Fraud presents a constant threat to companies around the globe—and that risk is growing as perpetrators become ever more digitally savvy and creative in their criminal activities.
K2 Intelligence has conducted a multitude of financial fraud investigations for companies around the world. This work has given us a unique perspective on the challenges facing enterprises when dealing with potential fraud, and the effect fraud has on businesses when it occurs.
Needless to say, the impact can be devastating. Aside from the financial and legal liabilities it creates, fraud can tarnish hard-won reputations and cause stock prices and sales to plunge. Companies might lose opportunities to work with and for other well-governed large entities that carefully choose their partners based on their controversy-free track record. Companies implicated in fraud may also find it difficult to attract employees or to keep the morale of their existing employees high.
Investigating fraud is itself a complicated exercise that involves multiple challenges: running the investigation effectively while limiting disruption to the business; knowing when to involve law enforcement or regulators; and anticipating potential liabilities as they relate to local labor, tax, environmental, or other relevant regulations and best practices.
In this article, we share examples and insights we’ve gleaned over the years about the types of financial frauds corporations encounter and the most common challenges faced when investigating fraud. We’ll discuss the types of fraud companies typically confront, red flags they might consider, and current challenges they face in preventing, detecting, and responding to fraud-related activities.
Phishing for Answers
Corporate fraud falls into two basic categories: internal and external. As the name suggests, internal frauds are committed by company insiders. External frauds are committed by outside actors. Today’s most popular external fraud is the cyber breach.
Employees often serve as unwitting accomplices in external frauds. Phishing—where a person clicks on a link in an unsolicited email that then compromises the computer, and often the network to which the computer is connected—is still a potent issue for most companies, and it continues to give cyber criminals unfettered access to a whole host of sensitive operational and financial information.
Business email compromise is the most frequent result we see from a successful phishing expedition. After accessing a company’s email network, fraudsters pose as executives and ask employees to wire transfer funds to their accounts. They tap into corporate vendor lists, create false email addresses, and send fake invoices requesting payments. They’ve even captured personal information, posed as spouses, and convinced executive assistants to release money for phony purchases.
In one case, cyber criminals stole the credentials of two senior executives and manipulated their email settings so that all of their emails were forwarded to the criminal’s external accounts, giving the criminals a vast trove of data about the company’s finances, operations, and strategy.
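Forwarding rules like the ones in this case can be found by auditing mailbox rules for targets outside the organization. The following Python sketch is an added example, not part of the original article; the record layout, the domains, and the executive list are constructed assumptions.

```python
from dataclasses import dataclass

INTERNAL_DOMAINS = {"example.com"}                    # assumption: company domains
EXECUTIVES = {"cfo@example.com", "ceo@example.com"}   # assumption: watched mailboxes

@dataclass
class ForwardRule:            # constructed record layout, not a real product schema
    mailbox: str              # owner of the rule
    target: str               # address mail is forwarded or redirected to
    keep_copy: bool           # False: the owner never sees the message

def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip().lower().rstrip(".")

def is_internal(address: str) -> bool:
    d = domain_of(address)
    # Exact match or true subdomain only; "example.com.evil.test" must not pass.
    return any(d == i or d.endswith("." + i) for i in INTERNAL_DOMAINS)

def edit_distance(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def review(rules):
    findings = []
    for r in rules:
        if is_internal(r.target):
            continue
        reasons = ["external target"]
        d = domain_of(r.target)
        if any(0 < edit_distance(d, i) <= 2 for i in INTERNAL_DOMAINS):
            reasons.append("lookalike domain")
        if r.mailbox.lower() in EXECUTIVES:
            reasons.append("executive mailbox")
        if not r.keep_copy:
            reasons.append("no local copy")
        findings.append((r.mailbox, r.target, reasons))
    return sorted(findings, key=lambda f: -len(f[2]))  # riskiest first

SAMPLE_RULES = [  # constructed sample data
    ForwardRule("cfo@example.com", "archive@mail.example.com", True),
    ForwardRule("cfo@example.com", "cfo.backup@examp1e.com", True),
    ForwardRule("analyst@example.com", "me@personal.test", False),
    ForwardRule("ceo@example.com", "notes@example.com.evil.test", False),
]
```

Calling review(SAMPLE_RULES) skips the rule that targets a genuine subdomain and ranks the two executive mailboxes ahead of the analyst's personal forward.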
When it comes to internal fraud, employees often take an active—and leading—role in such crimes. We have seen corrupt insiders inflate financial statements to boost bonuses or stock prices, create fictitious companies to divert funds, and concoct elaborate Ponzi schemes that require years of effort and manipulation. The most common types of internal fraud we come across are the following:
- Vendor fraud. This type of fraud often plagues global companies with large supply chains and businesses of all sizes. An employee disguises his or her identity and forms a company that poses as a vendor to which company contracts and transactions are funneled. Or an employee colludes with an external vendor, giving the vendor favorable contracts and excessive payments in exchange for kickbacks.
- Asset misappropriation. Asset or inventory misappropriation is a common scheme involving employee theft of a company’s goods inventory. For example, an employee in the distribution operations of a manufacturer may remove perfectly sellable items from the company’s inventory, label them as “damaged” or otherwise unsellable, and designate them as scrap. The employee then reroutes them to a third-party seller.
- Revenue recognition. A revenue-recognition fraud involves booking sales or services that haven’t been sold or delivered to customers. In a classic scenario, management needs to make its numbers for the period or a sales team needs to hit its sales quota, so salespeople are told to falsify sales invoices and instructed to ship the goods to a third-party warehouse for storage. The sales team gets credit for the sale, an invoice is generated, and the company books the revenue. Yet the company is also saddled with an account receivable that does not in fact exist, and with serious revenue-recognition issues if the fraud goes unchecked. In companies with trading operations, these unrealized returns can be hidden through hedging, and the scheme can go undetected for a longer period of time if appropriate controls are not in place.
There is a lot a company can do to prevent fraud and ensure it does not go undetected for long periods of time. Those organizations that are successful in preventing fraud implement strong internal controls; apply checks and balances; create an independent compliance function; and dictate a strong tone from the top of transparency, accountability, and zero tolerance of fraud.
Even with all possible measures put in place to prevent fraud, the question remains: How does a company detect when its employees are perpetrating a fraud? There are different tools and approaches that can be utilized: periodic fraud risk assessments, robust third-party due diligence and management, real-time monitoring, continuous fraud awareness training, and reporting hotlines.
We have worked with companies that use a variety of tools to monitor their business activities in “real time” with the objective of detecting fraud and protecting their organization from threats and loss of information or assets. They have various data loss prevention solutions in place to monitor communications, and utilize data analytics tools to analyze transactional data or data from the activities across a supply chain. Some companies even conduct periodic background checks of their employees to ensure that there are no undisclosed events that might impact their performance, might indicate they are involved in nefarious activities, or would reveal financial distress.
Consider this case from our files: A technology company with a recent history of intellectual property breaches sought our advice on identifying and launching an email monitoring tool designed to alert the firm to potential compromises of trade secrets and other intellectual property. The data loss prevention tool was fine-tuned to target communications that mentioned certain key terms associated with the firm’s most sensitive technologies. In addition, emails with attachments over a certain size were captured at the firewall in log files for analysis. During the first six months of use, the tool flagged several employees’ communications as suspicious and investigations were commenced.
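The two checks described in this case, key terms and an attachment-size limit, can be applied to mail log lines as follows. This Python sketch is an added example, not the tool from the engagement; the log format, the terms, and the threshold are constructed assumptions.

```python
import re
import shlex
from collections import defaultdict

KEY_TERMS = ["project falcon", "wafer recipe"]   # assumption: sensitive terms
MAX_ATTACHMENT_BYTES = 10 * 1024 * 1024          # assumption: 10 MiB limit

# Word boundaries stop "project falconry" from matching "project falcon".
TERM_RE = re.compile(
    r"\b(" + "|".join(re.escape(t) for t in KEY_TERMS) + r")\b", re.IGNORECASE
)

def parse_line(line):
    """Return a dict of key=value fields, or None if the line is malformed."""
    try:
        fields = dict(tok.split("=", 1) for tok in shlex.split(line))
        fields["bytes"] = int(fields["bytes"])
    except (ValueError, KeyError):
        return None  # bad quoting, token without "=", or missing/non-numeric bytes
    if not {"sender", "subject"} <= fields.keys():
        return None
    return fields

def triage(lines):
    """Return ({sender: [reasons]}, number_of_unparseable_lines)."""
    alerts, skipped = defaultdict(list), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1   # count, do not silently drop: gaps in coverage matter
            continue
        hit = TERM_RE.search(rec["subject"])
        if hit:
            alerts[rec["sender"]].append("term:" + hit.group(1).lower())
        if rec["bytes"] > MAX_ATTACHMENT_BYTES:
            alerts[rec["sender"]].append("large-attachment")
    return dict(alerts), skipped

SAMPLE_LOG = [  # constructed sample lines
    'sender=a@example.com subject="Project Falcon schematics" bytes=2048',
    'sender=b@example.com subject="holiday photos" bytes=31457280',
    'sender=c@example.com subject="project falconry club" bytes=512',
    'sender=a@example.com subject="fwd: notes" bytes=20971520',
    'sender=d@example.com subject="unterminated bytes=1',
]
```

Grouping reasons by sender shows which accounts trip more than one check, and the skipped count shows how many log lines the triage could not read at all.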
It also pays to note behavior that seems outside the norm. For example, recall the case of the trader who caused his employer billions in trading losses in a scheme that involved fictitious customer accounts, all to cover one bad trade. By all accounts, the trader was the first person in the office each morning and the last person out each night, never took a vacation, and rarely left his desk during the workday for fear of being found out. Are these habits indicative of nefarious behavior? Not necessarily, but they are certainly worthy of investigation and follow-up.
When Fraud Strikes
The key to successfully managing an incident of fraud within your organization is preparation. In other words, the first time to think about how to deal with fraud is not after it occurs, but well before. Of paramount importance is having a plan in place that establishes who will conduct the investigation; delineates responsibilities; outlines the correct communication strategy, determined by the severity of the fraud and who is involved; and defines a protocol for reporting, as necessary, to executive management and/or the board of directors.
At the start of the investigation, it is important to consider where the likely sources of evidence may be found to support or refute the allegations and take steps to preserve the information. In some cases, it may be necessary to have counsel circulate a document preservation notice to prevent the spoliation of potential evidence. In addition, it may be necessary to back up servers or personal computers to prevent critical files from being overwritten.
Conducting investigations across borders presents unique challenges as well. Awareness of local regulations and business customs must extend to the fraud investigation process. Data privacy laws, for example, might prevent large transfers of information from a server in one country to a server in another. Customs officers may confiscate laptops containing employee data. Even interviews can be disrupted because of laws in some jurisdictions that prevent an employer from unduly distressing an employee.
Local data privacy laws are just one of the complications companies face. Other types of laws also vary significantly around the world. For instance, investigative techniques such as computer forensics and interviews require a working knowledge of the applicable employment laws in the geography prior to undertaking such activities. In particular, post-investigation disciplining of employees must be done in concert with counsel to ensure compliance with local labor and employment laws. Acting contrary to such laws frequently results in financial and reputational impairments.
In general, fraud investigations must be conducted discreetly and without unduly disrupting business operations. In our experience, they also require an investigator with the skill and experience to connect dots in creative ways. If fraudsters are growing more sophisticated about their work, those rooting out their activities should be able to respond in kind.