedicated algorithms, and often even a dedicated workforce set to making sure everything is correct; this often isn’t so for a small business.”
It’s easy to see why SMEs are targeted. According to a 2018 report from the Department of Business, Energy & Industrial Strategy, Business population estimates for the UK and regions 2018, 99.9% of private sector businesses are SMEs, so the risk is that much greater. As Ejdelbaum points out, “when you’ve got a hundred other things to consider and manage at once, it’s easy for fraudulent behaviours to slip through the net until the hole is accidentally uncovered”.
Advice on prevention
Prevention is invariably better than the cure. It’s for this reason that Dempster recommends firms “create an open culture with regular awareness training and vigilance – circulating examples of the latest scams, ensuring good cyber security and also basic IT hygiene with regular password changes are part of best practice.” To this list she adds considering potential fraud areas and being vigilant: watching for unusual behaviour such as an individual living beyond their means, CCTV and suitable stock control systems in warehouses.
She would most definitely enforce holidays – “often this is the time when things are discovered. And in the accounts teams, have particular vigilance and an open culture so that people question and spot check.”
But there is a tell-tale sign, says Northage: employee behaviour. He says to “look for domineering or bullying management, obsessive secrecy and close or closed relationships with suppliers; there may be an unwillingness to delegate menial tasks, or you may notice a significant change in an employee’s lifestyle.”
Beyond that the best advice is not unsurprisingly, the simplest: use your common sense and if the firm has the resources, make use of them. Ejdelbaum says the most important thing is to “keep your wits about you”.
And he gives one example of why.
“In the busy January tax season, we always see a rise in HMRC-related scams. Some of the most common are emails asking to “confirm your login details”, or similar. These emails usually look almost exactly like ones that legitimately come from HMRC, down even to the smallest details. The only giveaway is that the email address itself isn’t quite right. That’s easy to miss if you’re just glancing through.”
Volkov urges firms with the resources to deploy data-based technologies and analytics to combat the risk. The techniques include continuous monitoring, email monitoring, anomaly detection, pattern recognition and artificial intelligence.
“Data mining and statistical analysis,” says Volkov, “can also be helpful in detecting fraud. By using sophisticated data mining tools, companies can search transactions to spot patterns and detect fraudulent transactions.”
Northage agrees but expands the point – he thinks that “different kinds of fraud warrant different approaches. For instance, if facing push payment fraud, or the risk of any kind of fraudulent transaction, email must be closely monitored”. He suggests that when dealing with payments, it is prudent to confirm payment details by telephone before transferring money, particularly if account details have changed at the last minute. One suggestion from Northage to guard against similar frauds from inside your business is to “consider introducing checks beyond emails from supervisors before payments can be authorised; email chains can be easily edited to make it look as though the payment has been authorised when it hasn’t”.
Major events usually involve senior management, especially those with the authority to override controls. However, employee fraud schemes often involve theft by exploiting systemic weaknesses, such as stealing cash before it has been recorded, fictitious expense reimbursement claims and/or stealing company property.
A classic example of systemic abuse is offered by Northage; and it seems so simple. “We are currently acting on behalf of a global food and drink manufacturer bringing a claim against an individual in its accounts department who spotted a weakness in the way in which payments of rebates were authorised [so that he could] amend the bank details of legitimate customers to his own account. This meant that rebates of around £650,000 were transferred to the employee’s account.” This backs Northage’s view that it is not the rank of the fraudster so much as the opportunities available, that are germane.
Interestingly, no matter how thorough the perpetrator, Volkov says that on average, fraud schemes last 18 months before being detected.
It shouldn’t be a surprise that employees are the key to detection. On one hand, employees who see solid policies will be deterred from engaging in criminal acts. On the other, honest employees will become critical allies in the fight and, with suppliers, can become key sources of tips and information.
Another suggestion, from Volkov, is to have systems and processes that cross check each other. “Fraudsters are adept at taking advantage of weaknesses or gaps in a company’s internal controls. A perfect example is when business systems do not share or cross-check information.” One specific test, for example, could look for duplicate invoices and payments.
On this tack, Northage is keen to highlight overly complex corporate relationships or autonomous subsidiaries. “Firms may have a lack of clear reporting lines or areas of responsibility, opaque management accounts, a high volume of transactions or excessive profits in peripheral functions. These and aggressive accounting policies and forecasts with reward schemes linked to results may indirectly encourage achievement through more mendacious means.” He warns to look for results that may be always at or just above budget, or oddly exceeding market trends.
It shouldn’t be forgotten that people rationalise their actions to justify their misconduct. Sometimes this is down to an avaricious nature, but sight shouldn’t be lost that some might seek to ‘make good’ some perceived slight or mistreatment.
Warning for management
Even if company directors are not directly involved in fraud that occurs on their watch, this does not mean they will be unaffected. As Northage details, any reputational damage to the firm may, by extension, mark the reputation of the directors.
He also points to the various statutory duties of directors – that they must promote the success of the company in good faith, exercise independent judgement and exercise reasonable care, skill and diligence in executing their role. From his perspective, “this may extend to ensuring anti-fraud policies and procedures are in place and followed. Depending on the circumstances of the fraud, its occurrence may indicate that a director could be in breach of their duties, even if they were not the perpetrator. In certain circumstances, a director may face disqualification or personal liability for any financial losses the company sustains.
Dempster too thinks that fraud can destroy a career: “Directors are always in the spotlight to see if more should have been done to prevent fraud. They can be disciplined, or even removed, if their policies and procedures allowed frauds to take place.” She reminds that it can spell the end of a business: Patisserie Valerie went into administration due to accounting irregularities. Bradley Group said the alleged fraud resulted in it having to restructure its operations with a number of staff laid off.
Fraud is everywhere, often hiding in plain sight. It’s impossible to stop it but firms can take steps to keep the risks to a minimum.
STEPS TO REDUCE THE RISK OF FRAUD
Segregate accounting duties
No one person should be able to handle all bookkeeping functions, such as client receivables, processing client payments, paying invoices, managing petty cash and recording on the accounting system on their own. Businesses should have at least two people who can work interchangeably.
Know your employees
Every business should seek to hire honest workers but without a formal process a rogue can slip in. All employees should have a background check, but if this isn’t feasible, it must be an absolute for anyone with access to cash or finance systems. Look for staff in finance functions being overly friendly or who work long hours or take time off. Staff in finance or cash functions must take two weeks off and have no access to company systems. All of this should apply to business partners too.
Even the smallest of firms needs processes. These can include multiple signatures for purchases or stock receipt, checking overtime, locking down access to company financial date or just regularly auditing parts of the business. Random audits of the books will put fraudsters on notice. Laxity here encourages fraud.
Check the business bank account
Every bank statement should be checked against documentation, both to ensure that monies have been legitimately moved and to ensure that papers haven’t been faked. It’s important to look for anything out of order while new payees should be checked and confirmed.
Staff should be taught to look for fraud, how to prevent it and the importance of reporting suspicions. An anonymous reporting system or process will allow the reporting of colleagues without leading to recrimination. It is just as important to write and distribute a code of ethics that details that no fraud will be tolerated. By extension, every suspicion must be followed up.
Protect financial information
Businesses should be wary of the people and organisations they provide their bank and credit card information to, and should use secure, online bill payment services when possible, eliminating the potential for cheque fraud or theft.
Call in an expert
If fraud is suspected – or there are legal and regulatory concerns – professional advice is needed to examine the business and its books. Reports can also be made to Action Fraud and in serious cases the police can be called in to take action including search and seize orders, seizing goods and computers, and freezing bank accounts.