While fraud has existed for as long as there have been companies, when changes occur in how an organization operates, new doors open for people inside and outside an organization to steal.
Recent macroeconomic events involving supply chain slowdowns, flexible work arrangements and rising inflation have paved the way for a possible uptick in such crimes. Changes in the supervision of an employee coping with financial pressures, for instance, may encourage the person to commit fraud or invite a con artist to deceive the employee in a sophisticated social engineering scam.
Both types of criminal deceptions are widespread and expensive. According to the Association of Certified Fraud Examiners, occupational fraud causes an average 5% revenue loss annually, with the average loss per incident estimated to exceed $1.5 million. Social engineering scams have tripled since 2020, according to the Anti-Phishing Working Group, which tallied 316,747 phishing attacks in December, the highest monthly total since the organization began reporting on the subject in 2004.
In our annual Midsize Company Risk Report, fraud-related theft was cited as the top concern of financial risk managers. Because fraud involves insider and outsider deceptions tricking people into believing something that is not true, internal controls are the primary means of thwarting the schemes.
In cases involving an employee committing a fraud against an employer, criminologists have cited three factors at work: financial pressures, opportunity and rationalization. At present, the opportunity to commit fraud may appear greater for employees feeling the pinch of inflation at a 40-year high.
Under this pressure, some employees may rationalize that they are being unfairly penalized for economic factors beyond their control. If an opportunity presents itself to commit fraud, they may be tempted into thinking they won’t get caught.
A case in point is the disruption in the supply chain. The difficulties sourcing needed supplies have impelled many manufacturers to contract with new suppliers in unfamiliar locations. Given high demand for the company’s products, time is of the essence, possibly compressing the customary due diligence performed into the new supplier’s controls.
An employee with financial stress may decide to impersonate an accounts receivable executive at the new supplier to trick the company’s accounts payable into sending a payment into a bank account held by the employee. Or the employee may instead collude with someone working at the new supplier to manipulate the invoice, overcharging the company by 30% and sharing in the illicit proceeds.
Threats from outsiders continue to grow at an alarming rate. FBI statistics show crimes involving phishing/vishing/smishing/pharming nearly tripled from 2019 to 2021. In cases involving social engineering schemes, today’s more prevalent remote work options constitute a greater opportunity for success, because employees are under less physical supervision.
A different set of factors is at play in committing social engineering frauds. A common scam is for the fraudster to gather information from social media about an employee and a high-ranking executive within the company or at a key customer or supplier. The fraudster perpetrates a cyberattack to penetrate the company’s network and then impersonates the senior executive in a series of emails that appear legitimate.
If the impersonation is convincing, the employee can be duped into doing something that seems perfectly normal, such as transferring company or client funds into an illicit bank account held by the fraudster.
Warning Signs and Controls
Against this backdrop, financial risk managers have an array of defensive and offensive tactics at their disposal.
With regard to insider fraud, warning signs include sloppy record-keeping, accounts that often fail to balance, incomplete or undetailed bookkeeping records and missing documentation in financial reports and statements. Other red flags include a sudden shortage in inventory that is inconsistent with prior practice, frequent cash shortages and baffling adjustments to payable and receivable accounts.
If any of these warning signs are in place, question the employee, as there may be a plausible reason for the discrepancy. If the stated reasons are insufficient, and evidence suggests the employee is having personal financial problems, conduct an internal investigation to gather the facts.
During this period, curtail the employee’s access to company funds and other resources, as well as their involvement in supplier and other vendor transactions. If the company is publicly traded, external auditors should be alerted to the internal investigation.
To reduce the potential for fraud and theft, a strong system of internal controls must be in place. Practices like the segregation of duties ensure that no single employee can simultaneously commit a fraud and conceal it, because other people are required to countersign any transactions. Multiple tiers of review and approval, both for payments for goods and services and for the approval of electronic funds transfers, are mitigants that work.
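One way to encode the countersign and tiered-approval controls described above as a check a payments system runs before releasing a transfer, written here as an added example rather than code from the original article. The role names, dollar thresholds and the bank-verification flag are assumptions; the verification flag stands for the callback to a dedicated internal directory described later in the article.

```python
from dataclasses import dataclass, field

# Constructed thresholds for this example; a real policy sets its own tiers.
DUAL_APPROVAL_ABOVE = 10_000    # a second, distinct approver is required
CFO_APPROVAL_ABOVE = 100_000    # a third tier that must include the CFO role


@dataclass
class Payment:
    vendor: str
    amount: float
    requested_by: str
    # True only after the supplier's bank details were confirmed by phone
    # using the company's own directory, never the contact data in the invoice email.
    bank_account_verified: bool
    approvals: list = field(default_factory=list)  # [(user, role), ...]


def release_allowed(p: Payment) -> tuple[bool, str]:
    """Return (ok, reason); every rejection names the control that fired."""
    approvers = [user for user, _ in p.approvals]
    roles = {role for _, role in p.approvals}

    # Segregation of duties: the requester can never be one of the approvers,
    # and one person cannot supply two of the required signatures.
    if p.requested_by in approvers:
        return False, "requester cannot approve own payment"
    if len(set(approvers)) != len(approvers):
        return False, "same person approved twice"

    # Independent confirmation of payee bank details blocks the impersonation
    # and colluding-supplier scenarios before any money moves.
    if not p.bank_account_verified:
        return False, "supplier bank details not independently confirmed"

    # Tiered approval: larger transfers need more, and more senior, signatures.
    needed = 1
    if p.amount > DUAL_APPROVAL_ABOVE:
        needed = 2
    if p.amount > CFO_APPROVAL_ABOVE:
        needed = 3
        if "cfo" not in roles:
            return False, "transfers above the top tier require CFO sign-off"
    if len(approvers) < needed:
        return False, f"{needed} approvals required, {len(approvers)} present"
    return True, "released"
```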
With regard to outsider fraud involving remote work by employees, warning signs include repeated non-use of the company’s VPN (virtual private network) by employees. Use of employee home WiFi systems increases the possibility of network penetration, setting the stage for a social engineering scam.
To reduce risk, encourage protections like multi-factor authentication, software updates and regular changing of passwords on employee laptops, routers and modems.
Alert employees to be extra vigilant about social engineering attempts, pointing out the three “unusual” components of a typical scam—an unusual request by someone in authority at the company, customer or supplier; an unusual sense of urgency in the request; and an unusual appeal to take immediate actions. If anything seems out of the ordinary, the employee should pick up the phone and call a supervisor. Employees should also use dedicated internal phone directories when confirming requests with other employees and outside vendors rather than relying on the phone contact information provided within the suspected email.
Lastly, in both insider and outsider frauds, there is wisdom in periodically having the above procedures vetted through internal and outside audits. It’s one thing to have a policy in place and another to make sure it is being followed, especially in times of stress.
No control system is foolproof, of course, hence the value of purchasing a fidelity bond that absorbs the costs of the aforementioned scams, as well as other financial losses incurred due to theft, forgery and other fraudulent acts. Because fidelity bonds differ, it is prudent to discuss with an insurance broker or agent which type is best suited to the organization’s risk exposure, such as financial institution bonds, first-party bonds, third-party bonds or a commercial crime insurance policy.
An insurance broker or agent also can help explain each policy’s coverage nuances. Some fidelity bonds, for example, may exclude losses if company anti-fraud/anti-theft control policies and procedures were not followed or the fraud was directed by an outside entity like a supplier or a client.