Pete Miller: Fraud was always something that interested me. It’s a fascinating part of accounting and finance-how people gain the opportunity to commit fraud, what motivates them, and how they get caught. As a CPA, I’m required to take 40 hours of continuing education credits every year to maintain my license. I thought if I was going to be sitting in a classroom for eight hours, it had better be interesting. Earlier I had the chance to listen to a few convicted felons who served jail time for fraud. I knew courses on fraud would be interesting so I just fed that interest of mine for a few years.
About 11 years ago, I decided to become a Certified Fraud Examiner (CFE). It was one of the most fascinating academic experiences I’ve ever had. The program is numbers and finance-oriented but the human experience is built into it, too. You learn why people do what they do, the psychology behind it, the facial expressions people make if they’re lying, all that kind of stuff. The history and legal side of fraud are part of the curriculum. I passed that exam, and then built a business plan for how to develop a practice and pitched that to my partners at Clark Nuber. They said “It’s a great idea. Let’s go for it.” And we just set on a course to build the practice and did it slowly and methodically. We’ve since built up a nice resume of projects. In the last five or six years, we’ve done more to announce ourselves to the marketplace and we’ve had quite a pick-up in our practice. Unfortunately, fraud is a growth history.
Lauren: External versus internal fraud, what’s the difference? And what trends are you seeing?
My specialty, really, is occupational fraud. And my focus is internal fraud: somebody using their job to commit fraud. That’s primarily what I’ve studied primarily for the last 10 or 12 years. But tangentially, external fraud has picked up quite a bit. It’s something I keep my eye on as well. External fraud is somebody from the outside, whether
it’s an organization or individual, who is penetrating the company somehow to get access to the company’s money. We’ve seen a lot of pick up around something called “spear-phishing” and just “phishing” in general. Ten years ago, phishing was more of a broad attempt, where perpetrators, bad guys, would send a mass e-mail with a link that you would click and that would give them access to some of your information or download something onto your computer.
Phishing is broad in nature. It isn’t targeted. Spear-phishing is narrow – it’s focusing on something, somebody specific.
So, these bad guys have done their research.
They’ve done their research and they are sophisticated. What we find is they somehow get into a company’s system. They’ll study, for example, the CEO’s emails. They look at his or her emails and figure out what their tone sounds like and what their emails typically contain. They figure out a pattern and style so that, at some point, they can draft an email that reads like it’s from the CEO. And this email, in the CEO’s name, will say something like, “Please send a wire transfer to XYZ. You need to send it right away” sent to someone in the company with the authority to initiate a wire transfer. The thieves’ first email typically starts out with a modest dollar transfer amount, and if they get a bite, the next email will be for something larger.
They probe a little bit.
They probe a little bit and dip a toe in the water, and then they really go for it. We have seen, in the last year or two, about half a dozen of clients bitten by this type of scheme and some of them have fallen for it. Many more that number will get something like that type of probing email in their inbox.
Are these spear-phishing companies U.S. companies or are they foreign?
It’s a mix. From what I’ve read, a lot of it is from outside of the United States. But there’s certainly enough of it going on around here. They have a target, they look for vulnerabilities, and they find their way in.
Speaking of targets, are larger, publicly-held companies like Microsoft and Amazon more vulnerable to this type of fraud? Or are the smaller privately-owned companies more at risk?
What I’ve seen is that the incidences of fraud have slowed or perhaps even leveled off in publicly-held companies since Sarbanes-Oxley requirements ramped up their rigor of internal control.
But for the smaller, privately-held companies, chances are they have a smaller accounting and finance staff. They don’t have the ability to hire people for internal control’s sake. There are fewer internal controls and more opportunity for something like this to happen. For the folks that fell for the spear-phishing example I talked about earlier, that was the problem. There was an absence in internal controls that allowed that to happen. In one instance, the same person could both initiate and authorize a wire transfer.
But despite their smaller size and a lack of internal control, these companies could still have significant balances to go after.
That’s right. They could have balances that would make it worth the perpetrators effort.
With external fraud on the rise, smaller companies may be a bit more vulnerable for several reasons.
External fraud and internal fraud continue to be on the rise. But people commit internal fraud in a limited amount of methods. Schemes like fake vender schemes or ghost employee schemes or things of that nature tend to be still active and prevalent. Expense reimbursement fraud, despite technologies and software products in place that manage that process for a company internally and insert a layer of internal control, is on the rise.
These are employees who are filing fake expenses on their expense reports?
Yes, or filing the same expense multiple times. The perpetrator, an employee in this instance, might have a business meal and have an itemized receipt, a signed credit card receipt, and a credit card statement. They might file all three of those at different periods of time.
And nobody’s noticing the same date? That’s interesting! Tell me about the fake vendor approach.
The vendor management process and the kind of vendor master file that’s built into accounting programs don’t necessarily have a whole lot of rigor around them. Somebody can set up a fake vendor inside of the accounting process that’s very similar to a legitimate vendor. It could be ABC-LLC instead of ABC Inc. One of those is a legitimate company, the other isn’t. When the check comes through the system, it looks like a familiar vendor to the person that’s authorized it, and it makes its way through to payment to a bank account controlled by the perpetrator.
I once ran a CEO roundtable that invited a convicted thief in to speak to the group. That’s how he did it. He set up fake vendors. An accomplice on the outside cashed the checks. This went on for years. The business had no actively-involved owners. The thief was the general manager. One day the owner showed up and noticed a stack of invoices. The fake invoice was on the top of the pile. The owner glanced at it and said, “Gosh, who’s this company?” And then the whole scam just started to unravel.
They peeled back the onion!
Yup, they peeled back the onion. He shared how he got into the position to commit the fraud. As he made his way up through the ranks of the company, he found other people stealing company product. He caught them doing it and then he made a big deal about catching them. It established his “good guy” credentials in everybody’s mind. This man also spoke of his feeling of resentment at the time. He felt like while he created the company’s growth, he did not get his deserved recognition or pay. At the time, he was bitter and angry. He said, “Here I was growing this company, not an owner, and I felt like it was my due. The owner wasn’t paying attention and so I thought, why not?” He went under the radar for far too long.
Not a surprise, necessarily, given that “tone at the top” is such a huge deal in these cases. It’s not necessarily a surprise that somebody might not know what this thief was doing.
Talk about “tone at the top.” What does that mean to you?
It’s just paramount. I like to compare good tone and bad tone and think about the consequences in that context. Good tone at the top is a leader who leads by example, who is transparent and forthright with regulators, key vendors and employees. He or she goes out of his or her way to make sure they do the right thing. “Do the right thing” is part of their business philosophy and culture. They will go out and hire lieutenants that are like-minded and share that philosophy and then likewise, those lieutenants will hire people for their teams who are going to be like-minded. It just creates a good culture from the top down.
Contrast that with a company with a bad tone at the top. In that case, you have a leader who likes to cut corners any way he can, who is less than forthright with key vendors or regulators and talks about people behind their back. He is not transparent about things, and is very secretive. It creates a different tone. This leader is going to hire lieutenants that are a little dodgy or sneaky and then likewise down on the line. That bad tone of the top is riper for fraud than the good tone of the top.
It’s not just a matter of training and skills in terms of anti-fraud and policy? There’s that part of prevention and detection and then there are also the cultural norms, values, rules, attitude, how the leader acts, how the managers act, and the type of person they’re hiring.
Every internal control system has its weaknesses and vulnerabilities. Both the good tone and the bad tone examples have vulnerabilities in their internal control structure. But the people who are playing the parts in the good tone example would be less likely to rationalize their way into committing a fraud. The folks on the bad side, more likely. They would say, ‘I’m not valued enough,” or “Joe down the hall makes way more than I do and I work so much more here.” All sorts of things that could enter people’s minds that they could rationalize their way through it. The right tone at the top can help put a stop into the rationalization piece which is a key part of any fraud that’s going to be there.
Every organization has issues that need discussing. Companies with healthy cultures tackle these things head-on so that there aren’t a lot of “elephants in the room.” But if you don’t end up having what are often hard conversations that lead to resolution of these issues, people get resentful. It just creates this bad energy that’s going to go somewhere. It will attract wrong people and, sadly, repel the good people that might want to come to your organization, or, worse, get rid of the good people in your company. Or the goods ones stay but become what I call them ‘zombie employees.’ They were once good, but now they’re empty, angry shells.
They’re empty, angry people. Absolutely. And the rumors milling around go out of control in an environment like that. Even if the truth isn’t that bad, it can spin into something that is because of all the back-channel talk.
The leader who’s willing to take feedback on their own behavior by their team members sets an incredible tone of accountability and honesty. Then it’s all about holding each other accountable and doing the best job with the best people for the job. It’s not about going after people and exacting revenge.
It’s a whole different thing. The good tone folks can still have a “trust but verify” approach to management. And with a good tone to the top, it just becomes something that — it’s not that they’re checking up on me or they don’t think that I’m doing my job or they don’t trust me — it’s just a part of the process.
This is just how we do things.
The employee that’s having their work reviewed is thankful that that happens for a few reasons. One, the process finds any mistakes so that I can do things correctly next time. But secondly, I like the idea that my boss reviews my work so that if anything bad does happen, it’s not necessarily resting all on me. Other participants who are part of the problem are identified and that supports me as well.
Next up: How one business owner stopped a thief before losing thousands of dollars.