Is the Pandemic Helping to Mask Fraud?

Fraud Week is an initiative of the Association of Certified Fraud Examiners (ACFE) to promote anti-fraud awareness and education. Today, we begin a special 5-part Fraud Week Coffee Break Series where we invite you to spend 10 minutes each day learning about various aspects of fraud detection and prevention through the eyes of our Certified Fraud Examiners and other fraud experts.

For this episode, we interviewed Mark Lowers, CFE, Founder and CEO of Lowers Risk Group, and Brad Moody, CFE, CFI, EVP of Operations for Lowers & Associates.

In its 2020 Report to the Nations on Occupational Fraud, the ACFE looked at common types of fraud and popular ways perpetrators conceal their activities. A related study from the ACFE explored the reported increase in fraud during the COVID-19 pandemic. What’s behind the increase? And how can organizations better protect themselves from becoming victims? We begin here.

Grab a cup of coffee and spend 8 minutes listening to the experienced voices of Mark Lowers and Brad Moody:

According to the ACFE, there are three primary categories of fraud: Asset misappropriation (seen in 86% of reported cases), corruption (43% of cases), and financial statement fraud (10% of cases). Within those broad categories are a number of fraud types:

The Fraud Tree:

Source: ACFE Report to the Nations

Considering that organizations lose 5% of their revenues to fraud each year, it’s helpful to understand how fraudsters are able to conceal their activities. Here’s what the ACFE report found:

Source: ACFE Report to the Nations

“(Bad actors,) especially in the IT world, one thing that they’re very good at is they’re very patient so a lot of the systems that have been impacted have been inside the corporate networks for a long time in order to gather information in order to perpetrate the crime,” explains Brad Moody.

Adding in the COVID Layer

We also have to look at how the COVID-19 pandemic crisis has impacted fraud. The ACFE is reporting increases across the board in nearly every type of fraud during COVID and expects these impacts to continue to have an impact for some time to come.

Mark Lowers explains it this way: “It’s really not that surprising (to see an increase in fraud right now) on the basis you have a tremendous remote workforce today. And those that are in designated work environments, you’re working with reduced staff because not everybody is considered essential. So, the layers of controls and the layers of operational controls that have historically been in place, in some cases people are doing workarounds to get work done. Anytime you do those workarounds, you have an opportunity for fraud to occur.”

Source: ACFE, Fraud in the Wake of COVID-19: Benchmarking Report

As the ACFE explains, “Travel bans, employees working remotely, and an increased reliance on technology and economic uncertainty have become the reality for many organizations around the world. And while these and other hurdles present numerous logistical and operational challenges, they also open the door to the increased pressure, opportunity, and rationalization that can lead to fraud.”

In fact, the ACFE report found increases in cyber fraud (social engineering, phishing, ransomware schemes), financial statement fraud, payment fraud, and employee embezzlement. Just about every category of fraud has been on the rise during the pandemic.

Lessons Learned from the Financial Services Industry

Cash is the culprit in many asset misappropriation schemes (theft of cash on hand, theft of cash receipts, fraudulent disbursements) and these cash-related fraud schemes can last a median duration of 14 months or more. The longer a fraud remains undetected, the greater the financial loss.

Here at Lowers Risk Group, we work extensively with the financial services industry and specifically with the cash servicing industry. As Mark Lowers and Brad Moody explained, while the industry, on the whole, is doing a great job during these extremely tough circumstances to protect their people and assets, the industry also provides a perfect backdrop for organizations of all types looking for ways to shore up their own internal controls.

We hope you enjoyed this first Coffee Break. Come back tomorrow to learn about the critical role of whistleblowers and auditors in your fraud prevention program.

It’s hard to imagine that, on any given day, over $3 trillion dollars moves via electronic transfer.  Financial institutions make these B2B transactions happen seamlessly on a global scale, and we often take for granted the very simple instructions required (and accepted) between businesses that make single transactions of millions of dollars possible.  Since organizations perform these transactions almost exclusively online, the Internet of things has an inherit opportunity for malicious redirection when company employees become complacent with routine wire instructions.

Responsible organizations follow robust, documented and accepted practices in an environment that embraces process.  The culture of any high reliability organization allows employee intervention and systematic controls to prevent fraud opportunities.  It may feel as if these processes are tedious and repetitive, however, at the end of the day, human actions allow fraud to exist.

Since 2016, it’s estimated that over $26 billion in fraud losses has come from wire funds transfers as the result of business email compromise alone.  With the recent COVID-19 pandemic event, fraudsters have a new ability to exploit corporations, especially in highly impacted areas.  It is important for organizations to maintain a culture of process and have contingency plans in place to allow transfers to continue seamlessly.

On the Lowers & Associates LinkedIn, we’ll be highlighting a series of security insights that are applicable to ANY industry (the second bullet below should look familiar).  Specific to wire transfer fraud, here are a few additional actions employers can take to remove risk and eliminate potential for loss:

• Strengthen screening and re-screening employment practices.
• Integrate and document responsibilities of all parties authorized in dual controls into processes involving preparation of wire transfer instructions and authorizing and approving such transfers.
• Ensure there is independent and frequent review of investment transactions by a knowledgeable party.
• Conduct semi-annual audits of the wire transfer function. Ensure auditors review password requirements and controls during each examination.
• Conduct annual penetration tests and annual security audits of web-based wire transfer applications that are hosted by the company or by a third-party application service provider.

BONUS: These are a few additional steps that businesses should think about adopting:

• Email social engineering education.
• Passwords should be at least 14 characters, must be complex (at least 1 of each): 1 Uppercase, 1 Lowercase, 1 Number, 1 Symbol and changed every 90 days.
• Two-factor identification.
• Appropriate insurance coverage for the business.
• Monitor banking accounts regularly.

In our work in high risk industries, we routinely uncover fraud and asset misappropriations. While it may seem counterintuitive, with the US and global economy currently at a standstill due to COVID-19 shelter at home directives, organizations should be on high alert for occupational fraud during this time. The Fraud Triangle provides a framework for explaining why this is.

Formulated in 1953 by criminologist Donald Cressey, the Fraud Triangle theorizes that fraud occurs when the fraudster feels financial pressure, they are presented an opportunity, and/or the person can rationalize the theft.

With record numbers of Americans filing for unemployment and organizations operating with skeleton crews, the circumstances are ripe for fraud to take place.

A “Perfect Storm” of Conditions

Today, with organizations shut down to outside visitors (including, in some cases, outside auditors) as well as many employees, we are seeing a virtual petri dish for fraud. Two corners of the Fraud Triangle – opportunity and rationalization – are getting bent pretty hard. The third corner, incentive, in the form of extreme pressure, is bent even further. People have less supervision, more opportunity, and way more financial pressure.

So while you’re dealing with this pandemic and the resulting disruption, now more than ever is the time to be vigilant.

Opportunity

The coronavirus pandemic has driven unprecedented change in the workplace. Many employees are either laid off, have taken a pay cut, and/or are working remotely. Those who remain, whether at the workplace or from home, may be working with less supervision than before. In fact, we are seeing many instances where key risk management procedures like dual controls have been weakened or suspended entirely. For example, instead of having two or more employees independently evaluate and compare financial records, now only one employee may be responsible. Or, that supervisory signature normally required on certain transactions? It’s no longer practical given our remote locations, so we’ll just “do it this way” in the interim.

Sound familiar? The problem in these scenarios is that one small transgression that goes unnoticed has a way of snowballing into full-blown fraud.

Rationalization

When opportunity and incentive exist, people are better able to rationalize their fraudulent behavior. That couldn’t be more true than during this pandemic.  “I have to do this to provide for my family. I’ll pay it back later. My employer deserves it for laying me off.” These are some of the underlying rationalizations that turn a fraudster’s underlying thoughts into an actionable theft.

Incentive/Pressure

Financial difficulties are at the top of the list in terms of the pressures that can motivate people to commit acts of fraud. At no other time in modern history have so many people been under such financial strain as they are today.

At the highest of levels of unemployment following the 2008 financial crisis, there were 15.3 million jobless Americans. By the third week of April 2020, 26.5 million workers had filed jobless claims as a result of the coronavirus. An estimated 33 million people are currently unemployed, representing nearly 21 percent of the workforce and the highest unemployment level since 1934. Many who remain employed have agreed to accept pay cuts, work reduced hours, or take unpaid furloughs.

While the $2 trillion stimulus bill, Coronavirus Aid, Relief, and Economic Security Act (CARES), provided some short-term relief, it is likely not enough to stem the extreme financial worry being felt by many who don’t know how they’ll pay next month’s mortgage or cover their car insurance premium.

The pressure is extreme.

The Takeaway? Stay Vigilant

It may be tempting for organizations to be complacent when the world seems at a standstill, but the time to be diligent is now. Businesses should be on “high alert” and taking measures to ensure they’re keeping their operations secure. That includes double checking that access to IT systems and software has been blocked for furloughed employees or that virtual private networks (VPNs) have been created for remote workers. Internal controls should also remain in place, even if they have to be modified temporarily. For example, regularly scheduled phone calls or video conferences send the message that you’re still monitoring employees’ activities. Finally, if you haven’t already done so, it’s a good time to do an updated risk assessment for the entire organization. Asking your team where new vulnerabilities might exist, whether internal controls are still functioning as intended, and what gaps have been created are all part of mitigating the risk potential associated with the Fraud Triangle.

If you’d like help conducting any of these assessments, please reach out to us.

We were proud to join the Association of Certified Fraud Examiners’ (ACFE) 2019 Fraud Awareness Week as an official supporter. Saturday, November 23, 2019 will conclude a weeklong effort by the ACFE to minimize the impact of fraud by promoting anti-fraud awareness and education.

Companies lose an estimated 5% of their revenue annually as a result of occupational fraud, according to the 2018 ACFE Report to the Nations. It turns out, the risk of occupational fraud is much higher than many managers and leaders realize. Each case results in a median loss of $130,000 and with cases lasting a median of 16 months, fraud is something organizations of all sizes must take care to detect and deter.

In support of Fraud Week, we produced several informational articles, which are summarized here for easy reference:

How Technology is Helping in the Fight Against Fraud

The key to catching fraudulent actions before real damage is done is having systems in place to ferret out anomalies and report suspicious activities early. This means being equipped with tools like automatic monitoring, artificial intelligence, and anomaly detection protocols. For instance, surprise audits and data monitoring are a powerful combination in reducing fraud loss. Though only 37% of the companies examined in the ACFE  study used them, those that did got fraud cases under control in approximately half the time and reduced fraud losses by more than 50%.

Read the full post

The ACFE’s 5 Big Fraud Tips You Should Act on Now

As part of the 2019 International Fraud Awareness Week, the Association of Certified Fraud Examiners (ACFE) distributes information and training to help anti-fraud professionals reduce the incidence of fraud and white-collar crime. A recent ACFE publication, 5 Fraud Tips Every Business Leader Should Act On, spells out five ways organizations can work to prevent and minimize fraud in the workplace. We’ve paired their recommendations with the research-based actions you can take to achieve these aims.

Read the full post

Recovering Fraud Losses: What the Numbers Reveal

Losses from occupational fraud topped $7 billion in 2017, according to the Association of Certified Fraud Examiners’ (ACFE) most recent global study on occupational fraud and abuse, 2018 Report to the Nations. The median loss for all cases in the study was $130,000 USD, yet a full 22 percent of companies lost $1 million or more. To add insult to injury, only 15 percent of businesses that experienced fraud were able to fully recover their losses.

Read the full post

7 Must-Haves for Occupational Fraud Prevention

These seven fraud prevention strategies, drawn from the 2018 Report to the Nations by the Association of Certified Fraud Examiners (ACFE), will go a long way in fortifying your organization against the conditions that can facilitate occupational fraud at the workplace.

Read the full post

We hope you have taken some time this week to think about your 2020 fraud prevention programs and strategies and how you’ll build early fraud detection and proactive prevention into your processes.

No company is immune to fraud.

Losses from occupational fraud topped $7 billion in 2017, according to the Association of Certified Fraud Examiners’ (ACFE) most recent global study on occupational fraud and abuse, 2018 Report to the Nations. The median loss for all cases in the study was $130,000 USD, yet a full 22 percent of companies lost $1 million or more. To add insult to injury, only 15 percent of businesses that experienced fraud were able to fully recover their losses.

The common theme in the report is that, while it’s often worthwhile to pursue remedial action against perpetrators, victims will usually not be made whole. Here are three factors negatively impacting these recuperation efforts.

1. Failure to Report

After a fraud has been discovered and investigated, a case might proceed to prosecution, civil litigation, both, or neither. In its annual study, ACFE researchers tracked the percent of cases that were referred to law enforcement or resulted in a civil suit being filed for each year dating back to 2008. They found that the rate of criminal referrals has been gradually decreasing over that time, from 69 percent in 2008 to 58 percent in 2018. In contrast, the rate at which civil suits are filed has stayed consistent, ranging from 22 percent to 24 percent within the same timeframe.

There are many reasons why victim organizations might decide not to refer cases to law enforcement and therefore forego any additional recuperation of the loss that may result. The top five cited reasons are:

1. Fear of bad publicity: 38%
2. Internal discipline sufficient: 33%
3. Too costly: 24%
4. Private settlement: 21%
5. Lack of evidence: 12%

2. The Greater the Loss, the Less Likely the Recovery

There is an inverse relationship between the amount that victim organizations lose to fraud versus what they are able to recover. So, even if the organization decides to pursue legal action, they are not likely to achieve full recovery. Here’s how the numbers panned out:

• Losses of $10,000 or less had a 30% chance of recovery
• Losses of $10,000 to $100,000 had a 16% chance of recovery
• Losses of $100,001 to $1,000,000 had a 14% chance of recovery
• Losses of $1,000,000 or more had an 8% chance of recovery

3. Desire to Avoid Fines

A third reason recovery efforts can be hampered is the knowledge that organizations may receive monetary fines from authorities for having inadequate controls in place and thus enabling fraud to occur.

Of the three types of occupational fraud – asset misappropriation, corruption, and financial statement fraud – the latter had the greatest likelihood of fines, at 17 percent. And, fines were imposed regardless of the size of the loss. For example, organizations that lost $10,000 or less were fined 14 percent of the time while those that lost $1,000,000 or more were fined 20% of the time.

At a median of $100,000 per fine, these penalties were no small matter.

An Ounce of Prevention

Given that recovery is an uphill battle, the takeaway is this: organizations should do what they can to prevent fraud from happening in the first place. Internal controls, codes of ethics, recognizing red flag behaviors, and the availability of reporting mechanisms are all tried-and-true methods for realizing that goal.