An Inside Job (or making it look like one)
No one likes to be duped. It feels awful. It’s especially painful to have the wool pulled over our eyes by someone that we trust, such as an employee. Yet, each year businesses find themselves duped and it’s costing them more than a bruised ego.
According to the Association of Certified Fraud Examiners’ (ACFE) biennial 2014 Global Fraud Study, businesses, non-profits and other organizations typically lose about 5% in revenues annually to fraud. Five percent might not sound like a lot, but if applied to the 2013 estimated Gross World Product, that’s a projected global fraud loss of nearly $3.7 trillion, says ACFE.
In the ACFE study, the median loss caused by the frauds was $145,000 and 22% of the fraud cases involved losses of at least $1 million. What’s creating those losses? According to a May 2015 Arthur J. Gallagher Market Conditions Update, the most frequent crime claim continues to arise from employee schemes involving bogus vendors and/or bogus invoice claims. In these embezzlement schemes, employees create a fictitious vendor—or work in collusion with a real vendor— producing fake invoices to embezzle corporate money. One former insurance IT executive was recently charged with such a scheme when he embezzled $2.6 million USD by forging the company’s CFOs signature and issued fake invoices with the help of an IT vendor.
Watching All Fronts
Preventing fraud losses is becoming even more challenging for businesses, not only from within their own workforce but from outside forces posing as insiders to commit fraud and steal money.
Consider what recently happened to Ubiquiti, a San Jose, California-based maker of networking technology for service providers and enterprises. The company fell victim to a “CEO fraud” that enabled hackers to steal $46.7 million from the company’s accounts. The company recently disclosed in a Securities and Exchange Commission (SEC) filing that the incident, discovered in June, involved employee impersonation and fraudulent requests from an outside entity targeting Ubiquiti’s finance department. The scheme resulted in transfers of funds held by a Hong Kong subsidiary to other overseas accounts held by third parties. The company has recovered some of the loss and is pursuing the recovery of the remaining $31.8 million, cooperating with U.S. federal and numerous overseas law enforcement authorities who are actively pursuing a multi-agency criminal investigation.
Ubiquiti is not alone. Fraudsters are aiming for businesses of all sizes, such as one recent victim, Mega Metals Inc., a 30-year-old scrap processor in Phoenix, Arizona that employs 30. As recently reported in the Wall Street Journal, the company wired $100,000 to a German vendor to pay for a 40,000-pound container load of titanium shavings in April. Mega Metals typically buys three to four loads of titanium a week from suppliers in Europe and Asia, for anywhere from $50,000 to $5 million or more per transaction, to crush and wash the titanium scraps to resell to companies who will make other products from it. Following a recent transaction, however, the vendor who sent the titanium scrap shipment complained that it hadn’t received payment. That’s because a third party had hacked the email account used by a broker working for Mega Metals. As a result, it sent payment to who knows who, who knows where.
Companies across the globe lost more than $1 billion from October 2013 through June 2015 as a result of online fraud schemes, according to the US Federal Bureau of Investigation. Many of these online schemes start when crooks spoof or hijack the email accounts of business executives or employees. Still other outside fraudsters like the personal touch and have no issue executing their deceit via a few phone calls, gaining employee trust to aid in their fraud attempts. Other fraudsters aren’t afraid to impersonate an employee in person to steal directly — cash, equipment or goods — from a company’s premises.
Companies across the globe lost more than $1 billion from October 2013 through June 2015 as a result of online fraud schemes
A Good Offense
So here lies the challenge for businesses -- developing a strong offense to help manage the risk of fraud schemes both internally and externally and running a defense that minimizes the final losses that can not only impact profitability but even jeopardize survival. According to the US Chamber of Commerce, 30% of all business failures are caused by employee theft.
Fraud often occurs because opportunity presents itself. For businesses, that means the most effective prevention is creating controls that minimize the opportunity for an employee to get away with something. Getting caught is quite an effective deterrent.
To minimize opportunities or catch fraud situations early in the process, businesses need to maintain a strong system of internal controls, among them:
- Segregation of duties. This assures that one employee cannot perform a complete financial transaction from end-to-end without involving someone along the way.
- Background checks. For a nominal cost, any hiring company can make sure that employees have not already had some past issues that would affect their judgment with the organization’s money
- Technology. Today software accounting packages can raise a variety of red flags such as repetitive withdrawals or employee expense reimbursements.
- Independent audits. By looking at the flow of transactions through business accounts any unusual activities can be identified. On average, the ACFE says fraud schemes last about 18 months.
- Prosecuting Offenders. Protecting a business against commercial crimes requires showing that you mean business. Not acting can be detrimental, sending a signal that employees who dip into an organization’s bank account may just walk away with a slap on the wrist.
- Ongoing training and education to reinforce anti-fraud policies. Especially with a growing number of outside social engineering schemes trying to victimize businesses, employees need to know what to look out for. Also many control tools and protocols will help prevent an outside fraudster’s attempt to convince employees to do something they should not do.
- Encourage employees to speak up when they see something that isn’t right in the workplace. Fraud “Hotlines” or tip lines allow employees to report potential employee fraud anonymously. According to ACFE, tips are “consistently and by far” the most common fraud detection method.
A Strong Defense
Even with some of the best internal controls in place, companies can still be duped. And many are. It’s becoming increasingly challenging given the technology to move funds quickly, workforces that seem more strained, and sophisticated criminals with the social skills to get it done.
Fortunately, the insurance market today is offering some very competitive and comprehensive commercial crime coverage. Some recent reports estimate that commercial crime insurance capacity easily exceeds $600 million.
The basic Commercial Crime coverages available include employee theft, forgery or alteration, theft of money and securities on and off the business’ premises, robbery or safe burglary, computer and funds transfer fraud, money orders and counterfeit money, extortion, clients’ property coverage, identity theft and telephone toll fraud. Only a few carriers are currently offering “social engineering” insurance protection — covering loss due to an employee having been tricked into altering vendor payment information such as in Ubiquiti’s situation. However, XL Catlin will be launching a social engineering fraud endorsement in the near future and the availability of such coverage in the market will likely increase as more businesses seek protection against this new crime ploy.
The most cost-effective way to deal with fraud is to prevent it. Sharpening corporate controls and process as well as enlisting employees’ watchful eyes are key prevention measures. And having the right insurance does not hurt either.
About the Author
Gregory W. Bangs is chief underwriting officer of global crime at XL Catlin. Over the last 30 years, he’s been underwriting insurance and developing new products in the U.S., U.K., Hong Kong and France.